If I understand correctly, WordPress automatically applies a wp_slash() on the global $_POST variable: should this means that for any $_POST variable, prior to saving to the DB, we should first unslash it? Which one of the following solution is the correct one? Is the $_GET variable also slashed? Do we need to apply the … Read more
I assume you’re missing the value=””, it seems like you use <input> as a regular HTML tag, and not a self-closing one. A basic example of what it should be like if I only use your value and ignore all the other attributes. <input value=”<?php echo esc_attr( get_the_author_meta( ‘periodo_1da’, $user->ID ) ); ?>”> And here … Read more
You could do something like this: $input=”Name <[email protected]>”; // Break the input into parts preg_match( ‘/([^<]+)<([^>]+)>/i’, $input, $matches, PREG_UNMATCHED_AS_NULL ); // Clean the name $name = sanitize_text_field( $matches[ 1 ] ); // Clean the email $email = sanitize_email( $matches[ 2 ] ); // Bail early if the values are invalid. if ( !$name || !$email … Read more
Escaping data from database (users table) is necessary?
Just thought I’d point out, your call to remove_accent() is incorrect, you are missing the s off of accents. Example from codex: $text = “Hoy será un gran día”; echo remove_accents($text); Echo result: Hoy sera un gran dia https://codex.wordpress.org/Function_Reference/remove_accents
As @karpstrucking mentioned in the comments, the problem was in the end with my function: my_string_manipulation_function() I was using preg_replace() to process the string of native language character, but I didn’t used the /u flag modifier to specify that I’m working with unicode characters. Adding this flag fixed all weird behaviour.
The more elaborate data is, the harder it is to both formulate and implement sanitization process. For a number this might be as simple as “integer” and (int)$number. For HTML this is highly not trivial with different possibilities of desired scope (no HTML tags? some blacklisted tags? some whitelisted tags? what about embedded scripts? CSS?) … Read more
How to use wp_filter_oembed_result?
I think this is probably not right approach for the way the Customiser is organised. Controls and Settings are pretty much separate entities. Controls can save settings, but settings aren’t tied to a specific control. As far as I’m aware there’s nothing stopping you having multiple controls for a single setting, for example. My suggestion … Read more
Another solution would be to put the style directly in the header, and only put the escaped values in, which would solve the double quote issue, but in the case that no styling has been set I’m left with an empty style in my element, and that also seems kinda unnecessary. You could e.g. check … Read more