I’m the original author of that article, hopefully I can elaborate on my point (“Rule 4”). The ‘data’ in this case is the value entered by the user: $raw = ‘<textarea name=”my-textarea”></textarea> Hello World’; There are two contexts in which we display this data in some form: The front-end view, where we wish to render … Read more
It depends on the context. In a template you’d just echo it: <div> <?php echo parse_html_for_images(); ?> </div> In a function you might want to concatenate it with something else: function wpse_303376_thumbnail() { return ‘<div>’ . parse_html_for_images() . ‘</div>’; } In a shortcode callback with lots other markup you might want to use output buffering, … Read more
The proper way to do that is using filter_input(). Here is an example for using a custom sanitize function: $tab = filter_input( INPUT_GET, ‘tab’, FILTER_CALLBACK, [‘options’ => ‘esc_html’] ); $tab = $tab ?: ‘front_page_options’;
Sanitize array callback for the WordPress Settings API
wp_kses (Codex) removes unallowed tags, but it doesn’t remove their content. So, if you have a “{something}”, wp_kses only removes the tags, not the content, returning “{something}”. Thus, this is intended behaviour and your issue doesn’t seem to be a bug.
What you’re asking for is impossible, there is no such thing as a safe javascript entry box. Even if we strip out extra script and style tags, it’s pointless, as the javascript code itself is inherently dangerous, and can create any elements it wants using DOM construction, e.g.: var s = jQuery( ‘script’, { ‘src’: … Read more
tl;dr Should I serialize the data? No, it will be done for you as long as everything is serializable. Should I sanitize/escape the data? Partially. The data will be escaped automatically for you to prevent SQL injection attacks, but you should sanitize and validate it to assure data consistency. Explanation If there’s no object cache … Read more
Just finished now the sanitize callback for RGBA colors.and tested in my theme and working perfect, and its taking RGBA values please find the code function awstheme_sanitize_rgba( $color ) { if ( empty( $color ) || is_array( $color ) ) return ‘rgba(0,0,0,0)’; // If string does not start with ‘rgba’, then treat as hex // … Read more
Your last prepare() snippet should work just fine, check that you have $wpdb declared as global in your function. Also blank page seems extreme, enable WP_DEBUG if not yet and see if there are any specific errors that cause it.
For the first example, a lot of people will use wp_kses_post to handle basic HTML output from wrapper functions. It’s a shortcut for some basic attributes and tags using wp_kses. You could use this function where you specify allowed tags and attributes that can pass through for the second example.