The proper way to do that is using filter_input(). Here is an example for using a custom sanitize function: $tab = filter_input( INPUT_GET, ‘tab’, FILTER_CALLBACK, [‘options’ => ‘esc_html’] ); $tab = $tab ?: ‘front_page_options’;
Sanitize array callback for the WordPress Settings API
wp_kses (Codex) removes unallowed tags, but it doesn’t remove their content. So, if you have a “{something}”, wp_kses only removes the tags, not the content, returning “{something}”. Thus, this is intended behaviour and your issue doesn’t seem to be a bug.
What you’re asking for is impossible, there is no such thing as a safe javascript entry box. Even if we strip out extra script and style tags, it’s pointless, as the javascript code itself is inherently dangerous, and can create any elements it wants using DOM construction, e.g.: var s = jQuery( ‘script’, { ‘src’: … Read more
tl;dr Should I serialize the data? No, it will be done for you as long as everything is serializable. Should I sanitize/escape the data? Partially. The data will be escaped automatically for you to prevent SQL injection attacks, but you should sanitize and validate it to assure data consistency. Explanation If there’s no object cache … Read more
Just finished now the sanitize callback for RGBA colors.and tested in my theme and working perfect, and its taking RGBA values please find the code function awstheme_sanitize_rgba( $color ) { if ( empty( $color ) || is_array( $color ) ) return ‘rgba(0,0,0,0)’; // If string does not start with ‘rgba’, then treat as hex // … Read more
Your last prepare() snippet should work just fine, check that you have $wpdb declared as global in your function. Also blank page seems extreme, enable WP_DEBUG if not yet and see if there are any specific errors that cause it.
For the first example, a lot of people will use wp_kses_post to handle basic HTML output from wrapper functions. It’s a shortcut for some basic attributes and tags using wp_kses. You could use this function where you specify allowed tags and attributes that can pass through for the second example.
$url = esc_url ( str_replace(‘ ‘ , ‘-‘, $url ) ); Replace the spaces to – chars before activating esc_url function, and your problem is solved.
Sanitizing is required when you are inserting user input into Database or outputting it in HTML etc. Here, you are simply doing a String comparison. wp_verify_nonce function checks $nonce value like this: if ( hash_equals( $expected, $nonce ) ) { return 1; } For this you don’t need sanitizing. So the following is fine: wp_verify_nonce( … Read more