esc_url removes white space. Can I change that to use '-' instead?
$url = esc_url( str_replace( ' ', '-', $url ) );
Replace the spaces with '-' characters before calling the esc_url function, and your problem is solved.
Sanitizing is required when you are inserting user input into the database or outputting it in HTML, etc. Here, you are simply doing a string comparison. The wp_verify_nonce function checks the $nonce value like this:
if ( hash_equals( $expected, $nonce ) ) { return 1; }
For this you don't need sanitizing. So the following is fine: wp_verify_nonce( …
No, the sanitization is already done. Well, the mysql_real_escape_string is done; it's considered bad form to filter HTML on input. I personally think doing it on output kind of breaches DRY. If you did it in WordPress, I highly suspect somewhere else will do it again, resulting in double HTML entity encoding. Also, by the way, wpdb::insert …
Uppercase characters are not blocked in usernames on single site setups. Uppercase characters ARE blocked in usernames on multisite setups. The wpmu_validate_user_signup function forces lowercase a-z and numbers 0-9 only.
The wp_strip_all_tags() function will remove all HTML, including the content of script and style tags. The PHP strip_tags() function largely does the same thing, except it won't eliminate the content of script and style tags. WP's wp_strip_all_tags() function calls strip_tags() after eliminating the script and style elements itself. The wp_filter_nohtml_kses() function uses kses to remove all …
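As an added illustration of the difference described in that answer (this is example code written for this page, not code from WordPress core or from the answer's author): the function below is a stand-alone copy of the two steps wp_strip_all_tags() performs, removing whole script/style elements and then calling strip_tags(). The regular expression is the one WordPress core uses for that step, reproduced here so the comparison runs without WordPress loaded; the function and helper names (example_strip_all_tags, example_esc_attr) and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the original answer): compare PHP's strip_tags()
// with the two-step approach wp_strip_all_tags() takes.

/**
 * Stand-alone copy of the core of wp_strip_all_tags(): drop <script> and
 * <style> elements together with their contents, then strip remaining tags.
 * Named differently so it does not clash if WordPress happens to be loaded.
 */
function example_strip_all_tags( string $html, bool $remove_breaks = false ): string {
    // Remove whole script/style elements; the back-reference \1 makes sure
    // the closing tag matches the opening one. This is the pattern WP core uses.
    $html = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $html );
    // Now PHP's own tag stripper only has to deal with ordinary markup.
    $html = strip_tags( $html );
    if ( $remove_breaks ) {
        $html = preg_replace( '/[\r\n\t ]+/', ' ', $html );
    }
    return trim( $html );
}

/**
 * Attribute escaping for output: use WordPress' esc_attr() when it is loaded,
 * otherwise PHP's equivalent. (Helper name is an assumption of this example.)
 */
function example_esc_attr( string $s ): string {
    return function_exists( 'esc_attr' )
        ? esc_attr( $s )
        : htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// Constructed sample: a comment body containing markup, an inline script
// and an inline stylesheet.
$input = '<p>Hello <b>world</b></p>'
       . '<script>alert(document.cookie)</script>'
       . '<style>p{display:none}</style> bye';

$plain = strip_tags( $input );                 // script/style *contents* survive
$wp    = example_strip_all_tags( $input );     // script/style contents are gone

echo "strip_tags():   [{$plain}]\n";
echo "wp-style strip: [{$wp}]\n";

// Caveat: neither function is output escaping. A value that contains no
// tags at all can still break out of an HTML attribute, so escape at the
// point of output regardless of what was stripped on input.
$attr = 'x" onmouseover="alert(1)';
echo '<input value="' . example_esc_attr( example_strip_all_tags( $attr ) ) . '">' . "\n";
```

Run with `php example.php`. The first line shows that strip_tags() keeps the JavaScript source and the CSS rule as plain text once their tags are removed, while the wp-style version drops them together with the elements; the last line shows why stripping tags on input is not a substitute for esc_attr()/htmlspecialchars() on output.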
Here is a PHP library that was created for sanitizing SVG files that may be worth looking into: https://github.com/darylldoyle/svg-sanitizer
Here is an example of how this could be used:
// Now do what you want with your clean SVG/XML data
function your_save_meta( $post_id, $post, $update ) {
    // - Update the post's metadata.
    if ( …
Looking at the is_email() functionality on trac, it looks like you don't need to sanitize, as it's just string testing. I would even go so far as to say that if this function returns true, you wouldn't need to sanitize it before sending it into the database.