No the sanitization is already done. Well the mysql_real_escape_string is done, it’s considered bad form to filter html on input. I personally think doing it on output kinda breaches DRY. If you did in WordPress I highly suspect somewhere else will do it again resulting in double html entities encoding. Also by the way, wpdb::insert … Read more
Uppercase characters are not blocked in usernames on single site setups. Uppercase characters ARE blocked in usernames on multisite setups. The wpmu_validate_user_signup function forces lowercase a-z and numbers 0-9 only.
The wp_strip_all_tags() function will remove all HTML, including the content of script and style tags. The PHP strip_tags() function largely does the same thing, except it won’t eliminate the content of script and style tags. WP’s wp_strip_all_tags() function uses this after eliminating the scripts and styles manually. The wp_filter_nohtml_kses() function uses kses to remove all … Read more
Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer Here is an example of how this could be used: // Now do what you want with your clean SVG/XML data function your_save_meta( $post_id, $post, $update ) { // – Update the post’s metadata. if ( … Read more
Looking at the is_email() functionality on trac, it looks like you don’t need to sanatizie as it’s just string testing. I would even go so far as to say that if this function returns true, you wouldn’t need to sanitize it before sending it into the database.