Why escape if the_content isnt?

If I were a hacker with access to the database, wouldn’t I just add my
code to a post’s content?

If you’ve got access to the database, chances are that you’ve got enough access that escaping isn’t going to stop you. Escaping is not going to help you if you’ve been hacked. It’s not supposed to. There’s other reasons to escape. The two main ones that I can think of are:

To deal with unsanitized input

WordPress post content is sanitized when it’s saved, but not everything else is. Content passed via a query string in the URL isn’t sanitized, for example. Neither is content in translation files, necessarily. Both those are sources of content that have nothing to do with the site being compromised. So translatable text and content pulled from the URL need to be escaped.

To prevent users accidentally breaking markup

Escaping isn’t just for security. You also need it to prevent users accidentally breaking their site’s markup. For example, if the user placing quotes or > symbols in some content in your plugin would break the markup, then you should escape that output. You don’t want to be over-aggressive in sanitising on input, because there’s perfectly valid reasons a user might want to use those characters.

“Escaping isn’t only about protecting from bad guys. It’s just making
our software durable. Against random bad input, against malicious
input, or against bad weather.”

That’s from the WordPress VIP guidelines on escaping. It has a lot more to say on this matter, and you should give it a read.

Related Posts:

  1. what is a auth_user_file.txt?
  2. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  3. How to view PHP on live site
  4. Is moving wp-config outside the web root really beneficial?
  5. Hide the fact a site is using WordPress?
  6. Verifying that I have fully removed a WordPress hack?
  7. WordPress 4.7.1 REST API still exposing users
  8. Can I Prevent Enumeration of Usernames?
  9. Best way to eliminate xmlrpc.php?
  10. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  11. Should I remove install.php and install-helper.php?
  12. Are Nonces Useless?
  13. What is the difference between esc_html filter vs attribute_escape filter?
  14. Why does WordPress have more than one salt?
  15. What is the ideal setup to address security concerns?
  16. Will there be security updates for 3.1 once 3.2 is released?
  17. How do I technically prove that WordPress is secure?
  18. WordPress it’s cleaning a custom query_var to avoid sql injections?
  19. How do WordPress Nonces Work?
  20. Tips for finding SPAM links injected into the_content
  21. Is WordPress vulnerable to the httpoxy?
  22. How can I easily verify a core or plugin update has not broken anything?
  23. Vanilla WordPress install, what can/should I put in disable_functions?
  24. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  25. Secure my “add_settings_field” translation?
  26. Is there a security risk giving someone temporary access to my blog’s code?
  27. How to properly sanitize/secure a WP Query coming from the front end
  28. WordPress Logout Only If User Click Logout or If User Delete Browser History
  29. brute force attack even though it is limited by IP
  30. How brute-forcer knows that the password is cracked for target username?
  31. wp_insert_post disable HTML filter
  32. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  33. Completely remove the author url
  34. Restricting access to content
  35. About WordPress site security
  36. Relative security of different releases of WordPress
  37. Is there any point setting the keys and salts in wp-config.php?
  38. Where to store OAuth 2.0 client id and secret?
  39. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  40. Using HTACCESS for Secret Access
  41. Definitive wordpress directory ownership and permissions on linux
  42. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  43. Changing Table Prefixes – once done, am I good to go going forward?
  44. wordpress website host price and security [closed]
  45. Are there security risks in working directly in the themes folder that builds into a theme folder?
  46. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  47. Secure WordPress: Change admin
  48. Changing the default header name
  49. how much information can we hide when using wordpress cms?
  50. Is it safe to use a global wp nonce per user instead of a nonce per action?
  51. Wordfence detects change in wp-admin/includes/upgrade.php
  52. Basic password protection without using users and roles
  53. System setting changed by system user
  54. Does meta-data need to be sanitized?
  55. Will there be security updates for WordPress 4.9.9
  56. White screen of death on admin pages after moving wp-config up two levels for security
  57. Any known bugs that could cause disappearance of the wp_users table?
  58. On new server, site got hacked, permissions a bit strange? Please help
  59. 404/500 error on content images if Referer header is from another domain [closed]
  60. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  61. Restrict Access without Creating Users
  62. Switching between security plugins is a risk?
  63. How to obfuscate wp-config.php or code
  64. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  65. How to prevent to direct access of my custom plugin folder/files
  66. Checking for origin of a xmlrpc request
  67. RESTRICT EDIT of PHP files?
  68. wp-content – permissions for files/folders created by apache
  69. How can I restrict access to specific parts of a page, not just the page itself?
  70. Why do people use “admin” username by default? [closed]
  71. User generated content and security
  72. Are major WordPress updates mandatory for security?
  73. i moved wp-config.php outside of public html and this broke my website
  74. Monitor wordpress all external calls
  75. Is it safe to use the basic administration with reduced rights for private member space
  76. Securing WordPress running on Azure platform
  77. Verifying that I have fully removed a WordPress hack?
  78. Spam Registrations
  79. Robots.txt file not updating
  80. How can I have more confidence that WP plugins aren’t getting and storing user data?
  81. Standard Method for Securing a WordPress Site
  82. wordpress security (only one part of the site)
  83. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  84. Any way to disable /wp-login.php redirecting to the site folder?
  85. Folder Permissions + Security Concerns
  86. Malware/Permission bug removal?
  87. Could a user account with a stolen password compromised entire WP site?
  88. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  89. Secure a WordPress website in 2019: one plugin or a combinations of them?
  90. What are the different types of firewall protections available for a WordPress website?
  91. is this code properly secured
  92. Run a security scan on WordPress site that has .htaccess password [closed]
  93. Is this a WordPress security bug?
  94. Competitor is somehow accessing MetaData on a hidden WordPress site
  95. WordPress Hacks/Defacing [closed]
  96. Move data from wp-config to another file
  97. Heartbleed: What is it and what are options to mitigate it?
  98. OpenVPN vs. IPsec – Pros and cons, what to use?
  99. How to test if my server is vulnerable to the ShellShock bug?
  100. Is wp-cron.php vulnerable to external attacks and how to protect it?

Leave a Comment