Hi, I am making my own theme in WordPress and setting up some customizer options. I have one for the text in my footer, but I would like to still use <? echo date('Y');?> in the footer to dynamically change the date so I don't have to keep going in and doing it manually. The sanitizer callback obviously blocks it. Is there a way to still be able to use that PHP function in the sanitizer? Here is my …
I have created a plugin wherein I have a custom post type. I am using post_content for some simple text. I do not need to offer any fancy editing or insertion of data for this field, so I looked for a way to remove the buttons from the tinyMCE editor. I never found a very good solution so I removed the editor from the custom post type supports in the register function. 'supports' => array('title','revisions','thumbnail'), Then to create an area …
I have been unable to figure out how I can properly sanitize (in the customizer) and escape (in the theme) while allowing the user to use "<" and ">" to insert a '< br >' and add a line break wherever they want. I have an area in my theme's customizer that allows the user to put text in a text box, and it outputs to a main headline area of the site. It works fine, but it does not …
So if I have a function that gets terms from the database (not the user), do I need to use prepare first (before get_results()), or some sort of data sanitizing?
I'm creating a WordPress theme in which I've allowed users to add some custom css from the Theme Options. This css code then directly gets echoed out in the head section of the page, with the following code: add_action('wp_head', 'theme_dynamic_css'); function theme_dynamic_css(){ global $my_theme_options; $custom_css = ''; if (isset($my_theme_options['custom-css'])) { $custom_css .= $my_theme_options['custom-css']."\r\n"; } echo '<style id="my-theme-custom-css">'.$custom_css.'</style>'; } Should I be using esc_html(); here? At first I assumed if the code is between the style tags, then it shouldn't be …
I have been trying to figure out how to escape quotes (single and double) from shortcode attributes. Basically the content is written by the user and therefore can potentially include " and ' quotes. Problem being, with " quotes it is stopping the shortcode attribute from functioning, e.g.: attribute="some text here with "quotes" so it stops the attribute...." So instead of getting the entire string it is stopping at the second pair of quotes. Now, I know it could be …
I have a textarea for small CSS enhancements on the plugin's page; I output them directly to the head. My question is how to sanitize the CSS. I have a validation function registered for the options with register_setting. On the settings page right now $output['css'] = (string) $input['css']; is all that I am doing. Should I escape it somehow? What does WordPress do with it? Does it do some escaping by itself for the database? Could some evil injection take place here? …
Hi, I want to achieve the following scenario and am asking for advice on how to start off. Scenario: We have an external MySQL database filled with product information. This database is delivering data for a few online shops. Access to the database is possible directly via a MySQL connection or, as I prefer, via a homegrown API (HTTP request). The result can be fetched as a JSON-formatted array. We now want several WordPress environments on different servers / in different countries to display filtered product information. We want …
Sometimes, I want to apply inline style, i.e. custom CSS for a single element, oftentimes unique across the site. But, with a very few exceptions, WordPress seems to strip these out. When I, the site administrator and post author, add certain CSS directives, they are removed, and I cannot find any setting to stop this from happening. So far, I have found it to remove: white-space, outline, image-rendering. I am aware that UGC is highly volatile, and it's vital for security …
Simple question: I see that some themes are using esc_attr or esc_html and url after they define a variable with get_post_meta, while others are using it during variable definition. What would be best practice? 1. $portf_icon = get_post_meta($post->ID,'dt_portf_icon',true); echo esc_html($portf_icon); or 2. $portf_icon = esc_html(get_post_meta($post->ID,'dt_portf_icon',true)); echo $portf_icon; Does it have any difference and which one would be best practice?
I have a WooCommerce module creating WordPress usernames on my behalf. I want to make sure those usernames are sanitized according to my rules, which are stricter than the WordPress requirements. How can I hook / override sanitize_user to use my custom rules?
I am trying to convert a post title to a slug. I used sanitize_title_with_dashes, thinking that's what WordPress uses. However, if my post title has an apostrophe in it, sanitize_title_with_dashes does not strip out the apostrophe. Instead, it escapes the apostrophe with a backslash. For example, if I use the default post editor to create a post named "Bob's Boutique", WordPress core will correctly create the slug as "bobs-boutique". If I try to convert "Bob's Boutique" to a post slug …
I have submitted a plugin to the WordPress repo, they have come back and said I need to escape the values in my email sending code NOT sanitize. So I'm confused what function they want me to use. Can you provide advice on the best escape function I should use for an email and plain text? Existing code they want me to escape and not sanitize: $message = " ... <li><strong>Email:</strong> " . sanitize_email($_REQUEST['email']) . "</li> <li><strong>Name: </strong> " . …
I am in the process of creating some options / the options page for my plugin. In the context of this I have only added two checkboxes so far to store boolean values. The creation, display on the page and saving works fine. Regarding future options, I wanted to test the validation of the options. For this I have created the function "sanitize_options", which now simply returns the parameter it receives as a test. public function sanitize_options( $data ) { …
I am used to registering plugin settings like this: $string_sanitization = array( 'sanitize_callback' => 'sanitize_text_field', ); // Section Setting: Just some example string register_setting( 'whatever', // Options group name 'some_example_string', // Option ID $string_sanitization // Sanitization callback ); And it works perfectly. But when it comes to options that store arrays of strings, I don't know what to use. The docs contain a types key for the args, but it's not clear enough, so I tried as follows: register_setting( 'whatever', …
Background I'm building a project that according to the specifications need to follow the WordPress Coding Standards. I am using phpcs to scan my code. If I try to pass $_POST-data into a function without sanitizing it, I will get an error. What I do before my code: Verify that this is actually a POST request by checking that $_POST is set. Verify that we have a value by checking if $_POST['faq_highlighted'] is set. Verify the nonce field using wp_verify_nonce …
I built a custom post type where we can find a standard textarea/tinymce generated by wp_editor() and I'm facing an issue for the saving part. If I save the content with the following code: update_post_meta( $post_id, $prefix.'content', $_POST['content'] ); everything is working fine but there is no security (sanitization, validation etc.). If I save the content with the following code: update_post_meta( $post_id, $prefix.'content', sanitize_text_field($_POST['content']) ); I solve the security issue but I lose all the style, media etc. …
This is a very straight-forward question, but it's important and I can't find anything definitive in the docs. This question asks a similar question for the 's' parameter, specifically. I want to know if WordPress validates/sanitizes parameters for any of the other parameters. For example, do the terms in a tax_query get sanitized automatically? Clarification: This is a technical / engineering question about specifically what the WP_Query class does with particular parameters. Several recent answers offer philosophical advice and general …