
Security in WordPress - Escaping


Remarks:

Security should always be in mind when developing. Without it an application is open to attacks such as SQL injection, XSS, CSRF and RFI that can lead to serious problems.

Untrusted data comes from many sources (users, third party sites, your own database!, ...) and all of it needs to be validated both on input and output. (Source: WordPress Codex)

Data should be validated, sanitized or escaped depending on its use and purpose.

To validate is to ensure the data you've requested of the user matches what they've submitted. (Source: WordPress Codex)

Sanitization is a bit more liberal of an approach to accepting user data. We can fall back to using these methods when there's a range of acceptable input. (Source: WordPress Codex)

To escape is to take the data you may already have and help secure it prior to rendering it for the end user. (Source: WordPress Codex)

escape data in HTML code

esc_html() should be used any time data is output as text inside HTML markup (between tags; attribute values use esc_attr(), shown below).

<h4><?php echo esc_html( $title ); ?></h4>

escape a url

<a href="<?php echo esc_url( home_url( '/' ) ); ?>">Home</a>

<img src="<?php echo esc_url( $user_picture_url ); ?>" />

escape data in js code

esc_js() is intended to be used for inline JS, inside a tag attribute.

For data inside a <script> tag use wp_json_encode().

<input type="text" onfocus="if( this.value == '<?php echo esc_js( $fields['input_text'] ); ?>' ) { this.value = ''; }" name="name">

wp_json_encode() encodes a variable into JSON, with some sanity checks.

Note that wp_json_encode() includes the string-delimiting quotes automatically.

<?php
$book = array(
    "title" => "JavaScript: The Definitive Guide",
    "author" => "Stack Overflow",
);
?>
<script type="text/javascript">
var book = <?php echo wp_json_encode( $book ); ?>;
/* Rendered output (quotes and braces come from wp_json_encode()):
var book = {"title":"JavaScript: The Definitive Guide","author":"Stack Overflow"};
*/
</script>

or

<script type="text/javascript">
    var title = <?php echo wp_json_encode( $title ); ?>;
    var content = <?php echo wp_json_encode( $content ); ?>;
    var comment_count = <?php echo wp_json_encode( $comment_count ); ?>;
</script>

escape attributes

<input type="text" value="<?php echo esc_attr($_POST['username']); ?>" />

escape data in textarea

<textarea><?php echo esc_textarea( $text ); ?></textarea>
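As an added example (not from the original page), the same untrusted value is placed in several output contexts, each with the escaping function that context calls for. It assumes WordPress is loaded; render_profile_card() and the sample input are constructed for this illustration.

```php
<?php
// Added example, not code from the original page. Assumes WordPress is loaded
// so esc_html(), esc_attr(), esc_url(), esc_js(), esc_textarea() and
// wp_json_encode() are available. Function name and sample data are constructed.

function render_profile_card( array $user ) {
    // Untrusted fields, e.g. from user meta or a form submission.
    $name    = $user['display_name'];
    $website = $user['website'];
    $bio     = $user['bio'];
    ?>
    <div class="profile-card" data-name="<?php echo esc_attr( $name ); ?>">
        <!-- HTML text node -->
        <h4><?php echo esc_html( $name ); ?></h4>

        <!-- href attribute: the $protocols argument restricts esc_url() to
             http/https, so a URL with any other scheme is dropped -->
        <a href="<?php echo esc_url( $website, array( 'http', 'https' ) ); ?>">
            <?php echo esc_html( $website ); ?>
        </a>

        <!-- inline JS inside an attribute: esc_js() plus single quotes -->
        <button onclick="greet('<?php echo esc_js( $name ); ?>')">Greet</button>

        <!-- textarea content has its own escaper -->
        <textarea name="bio"><?php echo esc_textarea( $bio ); ?></textarea>
    </div>

    <script type="text/javascript">
        // Data inside <script>: wp_json_encode() emits the delimiting quotes,
        // so do not add extra quotes around it. JSON_HEX_* flags (PHP's
        // json_encode options, passed through the $options parameter) also
        // hex-encode < > & ' " so the output cannot close the script block.
        var profile = <?php echo wp_json_encode(
            array( 'name' => $name, 'website' => $website ),
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        ); ?>;
    </script>
    <?php
}

// Constructed sample input containing characters that matter in each context.
render_profile_card( array(
    'display_name' => 'Tom & "Jerry" <b>',
    'website'      => 'https://example.com/?a=1&b=2',
    'bio'          => "Likes <mice>\n& cheese",
) );
```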

Syntax:

  • esc_html( string $text )
  • esc_url( string $url, string[] $protocols = null, string $_context = 'display' )
  • esc_js( string $text )
  • wp_json_encode( mixed $data, int $options = 0, int $depth = 512 )
  • esc_attr( string $text )
  • esc_textarea( string $text )
