Sanitize filters to make data safe. WordPress open

Sanitize filters to make data safe. WordPress

Approved. Code works!
This is exactly the working code that is verified by the moderator or site administrators

These are filters that are applied to data to make it “safe” in a particular context. For example, to display HTML code in a text area, you must replace all HTML tags with their entity equivalents.

esc_html

esc_html($text);// removes html tags

Where you should use esc_html:

  • Displaying User-Generated Content: when you display content that can be submitted by users, such as comments, form inputs, or content from the database, you should use esc_html to escape the content before outputting it to the browser. This prevents any malicious HTML or JavaScript code from being executed.

    	$user_input = $_POST['user_comment']; // Assuming this contains user input
	echo esc_html($user_input);
	
esc_html__( $text,'translation_domain') // removes html tags and makes text translation_ready

esc_attr

esc_attr($text) // removes attributes used inside the tag

Use esc_attr($text) when you want to escape and sanitize a text string to make it safe for output as an HTML attribute. The esc_attr function is used to prevent cross-site scripting (XSS) vulnerabilities by encoding special characters in a way that is suitable for use in attribute values within HTML elements.

Where you should use esc_html:

  • Outputting HTML Attributes: when you’re dynamically generating HTML attributes, such as href, src, alt, title, class, or any other attribute within HTML elements, you should use esc_attr to ensure that the attribute value is properly encoded.

    $link_url = 'https://example.com';
$link_text = 'Visit Example';
echo '<a href="' . esc_attr($link_url) . '">' . esc_html($link_text) . '</a>';
  • Using Data from Untrusted Sources: if you’re working with data from external sources, form inputs, or user-generated content, and you intend to use that data as an attribute value, it’s essential to use esc_attr to prevent potential security risks. 
esc_attr__('text to translate','text-domain'); // retrieves the translation of $text and escapes it for safe use in an attribute.

esc_js

esc_js( $text ) // for escaping inline js

Prepares a string for use in JavaScript. To protect against errors: escapes quotes, changes ” 

<> &

characters to special HTML characters and corrects line endings.

Useful when using one-line JS code (in HTML attributes, for example onclick=’…’).

wp_kses

wp_kses( $string, $allowed_html, $allowed_protocols ); // when you need to sanitize but leave to allow the output of the required tags

$string – content that needs to be cleared.
$allowed_html – list of valid HTML elements in the submitted content.
$allowed_protocols – protocols, links to which will be allowed in the content.

Clears a line, leaving only the specified HTML tags, their attributes and attribute values. The function also removes some HTML entities.

Expects an UN-escaped string! This means that before use you need to remove all escape slashes (see wp_unslash()) that WP automatically adds for any $_POST request, as PHP did (PHP’s magic quotes).

Where you should use:

  • Custom content editing fields: if you have custom content editing fields in your WordPress theme or plugin and you want to allow specific HTML tags and attributes while disallowing others, you can use wp_kses to filter the content based on your desired configuration.

    	$user_input = $_POST['custom_field_content']; // Assuming user input
	$allowed_tags = array(
    'a' => array(
        'href' => array(),
        'title' => array(),
    ),
    'em' => array(),
    'strong' => array(),
	);
	$filtered_content = wp_kses($user_input, $allowed_tags);
	echo $filtered_content;
  • Data input and output: in cases where you’re working with dynamic data from external sources and you want to sanitize and control the allowed HTML, you can use wp_kses to customize the filtering based on your requirements.

    	$external_data = get_external_data(); // Data from an external source
	$allowed_tags = array('p' => array(), 'a' => array('href' => array(), 'title' => array()));
	$filtered_data = wp_kses($external_data, $allowed_tags);
	echo $filtered_data;

wp_kses_post

wp_kses_post($text) // synthesizes and skips all tags that are allowed for the post

Clears the passed string, leaving in it the HTML tags allowed for publication in a post for the current user.

Where you should use:

  • This function is convenient to use to clear the data of an array passed in $_POST: 
    	$some_array = array_map( 'wp_kses_post', $_POST['some_array'] );

    This function expects a string (data) without slashes! This means that before using it, you need to remove all slashes, see wp_unslash(), which WP automatically adds to any global data, such as $_POST, see wp_magic_quotes().

  • Displaying user comments: if you allow users to leave comments on your WordPress site, you should use wp_kses_post to sanitize and filter the comment content. This function ensures that any HTML tags and attributes in the comments are safe and conform to your site’s allowed HTML structure.

    	$comment_content = get_comment_text(); // Get comment content
	echo wp_kses_post($comment_content);
  • Using content in shortcodes: if you’re developing custom shortcodes that accept content, you should apply wp_kses_post to the content provided by users. This helps ensure that any content within your shortcode is safe.

    	function custom_shortcode($atts, $content = null) {
    $content = wp_kses_post($content);
    // Process and return the content within the shortcode
}
add_shortcode('my_shortcode', 'custom_shortcode');
  • Custom templates for posts or pages: when you’re creating custom templates for displaying post or page content, you can use wp_kses_post to sanitize the post content before outputting it in your templates. This is particularly important if you’re dealing with custom post types or data from external sources.

    	$post_content = get_the_content(); // Get post content
echo wp_kses_post($post_content);

sanitize_field

A set of functions that must be used to store data directly in the site’s Database.

sanitize_text_field

Clears the passed string leaving pure text: without HTML tags, line breaks, etc.

This function is used to clear strings saved to the database (transmitted from the input field), sometimes when received from the database.
sanitize_text_field( 'Text for sanitize, <em>text</em>more text     <br>. ' );
What is the difference between esc_html() and sanitize_text_field():
esc_html() is less rigid – it only translates HTML characters and entities into visible text, so that the browser does not treat the text as HTML, i.e. saves all data, but will change it for display.

sanitize_text_field() – removes all HTML characters, line breaks, tabs and HTML entities. The function leaves blank text, i.e. The function makes sure that the value of the input field is safe to save.

sanitize_textarea_field

Clears the string passed from the textarea field (when saving to the database) or when receiving from the database.

This function does everything the same as sanitize_text_field(), except it leaves line breaks (\n), spaces, and other characters that can be used in the textarea field.

Removes all HTML characters, tabs, HTML entities, etc. Leaves clear text. The function makes sure that the value of the textarea field can be safely used when saving.

sanitize_text_field( 'Big text' );

There are also many more esc… and sanitize functions… you can find them in the official WordPress documentation.

0

More

Leave a Reply

Your email address will not be published. Required fields are marked *

How many?: 22 + 22

lil-code© | 2022 - 2024
Go Top
Authorization
Registration
*
*
Entry Lost your Password ?
Registration
*
*
*
*
Signup
Registration
Password generation
Get New Password