Articles of escaping

How to sanitize user input?

What is the correct way of sanitizing form data before submitting it to the database? I have the following text input: <form method="post" action="options.php"> <?php wp_nonce_field('update-options'); ?> <input style="width:100%" type="text" name="data[title]" id="title" value="<?php $title = get_option('data_test'); echo $title['title']; ?>" /></p> <input type="hidden" name="action" value="update"/> <input type="hidden" name="page_options" value="lu_ban_data"/> <input style="float:left;margin-top: 10px; margin-bottom: 10px; vertical-align: middle; clear: both;" […]
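The usual WordPress split for a form like the one above is: sanitize on the way into the database (a `sanitize_callback` registered with the Settings API), escape on the way out (`esc_attr()` for an attribute value). The following is an added example, not code from the question or an answer to it; it keeps the option name `data_test` and the settings group `lu_ban_data` from the post and assumes the input is renamed to `data_test[title]`, because `options.php` saves each registered option under its own POST name. SQL quoting is not the application's job here: `update_option()` goes through `$wpdb` prepared queries, so the concern is the content of the value and the context it is later printed into.

```php
<?php
// Added example (not from the original question). Assumes the option 'data_test',
// the settings group 'lu_ban_data' and the renamed field 'data_test[title]'.

/**
 * Sanitize callback: runs before the option is written to the database.
 * Return only the keys you expect, each cleaned for its intended use.
 */
function lu_ban_sanitize_data( $input ) {
    $clean = array();
    // sanitize_text_field(): strips tags and control characters, normalises whitespace.
    // Pick the sanitizer that matches the field: sanitize_email(), absint(),
    // esc_url_raw(), wp_kses_post() for limited HTML, and so on.
    $clean['title'] = isset( $input['title'] ) ? sanitize_text_field( $input['title'] ) : '';
    return $clean;
}

function lu_ban_register_settings() {
    register_setting(
        'lu_ban_data', // option group; must match settings_fields() in the form
        'data_test',   // option name in wp_options
        array( 'sanitize_callback' => 'lu_ban_sanitize_data' )
    );
}
add_action( 'admin_init', 'lu_ban_register_settings' );

function lu_ban_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $data  = (array) get_option( 'data_test', array() );
    $title = isset( $data['title'] ) ? $data['title'] : '';
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'lu_ban_data' ); // nonce, action=update and option_page fields ?>
        <input style="width:100%" type="text" name="data_test[title]" id="title"
               value="<?php echo esc_attr( $title ); // escape for the attribute context ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```

`settings_fields()` replaces the hand-written nonce and hidden `action`/`page_options` inputs from the question; `options.php` verifies the nonce, checks `manage_options`, unslashes the posted value and runs the sanitize callback through `update_option()`.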

Quotes being escaped inside wp_editor when saved with wp_kses_post

I have a settings screen where I allow users to create HTML emails with the convenience of the editor they are already used to from posts and pages, using wp_editor(); everything seems to work fine except when I try to save with texts which are in quotes: when the value returns it has the escaping, […]
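Backslashes before quotes after a save usually mean the request slashes were stored: WordPress adds slashes to `$_POST` on every request (`wp_magic_quotes()`), and `wp_kses_post()` only filters HTML, so the `\"` it receives is kept. The fix is `wp_unslash()` before filtering. The code below is an added illustration, not the poster's code; the option name `my_email_template` and the nonce action `save_email_template` are assumed names.

```php
<?php
// Added example. Assumed names: option 'my_email_template', action 'save_email_template'.

function my_save_email_template() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'save_email_template' ); // verifies the field from wp_nonce_field()

    if ( ! isset( $_POST['email_template'] ) ) {
        return;
    }

    // Wrong: WordPress has already slashed $_POST, and kses keeps the backslashes.
    // $html = wp_kses_post( $_POST['email_template'] );

    // Right: remove the request slashes first, then apply the post-content allowlist.
    $html = wp_kses_post( wp_unslash( $_POST['email_template'] ) );

    update_option( 'my_email_template', $html ); // update_option() expects unslashed data

    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_save_email_template', 'my_save_email_template' );

function my_render_email_template_editor() {
    $html = get_option( 'my_email_template', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="save_email_template" />
        <?php wp_nonce_field( 'save_email_template' ); ?>
        <?php wp_editor( $html, 'email_template', array( 'textarea_name' => 'email_template' ) ); ?>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

One caveat: the unslashed value is right for `update_option()`, `update_post_meta()` and friends, but `wp_insert_post()` and `wp_update_post()` expect slashed input, so for post content you would pass `wp_slash( wp_kses_post( wp_unslash( ... ) ) )` instead.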

Should I always prefer esc_attr_e & esc_html_e instead of _e?

I am working to internationalize my plugin. As I can see on the WordPress site about escaping, it says you should always use it. But as I can see in many popular plugins, they have used _e instead, apart from a few specific cases. So should I always use escaping or not for all strings, if not […]

When I re-save a post with sections, the entities are double-escaped (> becomes &gt; etc)

I’ve had a hard time googling for this issue. On my blog, whenever I update an existing page, code sections are doubly escaped. I.e., on a recent page I have find /V "QWERTYUIOPPO" < calc.exe:yourads.txt and after a recent edit it has become: find /V &quot;QWERTYUIOPPO&quot; &lt; calc.exe:yourads.txt When I save it once more, it will […]

How could I sanitize the received data from this code?

<form id="tellastory" method="post" action=""> <label for="fullname">Full Name </label> <input id="fullname" name="fullname" type="text" maxlength="255" value=""/> <label for="title">Title </label> <input id="title" name="title" type="text" maxlength="255" value=""/> <label for="title">Message </label> <textarea id="editor" name="editor" rows="20" cols="50"></textarea> <input type="hidden" name="form_id" value="123456" /> <input id="saveForm" type="submit" name="submit" value="submit" /> </form> <?php $storyteller_user_id = "3"; //your guest user id here //$stories_category = "3"; […]

PHP Coding Standards, Widgets and Sanitization

I have an issue with custom widgets and WordPress Coding Standards. When you create a custom widget, your class should have a "widget" method that will display the widget. Something like: <?php public function widget( $args, $instance ) { echo $args['before_widget']; ?> <span><?php echo esc_html( 'Great widget', 'text-domain' ); ?></span> <?php echo $args['after_widget']; } ?> […]
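The two questions above (esc_html_e versus _e, and what the coding standards sniff wants in a widget) share one answer: `_e()` echoes the translation as-is, and translations come from .mo files that may be supplied by a third party, so the `esc_*__()` / `esc_*_e()` helpers treat them like any other untrusted string and escape for the context they are printed into. Note that `esc_html( 'Great widget', 'text-domain' )` in the widget snippet does not translate anything; `esc_html()` takes one argument and the text domain is silently ignored, so `esc_html_e()` or `esc_html__()` is the intended call. The following widget is an added example, not code from either question; the text domain `text-domain` and the id base `example_widget` are assumed.

```php
<?php
// Added example, not from the questions above. Assumed names: text domain
// 'text-domain', widget id base 'example_widget'.
class Example_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct(
            'example_widget',
            esc_html__( 'Example widget', 'text-domain' ) // translate, then escape for HTML text
        );
    }

    public function widget( $args, $instance ) {
        // Wrapper markup comes from the theme's register_sidebar() call, not from
        // users, so it is echoed raw; the phpcs:ignore tells the sniff this is deliberate.
        echo $args['before_widget']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        $title = apply_filters( 'widget_title', $title, $instance, $this->id_base );
        if ( '' !== $title ) {
            // Stored values are escaped at output time, in the HTML-text context.
            echo $args['before_title'] . esc_html( $title ) . $args['after_title']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
        }

        $url = isset( $instance['url'] ) ? $instance['url'] : '';
        ?>
        <span><?php esc_html_e( 'Great widget', 'text-domain' ); // translate + escape + echo ?></span>
        <a href="<?php echo esc_url( $url ); // URL context ?>"
           title="<?php echo esc_attr__( 'Open the widget link', 'text-domain' ); // attribute context ?>">
            <?php esc_html_e( 'Read more', 'text-domain' ); ?>
        </a>
        <?php
        echo $args['after_widget']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
    }

    // Sanitize on save; WP_Widget's default form() is used, so only update() is shown.
    public function update( $new_instance, $old_instance ) {
        return array(
            'title' => sanitize_text_field( isset( $new_instance['title'] ) ? $new_instance['title'] : '' ),
            'url'   => esc_url_raw( isset( $new_instance['url'] ) ? $new_instance['url'] : '' ),
        );
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Widget' );
} );
```

The one legitimate reason to reach for plain `__()` is a string that deliberately carries markup or placeholders; then escape the pieces you interpolate with `sprintf()`, or pass the whole translated string through `wp_kses_post()`, rather than skipping escaping altogether.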

Prevent escaping javascript in visual editor

I tried to put my JavaScript code directly into my blog content, but it seems WordPress escapes [ ] chars. Input: <p>Some content blah blah</p> <script> var locations = [{ lat: 50.765688, lng: 15.056265 },{ lat: 50.765688, lng: 15.056265} ]; </script> Output: var locations = [{ lat: 50.765688, lng: 15.056265, … Is there any way […]

wp_specialchars and wp_specialchars_decode in a shortcode plugin

I have written my first plugin, a shortcode plugin. I have read about wp_specialchars and wp_specialchars_decode but I’m not sure how to use them. The plugin reads a shortcode allowing some parameters and inserts a script into the page HTML code. For example, [MYSHORTCODE TITLE="a short title"] yields the following script code lines: $html […]

What's the safest way to output custom JavaScript and CSS code entered by the admin in the Theme Settings?

I’m creating a theme in which I’ve created options for the admin to enter custom JavaScript and CSS code in the "Theme Settings" page (created using the Options API). Now I’m just not sure how to output this code in the best possible way. For the CSS I’ve decided to use wp_add_inline_style() and update a CSS […]
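Admin-entered CSS and JavaScript is code, not data: there is no escaping function that makes arbitrary script safe while keeping it working, so the control has to sit at save time (who may store it) rather than at output time. The example below is added here and is not the poster's theme code; it assumes the option names `my_theme_custom_css` / `my_theme_custom_js`, the settings group `my_theme_settings`, and that the theme already enqueues handles `my-theme-style` and `my-theme-script` that the inline code can be attached to.

```php
<?php
// Added example. Assumed names: options 'my_theme_custom_css' and 'my_theme_custom_js',
// settings group 'my_theme_settings', enqueued handles 'my-theme-style' / 'my-theme-script'.

function my_theme_register_custom_code() {
    foreach ( array( 'my_theme_custom_css', 'my_theme_custom_js' ) as $option ) {
        register_setting(
            'my_theme_settings',
            $option,
            array(
                // Only users who may already post arbitrary HTML/script (unfiltered_html;
                // super admins only on multisite, nobody if DISALLOW_UNFILTERED_HTML is set)
                // may change the stored code. Anyone else keeps the previous value.
                'sanitize_callback' => function ( $value ) use ( $option ) {
                    if ( ! current_user_can( 'unfiltered_html' ) ) {
                        return get_option( $option, '' );
                    }
                    // options.php has already unslashed the value; store it verbatim.
                    return is_string( $value ) ? $value : '';
                },
            )
        );
    }
}
add_action( 'admin_init', 'my_theme_register_custom_code' );

function my_theme_output_custom_code() {
    $css = get_option( 'my_theme_custom_css', '' );
    $js  = get_option( 'my_theme_custom_js', '' );

    // Neither function escapes its argument; they print it inside <style> / <script>
    // after the named handle. That is correct for code, which must not be HTML-encoded.
    if ( '' !== $css ) {
        wp_add_inline_style( 'my-theme-style', $css );
    }
    if ( '' !== $js ) {
        wp_add_inline_script( 'my-theme-script', $js );
    }
}
// Priority 20 so the theme's own wp_enqueue_style()/wp_enqueue_script() calls run first.
add_action( 'wp_enqueue_scripts', 'my_theme_output_custom_code', 20 );
```

Because the inline functions wrap the text verbatim, a stored `</style>` or `</script>` would terminate the element early; that is acceptable only because the save path restricts who can store the value to users who are already trusted with unfiltered HTML. If the settings page must be usable by less privileged roles, keep these two fields out of their reach rather than trying to filter the code.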

Prevent add_shortcode from escaping a tag

In my plugin, I’m rendering a shortcode with some inline JavaScript. WordPress seems to hate the closing CDATA tag (]]>), as it escapes it. I’m using CDATA blocks so as to render well-formed XHTML, which allows other processes to scrape the page content easily (legacy systems which suck and are beyond the scope of this […]