Data Sanitization/Escaping

Sanitization: Securing Input

Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.

The easiest way to sanitize data is with built-in WordPress functions.

The sanitize_*() series of helper functions provide an effective way to ensure you’re ending up with safe data, and they require minimal effort on your part:

Tip: Any time you’re accepting potentially unsafe data, it is important to validate or sanitize it.

Top ↑

Example -Simple Input Field

Let’s say we have an input field named title.

[html]<input id="title" type="text" name="title">[/html]

You can sanitize the input data with the sanitize_text_field() function:

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

Behind the scenes, sanitize_text_field() does the following:

  • Checks for invalid UTF-8
  • Converts single less-than characters (<) to entity
  • Strips all tags
  • Removes line breaks, tabs and extra white space
  • Strips octets
Tip: Remember, rely on the WordPress API and its help functions to assist with securing your themes.

Top ↑

Escaping: Securing Output

Whenever you’re outputting data make sure to properly escape it.

Escaping is the process of securing output by stripping out unwanted data, like malformed HTML or script tags, preventing this data from being seen as code.

Escaping helps secure your data prior to rendering it for the end user and prevents XSS (Cross-site scripting) attacks.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

WordPress has a few helper functions you can use for most common scenarios.

  • esc_html() – Use this function anytime an HTML element encloses a section of data being displayed.
  • <?php echo esc_html( $title ); ?>
  • esc_url() – Use this function on all URLs, including those in the src and href attributes of an HTML element.
  • <img src="<?php echo esc_url( $great_user_picture_url ); ?>" />
  • esc_js() – Use this function for inline Javascript.
  • <a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>
  • esc_attr() – Use this function on everything else that’s printed into an HTML element’s attribute.
  • <ul class="<?php echo esc_attr( $stored_class ); ?>"> </ul>
  • esc_textarea() – encodes text for use inside a textarea element.
  • <textarea><?php echo esc_textarea( $text ); ?></textarea>
Tip: Output escaping should occur as late as possible.

Top ↑

Escaping with Localization

Rather than using echo to output data, it’s common to use the WordPress localization functions, such as _e() or __() .

These functions simply wrap a localization function inside an escaping function:

esc_html_e( 'Hello World', 'text_domain' );
// same as
echo esc_html( __( 'Hello World', 'text_domain' ) );

These helper functions combine localization and escaping:

Top ↑

Custom Escaping

In the case that you need to escape your output in a specific way, the function wp_kses() (pronounced “kisses”) will come in handy. For example, there are instances when your want HTML elements or attributes to display in your output.

This function makes sure that only the specified HTML elements, attributes, and attribute values will occur in your output, and normalizes HTML entities.

$allowed_html = [
    'a'      =&gt; [
        'href'  =&gt; [],
        'title' =&gt; [],
    'br'     =&gt; [],
    'em'     =&gt; [],
    'strong' =&gt; [],
echo wp_kses( $custom_content, $allowed_html );

wp_kses_post() is a wrapper function for wp_kses where $allowed_html is a set of rules used by post content.

echo wp_kses_post( $post_content );

Top ↑

Database Escaping

All data in SQL queries must be SQL-escaped before the SQL query is executed to prevent against SQL injection attacks. WordPress provides helper classes to assist with escaping SQL queries $wpdb.

Top ↑

Selecting Data

The escaped SQL query ($sql in this example) can then be used with one of the methods:

Top ↑

Inserting and Updating Data

Top ↑

Like Statements