Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.
The easiest way to sanitize data is with built-in WordPress functions.
sanitize_*() series of helper functions provide an effective way to ensure you’re ending up with safe data, and they require minimal effort on your part:
Tip: Any time you’re accepting potentially unsafe data, it is important to validate or sanitize it.
Let’s say we have an input field named title.
[html]<input id="title" type="text" name="title">[/html]
You can sanitize the input data with the sanitize_text_field() function:
$title = sanitize_text_field( $_POST['title'] ); update_post_meta( $post->ID, 'title', $title );
Behind the scenes, sanitize_text_field() does the following:
- Checks for invalid UTF-8
- Converts single less-than characters (<) to entity
- Strips all tags
- Removes line breaks, tabs and extra white space
- Strips octets
Whenever you’re outputting data make sure to properly escape it.
Escaping is the process of securing output by stripping out unwanted data, like malformed HTML or script tags, preventing this data from being seen as code.
Escaping helps secure your data prior to rendering it for the end user and prevents XSS (Cross-site scripting) attacks.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
WordPress has a few helper functions you can use for most common scenarios.
- esc_html() – Use this function anytime an HTML element encloses a section of data being displayed.
<?php echo esc_html( $title ); ?>
hrefattributes of an HTML element.
<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />
<a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>
<ul class="<?php echo esc_attr( $stored_class ); ?>"> </ul>
<textarea><?php echo esc_textarea( $text ); ?></textarea>
These functions simply wrap a localization function inside an escaping function:
esc_html_e( 'Hello World', 'text_domain' ); // same as echo esc_html( __( 'Hello World', 'text_domain' ) );
These helper functions combine localization and escaping:
In the case that you need to escape your output in a specific way, the function wp_kses() (pronounced “kisses”) will come in handy. For example, there are instances when your want HTML elements or attributes to display in your output.
This function makes sure that only the specified HTML elements, attributes, and attribute values will occur in your output, and normalizes HTML entities.
$allowed_html = [ 'a' => [ 'href' => , 'title' => , ], 'br' => , 'em' => , 'strong' => , ]; echo wp_kses( $custom_content, $allowed_html );
wp_kses_post() is a wrapper function for wp_kses where
$allowed_html is a set of rules used by post content.
echo wp_kses_post( $post_content );
All data in SQL queries must be SQL-escaped before the SQL query is executed to prevent against SQL injection attacks. WordPress provides helper classes to assist with escaping SQL queries
The escaped SQL query ($sql in this example) can then be used with one of the methods: