This is a very straight-forward question, but it’s important and I can’t find anything definitive in the docs.
I’m creating a template for comments on my WordPress site. I noticed that a simple
<script>alert(1);</script> slips through the default WP codex implementation of comments, using the
comment_text() function to display my comments. No bueno.
I have a question regarding a wordpress site I have recently developed for a client. I have only until now developed a site for small clients that just require personal websites, however this client has asked me to redeveloped his site as the current one has alot of security issues. Anyway I have created the site and shown it to him and he has asked if I can ‘apply input sanitation so special characters like @,&,-,+,% are not allowed’ to the login field.
I am currently developing my first WordPress plugin. A few days ago I submitted it to WordPress for review. Unfortunately, the plugin was not (yet) published, because I still have to close some security issues. More specifically, it is about the fact that data must be Sanitized, Escaped, and Validated.
Firstly, sorry if this has been properly answered before. After reading a lot of questions and guides, I’m still not totally convinced on the best way of doing things.
I submitted a plugin to wordpress and I got a feedback that I have to escape this one
$active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'front_page_options';
I’m working on a site that had an existing theme that used meta fields to store blocks (bad practice IMO but pre-block editor).
Here’s my issue. I have a custom post type that I’m attaching a custom taxonomy to. This taxonomy will allow the admin to provide search suggestions that will ensure the post is found when a user searches. This taxonomy is also used on the front-end to autocomplete the search field with these suggestions.