Copy content stored in meta to post content
I’m working on a site that had an existing theme that used meta fields to store blocks (bad practice IMO but pre-block editor).
I’m trying to sanitize any data that’s inputted by making sure the data is valid for a particular field (e.g. a name can’t contain special characters/numbers etc.). However, I’m not sure what to do when it comes to a password field. Would I even need to bother with any sanitization as the password is simply hashed? If the user was to inject anything malicious via the password textbox, should I bother checking for anything suspicious? AFAIK, some users may (should!) have special characters such as ‘< >’, which would normally trigger a potential attack alert. Should I just leave the password field unsanitized? Limiting input for passwords is a last resort for me, as I feel users should use all sorts of characters in their passwords.
This is a very straightforward question, but it’s important and I can’t find anything definitive in the docs.
I’m creating a template for comments on my WordPress site. I noticed that a simple <script>alert(1);</script> slips through the default WP codex implementation of comments, using the comment_text() function to display my comments. No bueno.
I have a question regarding a WordPress site I have recently developed for a client. Until now I have only developed sites for small clients that just require personal websites; however, this client has asked me to redevelop his site as the current one has a lot of security issues. Anyway, I have created the site and shown it to him and he has asked if I can ‘apply input sanitation so special characters like @,&,-,+,% are not allowed’ to the login field.
I am currently developing my first WordPress plugin. A few days ago I submitted it to WordPress for review. Unfortunately, the plugin was not (yet) published, because I still have to close some security issues. More specifically, it is about the fact that data must be Sanitized, Escaped, and Validated.
Firstly, sorry if this has been properly answered before. After reading a lot of questions and guides, I’m still not totally convinced on the best way of doing things.
I have read the WordPress page about this but didn’t find a solution.
I submitted a plugin to WordPress and I got feedback that I have to escape this one:
$active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'front_page_options';
Here’s my issue. I have a custom post type that I’m attaching a custom taxonomy to. This taxonomy will allow the admin to provide search suggestions that will ensure the post is found when a user searches. This taxonomy is also used on the front-end to autocomplete the search field with these suggestions.