I read how to sanitize, validate and escape text fields, and I know wp_insert_post sanitizes all fields using wp_kses except allowed HTML tags.
However, I'm new to development and would like confirmation that I'm going in the right direction.
Now, I'm creating a user-submitted frontend form.
There are several input fields:
1) Post title, type: text, sanitize method I've used: sanitize_text_field( $_POST['post_title'] )
2) Post content, type: textarea, sanitize method I've used: None, because of allowed HTML tags, for example <h1> or <img>. I do not sanitize; wp_insert_post will sanitize tags except allowed HTML tags.
3) URL, type: URL, sanitize method I've used: esc_url( strtok( $_POST['url'], '?' ) ) // Strip query string and sanitize.
4) Coupon code, type: text, sanitize method I've used: sanitize_text_field( $_POST['coupon'] )
5) Price, type: text, sanitize method I've used: sanitize_text_field( $_POST['price'] )
6) Image file (thumbnail), type: file, sanitize method I've used: sanitize_file_name( $_FILES['file']['name'] )
7) Category, type: int, sanitize method I've used: None, but I validate whether the value is an int or not using absint(), or by setting the type with (int)
Is there anything else that I have to be concerned about?
I would like to know the way to secure my website.
The official documentation recommends using wp_strip_all_tags for the post title field; however, I just use sanitize_text_field. Actually, I don't know the difference between wp_strip_all_tags and sanitize_text_field exactly. sanitize_text_field has more security features than wp_strip_all_tags, but in light of the official documentation, wp_strip_all_tags is enough for sanitizing. Am I right?
Any tips are appreciated. Thank you in advance! :)
asked May 2, 2020 at 17:20 by hiyohiyo; edited May 9, 2020 at 13:40 by Johansson

1 Answer
If calling sanitize_text_field(), it actually calls an internal function _sanitize_text_fields() and adds a filter for override. So first look at _sanitize_text_fields(), which actually does:
- Checks for invalid UTF-8
- Converts single < characters to entities
- Strips all tags <--------- including wp_strip_all_tags() here
- Removes line breaks, tabs, and extra whitespace
- Strips octets

That means if calling sanitize_text_field(), it already includes wp_strip_all_tags() in the task list. It is a pretty safe and generic method to sanitize any text.

By referring to the source code, it is known that the following use wp_strip_all_tags():
- sanitize_user(), including some special character checking
- wp_trim_words()
- wp_html_excerpt()
- wp_setup_nav_menu_item()
- comment's wp_blacklist_check()
- send_recovery_mode_email() ... etc.

Because wp_strip_all_tags() strips all tags, including styles and script and their content, it is a very useful tool and good for making any custom solutions if needed.

And according to the source code, IDs and HTTP status codes are being sanitized by absint().

So I think what you are doing is enough.
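As an added example (not code from the question or the answer above), here is one way to wire the seven fields from the question into a WordPress handler that sanitizes each of them the way the thread discusses and adds the validation steps sanitization alone does not cover: a nonce and login check before any data is trusted, a shape check on the price, a check that the category term actually exists, and a file-type check on the thumbnail, which lives in $_FILES rather than $_POST. The field names (post_title, post_content, url, coupon, price, category, thumbnail), the nonce action 'submit_deal' with field name 'deal_nonce', the meta keys and the function name are all assumptions made for this example; the WordPress functions called are the real core APIs.

```php
<?php
// Added example, not from the question or answer. Assumes a frontend form that
// posts to admin-post.php with a hidden action=submit_deal field and a nonce
// created by wp_nonce_field( 'submit_deal', 'deal_nonce' ). Field names below
// are assumptions for this example.

function my_handle_deal_submission() {
    // 1. Authorization first: a logged-in user and a nonce proving intent.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required.', '', array( 'response' => 403 ) );
    }
    if ( ! isset( $_POST['deal_nonce'] ) || ! wp_verify_nonce( $_POST['deal_nonce'], 'submit_deal' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 2. Sanitize and validate each field. wp_unslash() undoes WordPress's magic-quotes slashing.
    $title = sanitize_text_field( wp_unslash( $_POST['post_title'] ?? '' ) );
    if ( '' === $title ) {
        wp_die( 'Title is required.' );
    }

    // Content: wp_kses_post() applies the same allowed-tag list that wp_insert_post()
    // applies for users without the unfiltered_html capability, so filtering here
    // makes the allowed markup explicit instead of implicit.
    $content = wp_kses_post( wp_unslash( $_POST['post_content'] ?? '' ) );

    // URL: drop the query string, then esc_url_raw() for storage (esc_url() is for output)
    // and restrict the scheme to http/https so javascript: and data: URLs are rejected.
    $url = esc_url_raw( strtok( wp_unslash( $_POST['url'] ?? '' ), '?' ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_die( 'A valid http(s) URL is required.' );
    }

    $coupon = sanitize_text_field( wp_unslash( $_POST['coupon'] ?? '' ) );

    // Price: sanitize_text_field() only strips tags and whitespace; it does not make
    // a string numeric, so enforce the expected shape explicitly.
    $price_raw = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    if ( ! preg_match( '/^\d{1,9}(\.\d{1,2})?$/', $price_raw ) ) {
        wp_die( 'Price must be a number such as 19.99.' );
    }
    $price = (float) $price_raw;

    // Category: absint() yields a non-negative integer, not proof the term exists.
    $category = absint( $_POST['category'] ?? 0 );
    if ( ! term_exists( $category, 'category' ) ) {
        wp_die( 'Unknown category.' );
    }

    // 3. Insert the post with every field already cleaned; hold it for moderation.
    $post_id = wp_insert_post( array(
        'post_title'    => $title,
        'post_content'  => $content,
        'post_status'   => 'pending',
        'post_author'   => get_current_user_id(),
        'post_category' => array( $category ),
        'meta_input'    => array(
            'deal_url'    => $url,
            'deal_coupon' => $coupon,
            'deal_price'  => $price,
        ),
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_die( esc_html( $post_id->get_error_message() ) );
    }

    // 4. Thumbnail: uploads arrive in $_FILES, not $_POST. Sanitize the name, let
    //    WordPress verify that the extension and the real file content agree, and
    //    only then move it into the uploads directory as an attachment.
    if ( ! empty( $_FILES['thumbnail']['name'] ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        require_once ABSPATH . 'wp-admin/includes/image.php';
        require_once ABSPATH . 'wp-admin/includes/media.php';
        $_FILES['thumbnail']['name'] = sanitize_file_name( $_FILES['thumbnail']['name'] );
        $type = wp_check_filetype_and_ext( $_FILES['thumbnail']['tmp_name'], $_FILES['thumbnail']['name'] );
        if ( empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
            wp_die( 'Thumbnail must be an image.' );
        }
        $attachment_id = media_handle_upload( 'thumbnail', $post_id );
        if ( ! is_wp_error( $attachment_id ) ) {
            set_post_thumbnail( $post_id, $attachment_id );
        }
    }
    return $post_id;
}
add_action( 'admin_post_submit_deal', 'my_handle_deal_submission' );
```

On the title question raised in the thread: because _sanitize_text_fields() calls wp_strip_all_tags() internally, sanitize_text_field() is a superset of it; the extra work it does (rejecting invalid UTF-8, entity-encoding a lone "<", collapsing whitespace and removing percent-encoded octets) is why it is the better default for a single-line field. The point the example adds is that neither function validates meaning: the price and category checks above are what stop a well-formed but wrong value from reaching the database.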