Escaping HTML in WP PHP
https://codex.wordpress.org/Data_Validation#Output_Sanitation
https://codex.wordpress.org/I18n_for_WordPress_Developers
esc_html() vs esc_html__(): https://wordpress.stackexchange.com/questions/244867/can-someone-explain-the-use-cases-of-esc-html/286688
esc_html: https://wordpress.stackexchange.com/questions/46113/esc-html-security-what-for-in-this-example
https://wordpress.stackexchange.com/questions/243545/how-to-escape-html-code-with-html-allowed
wp_kses(): https://codex.wordpress.org/Function_Reference/wp_kses
How to escape properly: https://github.com/WordPress/WordPress-Coding-Standards/issues/1270
CssTricks article: https://css-tricks.com/introduction-to-wordpress-front-end-security-escaping-the-things/
Random
Link example
<a href="<?php the_permalink(); ?>" title="<?php the_title_attribute(); ?>"> <?php the_title(); ?> </a>
absint example
<?php $volume_level = absint( $_POST['volume_level'] ); update_post_meta( get_the_ID(), 'volume_level', $volume_level );
verify nonce
<?php
if ( wp_verify_nonce( $_POST['nonce'], 'update_email' ) && is_email( $_POST['email'] ) ) {
    update_post_meta( get_the_ID(), 'email', sanitize_email( $_POST['email'] ) );
}
Escaping
esc-html-e
<h1><?php esc_html_e( 'Blog', 'textdomain' ); ?></h1>
Esc JS
<script>
    var name = '<?php echo esc_js( $_POST['name'] ); ?>';
</script>
<a href="<?php echo esc_url( home_url( '/blog/' ) ); ?>" onclick="<?php echo esc_js( 'alert("Welcome " + name);' ); ?>">
    <?php _e( 'Blog', 'textdomain' ); ?>
</a>
Esc Textarea
<label>
    <span><?php _e( 'Label', 'textdomain' ); ?></span>
    <textarea name="message"><?php echo esc_textarea( $_POST['message'] ); ?></textarea>
</label>
Esc Url
<a href="<?php echo esc_url( home_url( '/' ) ); ?>">
    <img src="<?php echo esc_url( get_stylesheet_directory_uri() . '/img/logo.png' ); ?>" />
</a>
Esc HTML
<h1><?php echo esc_html( $title ); ?></h1>
Esc attr e
<input name="s" placeholder="<?php esc_attr_e( 'Search', 'textdomain' ); ?>" />
Esc attr
<div class="<?php echo esc_attr( $_POST['layout'] ); ?>"> Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy... </div>
Validation
Validate Postal Code
<?php
$postal_code = $_POST['postal_code'];
// Anchor the pattern: unanchored, '/[0-9]{5}/' accepts any value that merely contains five digits.
// The D modifier stops '$' from also matching before a trailing newline.
if ( preg_match( '/^[0-9]{5}$/D', $postal_code ) ) {
    update_post_meta( get_the_ID(), 'postal_code', $postal_code );
}
validate Email
<?php
// Since WordPress 4.6 the third argument is an args array. The sanitize callback runs on every
// update of this key; is_email() returns the address or false, so an invalid value is stored empty.
register_meta( 'post', 'email', array( 'sanitize_callback' => 'is_email' ) );
update_post_meta( get_the_ID(), 'email', $_POST['email'] );
Validate excerpt (safe HTML)
<?php
// Truncate first, close any tag the cut left open (balanceTags), then keep only the HTML wp_kses_post() allows.
$excerpt = wp_kses_post( balanceTags( substr( $_POST['content'], 0, 300 ), true ) );
update_post_meta( get_the_ID(), 'excerpt', $excerpt );
Validate safe html
<?php $message = wp_kses_post( $_POST['message'] ); update_post_meta( get_the_ID(), 'message', $message );
Sanitization
Sanitize postal code
<?php $postal_code = preg_replace( '/[^0-9]/', '', $_POST['postal_code'] ); update_post_meta( get_the_ID(), 'postal_code', $postal_code );
Sanitize html class
<?php $html_class = sanitize_html_class( $_POST['html_class'] ); update_post_meta( get_the_ID(), 'html_class', $html_class );
Sanitize Text Field
<?php $title = sanitize_text_field( $_POST['title'] ); update_post_meta( get_the_ID(), 'title', $title );
Sanitize Title
<?php $slug = sanitize_title( $_POST['title'], 'untitled' ); update_post_meta( get_the_ID(), 'slug', $slug );
Sanitize Email
<?php $email = sanitize_email( $_POST['email'] ); update_post_meta( get_the_ID(), 'email', $email );
Sanitize URL
<?php $url = esc_url_raw( $_POST['url'] ); update_post_meta( get_the_ID(), 'url', $url );
Sanitize MIME type
<?php $mime_type = sanitize_mime_type( $_FILES['upload']['type'] ); update_post_meta( get_the_ID(), 'mime_type', $mime_type );
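The snippets above are shown one function at a time. The following is an added example (not code from the page or from WordPress core) that puts them together into one save/render cycle: nonce check, validation, sanitization bound to the meta key via register_meta(), and context-specific escaping on output. It assumes it is loaded inside WordPress; the meta keys, form field names and nonce action are made up for illustration.

```php
<?php
// Added example, not from the page or WordPress core. Assumes WordPress is
// loaded (e.g. a theme's functions.php); 'profile_email', 'profile_bio',
// the form field names and the nonce action are invented for illustration.

// Attach sanitization to the meta keys themselves, so EVERY
// update_post_meta() call for these keys is filtered, not just ours.
add_action( 'init', function () {
    register_meta( 'post', 'profile_email', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'sanitize_email',   // drops characters not valid in an address
        'auth_callback'     => function () { return current_user_can( 'edit_posts' ); },
    ) );
    register_meta( 'post', 'profile_bio', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'wp_kses_post',     // keeps only HTML allowed in post content
    ) );
} );

// Save: verify the nonce first, validate, then store. The callbacks
// registered above sanitize the values on their way into the database.
function example_save_profile( $post_id ) {
    $nonce = isset( $_POST['profile_nonce'] ) ? $_POST['profile_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'save_profile_' . $post_id ) ) {
        return; // missing or stale nonce: ignore the request
    }
    if ( isset( $_POST['profile_email'] ) && is_email( $_POST['profile_email'] ) ) {
        update_post_meta( $post_id, 'profile_email', $_POST['profile_email'] );
    }
    if ( isset( $_POST['profile_bio'] ) ) {
        update_post_meta( $post_id, 'profile_bio', $_POST['profile_bio'] );
    }
}
add_action( 'save_post', 'example_save_profile' );

// Output: choose the escaper by the HTML context the value lands in (URL,
// attribute, text node, rich HTML). Stored data is escaped again here;
// sanitizing on input does not replace escaping on output.
function example_render_profile( $post_id ) {
    $email = get_post_meta( $post_id, 'profile_email', true );
    $bio   = get_post_meta( $post_id, 'profile_bio', true );
    ?>
    <a href="<?php echo esc_url( 'mailto:' . $email ); ?>"
       data-email="<?php echo esc_attr( $email ); ?>"><?php echo esc_html( $email ); ?></a>
    <div class="bio"><?php echo wp_kses_post( $bio ); ?></div>
    <?php
}
```

The form that posts to this handler must include `wp_nonce_field( 'save_profile_' . $post_id, 'profile_nonce' )` so the action string and field name match what the handler verifies.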