WordPress Sanitization & Escaping Quick Examples

What is Sanitization?

Cleaning untrusted input (form fields, query strings, REST bodies) into the exact shape you expect before it is stored or acted on. Sanitize early, at the point where the data enters your code.

What is Escaping?

Encoding a value for the context it is printed into (HTML body, attribute, URL, JavaScript, textarea) so it cannot be interpreted as markup or code. Escape late, at output, and pick the escaper that matches the context.


# Sanitize: Secure Input:

sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
esc_url_raw()
wp_filter_post_kses()
wp_filter_nohtml_kses()

# Escaping: Securing Output:

esc_html()
esc_url()
esc_js()
esc_attr() 
esc_textarea()

( with Localization )
esc_html__()
esc_html_e()
esc_html_x()
esc_attr__()
esc_attr_e()
esc_attr_x()


Examples ( Sanitize: Secure Input ):

sanitize_email()

$sanitized_email = sanitize_email( '     admin@example.com!     ' );
echo $sanitized_email; // Whitespace and the illegal trailing '!' are stripped; outputs 'admin@example.com'

sanitize_file_name()

echo sanitize_file_name("_profile pic--1_.png"); //Output "profile-pic-1_.png"

sanitize_html_class()

// If you want to style one post explicitly, use the sanitized post title as a CSS class
$post_class = sanitize_html_class( $post->post_title );
echo $post_class;

sanitize_key()

echo sanitize_key( "https://WordPress.org" ); // Output "httpswordpressorg" (lowercased; only a-z, 0-9, _ and - survive)

sanitize_meta()

// Runs the sanitize callback registered for this key with register_meta() (the 'sanitize_user_meta_birth-year' filter)
$clean_value = sanitize_meta( 'birth-year', $user_input, 'user' );

sanitize_mime_type()

// Keeps only letters, digits and the characters - + * . / (e.g. "image/svg+xml")
$clean_mime = sanitize_mime_type( $mime_type );

sanitize_option()

// Applies the sanitizer WordPress defines for that option name; for 'admin_email' that is sanitize_email() plus an is_email() check
$value = sanitize_option( 'admin_email', 'admin@example.com!' );

sanitize_sql_orderby()
Ensures a string is a valid SQL 'ORDER BY' clause (comma-separated column names, optionally followed by ASC or DESC); returns false otherwise.

$attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] ); // check for false before using it in a query

sanitize_text_field()

// $_POST is slashed by WordPress, so unslash before sanitizing; verify a nonce and capability before saving
$title = sanitize_text_field( wp_unslash( $_POST['title'] ) );
update_post_meta( $post->ID, 'title', $title );
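The snippet above shows the sanitize call in isolation. Below is an added example (not code from the original post) of the full round trip the page describes: sanitize on save, escape on output. It assumes it runs inside a WordPress plugin; the meta keys, nonce action, field names and text domain are made up for illustration.

```php
<?php
/**
 * Added example: save-and-render round trip for a post meta box.
 * Assumes WordPress is loaded (plugin context). Meta keys, nonce action,
 * field names and the 'example-domain' text domain are hypothetical.
 */

// Save handler: verify intent (nonce) and permission, unslash, sanitize, store.
function example_save_subtitle( $post_id ) {
    if ( ! isset( $_POST['example_subtitle_nonce'] ) ) {
        return;
    }
    // $_POST arrives slashed; unslash before anything touches the value.
    $nonce = sanitize_text_field( wp_unslash( $_POST['example_subtitle_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'example_save_subtitle_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }

    // Plain text field: strips tags, line breaks and extra whitespace.
    $subtitle = isset( $_POST['example_subtitle'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_subtitle'] ) )
        : '';
    // URL destined for the database: esc_url_raw(), not esc_url().
    $link = isset( $_POST['example_link'] )
        ? esc_url_raw( wp_unslash( $_POST['example_link'] ) )
        : '';

    update_post_meta( $post_id, '_example_subtitle', $subtitle );
    update_post_meta( $post_id, '_example_link', $link );
}
add_action( 'save_post', 'example_save_subtitle' );

// Meta box renderer: read stored values and escape each one for its context.
function example_render_subtitle_box( $post ) {
    $subtitle = get_post_meta( $post->ID, '_example_subtitle', true );
    $link     = get_post_meta( $post->ID, '_example_link', true );

    wp_nonce_field( 'example_save_subtitle_' . $post->ID, 'example_subtitle_nonce' );
    ?>
    <p>
        <label for="example_subtitle"><?php esc_html_e( 'Subtitle', 'example-domain' ); ?></label>
        <input type="text" id="example_subtitle" name="example_subtitle"
               value="<?php echo esc_attr( $subtitle ); ?>">
    </p>
    <p>
        <label for="example_link"><?php esc_html_e( 'Link', 'example-domain' ); ?></label>
        <input type="url" id="example_link" name="example_link"
               value="<?php echo esc_url( $link ); ?>">
    </p>
    <?php
}

function example_add_subtitle_box() {
    add_meta_box(
        'example_subtitle',
        __( 'Subtitle', 'example-domain' ),
        'example_render_subtitle_box',
        'post',
        'side'
    );
}
add_action( 'add_meta_boxes', 'example_add_subtitle_box' );

// Front end: the same stored value, escaped for HTML body context this time.
function example_the_subtitle() {
    $subtitle = get_post_meta( get_the_ID(), '_example_subtitle', true );
    if ( '' !== $subtitle ) {
        echo '<p class="subtitle">' . esc_html( $subtitle ) . '</p>';
    }
}
```

The same stored string is escaped three different ways depending on where it lands (attribute value, URL attribute, HTML text); the sanitization happened once, on save, after the nonce and capability checks passed.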

sanitize_title()

echo sanitize_title("Sanitizing, in WordPress"); //Output "sanitizing-in-wordpress"

sanitize_title_for_query()

$query['name'] = sanitize_title_for_query( $query['name'] );

sanitize_title_with_dashes()

echo sanitize_title_with_dashes("I'm in LOVE with WordPress!!!1"); // this will print: im-in-love-with-wordpress1

sanitize_user()
Strips HTML tags and entities and collapses whitespace; with $strict = true it additionally removes accents, percent-encoded characters, and everything except alphanumerics, _, space, ., - and @.

$user = sanitize_user( $user, true ); // second argument enables strict mode

esc_url_raw()
Use esc_url_raw() when the URL goes into the database, a redirect, or an HTTP request: it validates the URL but does not encode & as &amp;.
Use esc_url() when the URL is printed into HTML (href, src), where that entity encoding is wanted.

$url = esc_url_raw( 'https://wordpress.org/' );

wp_filter_post_kses()
Sanitizes content down to the HTML tags and attributes allowed for post content. It expects slashed input (it calls stripslashes() first) and returns slashed output, because it was built for the 'content_save_pre' filter; on unslashed data use wp_kses_post() instead.

$content = wp_filter_post_kses( 'This tag is <p> working</p>.' ); // <p> is allowed and kept

wp_filter_nohtml_kses()
Strips all HTML from the content. Same slashed-in, slashed-out behaviour as wp_filter_post_kses().

$content = wp_filter_nohtml_kses( 'This tag is <p> working</p>.' ); // "This tag is  working."
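The two kses filters above are thin wrappers around wp_kses(). The added example below (not from the original post) shows the whole family on one constructed piece of untrusted markup, including an explicit allowlist and the slashing difference between wp_filter_post_kses() and wp_kses_post(). It assumes WordPress is loaded; the input string is constructed for the demonstration.

```php
<?php
/**
 * Added example: the kses family on untrusted HTML.
 * Assumes WordPress is loaded. $untrusted is a constructed sample.
 */

// Constructed sample: markup a user might paste into a rich-text field.
$untrusted = '<p onclick="alert(1)">Hello <strong>world</strong></p>'
           . '<script>alert(document.cookie)</script>'
           . '<a href="javascript:alert(1)">link</a>';

// 1) wp_kses() with an explicit allowlist: only these tags and attributes survive.
//    <script> and onclick are removed outright; the javascript: scheme is stripped
//    from the href because it is not in wp_allowed_protocols().
$allowed = array(
    'p'      => array(),
    'strong' => array(),
    'a'      => array( 'href' => true, 'rel' => true ),
);
$limited = wp_kses( $untrusted, $allowed );

// 2) wp_kses_post(): the rules a post author gets (the 'post' context).
//    Takes unslashed input, as it comes from the database or a REST request.
$post_safe = wp_kses_post( $untrusted );

// 3) wp_filter_post_kses(): the same filtering, but it expects slashed input
//    (stripslashes() first, addslashes() on the result). Unslashing its output
//    gives exactly what wp_kses_post() returned for the unslashed input.
$slashed_in  = wp_slash( $untrusted );
$slashed_out = wp_filter_post_kses( $slashed_in );
$unslashed   = wp_unslash( $slashed_out ); // equal to $post_safe

// 4) wp_filter_nohtml_kses(): no tags allowed at all; same slashing behaviour.
$text_only = wp_unslash( wp_filter_nohtml_kses( $slashed_in ) );

// Filtering is not a substitute for output escaping: the HTML results are
// meant to be echoed as HTML (run them through wp_kses_post() again at output
// if they were stored unfiltered), while the text-only result is escaped
// like any other string.
echo wp_kses_post( $post_safe );
echo esc_html( $text_only );
```

Prefer an explicit allowlist (case 1) whenever the field has a known, narrow format; fall back to wp_kses_post() only when you genuinely need author-level HTML.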

Examples ( Escaping: Securing Output ):

esc_html()

echo esc_html( '<strong>text</strong> <b>bold</b>' );

esc_url()

<img src="<?php echo esc_url( 'https://wordpress.org/logo.png' ); ?>" />

esc_js()

// Only safe inside a single-quoted JavaScript string literal; for structured data prefer wp_json_encode() via wp_add_inline_script() or wp_localize_script()
var value = '<?php echo esc_js( $value ); ?>';

esc_attr()
Encodes the <, >, &, " and ' characters so a value cannot break out of an HTML attribute.

<?php $fname = isset( $_POST['fname'] ) ? wp_unslash( $_POST['fname'] ) : ''; ?>
<input type="text" name="fname" value="<?php echo esc_attr( $fname ); ?>">

esc_textarea()
Use esc_textarea() instead of esc_html() when printing text inside a <textarea>. esc_html() avoids double-encoding existing entities (a stored &amp; stays &amp;), whereas esc_textarea() double-encodes them (&amp; becomes &amp;amp;), so the textarea displays exactly the characters that were stored.

<textarea><?php echo esc_textarea( 'Content goes here.' ); ?></textarea>
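To make the double-encoding difference concrete, and to show the safer way to hand data to JavaScript than the esc_js() one-liner above, here is an added example (not code from the original post). It assumes WordPress is loaded; the stored string, script handle and REST route are constructed for illustration.

```php
<?php
/**
 * Added example: picking the escaper for the output context.
 * Assumes WordPress is loaded. $stored, the 'example-app' handle and the
 * 'example/v1/items' REST route are hypothetical.
 */

// Constructed stored value that already contains an encoded entity.
$stored = 'Tom &amp; Jerry <3';

// esc_html() does not double-encode: the existing &amp; is kept as &amp;,
// so the browser renders "Tom & Jerry <3". Use it for text between tags.
$html_ctx = esc_html( $stored );         // 'Tom &amp; Jerry &lt;3'

// esc_textarea() does double-encode (htmlspecialchars with double_encode=true),
// so the textarea shows the literal stored characters, including "&amp;".
$textarea_ctx = esc_textarea( $stored ); // 'Tom &amp;amp; Jerry &lt;3'

// JavaScript context: esc_js() is only correct inside a single-quoted JS string
// literal. Passing structured data through wp_json_encode() sidesteps the
// quoting problem and is how wp_add_inline_script() is meant to be used.
function example_enqueue_settings() {
    $settings = array(
        'label'    => 'Tom &amp; Jerry <3',
        'endpoint' => rest_url( 'example/v1/items' ),
    );
    wp_register_script( 'example-app', plugins_url( 'app.js', __FILE__ ), array(), '1.0', true );
    wp_add_inline_script(
        'example-app',
        'window.exampleSettings = ' . wp_json_encode( $settings ) . ';',
        'before'
    );
    wp_enqueue_script( 'example-app' );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_settings' );
?>
<p><?php echo $html_ctx; ?></p>
<textarea name="note"><?php echo $textarea_ctx; ?></textarea>
<!-- Legacy inline pattern: acceptable only because the value sits in a single-quoted string -->
<script>var legacy = '<?php echo esc_js( $stored ); ?>';</script>
```

If you view the rendered page, the paragraph and the textarea show different text for the same stored value: the paragraph displays the ampersand, the textarea displays the six characters of "&amp;" as typed.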

( with Localization )

esc_html__()

echo esc_html__('Text to translate', 'text-domain');

esc_html_e()

esc_html_e( 'Text to translate', 'text-domain' ); // echoes; no echo needed

esc_html_x()

echo esc_html_x( 'Date', 'post date', 'text-domain' ); // second argument is the translator context

esc_attr__()

echo esc_attr__('Text to translate', 'text-domain');

esc_attr_e()

esc_attr_e('Text to translate', 'text-domain');

esc_attr_x()

echo esc_attr_x( 'Date', 'post date', 'text-domain' );

Author: maheshwaghmare

WordPress Developer since 2012
