#1 Escaping, validation

"When writing code that will run across hundreds if not thousands of websites, you should be extra cautious of how you handle data coming into WordPress and how it's then presented to the end user." - codex.wordpress.org

Escaping: Securing Output

Escaping means stripping out unwanted data, like malformed HTML or script tags. Whenever you’re rendering data, make sure to properly escape it.

Core functions

One of the questions with core functions is whether their output needs to be escaped or not. WordPress core has been meticulously documented in the last few years: every function and almost every line of code. Read this documentation to better understand what a function does, why and how.

A good example you can find in core is the_title(). When it is used in a link's title attribute, theme authors quite often escape it. It’s not just that it doesn’t need escaping (because it is already escaped in core), but WordPress already has a function, the_title_attribute(), that does all that work for you.

Besides core functions (new ones are added with every version), WordPress is full of filters and actions which allow you to modify just the parts you need modified and keep the integration with core as your environment.

One such example is the post thumbnail functionality (wp-includes/post-thumbnail-template.php), which was tremendously expanded in version 4.4, giving developers a great deal of control, especially through the post_thumbnail_size, post_thumbnail_html and the_post_thumbnail_caption filter hooks and a couple more action hooks.

Type of value

Another question is what type of value you want to escape. Is it a number, a string? What is the right way to escape that specific value?

Translations should always be escaped.

In general, when you want to escape a value inside an attribute you’ll use esc_attr(). Outside of an attribute you’ll want to use esc_html(). These functions have versions for escaping translations, depending on whether you want to return or echo the value:

Then you get into the specific ones: esc_js(), esc_url(), esc_url_raw() (for saving to the database, which needs validation before saving) and esc_textarea().

Also, you can do all sorts of custom escaping with wp_kses().

Sanitization: Securing Input

Sanitization is the process of cleaning or filtering your input data. Whether the data comes from a user, an API or a web service, you sanitize when you don’t know what to expect.

For starters, we should all agree that escaping (fundamentally, sanitizing input and escaping output) is a critical aspect of web application security.

- Nick Daugherty

WordPress has a number of built-in helper functions for sanitizing input; sanitize_html_class(), sanitize_title_with_dashes(), sanitize_text_field(), sanitize_email() and sanitize_meta() are just a few of them. Using these functions is an easy and effective way to ensure you end up with safe data.

Custom functions

Always look into the core code to get a better idea of the correct way of validating and sanitizing data before saving. Before creating a custom function, make sure that WordPress doesn’t already have a function for it, because if it does, all plugins will rely on that function, its hooks and its security. All of this will break in your theme if you use a custom function instead.

It’s important to treat WordPress as an environment and to be aware, when developing a theme, that the theme won’t be used in isolation.

Data Validation

Data validation is the process of analyzing the data against a predefined pattern (or patterns) with a definitive result: valid or invalid. Data validation should be performed as early as possible. That means validating the data before performing any actions.

When you're playing "Rock, paper, scissors" you're not expecting someone to throw a meteor.

- Jose Castaneda

Simple examples of data validation:

  • Check that required fields have not been left blank.
  • Check that an entered phone number only contains numbers and punctuation.
  • Check that an entered postal code is a valid postal code.
  • Check that a quantity field is greater than 0.
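As an added example (not code from the original article or from WordPress core), the following theme snippet walks data through the three steps described above: sanitizing and validating on input, then escaping on output with the function chosen by context, including the the_title_attribute() case from the Core functions section. The text domain 'mytheme', the theme mod 'mytheme_cta_url' and the meta key '_mytheme_quantity' are assumed names.

```php
<?php
// Added example, not code from the original article or from WordPress core.
// Assumed/hypothetical names: text domain 'mytheme', theme mod
// 'mytheme_cta_url' and post meta key '_mytheme_quantity'.

// --- Input: sanitize, then validate, before anything is stored. ---

// Customizer sanitize callback. esc_url_raw() is the database-bound variant:
// it drops disallowed protocols (e.g. javascript:) without HTML-encoding.
function mytheme_sanitize_cta_url( $value ) {
    $url    = esc_url_raw( trim( (string) $value ) );
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    // Validation is a definite yes/no: anything that is not http(s) is rejected.
    return in_array( $scheme, array( 'http', 'https' ), true ) ? $url : '';
}

add_action( 'customize_register', function ( $wp_customize ) {
    $wp_customize->add_setting( 'mytheme_cta_url', array(
        'default'           => '',
        'sanitize_callback' => 'mytheme_sanitize_cta_url',
    ) );
} );

// Quantity field: valid only if it is an integer greater than 0.
function mytheme_validate_quantity( $raw ) {
    $qty = filter_var( $raw, FILTER_VALIDATE_INT );
    return ( false !== $qty && $qty > 0 ) ? $qty : false;
}

// --- Output: escape in the template, choosing the function by context. ---
function mytheme_render_entry_link() {
    $url = get_theme_mod( 'mytheme_cta_url', '' );
    $qty = mytheme_validate_quantity( get_post_meta( get_the_ID(), '_mytheme_quantity', true ) );
    $qty = $qty ? $qty : 1;
    // the_title_attribute() strips tags and escapes for attribute context in
    // core, so wrapping the_title() in esc_attr() here would be redundant.
    ?>
    <a href="<?php echo esc_url( $url ? $url : get_permalink() ); ?>"
       title="<?php the_title_attribute(); ?>"
       data-quantity="<?php echo esc_attr( $qty ); ?>">
        <?php the_title(); ?>
    </a>
    <p class="<?php echo esc_attr( sanitize_html_class( 'offer-' . $qty ) ); ?>">
        <?php esc_html_e( 'Read more', 'mytheme' ); ?>
    </p>
    <?php
}
```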

Finding code online

It also happens that authors find a piece of code online without knowing whether it is deprecated or outdated, and without fully understanding what that piece of code does and why. More often than not, this practice will hurt you as a developer and your theme's users, and waste reviewers’ time. All theme developers should visit the #themereview Slack channel and ask all their questions there.

Useful Links