[wp-hackers] Saving input from untrusted users

Ken (WraithKenny) ken.adcstudio at gmail.com
Mon Dec 20 23:42:36 UTC 2010

Anyone can register to this blog and add meta data from this plugin,
so before releasing, I need to tighten it up...

Where I have the plugin saving to meta_data, I have:

add_filter( 'my_filter', 'wp_kses_post'  );
add_filter( 'my_filter', 'wptexturize'   );
add_filter( 'my_filter', 'convert_chars' );


$output = apply_filters( 'my_filter', $input );

My question is, do I need a esc_html() on those also, and am I running
those in the right order? I've tested and it appears to be working
(except wptexturize only does the ” version of quotes, so somethings

I also have a url field which I'm running:

$output = str_replace("http://", "", esc_url_raw( $input, array('http') ))

before saving and on output in the theme, I manually put the http://
back in. Is that enough to be safe or should it have the above

I've been searching though the source all day, and as far as I can
tell, kses don't seem to be run on the_content for example (that I
could find). As you can tell, this is all relatively new to me. Thanks
for your help,

More information about the wp-hackers mailing list