[wp-hackers] Saving input from untrusted users
Ken (WraithKenny)
ken.adcstudio at gmail.com
Mon Dec 20 23:42:36 UTC 2010
Anyone can register to this blog and add meta data from this plugin,
so before releasing, I need to tighten it up...
Where I have the plugin saving to meta_data, I have:
add_filter( 'my_filter', 'wp_kses_post' );
add_filter( 'my_filter', 'wptexturize' );
add_filter( 'my_filter', 'convert_chars' );
and:
$output = apply_filters( 'my_filter', $input );
My question is, do I need an esc_html() on those also, and am I running
those in the right order? I've tested and it appears to be working
(except wptexturize only does the ” version of quotes, so something's
busted.)
I also have a url field which I'm running:
$output = str_replace( "http://", "", esc_url_raw( $input, array( 'http' ) ) );
before saving and on output in the theme, I manually put the http://
back in. Is that enough to be safe or should it have the above
filters?
I've been searching through the source all day, and as far as I can
tell, kses doesn't seem to be run on the_content for example (that I
could find). As you can tell, this is all relatively new to me. Thanks
for your help,
Ken
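The pattern the post is asking about (filter untrusted meta on save, escape again on output) written out as an added example; this is not code from the original message or from any WordPress plugin. It assumes a current WordPress install is loaded, and the meta keys (`_example_text`, `_example_url`), the form field and nonce names, the filter name `example_meta_sanitize` and every `example_*` function are hypothetical. Unlike the post, it stores the URL with its scheme intact so the output-time escaper can re-validate it, and it applies wptexturize/convert_chars at display time rather than before saving.

```php
<?php
// Added example, not from the original post. Assumes WordPress is loaded;
// all example_* names, meta keys and field names are hypothetical.

// Storage-time sanitizer for free-text meta: wp_kses_post() keeps only the
// HTML that is allowed in post content and drops event handlers, scripts, etc.
add_filter( 'example_meta_sanitize', 'wp_kses_post' );

// Storage-time sanitizer for the URL field. esc_url_raw() is the database
// variant (no entity encoding); with an explicit protocol list it returns ''
// for anything that is not http:// or https://, so a javascript: URL is
// never persisted.
function example_sanitize_url( $input ) {
    return esc_url_raw( trim( (string) $input ), array( 'http', 'https' ) );
}

// Runs on save_post: verify the nonce and capability, then store the
// sanitized values. Raw $_POST values are never written to meta.
function example_save_meta( $post_id ) {
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // wp_unslash() undoes the magic-quotes style slashing WordPress adds.
    $text = isset( $_POST['example_text'] ) ? wp_unslash( $_POST['example_text'] ) : '';
    $url  = isset( $_POST['example_url'] )  ? wp_unslash( $_POST['example_url'] )  : '';

    update_post_meta( $post_id, '_example_text', apply_filters( 'example_meta_sanitize', $text ) );
    update_post_meta( $post_id, '_example_url',  example_sanitize_url( $url ) );
}
add_action( 'save_post', 'example_save_meta' );

// Output side, called from a theme template inside the loop. The stored text
// is already kses-filtered; the presentational filters (curly quotes, entity
// conversion) run here, and wp_kses_post() is applied once more as
// defence in depth against values written before the filter existed.
function example_render_meta( $post_id ) {
    $text = get_post_meta( $post_id, '_example_text', true );
    $url  = get_post_meta( $post_id, '_example_url', true );

    echo wp_kses_post( convert_chars( wptexturize( $text ) ) );

    if ( '' !== $url ) {
        // esc_url() is the attribute-context escaper; esc_html() for the
        // visible link text. Both are output-time escapes, distinct from the
        // storage-time esc_url_raw() above.
        printf( '<a href="%s">%s</a>', esc_url( $url ), esc_html( $url ) );
    }
}
```

The split is the point: sanitizing functions (wp_kses_post, esc_url_raw) decide what is allowed into the database; escaping functions (esc_html, esc_url) make the stored value safe for the specific HTML context it is printed into, and they are applied regardless of how the value got there.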