[wp-hackers] Saving input from untrusted users

Andrew Nacin wp at andrewnacin.com
Tue Dec 21 14:21:17 UTC 2010


On Mon, Dec 20, 2010 at 6:42 PM, Ken (WraithKenny)
<ken.adcstudio at gmail.com> wrote:

> Anyone can register to this blog and add meta data from this plugin,
> so before releasing, I need to tighten it up...
>
> Where I have the plugin saving to meta_data, I have:
>
> add_filter( 'my_filter', 'wp_kses_post'  );
> add_filter( 'my_filter', 'wptexturize'   );
> add_filter( 'my_filter', 'convert_chars' );
>
> and:
>
> $output = apply_filters( 'my_filter', $input );
>
> My question is, do I need an esc_html() on those also, and am I running
> those in the right order? I've tested and it appears to be working
> (except wptexturize only does the ” version of quotes, so something's
> busted.)
>
> I also have a url field which I'm running:
>
> $output = str_replace("http://", "", esc_url_raw( $input, array('http') ))
>
> before saving and on output in the theme, I manually put the http://
> back in. Is that enough to be safe or should it have the above
> filters?
>
> I've been searching through the source all day, and as far as I can
> tell, kses doesn't seem to be run on the_content for example (that I
> could find). As you can tell, this is all relatively new to me. Thanks
> for your help,
> Ken


Generalizing here: sanitization should be done on save, and escaping on
display.

So you'll want to run kses, absint, esc_url_raw, sanitize_text_field, what
have you, on save. Then, use esc_url, esc_html along with texturization or
whatever else you need, what have you, on output. There may be use cases for
running kses on display. We do it in some instances. But as long as the data
is safe going in, it's going to be safe coming out. (And if it isn't, then
you have a larger problem.)
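A worked save/display pair along the lines of this reply, as an added example and not code from the thread or from WordPress core itself. The `my_plugin` prefix, the `_my_plugin_*` meta keys and the form field names are assumed; the form is assumed to emit its nonce with `wp_nonce_field( 'my_plugin_save', 'my_plugin_nonce' )`. All functions called are core WordPress APIs, so the snippet runs as a plugin inside WordPress rather than stand-alone.

```php
<?php
/*
 * Added example (not from the thread): "sanitize on save, escape on display"
 * for user-supplied post meta. Plugin prefix, meta keys and field names are
 * assumed; everything else is core WordPress API.
 */

// --- SAVE: sanitize each value for its type before it reaches the database --
function my_plugin_save_meta( $post_id ) {
    // Only handle our own form submission, and only for users allowed to edit.
    if ( ! isset( $_POST['my_plugin_nonce'] )
        || ! wp_verify_nonce( $_POST['my_plugin_nonce'], 'my_plugin_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Rich text: keep only the HTML allowed in post content, drop everything else.
    $bio = isset( $_POST['my_plugin_bio'] )
        ? wp_kses_post( wp_unslash( $_POST['my_plugin_bio'] ) )
        : '';

    // Plain text: strip tags, invalid octets and stray whitespace.
    $tagline = isset( $_POST['my_plugin_tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['my_plugin_tagline'] ) )
        : '';

    // URL: store the database-safe form, restricted to http/https, with the
    // scheme kept intact so nothing has to be re-added at display time.
    $site = isset( $_POST['my_plugin_site'] )
        ? esc_url_raw( wp_unslash( $_POST['my_plugin_site'] ), array( 'http', 'https' ) )
        : '';

    // Integer: absint() reduces anything that is not a non-negative number to 0.
    $rank = isset( $_POST['my_plugin_rank'] ) ? absint( $_POST['my_plugin_rank'] ) : 0;

    update_post_meta( $post_id, '_my_plugin_bio', $bio );
    update_post_meta( $post_id, '_my_plugin_tagline', $tagline );
    update_post_meta( $post_id, '_my_plugin_site', $site );
    update_post_meta( $post_id, '_my_plugin_rank', $rank );
}
add_action( 'save_post', 'my_plugin_save_meta' );

// --- DISPLAY: escape each value for the context it lands in -----------------
function my_plugin_render_meta( $post_id ) {
    $bio     = get_post_meta( $post_id, '_my_plugin_bio', true );
    $tagline = get_post_meta( $post_id, '_my_plugin_tagline', true );
    $site    = get_post_meta( $post_id, '_my_plugin_site', true );
    $rank    = get_post_meta( $post_id, '_my_plugin_rank', true );

    // Text into HTML body: texturize first (it needs the raw quote characters),
    // then esc_html(), which leaves the entities texturize produced alone.
    echo '<p class="tagline">' . esc_html( wptexturize( $tagline ) ) . '</p>';

    // URL into an href attribute: esc_url() re-validates the scheme on output.
    if ( $site ) {
        echo '<a href="' . esc_url( $site ) . '">' . esc_html( $site ) . '</a>';
    }

    // Number into an attribute: esc_attr() on the already-integer value.
    echo '<span data-rank="' . esc_attr( $rank ) . '"></span>';

    // Allowed HTML saved through wp_kses_post(): apply the display-time
    // formatting filters here; running kses again on output is the optional
    // defence in depth the reply mentions.
    echo wp_kses_post( convert_chars( wptexturize( $bio ) ) );
}
```

The split matters because the two halves answer different questions: the save path decides what the stored value may contain (tags, scheme, numeric range), while the display path decides how that value is encoded for a particular HTML context. Keeping `wptexturize` on the display side, before `esc_html`, also explains Ken's quote problem: texturize looks for literal `"` characters, so it has to run before any escaping step turns them into `&quot;`.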

