[wp-hackers] Saving input from untrusted users

Andrew Nacin wp at andrewnacin.com
Tue Dec 21 22:51:52 UTC 2010

On Tue, Dec 21, 2010 at 12:12 PM, Ken (WraithKenny) <ken.adcstudio at gmail.com
> wrote:

> Reading 'sanitize_text_field()' it looks like the sanitize functions
> call kses functions so I guess I don't need to call it twice.

Not in the case of sanitize_text_field(). That function is to sanitize text.
kses is to sanitize HTML. I'm simplifying this here, of course, but here:

So, you'd use sanitize_text_field() if you don't expect HTML at all in the
input. It doesn't call kses at all, just strips a whole lot of bad stuff.
(It does use a kses utility function in the process, but only to make sure
it doesn't destroy content in the process.)

You'd use kses if you are receiving HTML (a perfect example would be a
comment; in practice this will typically be textareas) and need to make sure
that nothing malicious is getting in. Thus a whitelist of HTML, attributes,
and values.

More information about the wp-hackers mailing list