[wp-hackers] Saving input from untrusted users

Philip M. Hofer (Frumph) philip at frumph.net
Tue Dec 21 22:56:12 UTC 2010


Nacin, what would the function wp_filter_nohtml_kses() be used for then? 
That's what I'm using, and I might be using it wrong.

----- Original Message ----- 
From: "Andrew Nacin" <wp at andrewnacin.com>
To: <wp-hackers at lists.automattic.com>
Sent: Tuesday, December 21, 2010 2:51 PM
Subject: Re: [wp-hackers] Saving input from untrusted users


> On Tue, Dec 21, 2010 at 12:12 PM, Ken (WraithKenny) <ken.adcstudio at gmail.com> wrote:
>
>> Reading 'sanitize_text_field()' it looks like the sanitize functions
>> call kses functions so I guess I don't need to call it twice.
>
>
> Not in the case of sanitize_text_field(). That function is to sanitize text.
> kses is to sanitize HTML. I'm simplifying this here, of course, but here:
>
> So, you'd use sanitize_text_field() if you don't expect HTML at all in the
> input. It doesn't call kses at all, just strips a whole lot of bad stuff.
> (It does use a kses utility function in the process, but only to make sure
> it doesn't destroy content in the process.)
>
> You'd use kses if you are receiving HTML (a perfect example would be a
> comment; in practice this will typically be textareas) and need to make sure
> that nothing malicious is getting in. Thus a whitelist of HTML, attributes,
> and values.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
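The distinction Nacin draws above (a plain-text sanitizer that strips everything versus an allowlist HTML sanitizer that keeps only known-safe tags, attributes and values) modelled in a small stand-alone Python script. This is an added example, not WordPress code: `sanitize_text_field_like()` and `kses_like()` are hypothetical names, the allowlist and the sample inputs are constructed, and the rules are a loose sketch of the two approaches rather than a reimplementation of `sanitize_text_field()` or `wp_kses()`.

```python
import html
import re
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes permitted on it (roughly what a
# comment form might accept). Anything not listed is dropped, so event
# handlers such as onclick or style are never carried through.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "em": set(), "i": set(), "br": set(),
}
# URL schemes an href may use; javascript:, data: and friends are rejected.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def sanitize_text_field_like(value: str) -> str:
    """Plain-text field: no HTML is expected, so tags are removed outright,
    control bytes are dropped and whitespace is collapsed."""
    value = re.sub(r"<[^>]*>", "", value)                       # drop tags
    value = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", value)  # control chars
    return re.sub(r"\s+", " ", value).strip()                  # collapse whitespace


class _AllowlistHTML(HTMLParser):
    """Rebuilds the document from the parsed stream, emitting only allowed
    tags/attributes and re-escaping all text, so nothing unparsed leaks through."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped; its text content is still kept as text
        kept = []
        for name, val in attrs:
            if name not in ALLOWED[tag]:
                continue
            val = val or ""
            if name == "href" and not val.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # disallowed scheme: drop the attribute, keep the link text
            kept.append(f' {name}="{html.escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs decoded entities; escape again so text stays text.
        self.out.append(html.escape(data, quote=False))


def kses_like(value: str) -> str:
    """HTML field (e.g. a comment): keep only allowlisted markup."""
    parser = _AllowlistHTML()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input mixing an event handler, a script tag and a
    # javascript: link with legitimate formatting.
    sample = '<b onclick="x()">hi</b> <script>alert(1)</script> <a href="javascript:alert(1)">l</a>'
    print("text field :", sanitize_text_field_like(sample))
    print("html field :", kses_like(sample))
```

Note that the allowlist parser keeps the text inside a dropped tag (so `<script>alert(1)</script>` becomes the harmless text `alert(1)`), which is the same shape of result a tag-stripping allowlist produces; if a field should never contain markup at all, the text-field path is the right one, exactly as the reply says.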