[wp-hackers] Sanitizing PHP code snippets in meta

Brian Layman wp-hackers at thecodecave.com
Mon Aug 20 00:56:53 UTC 2012


Not when you are putting it in the database, but DEFINITELY any time you 
display it.

Sending it through esc_html() before display would be good.

Brian Layman

On 8/19/2012 6:06 PM, Drew wrote:
> Hey all,
>
> I'm working on a project where I need to store PHP code snippets in meta
> for a custom post type.
>
> I'll be using a textarea field for entry in deference to wp_editor (mostly
> due to wanting to use a syntax highlighter).
>
> Just wondering whether I need to sanitize that data in some way before
> storing it in the database. I don't know if some form of kses is already
> being run on custom fields and whether there's a security/stability
> argument to be made about storing or not storing code snippets in this way.
>
> Appreciate any insight,
>
> Drew
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
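Added example for the advice above (not code from the thread or from WordPress core): a meta box that saves a PHP snippet from a textarea into post meta unchanged, and then escapes it with esc_html() at display time. The post type 'snippet', the meta key '_snippet_code', the nonce name and the shortcode name are assumptions; wp_unslash() and the save_post_{post_type} hook are current WordPress API, newer than this 2012 thread. The unsafe and safe render functions sit side by side to show the difference.

```php
<?php
/*
 * Added example, not from the thread. Assumed names: post type 'snippet'
 * (registered elsewhere), meta key '_snippet_code' (the leading underscore
 * keeps it out of the generic Custom Fields box), nonce 'snippet_code_nonce'.
 */

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'snippet_code', 'PHP snippet', 'snippet_code_meta_box', 'snippet' );
} );

function snippet_code_meta_box( $post ) {
    wp_nonce_field( 'save_snippet_code', 'snippet_code_nonce' );
    $code = get_post_meta( $post->ID, '_snippet_code', true );
    // Inside a <textarea> the right escape is esc_textarea(): the stored
    // snippet comes back byte-for-byte when the form is submitted again.
    echo '<textarea name="snippet_code" rows="12" style="width:100%">'
        . esc_textarea( $code ) . '</textarea>';
}

add_action( 'save_post_snippet', function ( $post_id ) {
    if ( ! isset( $_POST['snippet_code_nonce'] )
        || ! wp_verify_nonce( $_POST['snippet_code_nonce'], 'save_snippet_code' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) || wp_is_post_autosave( $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['snippet_code'] ) ) {
        return;
    }
    // Store the snippet as typed. WordPress adds slashes to $_POST, so strip
    // them; do not run kses or strip_tags here, they would mangle '<?php',
    // '$a < $b' and similar. Stored text is inert: nothing here ever eval()s it.
    $code = wp_unslash( $_POST['snippet_code'] );
    update_post_meta( $post_id, '_snippet_code', $code );
} );

// Unsafe: echoes the raw snippet. Any <script> or HTML typed into the
// textarea is rendered by the visitor's browser (stored XSS).
function snippet_render_unsafe( $post_id ) {
    $code = get_post_meta( $post_id, '_snippet_code', true );
    return '<pre><code>' . $code . '</code></pre>';
}

// Safe: esc_html() turns < > & " ' into entities, so the browser shows the
// code as text while a client-side highlighter still sees the original characters.
function snippet_render_safe( $post_id ) {
    $code = get_post_meta( $post_id, '_snippet_code', true );
    return '<pre><code class="language-php">' . esc_html( $code ) . '</code></pre>';
}

// Assumed shortcode for embedding a snippet in a post: [php_snippet id="123"]
add_shortcode( 'php_snippet', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    return snippet_render_safe( (int) $atts['id'] );
} );
```

The save handler is deliberately not a sanitizer: the capability check and nonce decide who may write, and the snippet itself is left alone because it is only ever shown, never executed. The one place a mistake turns into a vulnerability is the output function, which is why esc_html() goes there, in every template or shortcode that prints the meta.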
