Keeping it Clean: Sanitizing, Validating, and Escaping in WordPress

Transcript

1. KEEPING IT CLEAN Sanitizing, Validating, and Escaping in WordPress

2. ASSUME THAT EVERYONE AROUND YOU IS LYING (or clueless, confused,

   lost, can’t/won’t read, crazy)

3. FOUR STAGES OF DATA SAFETY Sanitization Validation Conditions Escaping Universal

   Actions Specific Actions INPUT OUTPUT

4. INPUT: SANITIZE FOR SANITY Save the Right Kind of Data

5. DISPLAY FEATURED IMAGE FOR GENESIS

6. MANAGE YOUR EXPECTATIONS If a value is supposed to be

   a number, make sure it’s saved as a number. If it’s supposed to be an image ID, make sure it’s a number. If it’s supposed to be a URL, make sure it’s a URL. …

7. BE RUTHLESS When you have a range of data that

   can be entered, make sure you sanitize it.

8. LITTLE BOBBY TABLES source: http:/ /xkcd.com/327/

9. SANITIZE Make sure what’s saved to the database is the

   correct format.

10. CORE SANITIZING FUNCTIONS Example functions: sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()

    sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()

11. ALSO CONSIDER: (bool) (int) intval() array_map() htmlspecialchars_decode() stripslashes() esc_url_raw( $url,

    (array) $protocols = null )

12. INPUT: VALIDATE FOR LOGIC Make Sure the Data Makes Sense

13. BE RUTHLESS Follow the whitelist philosophy with data validation, and

    only allow the user to input data of your expected type. If it's not the proper type, discard it.

14. BUT DOES IT MAKE SENSE? If a number needs to

    fall within a certain range, make sure it does.

15. BUT DOES IT MAKE SENSE?

16. OUTPUT: IT DEPENDS Use Conditionals To Make Smart Decisions

17. MAYBE I WILL, MAYBE I WON’T Use both WordPress conditionals

    and your own to make sure you’re only printing data when you can or should. http:/ /codex.wordpress.org/Con ditional_Tags

18. USE ALL THE TOOLS YOU CAN Make sure you’re debugging:

    define( 'WP_DEBUG', true ); define( 'SCRIPT_DEBUG', true ); Use plugins like Query Monitor, Debug Bar, or Hookr

19. OUTPUT: ESCAPE ALL THE THINGS

20. None

21. ESCAPE ALL THE THINGS “Escaping changes possibly evil content into

    safe content.” source: https:/ /css-tricks.com/introduction-to-wordpress-front-end-security-escaping-the-things/

22. ESCAPING FUNCTIONS •intval( $int ) or (int) $int •absint( $int

    ) •wp_kses( (string) $fragment, (array) $allowed_html, (array) $protocols = null ) •wp_rel_nofollow( (string) $html ) •wp_kses_allowed_html( (string) $context ) •esc_html( $text ) •esc_html__() •esc_html_e() •esc_textarea() •sanitize_text_field() •esc_attr( $text ) •esc_attr__() •esc_attr_e() •esc_js( $text ) •esc_url( $url, (array) $protocols = null ) •esc_url_raw( $url, (array) $protocols = null ) •urlencode( $scalar ) •urlencode_deep( $array ) •validate_file( (string) $filename, (array) $allowed_files = "" ) •wp_redirect($location, $status = 302) •wp_safe_redirect($location, $status = 302) •sanitize_title( $title ) •sanitize_user( $username, $strict = false ) •balanceTags( $html ) or force_balance_tags( $html ) •tag_escape( $html_tag_name ) •sanitize_html_class( $class, $fallback ) •is_email( $email_address )

23. BE RUTHLESS Escape data as much as possible on output

    to avoid XSS and malformed HTML.

24. SOURCES https:/ /css-tricks.com/introduction-to-wordpress-front-end-security-escaping- the-things/ https:/ /vip.wordpress.com/2014/06/20/the-importance-of-escaping-all-the- things/ https:/ /codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data https:/

    /ninjaforms.com/mr-mrs-null-form-validation-story/ http:/ /codex.wordpress.org/Conditional_Tags

25. THANK YOU robincornett.com @robincornett