A talk on escaping and security in WordPress and PHP
Escape From New York
Tom J Nowell
Validation, Sanitisation, Escaping
Validation: Is this what it claims to be?
Sanitisation: Let's clean up this input
Escaping: Making output safe
WordPress.com VIP, VIP Wrangler - @tarendai
'; DROP TABLE votes'
Search Results For:
Search Results For: ['s']; ?>
Test
alert("hey");
How to Escape
Sanitize early, Escape late, Escape often
No Data is Safe
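The three stages from the slides above (validate, sanitise early, escape late per output context), worked through in plain PHP so it runs without WordPress. This is an added example, not code from the talk; the request array is constructed, and the SQLite table and the `votes`/`name` fields are assumptions.

```php
<?php
// Added example, not from the talk. A constructed request with one value that
// claims to be a number and one that carries the slide's script payload.
$request = [
    'votes' => '12',
    'name'  => 'Test<script>alert("hey");</script>',
];

// 1. Validation: is this what it claims to be? Reject bad input, do not repair it.
$votes = filter_var(
    $request['votes'],
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0]]
);
if ($votes === false) {
    http_response_code(400);
    exit('votes must be a non-negative integer');
}

// 2. Sanitisation, done early (on input): remove what we never want to store.
//    The result is tidier but still untrusted; "no data is safe".
$name = trim(strip_tags($request['name']));   // Testalert("hey");

// 3. Escaping, done late (at output) and chosen per context.
//    HTML body context:
echo '<p>Search Results For: '
    . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    . "</p>\n";
//    HTML attribute context: ENT_QUOTES covers both quote styles, so a value
//    cannot close the attribute early.
echo '<input name="s" value="'
    . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    . "\">\n";

//    SQL context: do not escape by hand; bind the value so the slide's
//    "'; DROP TABLE votes" is stored as data rather than run as SQL.
//    (Assumes the pdo_sqlite extension; the table is constructed here.)
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE votes (name TEXT, votes INTEGER)');
$stmt = $pdo->prepare('INSERT INTO votes (name, votes) VALUES (:name, :votes)');
$stmt->execute([':name' => "'; DROP TABLE votes", ':votes' => $votes]);
echo $pdo->query('SELECT COUNT(*) FROM votes')->fetchColumn(), " row(s), table intact\n";
```

The point of keeping the stages separate: validation decides whether to accept the request at all, sanitisation changes what gets stored, and escaping is the only step that makes a particular output context safe, which is why it happens at every output and not once on the way in.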
Escape Everything..?
echo $var;
echo esc_html( $var );
class=""
class=""
href=""
href=""
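The search-results and attribute slides above, written out as a template that picks a different WordPress escaping function for each output context. This is an added example, not the talk's code; it assumes it runs inside a WordPress theme template where `get_query_var()`, `esc_html()`, `esc_attr()`, `esc_url()` and `esc_js()` exist, and `$cls` and `$link` are hypothetical untrusted values.

```php
<?php
// Added example, not from the talk. Assumes a WordPress template context.
$query = get_query_var( 's' );        // the search term from the "s" parameter
$cls   = $_GET['cls'] ?? '';          // hypothetical untrusted attribute value
$link  = $_GET['next'] ?? '';         // hypothetical untrusted URL

// Unescaped output: a search for  Test<script>alert("hey");</script>  runs the
// script in the visitor's browser.
// echo 'Search Results For: ' . $query;

// Escaped output: one function per context.
?>
<h1>Search Results For: <?php echo esc_html( $query ); ?></h1>

<div class="<?php echo esc_attr( $cls ); ?>">
    <a href="<?php echo esc_url( $link ); ?>">Next</a>
</div>

<script>
    // esc_js() is meant for a single-quoted JS string literal, so keep it in one.
    var term = '<?php echo esc_js( $query ); ?>';
</script>
<?php
// esc_html(): encodes <, >, &, " and ' so the payload renders as visible text.
// esc_attr(): the same encoding, for attribute values, so a value cannot close
//             the surrounding quote and start a new attribute.
// esc_url():  drops disallowed schemes such as javascript: and encodes the rest,
//             which esc_attr() alone would not do.
// esc_js():   escapes quotes, HTML specials and line endings for an inline
//             single-quoted JS string; it is not a general JavaScript encoder.
```

Escaping "often" means every `echo` of untrusted data gets its own call, even when the same variable was escaped a few lines earlier for a different context.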
wp_kses & wp_kses_post
echo apply_filters( 'the_content', wp_kses_post( $content ) );
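An added example (not from the talk) of what the `wp_kses_post` line above does and why the call order matters. It assumes a WordPress environment where `wp_kses_post()`, `wp_kses()` and `apply_filters()` exist; `$content` is a constructed string standing in for user-submitted HTML, and the `$allowed` list is an assumption.

```php
<?php
// Added example, not from the talk. Assumes WordPress is loaded.
// Constructed user-submitted HTML mixing wanted markup with unwanted pieces.
$content = '<p onclick="alert(1)">Hello <b>world</b></p>'
         . '<script>alert("hey")</script>'
         . '<a href="javascript:alert(1)">bad</a>'
         . '<a href="https://tomjn.com/escaping">good</a>';

// wp_kses_post() is a filter, not an escaper: it keeps the tags and attributes
// allowed in post content (p, b, a with href, ...) and removes the rest, here the
// script element, the onclick handler and the javascript: scheme on the href.
$clean = wp_kses_post( $content );

// Order matters. Filter the untrusted data first, then let the the_content
// filters (wpautop, shortcodes, oEmbed, ...) add their own markup on top.
// Filtering after apply_filters() would strip markup that trusted code generated.
echo apply_filters( 'the_content', $clean );

// When post-level HTML is more than a feature needs, pass an explicit allow-list
// to wp_kses() instead, e.g. links and emphasis only.
$allowed = [
    'a'      => [ 'href' => true, 'title' => true ],
    'em'     => [],
    'strong' => [],
];
echo wp_kses( $content, $allowed );
```

Use kses where the data is meant to be rendered as HTML; where it is meant to be text, `esc_html()` is the right tool and kses is not a substitute for it.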
tomjn.com/escaping
automattic.com/work-with-us/vip-wrangler/
Questions?
Tom J Nowell - WordPress.com VIP
@tarendai - tomjn.com