templates/templates/map-global.php.
This was not the correct fix. The JSON data should not be (directly) in a div element. Instead it should be in a script element with type=application/json. If it is in the correct element type, it does not need escaping (and should not be).
The existence of the data in a display element (regardless of the inline style hack with display: none; visibility: hidden) causes SEO issues. Search engines regard it as content for the page (they often ignore CSS and style properties), include it in indexing, and may even include it in a snippet in search results.
This is a bug report. (I don’t know where else to report bugs.)
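The two ways of embedding the map data side by side, as an added example that is not the plugin's own template code. The $markers array is constructed, and the element id "map-data" is an assumption. The one hazard with a data block is a literal "</script" inside a string value, which would end the element early; wp_json_encode() escapes "/" by default and JSON_HEX_TAG additionally turns "<" and ">" into \u003C and \u003E, so no HTML escaping is needed and esc_attr() must not be applied.

```php
<?php
// Added example, not the plugin's code: emitting JSON for a front-end map
// script. $markers is constructed sample data; the "map-data" id is assumed.
$markers = array(
    array( 'lat' => 51.5, 'lng' => -0.12, 'title' => "St Paul's </script><b>x" ),
);

// Wrong: the data sits in a display element. esc_attr() mangles the JSON
// (quotes become &quot;) and hidden text is still indexable page content.
printf(
    '<div id="map-data" style="display:none;visibility:hidden">%s</div>',
    esc_attr( wp_json_encode( $markers ) )
);

// Right: a data block. Browsers neither render nor execute it, so it needs
// no HTML escaping. wp_json_encode() already emits "<\/script>" for a
// closing tag inside a string; JSON_HEX_TAG and JSON_HEX_AMP additionally
// encode "<", ">" and "&" as \u escapes, so "<" never appears raw.
printf(
    '<script type="application/json" id="map-data">%s</script>',
    wp_json_encode( $markers, JSON_HEX_TAG | JSON_HEX_AMP )
);
?>
<script>
  // Reading it back: the text content is parsed as data, never evaluated.
  var markers = JSON.parse( document.getElementById( 'map-data' ).textContent );
</script>
```

The same pattern applies to wp_add_inline_script() or wp_localize_script() output: the value is JSON in a script context, so JSON encoding is the escaping, and HTML entity escaping on top of it corrupts the data.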

I’m using the “Plugin Check” plugin to review the plugin (displayed at https:Manna-network.com/demo) before submitting to the WordPress repo. The checker generated a ton of errors, all related to escaping the plugin’s output to the browser. I’ve gone through and “fixed” about a third of them (using esc_attr()), but it doesn’t “feel” right, and I am asking if I am doing it right. I am seeing that everything that the checker is requiring me to escape is 100% trusted content from my own database. It seems all these calls to the esc_attr function are redundant and unnecessary. Am I missing something? Am I correct but it’s “just the way it is”, etc.?
In the documentation it says “escaping late makes sure that you’re keeping the future you safe. While today your code may be only outputted hardcoded content, that may not be true in the future. By taking the time to properly escape when you echo, you prevent a mistake in the future from becoming a critical security issue”.
So it acknowledges “outputted hardcoded content” is perfectly safe but holds that we need to escape because “that may not be true in the future”?
That seems nonsensical. Am I missing something?
Thanks.

    // Allow <iframe> (with only these attributes) through wp_kses in the 'post' context.
    add_filter( 'wp_kses_allowed_html', 'acf_add_allowed_iframe_tag', 10, 2 );
    function acf_add_allowed_iframe_tag( $tags, $context ) {
        if ( $context === 'post' ) {
            $tags['iframe'] = array(
                'src'             => true,
                'height'          => true,
                'width'           => true,
                'frameborder'     => true,
                'allowfullscreen' => true,
            );
        }
        return $tags;
    }
So then I tried to build something similar to enable SCRIPT tags — I know they’re disabled to prevent XSS attacks, but my employer feels enabling them is worth the risk because we can just restore a backup.
This is my code to enable SCRIPT / JavaScript rendering — why isn’t this working?
    // Same pattern, attempting to allow <script> (with these attributes) in the 'post' context.
    add_filter( 'wp_kses_allowed_html', 'acf_add_allowed_script_tag', 10, 2 );
    function acf_add_allowed_script_tag( $tags, $context ) {
        if ( $context === 'post' ) {
            $tags['script'] = array(
                'async'          => true,
                'crossorigin'    => true,
                'defer'          => true,
                'integrity'      => true,
                'nomodule'       => true,
                'referrerpolicy' => true,
                'src'            => true,
                'type'           => true,
            );
        }
        return $tags;
    }

Thank you.

I have not studied PHP and I ask for help in solving my problem. The Code Editor requires escaping < for <?php. I have tried many escaping options, but I have not achieved the result. What should I wrap < in for the code to become correct for the shortcode?
This is my code:
    <div class="sitemap">
        <h2 class="sitemap-series">Series</h2>
        <?php
        // Build the "series" taxonomy list as a string (echo=0) instead of printing it.
        $variable = wp_list_categories( 'taxonomy=series&echo=0&show_count=1&orderby=term_group&order=ASC&hide_empty=1&use_desc_for_title=1&child_of=0&feed=/RSS&title_li=&depth=0&current_category=0&pad_counts=1&walker=Walker&hide_title_if_empty=false&separator=' );
        // Colour the "(count)" parentheses.
        $resultStr = str_replace( array( '(', ')' ), array( "<font color='#000000'>", '</font>' ), $variable );
        echo $resultStr;
        ?>
    </div>
Thanks!
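The post editor never executes PHP, so no amount of escaping "<" will make "<?php" run inside a shortcode. The listing has to live in a plugin or theme file as a shortcode handler that returns the markup. Below is an added example of that handler; it is not the poster's code. The shortcode name "series_sitemap" and the "sitemap-count" class are assumptions, and the deprecated <font> tag is replaced by a span.

```php
<?php
// Added example, not the poster's code: the series listing as a shortcode
// handler, so nothing PHP has to be typed into the post editor.
// Shortcode name and CSS class names are assumptions.
add_shortcode( 'series_sitemap', 'series_sitemap_shortcode' );

function series_sitemap_shortcode() {
    // 'echo' => false makes wp_list_categories() return the HTML instead of
    // printing it, which is what a shortcode callback must do.
    $list = wp_list_categories( array(
        'taxonomy'   => 'series',
        'echo'       => false,
        'show_count' => 1,
        'orderby'    => 'term_group',
        'order'      => 'ASC',
        'hide_empty' => 1,
        'title_li'   => '',
        'pad_counts' => 1,
    ) );

    if ( ! $list ) {
        return '';
    }

    // Wrap the "(n)" counters in a span instead of a deprecated <font> tag.
    $list = str_replace(
        array( '(', ')' ),
        array( '<span class="sitemap-count">(', ')</span>' ),
        $list
    );

    // The markup is generated by core, so a late wp_kses_post() keeps the
    // list, link and span tags while satisfying the output-escaping check;
    // esc_html() here would turn the whole list into visible tag soup.
    return '<div class="sitemap"><h2 class="sitemap-series">Series</h2>'
        . wp_kses_post( $list ) . '</div>';
}
```

With the file loaded, [series_sitemap] in the page content renders the block; the handler returns the string rather than echoing it so the output lands where the shortcode is placed.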

The example is available via the provided link.

In an AJAX call the server responds with some JSON: wp_send_json_success or wp_send_json_error. In particular I am doing this:
    echo wp_send_json_error(
        $email_confirmation->getData()
    );
But the code sniffer is unhappy with this and says I should escape the output:
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found ‘wp_send_json_success’.
How? Is there a function for escaping JSON?
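An added example of an AJAX handler that sends the error payload the way the API intends; it is not the poster's code. The 'wp_ajax_confirm_email' hook, the nonce action and the field name are assumptions, and $email_confirmation is replaced by a constructed array so the handler is self-contained. The point it shows: wp_send_json_error() encodes and prints the JSON itself and then calls wp_die(), so there is nothing for echo to print and nothing left to escape.

```php
<?php
// Added example, not the poster's code. Hook name, nonce action and field
// names are assumptions; the $data array is constructed.
add_action( 'wp_ajax_confirm_email', 'example_confirm_email_handler' );

function example_confirm_email_handler() {
    // Reject requests that do not carry the nonce issued with the form.
    check_ajax_referer( 'confirm_email', 'nonce' );

    // Client input is untrusted: strip WordPress's added slashes, then sanitize.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    if ( ! is_email( $email ) ) {
        $data = array( 'field' => 'email', 'message' => 'Invalid address' ); // constructed
        // No echo: wp_send_json_error() encodes $data with wp_json_encode(),
        // sends Content-Type: application/json and calls wp_die(), so it
        // never returns a value to print. JSON encoding is the escaping for
        // this output context; esc_html()/esc_attr() on it would corrupt it.
        wp_send_json_error( $data, 400 );
    }

    wp_send_json_success( array( 'email' => $email ) );
}
```

Dropping the echo also removes the sniff report, since that check only inspects echo/print statements and what is passed to them.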

on /wp-admin/options-general.php?page=custom-login
    #login > div{
        border: 3px solid #135e96;
    }
is being escaped on save to
    #login > div{
        border: 3px solid #135e96;
    }
Could you look into this, thanks
Carsten
Version 3.2.11

I’m using URL parameters to pre-populate a WP Forms field, as described in this tutorial: https://wpforms.com/developers/how-to-enable-dynamic-field-population/
The string I am putting into the URL parameter contains an apostrophe (the word don't), and when it appears in the field, it always appears with a backslash prepended (don\'t).
I’ve tried encoding the apostrophe in different ways:
– %27
– '
– '
Or leaving it as simply an apostrophe, or escaping it with a backslash in the URL parameter, but in all cases I get the same result (although if I try to escape the backslash, this also gets prepended, and I end up with don\\\’t).
Any suggestions for what I can try? Thanks in advance.
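The backslash is added by WordPress itself, not by the URL encoding: at load time core runs wp_magic_quotes(), which applies addslashes() to every value in $_GET, $_POST, $_COOKIE and $_REQUEST, so code that reads the parameter without wp_unslash() sees the slash. The following is an added example of reading a URL parameter into a field value; it is not the poster's or WPForms' code. The parameter name "prefill", the input markup and the simulated $_GET assignment are constructed for the example.

```php
<?php
// Added example, not the poster's or WPForms' code. Parameter name and
// markup are assumptions; $_GET is set by hand to mimic what core has done.

// WordPress's wp_magic_quotes() has already run addslashes() over $_GET, so
// the request ?prefill=don%27t arrives in plugin code as don\'t:
$_GET['prefill'] = "don\\'t"; // constructed, simulates the slashed superglobal

// Wrong: escaping the slashed value straight into the attribute.
function prefill_value_wrong() {
    return esc_attr( $_GET['prefill'] ); // don\&#039;t  (backslash survives)
}

// Right: wp_unslash() removes the added slashes, sanitize_text_field()
// cleans the untrusted input, and esc_attr() escapes it for the attribute.
function prefill_value() {
    if ( ! isset( $_GET['prefill'] ) ) {
        return '';
    }
    $value = sanitize_text_field( wp_unslash( $_GET['prefill'] ) );
    return esc_attr( $value ); // don&#039;t  (browser shows don't)
}

printf( '<input type="text" name="field" value="%s">', prefill_value() );
```

The order matters: unslash first, then sanitize, then escape at output. Trying to fix this in the URL (double-escaping the apostrophe) only adds more characters for addslashes() to act on, which is why the backslashes multiplied.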

Code
    // function definition
    function get_filter_list( $ids, $filters, $selected_filters ) {
        // some operation
        return $output;
    }
    // function call
    get_filter_list( $ids, $filters, $selected_filters );
Parameter data types
$ids = array of numeric ids
$filters = associative array of filter ids and names
$selected_filters = array of numeric ids
Like, which escaping functions should be applied to the function parameters $ids, $filters and $selected_filters: esc_attr(), esc_html(), wp_kses() or wp_kses_data()?
    get_filter_list( $ids, $filters, $selected_filters ); // escape parameters
Any help appreciated.
Reference: https://developer.www.ads-software.com/plugins/security/securing-output/
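An added example, not the poster's code, that serves this question and the earlier Plugin Check question about escaping "100% trusted" content. It shows where escaping belongs: not on the parameters, which are data, but at the point each value is written into HTML, using the function for that context. The body of get_filter_list(), the sample arrays, the class names and the allow-list are constructed for the example; sanitizing on input (absint() for ids, sanitize_text_field() for names, where the values enter the plugin) is the other half and is not shown.

```php
<?php
// Added example, not the poster's code. Markup, sample data and the wp_kses()
// allow-list are constructed; only the function name comes from the question.

// Parameters are data, not output, so nothing is escaped here. Each value is
// escaped where it lands in HTML: esc_attr() inside an attribute value,
// esc_html() for element text.
function get_filter_list( array $ids, array $filters, array $selected_filters ) {
    $output = '<ul class="filters">';
    foreach ( $ids as $id ) {
        if ( ! isset( $filters[ $id ] ) ) {
            continue;
        }
        $checked = in_array( $id, $selected_filters, true ) ? ' checked="checked"' : '';
        $output .= sprintf(
            '<li><label><input type="checkbox" name="filter[]" value="%s"%s> %s</label></li>',
            esc_attr( $id ),
            $checked,
            esc_html( $filters[ $id ] )
        );
    }
    return $output . '</ul>';
}

// Constructed data. Today the names come from the plugin's own table and the
// escaping inside get_filter_list() changes nothing visible. If a later change
// sources $filters from a term name or an option an editor role can write, the
// same code still renders the second name as text instead of executing it.
$ids      = array( 1, 2 );
$filters  = array( 1 => 'Colour', 2 => 'Size <script>alert(1)</script>' );
$selected = array( 2 );

// The checker only sees the echo statement, not what happens inside the
// function, so the returned HTML is also run through wp_kses() with an
// explicit allow-list at the point it is printed. Already-escaped entities
// such as &lt; pass through wp_kses() unchanged.
$allowed = array(
    'ul'    => array( 'class' => true ),
    'li'    => array(),
    'label' => array(),
    'input' => array( 'type' => true, 'name' => true, 'value' => true, 'checked' => true ),
);
echo wp_kses( get_filter_list( $ids, $filters, $selected ), $allowed );
// Second label renders as: Size &lt;script&gt;alert(1)&lt;/script&gt;
```

Applying esc_attr() or esc_html() to the arrays before the call would be wrong in both directions: an id escaped for an attribute and then used as an array key no longer matches, and a name escaped once on the way in and again on the way out shows up as &amp;lt; on the page.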