How do I sanitize meta box contents to prevent XSS attacks?


I know how to sanitize meta box content like

<img src=x onerror=console.log(hey) /> 

But how about the following?

<img src=x onerror=console.log(hey)<img src="x" />

Tried the code below, but it doesn't seem to work.

wp_kses_post()

Tried using balanceTags(), stripslashes(), wp_kses_post(), etc.

sanitize_text_field() would work obviously, but it'd filter out all the HTML.

Answer by Moishy

If storing to the database you should use sanitize functions. If you're outputting to the browser you should use escape functions.

<?php
// esc_url() / esc_attr() only protect an attribute value that is enclosed in quotes;
// an unquoted attribute lets a space or a second "<" start a new attribute or tag.
?>
<img src="<?php echo esc_url( 'x' ); ?>" onerror="<?php echo esc_attr( 'console.log(hey)' ); ?>" /><img src="<?php echo esc_url( 'x' ); ?>" />

Using wp_kses()

<?php
$string = '<img src=x onerror=console.log(hey)<img src="x" />';

// Explicit allowlist: only <img src> and <p> survive; onerror is not listed, so it is dropped.
echo wp_kses( $string, array( 'img' => array( 'src' => array() ), 'p' => array() ) );
?>

or

<?php
// The 'data' context uses the restrictive default set from wp_kses_allowed_html( 'data' ),
// which is narrower than the 'post' set used by wp_kses_post().
echo wp_kses( $string, 'data' );
?>
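The sanitize-on-save, escape-on-output split described in the answer, carried through a complete meta box, as an added example that is not part of the original answer. The meta key my_html_note, the nonce names, the function names prefixed my_note_ and the allowlist contents are all illustrative choices made for this example; the WordPress functions themselves (wp_kses, wp_unslash, wp_nonce_field, wp_verify_nonce, current_user_can, update_post_meta, get_post_meta, esc_textarea) are the real APIs.

```php
<?php
/*
 * Added example, not the original answer's code: a meta box whose HTML value
 * is filtered with wp_kses() before it reaches the database and filtered again
 * when it is rendered. Names prefixed my_note_, the meta key 'my_html_note'
 * and the nonce names are assumptions made for this example.
 */

// Explicit allowlist. Event-handler attributes (onerror, onload, ...) are never
// listed, so wp_kses() drops them when it rebuilds each tag from this table.
// For src/href, wp_kses() also rejects values whose scheme is not in wp_allowed_protocols().
function my_note_allowed_html() {
    return array(
        'p'      => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
        'img'    => array( 'src' => array(), 'alt' => array(), 'width' => array(), 'height' => array() ),
    );
}

// Sanitize step: applied to the raw submitted value, before update_post_meta().
function my_note_sanitize( $raw ) {
    // WordPress adds slashes to $_POST; remove them first so that escaped quotes
    // cannot be used to confuse the attribute parser.
    $unslashed = wp_unslash( $raw );
    // wp_kses() splits the input into tags, keeps only allowlisted elements and
    // attributes and re-emits the tag, so a malformed payload such as
    //   <img src=x onerror=console.log(hey)<img src="x" />
    // comes out without its onerror handler.
    return wp_kses( $unslashed, my_note_allowed_html() );
}

function my_note_register_meta_box() {
    add_meta_box( 'my_note_box', 'HTML note', 'my_note_render_box', 'post' );
}
add_action( 'add_meta_boxes', 'my_note_register_meta_box' );

function my_note_render_box( $post ) {
    wp_nonce_field( 'my_note_save', 'my_note_nonce' );
    $value = get_post_meta( $post->ID, 'my_html_note', true );
    // Escape step for the editor form: esc_textarea() so the stored HTML cannot
    // close the <textarea> and inject markup into the admin screen.
    echo '<textarea name="my_html_note" rows="6" style="width:100%">'
        . esc_textarea( $value )
        . '</textarea>';
}

function my_note_save( $post_id ) {
    // Nonce, autosave and capability checks before trusting anything in $_POST.
    if ( ! isset( $_POST['my_note_nonce'] )
        || ! wp_verify_nonce( $_POST['my_note_nonce'], 'my_note_save' ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['my_html_note'] ) ) {
        return;
    }
    update_post_meta( $post_id, 'my_html_note', my_note_sanitize( $_POST['my_html_note'] ) );
}
add_action( 'save_post', 'my_note_save' );

// Escape step for the front end: filter again at render time, so a value written
// by older code or edited directly in the database is still held to the allowlist.
function my_note_render_front( $post_id ) {
    $value = get_post_meta( $post_id, 'my_html_note', true );
    return wp_kses( $value, my_note_allowed_html() );
}

// Usage in a template: echo my_note_render_front( get_the_ID() );
```

Filtering on both sides is deliberate: the save-time wp_kses() keeps bad markup out of the database, and the render-time wp_kses() means the page stays safe even if something else (an import, a plugin, a direct SQL edit) writes to the same meta key. If the value is ever placed inside an attribute rather than in element content, switch the output call to esc_attr() with the attribute quoted, because wp_kses() does not protect an attribute context.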