Home Forums Front-end Issues Is sanitization required for front end form? Reply To: Is sanitization required for front end form?

  • Thanks. I have done some initial testing.

    If one has a front end form with text field, a malicious user could potentially input <script>alert('You've been hacked');</script> and if echo get_field or the_field is used to output that field, the script will then run.

    As far as I understand it, one would therefore use echo esc_html (get_field(..)); to escape the data on output (or esc_attr, esc_url, etc as appropriate)

    I think this needs highlighting right at the top of your Front End form ‘how-to’!

    What I have yet to establish is whether any additional sanitization needs to be done before the data is input to the database. According to, $wpdb->update takes raw input values (they should not be SQL escaped) – so perhaps that’s enough?

    The only thing that bothers me is that potentially one could then still end up with malicious js script in the db – maybe the answer is to use esc_html on input to db as well as output.

    Any further thoughts welcome…