Reply To: Is sanitization required for front end form?
Thanks. I have done some initial testing.
If one has a front end form with a text field, a malicious user could potentially input <script>alert("You've been hacked");</script> and, if echo get_field() or the_field() is used to output that field, the script will then run.
As far as I understand it, one would therefore use echo esc_html(get_field(...)); to escape the data on output (or esc_attr, esc_url, etc. as appropriate).
I think this needs highlighting right at the top of your Front End form ‘how-to’!
What I have yet to establish is whether any additional sanitization needs to be done before the data is input to the database. According to http://codex.wordpress.org/Class_Reference/wpdb#UPDATE_rows, $wpdb->update takes raw input values (they should not be SQL escaped) – so perhaps that’s enough?
The only thing that bothers me is that potentially one could then still end up with malicious JS in the DB – maybe the answer is to use esc_html on input to the DB as well as on output.
Any further thoughts welcome…
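As an added example (not part of the original post, and not ACF's own documentation or code), here is how the two concerns raised above fit together in a WordPress template: escaping on output according to the HTML context the value lands in, and sanitizing on input before the value is stored. It assumes WordPress and ACF are loaded (a theme template or plugin file); the field name 'bio', the functions prefixed demo_, the form field names and the nonce action are placeholders chosen for the example.

```php
<?php
// Added example, not from the original post or from ACF. Assumes WordPress and
// ACF are loaded. 'bio', the demo_ function names, the form field names and the
// nonce action are hypothetical placeholders.

// ---- Output side: every dynamic value is escaped for the context it is printed in ----
function demo_render_bio_form( $post_id ) {
    $current = get_field( 'bio', $post_id ); // raw value as stored in the database
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'demo_save_bio', 'demo_bio_nonce' ); ?>
        <input type="hidden" name="demo_post_id" value="<?php echo esc_attr( $post_id ); ?>">
        <!-- attribute context: esc_attr() -->
        <input type="text" name="demo_bio" value="<?php echo esc_attr( $current ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
    // VULNERABLE: printing the stored value unescaped lets a submitted
    // <script>...</script> execute in every visitor's browser.
    // echo get_field( 'bio', $post_id );

    // SAFE: HTML body context; esc_html() turns < > & " ' into entities,
    // so the stored string is shown as text instead of being parsed as markup.
    echo '<p>' . esc_html( $current ) . '</p>';
}

// ---- Input side: verify the request, sanitize, then store ----
function demo_handle_bio_submit() {
    if ( ! isset( $_POST['demo_bio'], $_POST['demo_post_id'], $_POST['demo_bio_nonce'] ) ) {
        return;
    }
    // Reject forged or replayed submissions (CSRF).
    if ( ! wp_verify_nonce( $_POST['demo_bio_nonce'], 'demo_save_bio' ) ) {
        wp_die( 'Invalid request' );
    }
    $post_id = (int) $_POST['demo_post_id'];
    // Only users who may edit this post can change its field.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Not allowed' );
    }
    // Plain-text field: strip tags and control characters before storage.
    // wp_unslash() undoes the slashes WordPress adds to $_POST.
    $bio = sanitize_text_field( wp_unslash( $_POST['demo_bio'] ) );
    // If the field is meant to hold limited HTML, use wp_kses_post() instead.

    // ACF writes the meta through WordPress' own prepared queries,
    // so the value is passed raw: no manual SQL escaping here.
    update_field( 'bio', $bio, $post_id );
}
add_action( 'init', 'demo_handle_bio_submit' );
```

Input-side sanitization addresses the worry about script ending up in the database (sanitize_text_field strips the tags before the value is stored), but it does not replace output escaping: other code paths (the admin screen, imports, older rows) can still write unescaped content, and the correct escaping function depends on where the value is printed, which is only known at output time. Use esc_html for element content, esc_attr inside attributes and esc_url for href or src values.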