Reply To: Is sanitization required for front end form?

  • Thanks for raising this @Sarah, I was wondering the same thing.

    Skimming through the code it looks like most of the actual data saving seems to be via prepared statements or sql escaped sql code (@Elliot is that right??) so I think you’re right in thinking that it’s the output escaping that needs to be watched out for…

    The approach I’m taking now is following the codex guide on output sanitisation (http://codex.wordpress.org/Data_Validation).

    So for anything on the form that needs to contain some html I’m using wp_kses() or wp_kses_post(), anything that comes from a field not allowed to have html tags gets echoed through esc_html().
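The context-by-context escaping the reply describes, written out as an added template example (this is not the poster's code, nor code from the plugin the forum belongs to). It assumes a constructed `$fields` array standing in for values already read back from the database, and it uses only WordPress's real escaping functions (`esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses_post()`, `wp_kses()`), so it only runs inside a WordPress template.

```php
<?php
// Added example: rendering stored front-end form values in a WordPress template.
// $fields is a constructed stand-in for values loaded from post meta; the values
// are deliberately hostile so the effect of each escaping function is visible.
$fields = array(
    'title'   => 'Report <script>alert(1)</script>',                          // plain-text field
    'bio'     => '<p>Hi <strong>there</strong></p><script>alert(1)</script>', // rich-text field
    'website' => 'javascript:alert(1)',                                       // URL field
    'note'    => '" onmouseover="alert(1)',                                   // lands in an attribute
);

// BEFORE: values echoed raw. Saving them with prepared statements protects the
// database, not the visitor's browser: the script tags below would execute.
// echo '<h2>' . $fields['title'] . '</h2>';
// echo '<div class="bio">' . $fields['bio'] . '</div>';
// echo '<a href="' . $fields['website'] . '">site</a>';
// echo '<span title="' . $fields['note'] . '">x</span>';

// AFTER: escape for the context the value lands in.
?>
<h2><?php echo esc_html( $fields['title'] ); ?></h2>
<!-- text context: esc_html() converts < > & " ' to entities, so the tag is shown, not run -->

<div class="bio"><?php echo wp_kses_post( $fields['bio'] ); ?></div>
<!-- rich-text context: wp_kses_post() keeps the tags allowed in post content
     (p, strong, a, ...) and removes <script> tags and event-handler attributes;
     the text that was inside the script element remains as plain text -->

<a href="<?php echo esc_url( $fields['website'] ); ?>">site</a>
<!-- URL context: esc_url() returns an empty string for a scheme it does not
     allow, such as javascript:, so the link is neutralised -->

<span title="<?php echo esc_attr( $fields['note'] ); ?>">x</span>
<!-- attribute context: esc_attr() encodes the quote, so the value cannot close
     the attribute and start a new one -->

<?php
// For a field that may only carry inline formatting, pass wp_kses() a tighter
// allow-list than wp_kses_post(): here <p> is dropped, <strong> and <a href> kept.
$inline_allowed = array(
    'strong' => array(),
    'em'     => array(),
    'a'      => array( 'href' => array(), 'title' => array() ),
);
echo wp_kses( $fields['bio'], $inline_allowed );
```

The rule of thumb the block illustrates is that the escaping function is chosen by where the output lands (text node, attribute, URL, rich HTML), not by which form field it came from; a value that is safe in one context can still break out in another.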