Looking at the Codex for wp_insert_post() it states that this function “…sanitizes variables, does some checks, fills in missing variables like date/time, etc.”
Just wondering whether I need to do any further sanitization to prevent XSS hacks and the like or whether enough is being done through the function.
To be honest, I’ve checked through the function in core and haven’t found any wp_kses() or other sanitization on post_content for example, so I’m a little concerned. All I can see that it does is stripslashes_deep() on the data.
So should I be running wp_kses() or anything else when I build my arguments to wp_insert_post()?
What’s the best practice here? The Codex is pretty cavalier about security in its example.
The topic ‘How secure/sanitized is wp_insert_post()’ is closed to new replies.
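An added example, not from the original thread: sanitizing untrusted form input explicitly before it is handed to wp_insert_post(), rather than relying on whatever the function does internally. The form field names, nonce action and allowed-tag list are assumptions.

```php
<?php
// Added example (not from the original thread): sanitize untrusted form
// input ourselves before it reaches wp_insert_post().
// Field names ('my_title', 'my_body', 'my_nonce') and the nonce action
// 'my_create_post' are assumptions.

function my_create_post_from_form() {
    // Only accept the submission from a user allowed to publish, and only
    // when the nonce issued with the form verifies (CSRF protection).
    if ( ! current_user_can( 'publish_posts' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $nonce = isset( $_POST['my_nonce'] ) ? $_POST['my_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'my_create_post' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    // Tight allow-list of tags/attributes we are willing to store.
    // Everything else (script, iframe, on* handlers, ...) is stripped by wp_kses().
    $allowed_html = array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );

    // WordPress adds slashes to $_POST; remove them, then sanitize each
    // field according to what it is allowed to contain.
    $raw_title = isset( $_POST['my_title'] ) ? wp_unslash( $_POST['my_title'] ) : '';
    $raw_body  = isset( $_POST['my_body'] ) ? wp_unslash( $_POST['my_body'] ) : '';

    $postarr = array(
        'post_title'   => sanitize_text_field( $raw_title ),   // plain text only
        'post_content' => wp_kses( $raw_body, $allowed_html, wp_allowed_protocols() ),
        'post_status'  => 'draft',              // never let the form choose the status
        'post_type'    => 'post',
        'post_author'  => get_current_user_id(),
    );

    // wp_insert_post() expects slashed data (it unslashes internally), so
    // re-slash the sanitized array; request a WP_Error instead of 0 on failure.
    $post_id = wp_insert_post( wp_slash( $postarr ), true );
    return is_wp_error( $post_id ) ? $post_id : (int) $post_id;
}
```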