How to Escape Custom Function Parameters

  • Resolved FARAZFRANK

    (@farazfrank)


    How do I escape my custom function parameters?

    Code

    
    // function definition
    function get_filter_list($ids, $filters, $selected_filters) {
       // some operation
       return $output;
    }
    // function call
    get_filter_list($ids, $filters, $selected_filters);
    

    Parameter Data Type
    $ids = array of numeric ids
    $filters = associative array of filters ids and names
    $selected_filters = array of numeric ids

    That is, which escaping functions should be applied to the function parameters $ids, $filters and $selected_filters: esc_attr(), esc_html(), wp_kses() or wp_kses_data()?

    
    get_filter_list($ids, $filters, $selected_filters); // escape parameters
    

    Any help appreciated.

    Reference: https://developer.wordpress.org/plugins/security/securing-output/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator bcworkz

    (@bcworkz)

    Malicious data is always some sequence of text, so for numeric data, you can simply cast the data as a number. For example, for integers: $safe = (int) $suspect;

    For actual string data, the proper method depends on the intended use of the data. Use the functions as described in the doc you linked to. If you’re not sure which, try wp_kses_data(). That’s pretty safe.

    In the case of arrays, if they are well structured, you can use array_map() to apply the appropriate function to each element. For arrays not conducive to such treatment, you may need to resort to a custom foreach loop to target various elements within.

    Thread Starter FARAZFRANK

    (@farazfrank)

    Can you show me some example code?

    Wrote this on my lunch break for ya, it’s been a while since I’ve been on the forums but this should help. If you need to do something with the keys, you’ll probably want a foreach and to clone the $filters into a new modified version, but really without seeing what that array looks like I’ll be of little help.

    <?php
    function get_filter_list($ids, $filters, $selected_filters) {
    	// numeric ids: casting to int is the whole sanitisation
    	$ids = array_map( 'intval', $ids );
    	$selected_filters = array_map( 'intval', $selected_filters );
    
    	/*
    	Assuming the following
    	$filters = [
    		123 => 'someValue'
    	];
    	*/
    	// string values: escape each element, array_map() keeps the keys
    	$filters = array_map( 'esc_html', $filters );
    
    	return wp_json_encode( compact( 'ids', 'selected_filters', 'filters' ) );
    }
    
    //function call
    get_filter_list($ids, $filters, $selected_filters);

    Thread Starter FARAZFRANK

    (@farazfrank)

    @bcworkz really thanks for the help.
    @phyrax Your code helps me a lot.

    Finally, I found the solution and correct way:

    Actually, the question subject should be “How to escape custom function in WordPress?”.

    The function returns the HTML filter button tags wrapped in a div tag, like below:

    
    <div class='ufg-parent-filters'>
    	<div class='col-md-12 my-2'>
    		<button id='1evel1-all' class='ufg-all-filter-button ufg-parent-filters ufg-all-filter btn btn-sm btn-danger all mb-3 mr-2' onclick='return filter(this.id, this.value)' value='all'> All (3)</button>
    		<button id='1evel1-a-1' class='ufg-parent-filter-button ufg-parent-filters btn btn-sm btn-primary mb-3 mr-2 a-1' onclick='return filter(this.id, this.value)' value='a-1'> a</button>
    		<button id='1evel1-b-2' class='ufg-parent-filter-button ufg-parent-filters btn btn-sm btn-primary mb-3 mr-2 b-2' onclick='return filter(this.id, this.value)' value='b-2'> b</button>
    		<button id='1evel1-c-3' class='ufg-parent-filter-button ufg-parent-filters btn btn-sm btn-primary mb-3 mr-2 c-3' onclick='return filter(this.id, this.value)' value='c-3'> c</button>
    	</div>
    </div>
    

    And the escaping code I applied:

    
    <?php
    // the function returns ready-made HTML, so it is filtered as HTML on output
    $ufg_filter_results = get_filter_list($ids, $filters, $selected_filters);
    
    // tags and attributes wp_kses() may keep; everything else is stripped
    $ufg_filters_allowed = array(
    	'div' => array( 'class' => array(), 'id' => array()),
    	'button' => array ( 'id' => array(), 'class' => array(), 'value' => array(), 'onclick' => array()),
    );
    
    echo wp_kses($ufg_filter_results, $ufg_filters_allowed);
    ?>
    

    Hope this question will also help the others.

    References:
    https://developer.wordpress.org/plugins/security/securing-output/
    https://developer.wordpress.org/reference/functions/wp_kses/
    https://wordpress.stackexchange.com/questions/44764/typical-wp-kses-allowed

    Thanks
    Faraz
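    An added example (not code from the thread or from WordPress) that builds the same button markup as the final post but escapes each value in the context it lands in: intval for ids, esc_attr() for attribute values, esc_html() for button text. It keeps onclick out of the wp_kses() allowed list, since an allowed onclick passes any inline handler through the filter, and uses a data-filter attribute instead; the function name ufg_get_filter_list(), the data-filter attribute, the level1 id prefix and the stand-in esc_* helpers (so it also runs outside WordPress) are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes WordPress is loaded
// (esc_html, esc_attr, wp_kses); the stand-ins below let it run outside WP too.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
	function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
}

/**
 * Build the filter buttons, escaping each value for the context it lands in.
 * $ids / $selected_filters: numeric ids; $filters: id => display name.
 */
function ufg_get_filter_list( array $ids, array $filters, array $selected_filters ) {
	$ids      = array_map( 'intval', $ids );                       // numbers: cast, not escaped
	$selected = array_flip( array_map( 'intval', $selected_filters ) );

	$html  = "<div class='ufg-parent-filters'><div class='col-md-12 my-2'>";
	$html .= sprintf(
		"<button id='level1-all' class='ufg-all-filter-button btn btn-sm btn-danger mb-3 mr-2' data-filter='all'>All (%d)</button>",
		count( $ids )
	);
	foreach ( $ids as $id ) {
		if ( ! isset( $filters[ $id ] ) ) {
			continue;                                                // unknown id: drop it
		}
		$name  = (string) $filters[ $id ];
		$slug  = trim( strtolower( preg_replace( '/[^A-Za-z0-9]+/', '-', $name ) ), '-' ) . '-' . $id;
		$state = isset( $selected[ $id ] ) ? 'btn-danger' : 'btn-primary';
		$html .= sprintf(
			"<button id='level1-%s' class='ufg-parent-filter-button btn btn-sm %s mb-3 mr-2' data-filter='%s'>%s</button>",
			esc_attr( $slug ), $state, esc_attr( $slug ), esc_html( $name )  // attribute vs text context
		);
	}
	return $html . '</div></div>';
}

// Allowed list for the wp_kses() safety net. No onclick: an inline handler would
// pass through unchanged; a script bound to the buttons reads dataset.filter instead.
$ufg_filters_allowed = array(
	'div'    => array( 'class' => array() ),
	'button' => array( 'id' => array(), 'class' => array(), 'data-filter' => array() ),
);

// Constructed sample input; the second name carries characters that must not reach markup raw.
$ids              = array( 1, 2, 3 );
$filters          = array( 1 => 'a', 2 => "Tom's <b>deals</b>", 3 => 'c' );
$selected_filters = array( 2 );
$out = ufg_get_filter_list( $ids, $filters, $selected_filters );
echo function_exists( 'wp_kses' ) ? wp_kses( $out, $ufg_filters_allowed ) : $out;
```

    Because every value is escaped where it is inserted, wp_kses() here only has to reject tags or attributes that should never appear, rather than being the sole defence for untrusted text.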
