I have an element in my front end that looks like this:
<div class="infinite-scroll" data-query-args="{&quot;post_type&quot;:&quot;post&quot;,&quot;tax_query&quot;:[{&quot;taxonomy&quot;:&quot;category&quot;,&quot;field&quot;:&quot;term_id&quot;,&quot;terms&quot;:62}]}"></div>
It’s a container for triggering an infinite scroll that I made. Since I want it to work with multiple queries and multiple front-end situations, the simplest way to make it work was to put the JSON-encoded WP query directly in the element and pass it back to the server when loading more posts.
This feels like a security issue to me, so what’s the right way to make sure this can’t be exploited? I’m not saving any of that string in the DB so I don’t see how I can make sure it’s secure.
If it’s an all-around bad idea then I can restructure it, but I’d rather not since the queries can get a little more complex with tags, multiple categories, search terms, etc. The only proper alternative I can think of is a data- attribute for each item in the query (data-post-type, data-tax-query, etc.), but it’s a lot more work.
Thanks
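One way to keep the round-tripped JSON while making tampering useless, as an added example that is not part of the question above: the server generates the query JSON, signs it with a keyed hash, and emits both in the container; the AJAX handler refuses any JSON whose signature does not match, then still runs the decoded array through an allowlist before handing it to WP_Query. All `my_is_*` function and action names, the `my_is_nonce` action and the `query_args`/`query_sig`/`paged` POST fields are assumptions for this example; the WordPress functions used (`wp_hash`, `wp_json_encode`, `check_ajax_referer`, `wp_send_json_error`, `post_type_exists`, `taxonomy_exists`, etc.) are real core functions.

```php
<?php
// Added example, not code from the question. All my_is_* names are hypothetical.

// The only top-level WP_Query keys the client is ever allowed to echo back.
const MY_IS_ALLOWED_KEYS = ['post_type', 'tax_query', 's', 'posts_per_page'];

// Render the container. The JSON string is produced and signed here, never by the browser.
function my_is_render_container(array $args): string {
    $json = wp_json_encode($args);
    $sig  = wp_hash($json, 'nonce'); // HMAC keyed with the site's NONCE_KEY/NONCE_SALT
    return sprintf(
        '<div class="infinite-scroll" data-query-args="%s" data-query-sig="%s"></div>',
        esc_attr($json),
        esc_attr($sig)
    );
}

// Turn the echoed-back JSON into a safe WP_Query array, or null if it must be rejected.
function my_is_validate_args(string $json, string $sig): ?array {
    // 1. Anything not produced by my_is_render_container() fails the signature check.
    if (!hash_equals(wp_hash($json, 'nonce'), $sig)) {
        return null;
    }
    $args = json_decode($json, true);
    if (!is_array($args)) {
        return null;
    }

    // 2. Defence in depth: drop unknown keys and re-validate the ones we keep,
    //    so a leaked or reused signature still cannot widen the query.
    $args = array_intersect_key($args, array_flip(MY_IS_ALLOWED_KEYS));

    if (isset($args['post_type'])) {
        $types = array_map('sanitize_key', (array) $args['post_type']);
        $args['post_type'] = array_values(array_filter($types, 'post_type_exists'));
        if (!$args['post_type']) {
            return null;
        }
    }

    if (isset($args['tax_query'])) {
        if (!is_array($args['tax_query'])) {
            return null;
        }
        foreach ($args['tax_query'] as $i => $clause) {
            if ($i === 'relation') {
                $args['tax_query'][$i] = (strtoupper((string) $clause) === 'OR') ? 'OR' : 'AND';
                continue;
            }
            if (!is_array($clause) || !isset($clause['taxonomy'], $clause['terms'])) {
                return null;
            }
            $tax = sanitize_key($clause['taxonomy']);
            if (!taxonomy_exists($tax)) {
                return null;
            }
            // Rebuild the clause from scratch: only taxonomy and numeric term IDs survive.
            $args['tax_query'][$i] = [
                'taxonomy' => $tax,
                'field'    => 'term_id',
                'terms'    => array_map('absint', (array) $clause['terms']),
            ];
        }
    }

    if (isset($args['s'])) {
        $args['s'] = sanitize_text_field((string) $args['s']);
    }

    // 3. Values the client must never control, regardless of what the JSON said.
    $args['posts_per_page'] = min(50, max(1, absint($args['posts_per_page'] ?? 10)));
    $args['post_status']    = 'publish';
    $args['has_password']   = false;
    return $args;
}

// AJAX endpoint for both logged-in and anonymous visitors.
// The JS posts: action=my_is_load_more, nonce, query_args, query_sig, paged.
function my_is_ajax_load_more(): void {
    check_ajax_referer('my_is_nonce', 'nonce');

    $json = (string) wp_unslash($_POST['query_args'] ?? '');
    $sig  = (string) wp_unslash($_POST['query_sig']  ?? '');
    $args = my_is_validate_args($json, $sig);
    if ($args === null) {
        wp_send_json_error('invalid query', 400);
    }

    // Paging is the only per-request change, so it lives outside the signed string.
    $args['paged'] = max(1, absint($_POST['paged'] ?? 1));

    $query = new WP_Query($args);
    ob_start();
    while ($query->have_posts()) {
        $query->the_post();
        echo '<article><a href="' . esc_url(get_permalink()) . '">' . esc_html(get_the_title()) . '</a></article>';
    }
    wp_reset_postdata();
    wp_send_json_success(['html' => ob_get_clean(), 'more' => $args['paged'] < $query->max_num_pages]);
}
add_action('wp_ajax_my_is_load_more',        'my_is_ajax_load_more');
add_action('wp_ajax_nopriv_my_is_load_more', 'my_is_ajax_load_more');
```

The signature check only works if the browser sends back the attribute value byte-for-byte, so the JavaScript should read `el.dataset.queryArgs` (which already un-escapes the `&quot;` entities) and post that string unchanged rather than re-serialising a parsed object. The nonce handed to the script with `wp_create_nonce('my_is_nonce')` covers request forgery; the `wp_hash` signature covers tampering with the query; the allowlist covers the case where either of those is ever misconfigured.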