wp_specialchars and wp_specialchars_decode in a shortcode plugin

I have written my first plugin, a shortcode plugin. I have read about wp_specialchars and wp_specialchars_decode but I’m not sure how to use them. The plugin reads a shortcode allowing some parameters and it inserts a script in the page HTML code. For example, [MYSHORTCODE TITLE="a short title"] yields the following script code lines: $html …

What's the safest way to output custom JavaScript and CSS code entered by the admin in the Theme Settings?

I’m creating a theme in which I’ve created options for the admin to enter custom JavaScript and CSS code in the “Theme Settings” page (created using the Options API). Now I’m just not sure how to output this code in the best possible way. For the CSS I’ve decided to use wp_add_inline_style() and update a css …

How Flexible are the WordPress Coding Standards for PHPCS?

In my WordPress workflow I use Gulp and have a task that runs my PHP files through PHPCS using the WordPress coding standards tests (https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards). While writing my comments.php file, I have run across the following error: Expected next thing to be an escaping function (see Codex for 'Data Validation'), not '_x' This is being …

Escape hexadecimals/rgba values

I know that sanitize_hex_color exists for sanitizing hexadecimal values going into the database (and only exists in the Customizer), but what’s the best function to escape those same values? Should I just use sanitize_hex_color? Is there a better performing function? What about RGBA values? Here’s a function I’m using to sanitize hex + rgba values …

Unescape HTML entities in JavaScript?

I have some JavaScript code that communicates with an XML-RPC backend. The XML-RPC returns strings of the form: <img src="https://stackoverflow.com/questions/3700326/myimage.jpg"> However, when I use the JavaScript to insert the strings into HTML, they render literally. I don’t see an image, I literally see the string: <img src="https://stackoverflow.com/questions/3700326/myimage.jpg"> My guess is that the HTML is being …

Allow all attributes in $allowedposttags tags

I would like to use $allowedposttags to allow extra HTML tags during entry submission. Can I allow all attributes for a specific tag using $allowedposttags? For example, the code below will allow iframe tags and the src, height, and width attributes in the iframe tags: $allowedposttags['iframe'] = array( 'src' => array(), 'height' => array(), 'width' …

Escape quotes in JavaScript

I’m outputting values from a database (it isn’t really open to public entry, but it is open to entry by a user at the company — meaning, I’m not worried about XSS). I’m trying to output a tag like this: <a href="" onclick="DoEdit('DESCRIPTION');">Click Me</a> DESCRIPTION is actually a value from the database that is something …

Convert XmlDocument to String

Here is how I’m currently converting XmlDocument to String: StringWriter stringWriter = new StringWriter(); XmlTextWriter xmlTextWriter = new XmlTextWriter(stringWriter); xmlDoc.WriteTo(xmlTextWriter); return stringWriter.ToString(); The problem with this method is that if I have " (quotes, which I have in attributes) it escapes them. For instance: <Campaign name="ABC"> </Campaign> Above is the expected XML. But it returns …