I got to learn something new today here on this post.
I have code written for a Post widget →
<?php
class chimp_post_widget extends WP_Widget {
function __construct() {
//Create Widget
parent::__construct(
'post_display_widget',
esc_html__('The Post Widget','simplisto'),
array(
'classname' => 'post-widget',
'description' => esc_html__('A Post Thumbnail Widget', 'simplisto' )
)
);
}
public function form( $instance ) {
$title = isset( $instance['title'] ) ? $instance['title'] : '';
$number_of_posts = isset( $instance['number_of_posts'] ) ? absint( $instance['number_of_posts'] ) : 5;
$number_of_words = isset( $instance['number_of_words'] ) ? absint( $instance['number_of_words'] ) : 20;
$cat_include = isset( $instance['cat_include'] ) ? $instance['cat_include'] : '';
$cat_exclude = isset( $instance['cat_exclude'] ) ? $instance['cat_exclude'] : '';
$vertical_sidebar_check = isset( $instance[ 'vertical_sidebar_check' ] ) && ( 'on' === $instance[ 'vertical_sidebar_check' ] ) ? 'on' : 'off';
?>
<p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:', 'simplisto' ); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></p>
<p><label for="<?php echo $this->get_field_id( 'number_of_posts' ); ?>"><?php _e( 'Number of projects to show:', 'simplisto' ); ?></label>
<input class="tiny-text" id="<?php echo $this->get_field_id( 'number_of_posts' ); ?>" name="<?php echo $this->get_field_name( 'number_of_posts' ); ?>" type="number" step="1" min="1" value="<?php echo $number_of_posts; ?>" size="3" /></p>
<p><label for="<?php echo $this->get_field_id( 'number_of_words' ); ?>"><?php _e( 'Set the word limit for project descriptions:', 'simplisto' ); ?></label>
<input class="tiny-text" id="<?php echo $this->get_field_id( 'number_of_words' ); ?>" name="<?php echo $this->get_field_name( 'number_of_words' ); ?>" type="number" step="1" min="1" value="<?php echo $number_of_words; ?>" size="4" /></p>
<p><label for="<?php echo $this->get_field_id( 'cat_include' ); ?>"><?php _e( 'Include Categories:', 'simplisto' ); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id( 'cat_include' ); ?>" name="<?php echo $this->get_field_name( 'cat_include' ); ?>" type="text" value="<?php echo esc_attr( $cat_include ); ?>" />
<small>Comma separated list of category IDs to <strong>include</strong> in post query. e.g.: 11,17,347<br>If blank, all categories will be included.</small>
</p>
<p><label for="<?php echo $this->get_field_id( 'cat_exclude' ); ?>"><?php _e( 'Exclude Categories:', 'simplisto' ); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id( 'cat_exclude' ); ?>" name="<?php echo $this->get_field_name( 'cat_exclude' ); ?>" type="text" value="<?php echo esc_attr( $cat_exclude ); ?>" />
<small>Comma separated list of category IDs to <strong>exclude</strong> in post query. e.g.: 1,16<br>If blank, no categories will be excluded.</small>
</p>
<p><input class="checkbox" type="checkbox" <?php checked( $vertical_sidebar_check, 'on' ); ?> id="<?php echo $this->get_field_id( 'vertical_sidebar_check' ); ?>" name="<?php echo $this->get_field_name( 'vertical_sidebar_check' ); ?>" />
<label for="<?php echo $this->get_field_id( 'vertical_sidebar_check' ); ?>"><?php _e('Select for Vertical Sidebar', 'simplisto'); ?></label></p>
<?php
}
public function update($new_instance, $old_instance) {
$instance = $old_instance;
$instance['title'] = sanitize_text_field( $new_instance['title'] );
$instance['number_of_posts'] = absint( $new_instance['number_of_posts'] );
$instance['number_of_words'] = absint( $new_instance['number_of_words'] );
$instance['cat_include'] = sanitize_text_field( $new_instance['cat_include'] );
$instance['cat_exclude'] = sanitize_text_field( $new_instance['cat_exclude'] );
$instance[ 'vertical_sidebar_check' ] = isset( $new_instance[ 'vertical_sidebar_check' ] ) && ( 'on' === $new_instance[ 'vertical_sidebar_check' ] ) ? 'on' : 'off';
return $instance;
}
public function widget($args, $instance) {
extract( $args );
$title = apply_filters( 'widget_title', $instance['title'] );
/* Display the markup before the widget. */
echo $args['before_widget'];
if ( ! empty( $instance['title'] ) ) {
echo $args['before_title'] . apply_filters( 'widget_title', $instance['title'] ) . $args['after_title'];
}
$number_of_posts = ( ! empty( $instance['number_of_posts'] ) ) ? absint( $instance['number_of_posts'] ) : 5;
if ( ! $number_of_posts ) {
$number_of_posts = 5;
}
$number_of_words = ( ! empty( $instance['number_of_words'] ) ) ? absint( $instance['number_of_words'] ) : 20;
if ( ! $number_of_words ) {
$number_of_words = 20;
}
// Convert comma separated string to array for use in WP_Query.
$category_include = $instance['cat_include'];
if ( $category_include ) {
$category_include = explode( ',', $instance['cat_include'] );
} else {
$category_include = array();
}
// Convert comma separated string to array for use in WP_Query.
$category_exclude = $instance['cat_exclude'];
if ( $category_exclude ) {
$category_exclude = explode( ',', $instance['cat_exclude'] );
} else {
$category_exclude = array();
}
$vertical_sidebar_check = isset( $instance[ 'vertical_sidebar_check' ] ) && ( 'on' === $instance[ 'vertical_sidebar_check' ] ) ? 'on' : 'off';
/* Create a custom query and get the most recent x projects. */
$queryArgs = array(
'category__in' => $category_include,
'category__not_in' => $category_exclude,
/* Order by date. */
'orderby' => 'date',
/* Show all posts. */
'posts_per_page' => $number_of_posts,
);
$query = new WP_Query( $queryArgs );
if ( $query->have_posts() ) : ?>
<ul class="unbullet<?php echo $vertical_sidebar_check === 'on' ? ' unbullet-v' : ''; ?>">
<?php while ( $query->have_posts() ) : $query->the_post(); ?>
<li class="snippet-box<?php echo $vertical_sidebar_check === 'on' ? ' vertical' : ''; ?>">
<div>
<!-- <img src="http://heightandweights.com/wp-content/uploads/2014/10/Beautiful-Lindsey-Vonn.jpg" alt="" class="hundred"> -->
<?php the_post_thumbnail( 'medium', array( 'class' => 'hundred' ) ); ?>
<div class="snippet-text">
<h3><a href="<?php the_permalink(); ?>" title="<?php the_title_attribute(); ?>"><?php the_title(); ?></a></h3>
<p><?php echo wp_trim_words( get_the_excerpt(), $number_of_words , __( '…', 'simplisto' ) ); ?></p>
</div>
</div>
<!-- <a href="<?php the_permalink(); ?>" title="<?php the_title_attribute(); ?>"><?php the_post_thumbnail( 'large', array( 'class' => 'img-responsive' ) ); ?></a> -->
</li>
<?php endwhile; ?>
</ul>
<?php endif;
/* Display the markup after the widget. */
echo $after_widget;
}
}
add_action('widgets_init', function(){
register_widget('chimp_post_widget');
})
?>
Do you think is there any place where we can write the apply_filters or any other kind of sanitization that a novice like me has missed.
I think this post may be helpful to various beginners in implementing santization and other functions that are important for code quality.
1 Answer
I use these commands at the top of my functions.php in all child themes; it will sanitize all POST/GETs. Maybe there are better ways (and it might be redundant), but it appears to work for me.
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
But I am open to constructive criticism….
