Reading this great article, Data Validation and Sanitization in WordPress, I noticed that in my blog, in header.php, I used `<?php echo $title ?>` in a couple of pieces of code.
According to the above article, in order to secure data it is important to validate the data itself, since data without validation is vulnerable to hackers.
As suggested by the author, I changed my initial `<?php echo $title ?>` into `<?php echo esc_html( $title ); ?>`.
This is the code before the changes:
```php
<span class="ads">
<?php
if ( is_user_logged_in() ) {
    // Link text: "Post your ad for free: it's quick and easy!"
    echo '<span><a href="/?page_id=175" title="inserisci un annuncio gratis">Pubblica il tuo annuncio gratis: è facile e veloce!</a></span>';
} else {
    // A PHP tag cannot be nested inside an echoed string, so $title is
    // concatenated in; here it reaches the page exactly as stored, unescaped.
    echo '<span><a class="simplemodal-login simplemodal-submit" href="">' . $title . 'Pubblica il tuo annuncio gratis: è facile e veloce!</a> </span>';
}
?>
</span>
```
This is the code after the changes:
```php
<span class="ads">
<?php
if ( is_user_logged_in() ) {
    // Link text: "Post your ad for free: it's quick and easy!"
    echo '<span><a href="/?page_id=175" title="inserisci un annuncio gratis">Pubblica il tuo annuncio gratis: è facile e veloce!</a></span>';
} else {
    // $title is printed as text content of the <a>, so it is passed through
    // esc_html() before being concatenated into the markup.
    echo '<span><a class="simplemodal-login simplemodal-submit" href="">' . esc_html( $title ) . 'Pubblica il tuo annuncio gratis: è facile e veloce!</a> </span>';
}
?>
</span>
```
Now my question is (I guess it's a newbie one!): is the change I made good for my blog's security?
In the article's case, `$title` is an arbitrary value, and as such it should be escaped for HTML. If it was obtained from a WordPress core function it is probably safe, but you should check anyway. For example, `get_the_title()` can contain HTML markup and is not escaped by default. Either way, post and page titles should not have HTML in them. Styling is for themes, not for content.

You should validate all data at entry, and that is where you should focus your efforts. What you're doing improves your security, but by how much depends on where the data is coming from.

I recommend you escape all data on input and output, but do it out of habit rather than for specific exceptional cases.
The post title can contain markup, and it will not be escaped by WordPress by default. To get an escaped title use `the_title_rss()` (or print `get_the_title_rss()`) or `the_title_attribute()`.
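As an added example, not code from the question or from either answer: the script below takes a title containing markup (the case the first answer warns about, since `get_the_title()` returns it as stored) and renders the asker's link three ways, unescaped as in the original header.php, through `esc_html()` for text between tags, and through `esc_attr()` for an attribute value. It runs under plain PHP; outside WordPress the `esc_html()`/`esc_attr()` stand-ins are assumed simplifications built on `htmlspecialchars()`, which is what the real functions wrap (both reduce to `_wp_specialchars( $text, ENT_QUOTES )`). The title value and the `render_*` helpers are constructed for this example.

```php
<?php
// Added example, not code from the question or the answers. Outside WordPress
// the esc_html()/esc_attr() stand-ins below are assumed simplifications of the
// real functions, which both wrap _wp_specialchars( $text, ENT_QUOTES ).

if ( ! function_exists( 'esc_html' ) ) {
    // Text between tags: '<', '>', '&', '"' and "'" become entities; existing
    // entities such as '&amp;' are left alone (no double encoding), as in WordPress.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Attribute values: same character set; the quotes matter most here, because
    // an unescaped '"' would end the attribute and let the value add new ones.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
    }
}

// The asker's link, rendered three ways from the same $title (helpers are constructed).
function render_unescaped( $title ) {
    // What header.php did before the change: whatever is in $title reaches the browser as markup.
    return '<span><a class="simplemodal-login simplemodal-submit" href="">' . $title . '</a></span>';
}

function render_text_context( $title ) {
    // After the change: $title is text content of the <a>, so esc_html() is the right escaper.
    return '<span><a class="simplemodal-login simplemodal-submit" href="">' . esc_html( $title ) . '</a></span>';
}

function render_attr_context( $title ) {
    // Same value inside an attribute: esc_attr() is the escaper WordPress intends for this context.
    return '<a href="/?page_id=175" title="' . esc_attr( $title ) . '">Pubblica il tuo annuncio gratis</a>';
}

// Constructed title with markup: get_the_title() would hand this back as-is.
$title = 'Annunci <b>gratis</b> <img src=x onerror="alert(document.cookie)"> &amp; altro';

foreach ( array(
    'unescaped'  => render_unescaped( $title ),
    'esc_html()' => render_text_context( $title ),
    'esc_attr()' => render_attr_context( $title ),
) as $label => $html ) {
    // A live <img> tag survives only in the unescaped rendering; in the other
    // two it has become '&lt;img ...' and is displayed as text.
    $status = ( false !== strpos( $html, '<img' ) ) ? 'tag reaches the browser' : 'tag is inert text';
    echo str_pad( $label, 11 ) . ': ' . $status . "\n" . $html . "\n\n";
}
```

Run it with `php example.php`. The unescaped rendering is the only one in which the `onerror` handler is still a handler; in the other two, `<` has become `&lt;`, so the browser shows the title literally. The `&amp;` already in the title is not turned into `&amp;amp;`, which is the no-double-encoding behaviour the WordPress escapers also have. Note that escaping on output does not contradict the first answer's point about validating on entry: the two are layered, and the output escaper is what protects you when a value got in by a path you did not validate.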