Escaping untrusted data in php for my wordPress theme

1 Views

I have got a comment from someone superior to me who wants me to escape some comment in two php snippets which I have posted below. The problem is I don’t know how to do that. Can anyone help me by modifying the snippets.

Comment I got:

Read More

Comment #1:

Validate and/or sanitize untrusted data before entering into the database. All untrusted data should be escaped before output.

Code Snippet #1: 

<?php 
if ( get_header_image() && !('blank' == get_header_textcolor()) ) { 
        echo '<div class="site-branding header-background-image" style="background-image: url(' . get_header_image() . ')">'; 
    } else {
        echo '<div class="site-branding">';
    }
?>

Code Snippet #2: 

<?php
printf(
    /* translators: %1$s = text link: sangeet, URL: http://wordpress.org/themes/sangeet/, %2$s = text link: Kiran Kumar Dash, URL: https://twitter.com/TheKiranDash */
    __( 'Theme: %1$s by %2$s', 'sangeet' ),
                    '<a href="http://wordpress.org/themes/sangeet/" rel="nofollow">' . esc_attr( 'sangeet', 'sangeet' ) . '</a>',
    '<a href="https://twitter.com/TheKiranDash" rel="designer nofollow">' . esc_attr__( 'Kiran Kumar Dash', 'sangeet' ) . '</a>' ); 

?>

Comment #2:
esc all get_permalink() in content.php

Code snippet #3 

<?php
if ( !is_single() ) {
    echo '<div class="index-box">';
    if ( has_post_thumbnail()) {
        echo '<div class="small-index-thumbnail clear">';
        echo '<a href="' . get_permalink() . '" title="' . __('Read ', 'sangeet') . get_the_title() . '" rel="bookmark">';
        echo the_post_thumbnail('index-thumb');
        echo '</a>';
        echo '</div>';
    }
}
?>

My approach:

I used esc_url to esc the get_permalink() in the snippet. Shall I use esc_all? Or esc_url is just fine. 

<?php
if ( !is_single() ) {
    echo '<div class="index-box">';
    if ( has_post_thumbnail()) {
        echo '<div class="small-index-thumbnail clear">';
        echo '<a href="' . esc_url(get_permalink()) . '" title="' . __('Read ', 'sangeet') . get_the_title() . '" rel="bookmark">';
        echo the_post_thumbnail('index-thumb');
        echo '</a>';
        echo '</div>';
    }
}
?>
Post Views: 1

Related posts

1 comment

  1. As requested:
    PS. I didnt write this, only advanced it.

    Usage:

    $user = sanctify($_GET['user']);

    Function:

    function sanctify($data){
        // Fix &entityn;
        $data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
        $data = preg_replace('/(&#*w+)[x00-x20]+;/u', '$1;', $data);
        $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
        $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
        // Remove any attribute starting with "on" or xmlns
        $data = preg_replace('#(<[^>]+?[x00-x20"'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
        // Remove javascript: and vbscript: protocols
        $data = preg_replace('#([a-z]*)[x00-x20]*=[x00-x20]*([`'"]*)[x00-x20]*j[x00-x20]*a[x00-x20]*v[x00-x20]*a[x00-x20]*s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:#iu', '$1=$2nojavascript...', $data);
        $data = preg_replace('#([a-z]*)[x00-x20]*=(['"]*)[x00-x20]*v[x00-x20]*b[x00-x20]*s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:#iu', '$1=$2novbscript...', $data);
        $data = preg_replace('#([a-z]*)[x00-x20]*=(['"]*)[x00-x20]*-moz-binding[x00-x20]*:#u', '$1=$2nomozbinding...', $data);
        // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        $data = preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?expression[x00-x20]*([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?behaviour[x00-x20]*([^>]*+>#i', '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:*[^>]*+>#iu', '$1>', $data);
        // Remove namespaced elements (we do not need them)
        $data = preg_replace('#</*w+:w[^>]*+>#i', '', $data);
        $data = str_replace('"','',str_replace("'","",$data));
            do{
            // Remove really unwanted tags
            $old_data = $data;
            $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
            }
            while ($old_data !== $data);
                // we are done...
                return $data;

        }

Comments are closed.