Escaping untrusted data in php for my wordPress theme

I have got a comment from someone superior to me who wants me to escape some comment in two php snippets which I have posted below. The problem is I don’t know how to do that. Can anyone help me by modifying the snippets.

Comment I got:

Read More

Comment #1:

Validate and/or sanitize untrusted data before entering into the database. All untrusted data should be escaped before output.

Code Snippet #1:

<?php 
if ( get_header_image() && !('blank' == get_header_textcolor()) ) { 
        echo '<div class="site-branding header-background-image" style="background-image: url(' . get_header_image() . ')">'; 
    } else {
        echo '<div class="site-branding">';
    }
?>

Code Snippet #2:

<?php
printf(
    /* translators: %1$s = text link: sangeet, URL: http://wordpress.org/themes/sangeet/, %2$s = text link: Kiran Kumar Dash, URL: https://twitter.com/TheKiranDash */
    __( 'Theme: %1$s by %2$s', 'sangeet' ),
                    '<a href="http://wordpress.org/themes/sangeet/" rel="nofollow">' . esc_attr( 'sangeet', 'sangeet' ) . '</a>',
    '<a href="https://twitter.com/TheKiranDash" rel="designer nofollow">' . esc_attr__( 'Kiran Kumar Dash', 'sangeet' ) . '</a>' ); 

?>

Comment #2:
esc all get_permalink() in content.php

Code snippet #3

<?php
if ( !is_single() ) {
    echo '<div class="index-box">';
    if ( has_post_thumbnail()) {
        echo '<div class="small-index-thumbnail clear">';
        echo '<a href="' . get_permalink() . '" title="' . __('Read ', 'sangeet') . get_the_title() . '" rel="bookmark">';
        echo the_post_thumbnail('index-thumb');
        echo '</a>';
        echo '</div>';
    }
}
?>

My approach:

I used esc_url to esc the get_permalink() in the snippet. Shall I use esc_all? Or esc_url is just fine.

<?php
if ( !is_single() ) {
    echo '<div class="index-box">';
    if ( has_post_thumbnail()) {
        echo '<div class="small-index-thumbnail clear">';
        echo '<a href="' . esc_url(get_permalink()) . '" title="' . __('Read ', 'sangeet') . get_the_title() . '" rel="bookmark">';
        echo the_post_thumbnail('index-thumb');
        echo '</a>';
        echo '</div>';
    }
}
?>

Related posts

1 comment

  1. As requested:
    PS. I didnt write this, only advanced it.

    Usage:

    $user = sanctify($_GET['user']);
    

    Function:

    function sanctify($data){
            // Fix &entityn;
            $data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
            $data = preg_replace('/(&#*w+)[x00-x20]+;/u', '$1;', $data);
            $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
            $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
            // Remove any attribute starting with "on" or xmlns
            $data = preg_replace('#(<[^>]+?[x00-x20"'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
            // Remove javascript: and vbscript: protocols
            $data = preg_replace('#([a-z]*)[x00-x20]*=[x00-x20]*([`'"]*)[x00-x20]*j[x00-x20]*a[x00-x20]*v[x00-x20]*a[x00-x20]*s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:#iu', '$1=$2nojavascript...', $data);
            $data = preg_replace('#([a-z]*)[x00-x20]*=(['"]*)[x00-x20]*v[x00-x20]*b[x00-x20]*s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:#iu', '$1=$2novbscript...', $data);
            $data = preg_replace('#([a-z]*)[x00-x20]*=(['"]*)[x00-x20]*-moz-binding[x00-x20]*:#u', '$1=$2nomozbinding...', $data);
            // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
            $data = preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?expression[x00-x20]*([^>]*+>#i', '$1>', $data);
            $data = preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?behaviour[x00-x20]*([^>]*+>#i', '$1>', $data);
            $data = preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:*[^>]*+>#iu', '$1>', $data);
            // Remove namespaced elements (we do not need them)
            $data = preg_replace('#</*w+:w[^>]*+>#i', '', $data);
            $data = str_replace('"','',str_replace("'","",$data));
                do{
                // Remove really unwanted tags
                $old_data = $data;
                $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
                }
                while ($old_data !== $data);
                    // we are done...
                    return $data;
    
            }
    

Comments are closed.