Looking at the Codex for wp_insert_post(), it states that this function “…sanitizes variables, does some checks, fills in missing variables like date/time, etc.” (EDIT: I updated the Codex entry to include a more robust example that includes security as well as post meta and category assignment.)
Just wondering whether I need to do any further sanitization to prevent XSS hacks and the like or whether enough is being done through the function.
To be honest, I’ve checked through the function in core and haven’t found any wp_kses() or other sanitization on post_content for example, so I’m a little concerned. All I can see that it does is stripslashes_deep() on the data.
So should I be running wp_kses() or anything else when I build my arguments to wp_insert_post()?
What’s the best practice here? The Codex is pretty cavalier about security in its example.
Thanks
You don’t have to do anything.
On WP load:
'init' hook -> kses_init() -> kses_init_filters()
Later:
wp_insert_post() -> sanitize_post() -> sanitize_post_field() -> 'content_save_pre' -> wp_filter_post_kses()
Similarly for post titles, comment text etc.
Conclusion: wp_insert_post() is very sanitized. 🙂
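The following is an added example, not code from the question, the answer, or WordPress core. It exercises the filter chain the answer lists by inserting a draft post with deliberately hostile markup and reading it back, and it shows the check a practitioner would want alongside it: kses_init() installs those save filters only when the current user lacks the unfiltered_html capability, so a script running as an administrator (or a plugin ingesting third-party content in a request made by one) does not get the chain at all. The second insert function therefore calls wp_kses_post() explicitly so the result does not depend on who the current user is. It assumes a bootstrapped WordPress install (for instance via `wp eval-file`); the kses_demo_* function names, the constant, and the post titles are this example's own.

```php
<?php
/**
 * Added example, not from the original Q&A or from WordPress core.
 * Exercises the chain described in the answer:
 *   init -> kses_init() -> kses_init_filters()  (hooks wp_filter_post_kses on content_save_pre)
 *   wp_insert_post() -> sanitize_post() -> sanitize_post_field() -> 'content_save_pre'
 * Run inside a loaded WordPress, e.g.:  wp eval-file kses-demo.php
 * Assumptions: WordPress is bootstrapped; kses_demo_* names and titles are ours.
 */

// Constructed, deliberately hostile markup (not real attacker data).
const KSES_DEMO_CONTENT = '<p>Hello</p><script>alert(1)</script>'
    . '<a href="javascript:alert(2)" onclick="alert(3)">click</a>'
    . '<img src="x" onerror="alert(4)">';

/**
 * Report whether the kses save filters are active for this request.
 * kses_init() installs them only when the current user lacks unfiltered_html,
 * so an admin context (single-site admins have it by default) skips them.
 */
function kses_demo_filters_active() {
    return array(
        'unfiltered_html'  => current_user_can( 'unfiltered_html' ),
        'content_save_pre' => has_filter( 'content_save_pre', 'wp_filter_post_kses' ), // priority or false
        'title_save_pre'   => has_filter( 'title_save_pre', 'wp_filter_kses' ),
    );
}

/**
 * Insert a draft relying only on the core chain, then read it back and
 * report whether the dangerous parts survived the round trip.
 */
function kses_demo_insert_relying_on_core( $content ) {
    $post_id = wp_insert_post(
        wp_slash( array(                 // wp_insert_post() expects slashed data
            'post_title'   => 'kses demo <script>alert(5)</script>',
            'post_content' => $content,
            'post_status'  => 'draft',
            'post_type'    => 'post',
        ) ),
        true                             // return WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $post_id ) ) {
        return array( 'error' => $post_id->get_error_message() );
    }
    $saved = get_post( $post_id );
    return array(
        'post_id'          => $post_id,
        'content'          => $saved->post_content,
        'script_survived'  => false !== stripos( $saved->post_content, '<script' ),
        'onerror_survived' => false !== stripos( $saved->post_content, 'onerror' ),
        'js_url_survived'  => false !== stripos( $saved->post_content, 'javascript:' ),
    );
}

/**
 * Defensive variant for code that ingests untrusted content (importers,
 * REST handlers, cron jobs): filter explicitly with wp_kses_post() so the
 * outcome does not depend on the capabilities of whoever triggered the request.
 */
function kses_demo_insert_explicit( $content ) {
    return wp_insert_post(
        wp_slash( array(
            'post_title'   => sanitize_text_field( 'kses demo (explicit) <script>alert(6)</script>' ),
            'post_content' => wp_kses_post( $content ),
            'post_status'  => 'draft',
            'post_type'    => 'post',
        ) ),
        true
    );
}

// --- run it ---
print_r( kses_demo_filters_active() );
print_r( kses_demo_insert_relying_on_core( KSES_DEMO_CONTENT ) );
$explicit_id = kses_demo_insert_explicit( KSES_DEMO_CONTENT );
echo is_wp_error( $explicit_id )
    ? $explicit_id->get_error_message()
    : get_post( $explicit_id )->post_content, "\n";
```

Run it once as an anonymous WP-CLI user and once with `--user=<admin>`: in the first case the report shows the filters hooked and nothing surviving; in the second, unfiltered_html is true, content_save_pre has no wp_filter_post_kses hook, and the first insert stores the script tag and event handlers verbatim, while the explicit wp_kses_post() path strips them in both runs. Both inserts leave draft posts behind, so delete them afterwards.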