In my WordPress Admin, I have my theme options set-up using the Settings API. I am trying to save the theme options form using Ajax so that the page does not refresh. The only thing i needed to add was this jQuery code :
$("#cgform").submit(function() {
var form_data = $('#cgform input').serializeArray();
$.post( 'options.php', form_data ).error(function() {
alert('error');
}).success( function() {
alert('success');
});
return false;
});
I wanted to know if doing this is safe? I know the settings api takes care of the nonce fields but I want to be sure if doing this is safe and secure.
It would be great if someone can guide me with the “best practices” for using settings api with Ajax.
WordPress does not natively use Ajax submits with Settings API, so there isn’t really best practice for it. I remember scbFramework having such option, but it was removed.
Essentially there is nothing inherently more insecure to such submit, you should treat form data as untrusted regardless of submit method and appropriately sanitize and validate it in PHP back end (any sanitization or validation client-side isjust convenience and cannot be relied on for security).