Escaping output fields ( the_content() )

tips-and-tricks

#1

To make the themes more secure, every echo $something output must be serialized. Nothing wrong with that, this is how it should be.

However, the_content() outputs everything. You can use <script> tags in it, which is kind of vulnerable and defeats the purpose of escaping everything else. If we escape it with echo wp_kses_post(get_the_content()) , it no longer can contain iframes and now the native video embedding of WordPress doesn’t work.

How do you deal with this, and what is your solution to the problem?


#2

You don’t need to escape the_content as WP does it itself, including wp_kses and wp_sanitize

https://code.tutsplus.com/articles/data-sanitization-and-validation-with-wordpress--wp-25536 should give you a good understanding of when and where to sanitize.


#3

But why then does the content allow script tags? Isn’t this a vulnerability?


#4

Allowing script tags isn’t bad; it’s allowing certain elements within the tags. WordPress filters out stuff that shouldn’t be there.


#5

Alright, what then is the preferred way if, say, we have a WYSIWYG custom field and we want to output it?

$content = get_field('content_field');

echo $content - Envato will reject our theme because it is not escaped.
echo wp_kses_post($content) - This will remove YouTube and similar video embedding.


#6

something like:

echo apply_filters('the_content', get_field('content_field'));
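The two approaches from posts #5 and #6 side by side, as an added example that is not from any of the posters: option A runs the field through the same filter chain as the_content() (so oEmbed video embeds keep working), option B keeps wp_kses_post()'s stripping but re-allows a tightly scoped iframe. It assumes ACF's get_field() and a field named 'content_field', both taken from post #5; the function names are made up for this example.

```php
<?php
// Added example for this thread, not code from the original posts.
// Assumes ACF's get_field() and the field name 'content_field' from post #5.

// Option A (post #6): apply the 'the_content' filters so wpautop, shortcodes
// and oEmbed (YouTube etc.) run exactly as they do for post content.
// Note: apply_filters() does not strip HTML on its own; the safety of this
// path rests on what was allowed when the field was saved, so it assumes
// the field is only edited by trusted users.
function theme_wysiwyg_via_content_filters( $field_name ) {
    $raw = get_field( $field_name );
    if ( ! is_string( $raw ) || '' === $raw ) {
        return '';
    }
    return apply_filters( 'the_content', $raw );
}

// Option B: keep wp_kses_post()'s allow-list (scripts and on* handlers are
// dropped) but add <iframe> with a minimal attribute set so stored embeds
// survive. wp_kses() still checks the src attribute against the allowed
// URL protocols; it does not restrict the host, so tighten further if the
// editors are not trusted.
function theme_wysiwyg_via_kses( $field_name ) {
    $raw = get_field( $field_name );
    if ( ! is_string( $raw ) || '' === $raw ) {
        return '';
    }
    $allowed           = wp_kses_allowed_html( 'post' );
    $allowed['iframe'] = array(
        'src'             => true,
        'width'           => true,
        'height'          => true,
        'title'           => true,
        'allowfullscreen' => true,
    );
    return wp_kses( $raw, $allowed );
}

// Usage in a template file:
echo theme_wysiwyg_via_content_filters( 'content_field' );
```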