halben Posted October 14, 2013 (edited)

I'm working on a WordPress website. This is in the child theme's functions.php file. I'm just wondering if I need to sanitize when I embed strings within HTML markup.

```php
if (is_user_logged_in()) {
    $user  = wp_get_current_user();
    $fName = $user->user_firstname;
    $lName = $user->user_lastname;
    $items .= '<li id="user-name" title="Edit my profile"><a href="' . site_url('/something') . '">'
        . $fName . ' ' . $lName . '</a></li>';
    $link = '<a href="' . wp_logout_url($redirect) . '" title="' . __('Logout') . '">' . __('Logout') . '</a>';
}
```

Do I need to sanitize $items and $link? If so, would it be this?

```php
$items .= '<li id="user-name" title="Edit my profile" >htmlspecialchars(<a href="' . site_url('/something') . '">, ENT_QUOTES)'
    . $fName . ' ' . $lName . '</a></li>';
$link = htmlspecialchars('<a href="' . wp_logout_url($redirect) . '" title="' . __('Logout') . '">' . __('Logout') . '</a>, ENT_QUOTES)';
```

How about this one?

```php
echo '<p>' . __('A message will be sent to your email address.') . '</p>';
```

to

```php
echo '<p>' . htmlspecialchars(__('A message will be sent to your email address.'), ENT_QUOTES) . '</p>';
```

Thanks for helping.
requinix Posted October 14, 2013 (marked as solution)

If there's a chance the value might not be safe for HTML then yes, you need to escape it. But only escape the unsafe values themselves - if you try to escape your entire string then you'll be escaping the parts too.

```php
$fName = htmlspecialchars($user->user_firstname, ENT_QUOTES, 'UTF-8'); // [1]
$lName = htmlspecialchars($user->user_lastname, ENT_QUOTES, 'UTF-8');
$items .= '<li id="user-name" title="Edit my profile"><a href="' . site_url('/something') /* [2] */ . '">'
    . $fName . ' ' . $lName . '</a></li>';

$logout = htmlspecialchars(__('Logout'), ENT_QUOTES, 'UTF-8'); // [3]
$link = '<a href="' . wp_logout_url($redirect) /* [2] */ . '" title="' . $logout . '">' . $logout . '</a>';
```

[1] You should also specify the character encoding.
[2] Probably safe.
[3] Probably safe for normal HTML, but you're putting it in a title="" so you do need to worry about quotes.
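The following is an added, stand-alone example illustrating the accepted answer above; it is not code from the original thread or from WordPress. It builds the same list item and logout link two ways: escaping each value at the point where it lands in the markup (the recommended approach), and escaping the whole assembled fragment (what the question's second attempt amounts to), then checks both against a constructed hostile first name. The WordPress calls (wp_get_current_user(), site_url(), wp_logout_url(), __()) are replaced by constructed sample values so the script runs without WordPress; esc() is a helper written for this example.

```php
<?php
// Added example, not from the original post. Demonstrates per-value, per-context
// escaping versus escaping an entire HTML fragment. Runs stand-alone: the
// WordPress values are constructed stand-ins, and esc() is a local helper.

declare(strict_types=1);

/** Escape a value for an HTML text node or a quoted attribute value. */
function esc(string $value): string
{
    // ENT_QUOTES covers both ' and ", so the same helper is safe inside single-
    // or double-quoted attributes. Passing the encoding matters: with the wrong
    // charset, invalid multibyte sequences can be mishandled.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The <li> built as the accepted answer recommends: escape the values, not the markup. */
function user_list_item(string $firstName, string $lastName, string $profileUrl): string
{
    return '<li id="user-name" title="Edit my profile"><a href="' . esc($profileUrl) . '">'
        . esc($firstName) . ' ' . esc($lastName) . '</a></li>';
}

/** The logout link; the translated label lands in title="", so it is attribute-escaped. */
function logout_link(string $logoutUrl, string $label): string
{
    return '<a href="' . esc($logoutUrl) . '" title="' . esc($label) . '">' . esc($label) . '</a>';
}

/** What escaping the whole fragment does: the tags themselves become visible text. */
function escaped_whole_fragment(string $firstName, string $lastName, string $profileUrl): string
{
    $html = '<li id="user-name"><a href="' . $profileUrl . '">' . $firstName . ' ' . $lastName . '</a></li>';
    return esc($html);
}

/** Small check helper so the script fails loudly instead of relying on assert() settings. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed sample data: a hostile first name stored in the profile, a surname
// with an apostrophe, and a logout URL with a query string (stand-ins for
// wp_get_current_user(), site_url() and wp_logout_url()).
$firstName  = '"><script>alert(document.cookie)</script>';
$lastName   = "O'Brien";
$profileUrl = 'https://example.com/something';
$logoutUrl  = 'https://example.com/wp-login.php?action=logout&redirect_to=https%3A%2F%2Fexample.com%2F';

$safe   = user_list_item($firstName, $lastName, $profileUrl);
$broken = escaped_whole_fragment($firstName, $lastName, $profileUrl);
$logout = logout_link($logoutUrl, 'Logout');

echo $safe, PHP_EOL;
echo $broken, PHP_EOL;
echo $logout, PHP_EOL;

// No raw <script> survives in the safe output and the <li> structure is intact.
check(strpos($safe, '<script>') === false, 'script tag neutralised');
check(strpos($safe, '<li id="user-name"') === 0, 'markup preserved');
// Escaping the whole fragment turns the <li> itself into literal text.
check(strpos($broken, '&lt;li') === 0, 'whole-fragment escaping destroys markup');
// The URL's '&' becomes '&amp;', which is the correct form inside an href;
// the browser decodes it back before making the request.
check(strpos($logout, '&amp;redirect_to=') !== false, 'ampersand in href attribute-escaped');
```

Two points worth taking from the output. First, escaping the URL returned by wp_logout_url() or site_url() with htmlspecialchars() does not break the link: `&` in a query string is supposed to be written `&amp;` inside an HTML attribute, and browsers decode it before requesting, so attribute-escaping a URL is a free safety margin rather than a risk. Second, in a real theme WordPress ships its own wrappers for the same three contexts, esc_html() for text nodes, esc_attr() for attribute values and esc_url() for href/src values, and the pattern is the same as here: call them on each value at the point where it is concatenated into the markup, never on the finished string.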
halben Posted October 15, 2013 (author)

Thank you requinix, that was helpful. I'll definitely learn more about SQL injection.