Closed westonruter closed 9 years ago
Thanks, Weston. I'll change `strip_tags()` to `esc_attr()`. I will also change the spaces to tabs.
Actually, it's fine to leave `strip_tags` where they are. But adding `esc_attr` is the key thing to add, and it should be right where it does `echo`. http://vip.wordpress.com/documentation/best-practices/security/validating-sanitizing-escaping/#always-escape-late
Thank you, I'll add the `esc_attr` call at the `echo` line.
:+1:
`strip_tags` is not sufficient. Someone could enter a double quote character and add entirely new attributes to the `input` element, or simply break the markup. So `esc_attr` is needed in both cases. https://github.com/kienstra/widget-live-editor/blob/a1164d0c68bf141a6fb780a072854a7c1039f8fc/includes/wle-options.php#L38-L64