Sanitize, escape, and validate your POST calls

When you include POST/GET/REQUEST/FILE calls in your plugin, it's important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: Data that is input (either by a user or automatically) must be sanitized. This lessens the possibility of XSS vulnerabilities and MITM attacks where posted data is subverted.

VALIDATE: All data should be validated as much as possible. Even when you sanitize, remember that you don’t want someone putting in ‘dog’ when the only valid values are numbers.

ESCAPE: Data that is output must be escaped properly, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

To help you with this, WordPress comes with a number of sanitization and escaping functions. You can read about those here:

Remember: You must use the MOST appropriate functions for the context. If you’re sanitizing email, use sanitize_email(), if you’re outputting HTML, use esc_html(), and so on.

Clean everything, check everything, escape everything, and never trust the users to always have input sane data.

Some examples from your plugin:

tasks/inc/controllers/admin/settings.php:30: $this->options['access_read'] = $_POST['access_read']; tasks/inc/controllers/admin/settings.php:31: $this->options['access_comment'] = $_POST['access_comment'];

tasks/inc/models/item.php:309: if (preg_match('/(php|phtml|phps)/i', $_FILES[$file_input]['type']) tasks/inc/models/item.php:310: || preg_match('/.(php|phtml|phps)$/i', $_FILES[$file_input]['name'])) { tasks/inc/models/item.php:311: $this->error = __('Forbidden upload: ', 'tasks').$_FILES[$file_input]['name'];

Remember to use https://developer.wordpress.org/reference/functions/wp_check_filetype/

pcx3com / wp-tasks

Sanitize, escape, and validate your POST calls #4