Do shortcode attributes in WordPress need escaping if it’s user inputted data?
This plugin suggests accepting unsanitised data from user input and passing it through via the shortcode.
https://connekthq.com/plugins/ajax-load-more/extensions/relevanssi/
Surely this should be sanitised similar to my example below?
Am I right to think this should be sanitised, and is my method the recommended way?
// Read the raw search term from the query string (empty string if absent).
$term = (isset($_GET['search'])) ? $_GET['search'] : '';
// Build the shortcode string with the term escaped, then render it.
echo do_shortcode('[ajax_load_more id="relevanssi" search="' . esc_html($term) . '"]');
2 Answers
I would double-down & both sanitize the url-param using sanitize_key and escape it as you’ve already done, but using esc_attr rather than esc_html:

Also, it would be preferable to use the ajax_load_more function directly rather than do_shortcode.

As you are going to escape user input data, I would like to suggest using sanitize_text_field(), which is recommended for user input field data sanitization. If I am going to rewrite your code sample then it would be like
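The pattern the two answers describe (sanitize the request value on input, escape it with esc_attr on output because it lands in an attribute), as an added example that is not code from the question, either answer, or the Ajax Load More plugin. The stand-in definitions of sanitize_text_field and esc_attr exist only so the file runs outside WordPress; inside WordPress the real functions are used. The bracket-stripping step and the function name relevanssi_alm_shortcode are my additions; the ajax_load_more(array(...)) call at the end is an assumption about the plugin's function signature, not something this page confirms.

```php
<?php
// Added example: sanitize on input, escape on output, for a shortcode attribute.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// functions already exist and these definitions are skipped.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);                // drop HTML tags
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);  // collapse whitespace
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

/**
 * Build the [ajax_load_more] shortcode for a Relevanssi search term.
 *
 * $query is the request array ($_GET in a template); it is passed in
 * explicitly so the function can be exercised with constructed input.
 */
function relevanssi_alm_shortcode(array $query): string {
    // 1. Sanitize on input: plain-text term, no tags, no stray whitespace
    //    (sanitize_text_field, as the second answer recommends).
    $term = isset($query['search']) ? sanitize_text_field($query['search']) : '';

    // 2. Shortcode-specific check (my addition): WordPress's shortcode regex
    //    reads the attribute list only up to the first "]", so a bracket in
    //    the term would end the attribute list early. Neither esc_html nor
    //    esc_attr touches brackets, so remove them here.
    $term = str_replace(array('[', ']'), '', $term);

    // 3. Escape on output for the context the value lands in: a quoted
    //    attribute, so esc_attr rather than esc_html (first answer).
    return '[ajax_load_more id="relevanssi" search="' . esc_attr($term) . '"]';
}

// Constructed inputs for a local run (not captured from any site).
$samples = array(
    array('search' => 'blue widgets'),
    array('search' => 'say "hello" <b>there</b>'),
    array('search' => 'cut]here id="other"'),
    array(),
);
foreach ($samples as $query) {
    echo relevanssi_alm_shortcode($query), PHP_EOL;
}

// In a theme template the rendering call would be:
//   echo do_shortcode(relevanssi_alm_shortcode($_GET));
// or, following the first answer, pass an args array to the plugin function
// instead of building and re-parsing a string (signature assumed, not verified here):
//   if (function_exists('ajax_load_more')) {
//       ajax_load_more(array('id' => 'relevanssi', 'search' => $term));
//   }
```

The second sample shows the two layers doing different jobs: sanitize_text_field removes the tags, and esc_attr turns the double quotes into &quot; so they cannot close the search="..." attribute. The third sample is the case escaping alone does not cover, which is why the function drops brackets before the shortcode string is assembled.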