Escaping user inputted data - WordPress Shortcode Attributes - PhpOut

JDawg
December 2, 2021
182 views
1 vote
2 Answers

Do shortcode attributes in WordPress need escaping if it’s user inputted data?

This plugin suggests accepting unsanitised from user input and passing it through via the shortcode.
https://connekthq.com/plugins/ajax-load-more/extensions/relevanssi/

Surely this should be sanitised similar to my example below?

I am I write to think this should be sanitised and is my method the recommended way?

$term = (isset($_GET['search'])) ? $_GET['search'] : '';
echo do_shortcode('[ajax_load_more id="relevanssi" search="'. esc_html($term) .'"]');

Tags: security wordpress

Answers

- admcfajn
- December 2, 2021 at 7:57 pm
- 0 votes
0
I would double-down & both sanitize the url-param using sanitize_key and escape it as you’ve already done, but using esc_attr rather than esc_html:
```
$term = ( isset($_GET['search'])) ? sanitize_key( $_GET['search'] ) : '';
echo do_shortcode('[ajax_load_more id="relevanssi" search="'. esc_attr($term) .'"]');
```
Also, it would be preferable to use the ajax_load_more function directly rather than do_shortcode.
Login or Signup to reply.

- MdZiyedUddin
- May 31, 2022 at 7:49 pm
- 0 votes
0
As you are going to escape user input data, I would like to suggest using sanitize_text_field() which is recommended to use for user input field data sanitization. If i am going to rewrite your code sample then it would be like
```
$term = (isset($_GET['search'])) ? sanitize_text_field($_GET['search']) : '';
echo do_shortcode('[ajax_load_more id="relevanssi" search="'. esc_html($term) .'"]');
```
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.