Do shortcode attributes in WordPress need escaping if it’s user inputted data?

This plugin suggests accepting unsanitised data from user input and passing it through via the shortcode.
https://connekthq.com/plugins/ajax-load-more/extensions/relevanssi/

Surely this should be sanitised similar to my example below?

Am I right to think this should be sanitised, and is my method the recommended way?

$term = (isset($_GET['search'])) ? $_GET['search'] : '';
echo do_shortcode('[ajax_load_more id="relevanssi" search="'. esc_html($term) .'"]');

2 Answers

  1. I would double down & both sanitize the URL param using sanitize_key and escape it as you’ve already done, but using esc_attr rather than esc_html:

    $term = ( isset($_GET['search'])) ? sanitize_key( $_GET['search'] ) : '';
    echo do_shortcode('[ajax_load_more id="relevanssi" search="'. esc_attr($term) .'"]');
    

    Also, it would be preferable to use the ajax_load_more function directly rather than do_shortcode.

  2. As you are going to escape user input data, I would like to suggest using sanitize_text_field(), which is recommended for sanitizing user input field data. If I were going to rewrite your code sample, it would be like this:

    $term = (isset($_GET['search'])) ? sanitize_text_field($_GET['search']) : '';
    echo do_shortcode('[ajax_load_more id="relevanssi" search="'. esc_html($term) .'"]');
    
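As an added example (not code from the question, either answer, or the plugin), the script below builds the shortcode string from a query parameter the three ways discussed above and shows what each does to an ordinary search term and to a constructed value containing a double quote. The helper definitions are simplified stand-ins for the WordPress core functions of the same name, guarded with function_exists so the script runs without WordPress loaded (and uses the real functions when it is); the attribute-name regex is a rough check of attribute boundaries, not WordPress's own shortcode parser.

```php
<?php
// Added example: stand-alone, no WordPress required.
// The four helpers below approximate WordPress core behaviour and are only
// defined when the real functions are absent.

if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Core: _wp_specialchars() with ENT_QUOTES, no double-encoding.
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8', false);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Core encodes the same characters as esc_attr (& < > " '); the two
        // differ only in the filter hook applied, so the output here matches.
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8', false);
    }
}
if (!function_exists('sanitize_key')) {
    function sanitize_key($key) {
        // Core: lowercase, then strip everything except a-z, 0-9, _ and -.
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Simplified: strip tags, drop control characters, collapse whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}

// Same construction as the question, with the value supplied by the caller.
function build_shortcode($term) {
    return '[ajax_load_more id="relevanssi" search="' . $term . '"]';
}

// Rough check: which attribute names does the shortcode string now carry?
// A value that closed the search="" attribute shows up as an extra name.
function shortcode_attribute_names($shortcode) {
    preg_match_all('/\s([A-Za-z0-9_-]+)="[^"]*"/', $shortcode, $m);
    return $m[1];
}

// Constructed inputs: an ordinary search, and a value that tries to close the
// search attribute and add a second, made-up attribute ("extra" is a placeholder).
$inputs = [
    'ordinary' => 'Blue Widgets 2024',
    'quoted'   => '" extra="injected',
];

$strategies = [
    'raw (no escaping)'              => function ($v) { return $v; },
    'esc_html only'                  => function ($v) { return esc_html($v); },
    'sanitize_key + esc_attr'        => function ($v) { return esc_attr(sanitize_key($v)); },
    'sanitize_text_field + esc_html' => function ($v) { return esc_html(sanitize_text_field($v)); },
];

foreach ($inputs as $label => $raw) {
    echo "== {$label} input: {$raw}\n";
    foreach ($strategies as $name => $fn) {
        $sc = build_shortcode($fn($raw));
        printf("%-32s %s\n", $name . ':', $sc);
        printf("%-32s %s\n", '', 'attributes: ' . implode(', ', shortcode_attribute_names($sc)));
    }
    echo "\n";
}
```

Running it shows the point behind the question: with the raw value, the double quote closes search="" and the rest of the string is read as a further attribute (id, search, extra), whereas every escaped variant encodes the quote as &quot; and the shortcode keeps exactly two attributes. It also shows the trade-off between the two answers on a free-text search term: sanitize_key reduces "Blue Widgets 2024" to "bluewidgets2024" (spaces, case and any non-ASCII are stripped), while sanitize_text_field leaves the words intact and relies on the escaping step to protect the attribute boundary.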