Malicious data is always some sequence of text, so for numeric data, you can simply cast the data as a number. For example, for integers: $safe = (int) $suspect;
For actual string data, the proper method depends on the intended use of the data. Use the functions as described in the doc you linked to. If you’re not sure which, try wp_kses_data(). That’s pretty safe.
In the case of arrays, if they are well structured, you can use array_map() to apply the appropriate function to each element. For arrays not conducive to such treatment, you may need to resort to a custom foreach loop to target various elements within.
Can you show me some example of code?
Wrote this on my lunch break for ya, it’s been a while since I’ve been on the forums but this should help. If you need to do something with the keys, you’ll probably want a foreach and to clone the $filters into a new modified version, but really without seeing what that array looks like I’ll be of little help.
<?php
function get_filter_list( $ids, $filters, $selected_filters ) {
    // some operation
    $ids              = array_map( 'intval', $ids );
    $selected_filters = array_map( 'intval', $selected_filters );
    /*
    Assuming the following
    $filters = [
        123 => 'someValue'
    ];
    */
    $filters = array_map( 'esc_html', $filters );
    return wp_json_encode( compact( 'ids', 'selected_filters', 'filters' ) );
}
// function call
get_filter_list( $ids, $filters, $selected_filters );
@bcworkz really thanks for the help.
@phyrax Your code helps me a lot.
Finally, I found the solution and correct way:
Actually, the question subject should be “How to escape custom function in WordPress?”.
The function returns the HTML filter button tags wrapped in div tags, like below:
<div class='ufg-parent-filters'>
    <div class='col-md-12 my-2'>
        <button id='1evel1-all' class='ufg-all-filter-button ufg-parent-filters ufg-all-filter btn btn-sm btn-danger all mb-3 mr-2' onclick='return filter(this.id, this.value)' value='all'> All (3)</button>
        <button id='1evel1-a-1' class='ufg-parent-filter-button ufg-parent-filters btn btn-sm btn-primary mb-3 mr-2 a-1' onclick='return filter(this.id, this.value)' value='a-1'> a</button>
        <button id='1evel1-b-2' class='ufg-parent-filter-button ufg-parent-filters btn btn-sm btn-primary mb-3 mr-2 b-2' onclick='return filter(this.id, this.value)' value='b-2'> b</button>
        <button id='1evel1-c-3' class='ufg-parent-filter-button ufg-parent-filters btn btn-sm btn-primary mb-3 mr-2 c-3' onclick='return filter(this.id, this.value)' value='c-3'> c</button>
    </div>
</div>
And the escaping code I applied:
<?php
$ufg_filter_results = get_filter_list( $ids, $filters, $selected_filters );
$ufg_filters_allowed = array(
    'div'    => array( 'class' => array(), 'id' => array() ),
    'button' => array( 'id' => array(), 'class' => array(), 'value' => array(), 'onclick' => array() ),
);
echo wp_kses( $ufg_filter_results, $ufg_filters_allowed );
?>
Hope this question will also help others.
References:
https://developer.ww.wp.xz.cn/plugins/security/securing-output/
https://developer.ww.wp.xz.cn/reference/functions/wp_kses/
https://wordpress.stackexchange.com/questions/44764/typical-wp-kses-allowed
Thanks
Faraz
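As an added example (not code from this thread or from WordPress), here is one way to build the same button markup while escaping each piece for its context, so the HTML is assembled from already-escaped values and does not need a wp_kses allow-list that admits onclick afterwards. The function name ufg_render_filter_buttons, the [slug => label] shape of $filters and the esc_attr/esc_html fallbacks are assumptions; in WordPress the real esc_attr()/esc_html() are used.

```php
<?php
// Added example, not code from the thread. Builds the filter buttons
// shown above from an array of filters while escaping each value for
// its context (attribute vs. text). In WordPress, esc_attr()/esc_html()
// already exist; the fallbacks below only let the file run on plain PHP.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

/**
 * $filters is assumed to be [ slug => label ], e.g. [ 'a-1' => 'a' ].
 * id/value/class and the label come from that array and are escaped;
 * the onclick handler is a fixed literal, never built from input.
 */
function ufg_render_filter_buttons( array $filters, $level = 'level1' ) {
    $html  = "<div class='ufg-parent-filters'>\n<div class='col-md-12 my-2'>\n";
    $html .= sprintf(
        "<button id='%s' class='ufg-all-filter-button ufg-parent-filters ufg-all-filter btn btn-sm btn-danger all mb-3 mr-2' onclick='return filter(this.id, this.value)' value='all'> All (%d)</button>\n",
        esc_attr( $level . '-all' ),
        count( $filters )
    );
    foreach ( $filters as $slug => $label ) {
        $html .= sprintf(
            "<button id='%s' class='ufg-parent-filter-button ufg-parent-filters btn btn-sm btn-primary mb-3 mr-2 %s' onclick='return filter(this.id, this.value)' value='%s'> %s</button>\n",
            esc_attr( $level . '-' . $slug ),
            esc_attr( $slug ),   // slug is also used as a class name
            esc_attr( $slug ),
            esc_html( $label )
        );
    }
    return $html . "</div>\n</div>\n";
}

// Constructed sample input: the last entry carries a quote and markup to
// show that they end up as harmless text, not a new attribute or tag.
$sample = [
    'a-1'        => 'a',
    'b-2'        => 'b',
    "c-3' x='y"  => 'c <b>bold</b>',
];
echo ufg_render_filter_buttons( $sample );
```

The output for the third entry contains `&#039;` and `&lt;b&gt;` in place of the quote and tag, so the string cannot break out of the attribute or start an element.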