Title: Sanitizing input?
Last modified: July 14, 2024

---

# Sanitizing input?

 *  [Trippetchz](https://wordpress.org/support/users/trippetchz/)
 * (@trippetchz)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/sanitizing-input/)
 * Hi there,
 * Thanks for great software 🙂
 * Just wondering if this plugin has ever been fuzz tested for user input? I’m not
   an expert in injection, but I notice HTML tags entering the database fields from
   front-end user input:
 * ![](https://i0.wp.com/i.postimg.cc/3RpZrY6b/Screenshot-from-2024-07-14-15-29-36.png?ssl=1)
 * Would it be wise to consider parsing text lines through `sanitize_text_field()`
   and text areas through `sanitize_textarea_field()`?
 * [https://developer.wordpress.org/apis/security/sanitizing/](https://developer.wordpress.org/apis/security/sanitizing/)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Author [xnau webdesign](https://wordpress.org/support/users/xnau/)
 * (@xnau)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/sanitizing-input/#post-17888884)
 * Yes, all input to Participants Database is sanitized. A couple of years ago we
   did a security check on user input and tightened it up a lot, and we continue
   to look for ways to improve it.
 * The input you are testing is not dangerous, and there are lots of users that
   want to store HTML in text fields, but what HTML is allowed is filtered by the
   `wp_kses()` function to disallow anything that might be malicious. The functions
   you suggest we use don’t allow HTML.
 * If you have a specific security concern, let us know, we want to make sure our
   product is as secure as it can be.
 *  Thread Starter [Trippetchz](https://wordpress.org/support/users/trippetchz/)
 * (@trippetchz)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/sanitizing-input/#post-17903386)
 * Hi there,
 * Thanks for getting back.
 * Sure, the above example wasn’t dangerous, but this potentially is:
 * ![](https://i0.wp.com/i.postimg.cc/WzRzDr0r/Screenshot-from-2024-07-21-18-57-07.png?ssl=1)
 * And that passed through `wp_kses()` (apparently?) in the same vein.
 * I understand you’re saying some use cases want to accept HTML and other input
   through Participants Database, but for our use, we definitely **do not** want
   any possibility of any tags or any other input being inserted in any of our front-
   end (or back-end), especially in fields such as “First Name” or “Last Name” where
   it should never be expected/accepted.
 * If this isn’t going to be mainlined, are there some hooks we can use to invoke
   `sanitize_text_field()` and `sanitize_textarea_field()` for our own set up then,
   please?
 * Thanks!
   T
 *  Plugin Author [xnau webdesign](https://wordpress.org/support/users/xnau/)
 * (@xnau)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/sanitizing-input/#post-17903841)
 * There are several ways you can prevent tags from getting submitted. Doing it 
   in the validation allows you to provide user feedback.
 * You can use a simple regex validation on the field that does not allow the “less
   than” symbol: `/^[^<]+$/` This will effectively prevent tags from getting submitted.
 * If you want a more detailed approach, you can use a custom validation: [Custom Field Validation](https://xnau.com/custom-field-validation/)
 * If you want to just sanitize it before it gets stored to the db, you can use
   these two filters: `pdb-before_submit_signup` and `pdb-before_submit_update`.
   These filters are easy to use: they pass in the posted data and expect the posted
   data to be returned. You can alter the data before it is returned.
 * I’m not suggesting you wait for this, but I do plan to add a setting that can
   disallow HTML tags from text fields.
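An added example of the filter approach described in the reply above (this is not the plugin author's code and not part of the original thread). It hooks both `pdb-before_submit_signup` and `pdb-before_submit_update` and runs every submitted string through WordPress's `sanitize_text_field()`, or `sanitize_textarea_field()` for fields listed as textareas, before the plugin stores it. Assumptions not confirmed by the thread: the filter receives a single associative array of posted values keyed by field name, and the field names `first_name`, `last_name` and `notes` are illustrative placeholders.

```php
<?php
/**
 * Added example, not Participants Database's own code: strip HTML from
 * every submitted text value using the two filters named in the thread,
 * `pdb-before_submit_signup` and `pdb-before_submit_update`.
 *
 * Assumptions (not confirmed by the thread): the filter passes one
 * associative array of posted values keyed by field name and expects the
 * same shape back; the field names below are placeholders for your own
 * field definitions. Put this in a site-specific plugin or functions.php.
 */

// Placeholder list of multi-line textarea fields; line breaks are kept for
// these, everything else is treated as single-line text.
const PDB_EXAMPLE_TEXTAREA_FIELDS = array( 'notes' );

/**
 * Sanitize submitted values in place and return the array.
 *
 * sanitize_text_field() strips all tags, collapses whitespace and line
 * breaks, and entity-encodes a stray "<" that is not part of a tag.
 * sanitize_textarea_field() does the same but preserves line breaks.
 *
 * @param mixed $posted Posted data as handed over by the plugin filter.
 * @return mixed The same structure with every string sanitized.
 */
function pdb_example_strip_html( $posted ) {
	if ( ! is_array( $posted ) ) {
		return $posted;
	}

	foreach ( $posted as $field => $value ) {
		if ( is_array( $value ) ) {
			// Multi-value fields (checkbox groups, multiselects) arrive as
			// arrays; sanitize each entry with the single-line sanitizer.
			$posted[ $field ] = pdb_example_strip_html( $value );
		} elseif ( is_string( $value ) ) {
			$posted[ $field ] = in_array( $field, PDB_EXAMPLE_TEXTAREA_FIELDS, true )
				? sanitize_textarea_field( $value )
				: sanitize_text_field( $value );
		}
		// Non-string scalars (ints, bools, null) are left untouched.
	}

	return $posted;
}

add_filter( 'pdb-before_submit_signup', 'pdb_example_strip_html' );
add_filter( 'pdb-before_submit_update', 'pdb_example_strip_html' );
```

With this in place a first name submitted as `<b>Jane</b>` is stored as `Jane`, and `<script>alert(1)</script>` collapses to `alert(1)`. Two caveats worth knowing before relying on it: a lone `<` that is not part of a tag (say, `<3`) is stored as `&lt;`, and the filters run silently, so a user never learns their input was altered. If you want the submitter to see an error instead, use the regex validation `/^[^<]+$/` mentioned above on the relevant fields; the two approaches can also be combined. Input sanitization here does not replace escaping on output; anything rendered into a page still needs the appropriate `esc_*()` call at the point of output.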
 *  Thread Starter [Trippetchz](https://wordpress.org/support/users/trippetchz/)
 * (@trippetchz)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/sanitizing-input/#post-17918713)
 * Hi there,
 * Thanks for your reply.
 * I’d like that, thanks—the option to totally disallow any HTML content in the 
   core plugin. I think I’ll wait for that to get deployed 😉
 * Cheers,
   T
 *  Thread Starter [Trippetchz](https://wordpress.org/support/users/trippetchz/)
 * (@trippetchz)
 * [1 year, 8 months ago](https://wordpress.org/support/topic/sanitizing-input/#post-18028720)
 * Hi there, not rushing you or anything, no stress, but just wondering a potential
   ETA on this new feature? 🙂 Thanks! T
 *  Plugin Author [xnau webdesign](https://wordpress.org/support/users/xnau/)
 * (@xnau)
 * [1 year, 7 months ago](https://wordpress.org/support/topic/sanitizing-input/#post-18056000)
 * This is coming in the next update; we’re at least a week out from that.


The topic ‘Sanitizing input?’ is closed to new replies.

 * [Participants Database](https://wordpress.org/plugins/participants-database/)

## Tags

 * [sanitation](https://wordpress.org/support/topic-tag/sanitation/)
 * [user input](https://wordpress.org/support/topic-tag/user-input/)

 * 6 replies
 * 2 participants
 * Last reply from: [xnau webdesign](https://wordpress.org/support/users/xnau/)
 * Last activity: [1 year, 7 months ago](https://wordpress.org/support/topic/sanitizing-input/#post-18056000)
 * Status: not resolved