Skip Navigation

[Résolu] General Question About Escaping & Sanitization

This support ticket is created Il y a 5 années. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Aucun de nos assistants n'est disponible aujourd'hui sur le forum Jeu d'outils. Veuillez créer un ticket, et nous nous le traiterons dès notre prochaine connexion. Merci de votre compréhension.

Sun Mon Tue Wed Thu Fri Sat
- - 14:00 – 20:00 14:00 – 20:00 14:00 – 20:00 14:00 – 20:00 14:00 – 20:00
- - - - - - -

Supporter timezone: Asia/Ho_Chi_Minh (GMT+07:00)

Ce sujet contient 3 réponses, a 2 voix.

Dernière mise à jour par julieP Il y a 5 années.

Assisté par: Beda.

Auteur
Publications
#1384795

I've been under the impression that all necessary escaping & sanitization is performed automatically when using Toolset plugins (as indicated here https://toolset.com/forums/topic/cred-data-sanitization-and-escaping/).

However, I've seen this recent ticket: https://toolset.com/forums/topic/how-to-escape-characters-in-loop-editor/ and am wondering why it would be necessary to specifically escape the double quotes inside a View?

#1384877

Well, for starters that is not the front end like a Form, where potentially dangerous JS code can be added by malicious guests, so the Content Templates or View loop editors logically will not remove any code you add to it.

Why that particular user wants to do what is described in that ticket is entirely unclear to me.

If you want to add an email, or "", or whatever code you want to a Content Template, you just add it.
It won't break or change the input, and since you will trust Administrators to not store malicious JS code in a Content Template they create, there is less of a worry as well to escape that input.

Of course Toolset ensures (still) every WordPress implementation of security is followed, and it's impossible to "hack" Toolset like that (at least, by what I know)

Sometimes it's required to use HTML encoded character to then output them properly on the Front end, but that is a very rare case, and by what I see in that ticket linked, not the case there.
I mean, to add an email link, you just add this to a Content Template or View Loop:

<a href="mailto:name@email.com">Link text</a>

That's it, it'll work and not be unsafe.

There is no reason to encode or escape any of the HTML characters as they are valid entities, and not unsafe.

Maybe I misunderstand the issue and will better understand with some context, please feel free to elaborate in this case, so I can give a more appropriate update

Thanks!

#1385131

Hi Beda

Many thanks for your response - especially on a weekend!

You've understood my question perfectly and your clarification confirms what I believed to be the case.

#1385133

My issue is resolved now. Thank you!