Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Variables and options must be escaped when echo'd #172

Closed
remcotolsma opened this issue Feb 13, 2024 · 0 comments
Closed

Variables and options must be escaped when echo'd #172

remcotolsma opened this issue Feb 13, 2024 · 0 comments
Assignees
@remcotolsma

Comments

@remcotolsma
Copy link
Member

remcotolsma commented Feb 13, 2024
edited
Loading

## Variables and options must be escaped when echo'd

Much related to sanitizing everything, all variables that are echoed need to be escaped when they're echoed, so it can't hijack users or (worse) admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data, as well as some that will allow you to echo HTML safely.

At this time, we ask you escape all $-variables, options, and any sort of generated data when it is being echoed. That means you should not be escaping when you build a variable, but when you output it at the end. We call this 'escaping late.'

Besides protecting yourself from a possible XSS vulnerability, escaping late makes sure that you're keeping the future you safe. While today your code may be only outputted hardcoded content, that may not be true in the future. By taking the time to properly escape when you echo, you prevent a mistake in the future from becoming a critical security issue.

This remains true of options you've saved to the database. Even if you've properly sanitized when you saved, the tools for sanitizing and escaping aren't interchangeable. Sanitizing makes sure it's safe for processing and storing in the database. Escaping makes it safe to output.

Also keep in mind that sometimes a function is echoing when it should really be returning content instead. This is a common mistake when it comes to returning JSON encoded content. Very rarely is that actually something you should be echoing at all. Echoing is because it needs to be on the screen, read by a human. Returning (which is what you would do with an API) can be json encoded, though remember to sanitize when you save to that json object!

There are a number of options to secure all types of content (html, email, etc). Yes, even HTML needs to be properly escaped.

https://developer.wordpress.org/apis/security/escaping/

Remember: You must use the most appropriate functions for the context. There is pretty much an option for everything you could echo. Even echoing HTML safely.

Example(s) from your plugin:

pronamic-pay-with-mollie-for-ninja-forms/packages/wp-pay/core/views/meta-box-payment-info.php:712 echo nl2br( esc_html( (string) $address ) );
pronamic-pay-with-mollie-for-ninja-forms/packages/wp-pay/core/views/meta-box-payment-info.php:693 echo nl2br( esc_html( (string) $address ) );

Originally posted by @remcotolsma in pronamic/pronamic-pay-with-mollie-for-ninja-forms#2
@remcotolsma remcotolsma self-assigned this Feb 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@remcotolsma remcotolsma

Labels
None yet
Projects
Pronamic Pay
Status: Done
Milestone
No milestone
Development

No branches or pull requests
1 participant
@remcotolsma