php - WordPress Coding Error: Non-sanitized input variables (PHP, HTML)

I'm currently trying to keep to WordPress coding standards for an important exercise/job with an index page that loops through random posts. I'm using PHP Code Sniffer and getting this error:

Detected usage of a non-sanitized input variable: $_GET['my_posts_per_page']

Here is my code:

function my_random_posts() {
  $my_posts_per_page = ! empty( wp_verify_nonce( $_GET['my_posts_per_page'] ) ) ? wp_verify_nonce( $_GET['my_posts_per_page'] ) : 10;
  $randomised_posts = wp_get_random_posts( $number = $my_posts_per_page );
  $output = '';
  foreach ( $randomised_posts as $randomised_post ) {
    $output .= '<li>';
    $output .= '<h3>' . wptexturize( $randomised_post->post_title ) . '</h3>
                <p>' . wptexturize( $randomised_post->post_content ) . '</p>
                <a href="' . get_permalink( $randomised_post->ID ) . '" title="' . esc_attr( wptexturize( $randomised_post->post_title ) ) . '">' . 'Read More' . '</a>
                </li>';
  }
  $output = '<ul class="randome_post">' . $output . '</ul>';
  echo esc_html( $output );
}

Also on the same line I'm getting this error:

Notice: Undefined index: my_posts_per_page

I've been scratching my head for hours here. Also, using the escape function on echo esc_html($output); now just brings all the code in (I know this is the purpose of the escaping function), but what's the point of this for security when it shows the HTML without any embedded li, p, h3 tags, just the tags themselves? For example:

<ul class="random_post"><li><h3>Hello world!</h3>  

What do I do with the escaped HTML to get it to render correctly? And why am I getting an Undefined index?

Answer

Solution:

For the actual post content, you might want to consider using the WordPress function wp_kses_post(), such as:

echo wp_kses_post( $content );

If it is just a small attribute for use within a tag, try using the WordPress function esc_attr(), such as:

echo esc_attr( $attribute );

These will remove PHP code sniffer errors.
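Putting the answer's per-context escaping together with the input handling the sniffer was complaining about, here is a hardened version of the function from the question. This is an added example, not the asker's or the answerer's code; it assumes it runs inside a WordPress theme or plugin, swaps wp_get_random_posts() for get_posts() with orderby => rand, and the 1..50 clamp is an arbitrary choice.

```php
<?php
/**
 * Hardened rewrite of the question's my_random_posts() (added example).
 * Assumes WordPress is loaded; the upper bound of 50 is an assumed policy value.
 */
function my_random_posts_safe() {
	// Validate: isset() is what removes the "Undefined index" notice.
	// Sanitize: absint() casts the raw value to a non-negative integer, which is
	// the only thing a page size can be, and satisfies WPCS ValidatedSanitizedInput.
	// A nonce is not a sanitizer: wp_verify_nonce() checks a token, it never
	// cleans data, so the original code was still passing $_GET straight through.
	// A public, display-only GET parameter needs no nonce, hence the phpcs:ignore.
	$per_page = isset( $_GET['my_posts_per_page'] ) ? absint( $_GET['my_posts_per_page'] ) : 10; // phpcs:ignore WordPress.Security.NonceVerification.Recommended

	// Constrain: clamp so a visitor cannot request an arbitrarily large result set.
	$per_page = max( 1, min( $per_page, 50 ) );

	$items = get_posts(
		array(
			'numberposts' => $per_page,
			'orderby'     => 'rand',
			'post_status' => 'publish',
		)
	);

	// Escape late and per context, never the finished markup: esc_html() on the
	// whole string turns your own <ul>/<li> into visible text, which is exactly
	// what the question observed.
	echo '<ul class="random_post">';
	foreach ( $items as $item ) {
		$title = wptexturize( $item->post_title );
		echo '<li>';
		echo '<h3>' . esc_html( $title ) . '</h3>';                                  // text node
		echo '<p>' . wp_kses_post( wptexturize( $item->post_content ) ) . '</p>';     // allowed post HTML only
		echo '<a href="' . esc_url( get_permalink( $item->ID ) ) . '"'               // URL context
			. ' title="' . esc_attr( $title ) . '">Read More</a>';                   // attribute context
		echo '</li>';
	}
	echo '</ul>';
}
```

The three steps (validate, sanitize, constrain) happen where the value enters; escaping happens where each value leaves, and the escaper is chosen by the HTML context it lands in.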
