sanitize, escape, and validate POST calls about agora-wordpress HOT 2 CLOSED

Please sanitize, escape, and validate your POST calls

When you include POST/GET/REQUEST/FILE calls in your plugin, it's important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: Data that is input (either by a user or automatically) must be sanitized. This lessens the possibility of XSS vulnerabilities and MITM attacks where posted data is subverted.

VALIDATE: All data should be validated as much as possible. Even when you sanitize, remember that you don’t want someone putting in ‘dog’ when the only valid values are numbers.

ESCAPE: Data that is output must be escaped properly, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

To help you with this, WordPress comes with a number of sanitization and escaping functions. You can read about those here:

https://developer.wordpress.org/plugins/security/securing-input/
https://developer.wordpress.org/plugins/security/securing-output/

Remember: You must use the most appropriate functions for the context. If you’re sanitizing email, use sanitize_email(), if you’re outputting HTML, use esc_html(), and so on.

Clean everything, check everything, escape everything, and never trust the users to always have input sane data.

Example(s) from your plugin:

Agora-Word-Press/admin/class-agora-channels-list-table.php:86: $args['s'] = $_REQUEST['s'];
Agora-Word-Press/admin/class-wp-agora-io-admin.php:205: isset( $_GET['page'] ) ? trim( $_GET['page'] ) : '',
Agora-Word-Press/admin/class-wp-agora-io-admin.php:210: $id = isset( $_POST['post_ID'] ) ? $_POST['post_ID'] : '-1';

from agora-wordpress.

New instances have been flagged by WP during the plugin review.

from agora-wordpress.