Validating text area
WordPress runs kses on the pre_comment_content filter, for example, to filter the HTML in a comment before it is saved. Note that the kses system can be resource-intensive, so it should not be run as an output sanitization filter on every page view; run it as a filter on data after it has been received and processed, before it is saved to the database.

esc_url_raw() does not encode characters as HTML entities: use it when storing a URL in the database, or in other cases where you need the non-encoded URL.

Database queries: $wpdb->prepare() takes a format string with %s (string) and %d (integer) placeholders and escapes each argument for you before it is substituted into the query, so the values need no manual escaping:

    $wpdb->query(
        $wpdb->prepare(
            "SELECT something FROM table WHERE foo = %s and status = %d",
            $name,   // an unescaped string (function will do the sanitization for you)
            $status  // an untrusted integer (function will do the sanitization for you)
        )
    );

HTTP headers: header splitting attacks are annoying since they are dependent on the HTTP client. WordPress does use user generated content in HTTP Location headers, and provides sanitization for those.

Escape data as close to the point of output as possible, with the function that matches the output context. This way you can always be sure that your data is properly validated/escaped, and you don't need to remember whether the variable has been previously validated.
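The following is an added example, not code from this page or from WordPress core, showing the $wpdb->prepare() pattern beside the string-concatenation it replaces, and the extra step that LIKE queries need. The table name, column names and function names are assumptions.

```php
<?php
// Added example (not WordPress core code). Table 'items' with columns
// id, name, status is assumed; it is created via $wpdb->prefix so the
// only untrusted values are the function arguments.

// Vulnerable: $name is concatenated straight into the SQL. A constructed
// value such as   x' OR '1'='1   rewrites the WHERE clause, and a $status
// of   1 OR 1=1   does the same, because nothing is quoted or cast.
function get_items_unsafe( $name, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'items';   // assumed table
    $sql   = "SELECT id, name FROM {$table} WHERE name = '$name' AND status = $status";
    return $wpdb->get_results( $sql );
}

// Hardened: every untrusted value goes through a placeholder.
//   %s  is quoted and escaped as a string, so the quote in x' OR '1'='1
//       becomes part of the compared value instead of ending it;
//   %d  is cast to an integer, so "1 OR 1=1" becomes the integer 1.
// The table name is trusted (built from $wpdb->prefix), so it may be
// interpolated; a literal % in the format string would have to be written %%.
function get_items( $name, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'items';
    $sql   = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name = %s AND status = %d",
        $name,
        $status
    );
    return $wpdb->get_results( $sql );
}

// LIKE patterns need one more step: prepare() escapes quotes but not the
// LIKE wildcards % and _, so a fragment of "%" alone would match every row.
// $wpdb->esc_like() escapes the wildcards; the surrounding % are ours.
function search_items( $fragment ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'items';
    $pattern = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $pattern )
    );
}
```

The point of the hardened form is that escaping is tied to the placeholder type, not to where the value came from: get_items() is safe whether or not the caller already sanitized $name, which is the same "escape late, at the point of use" discipline as the output functions.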
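An added example, not from this page or WordPress core, of the division of labour described above: kses runs once on the way in, on a save-time filter, with an explicit allowed-list; the cheap context escaping functions run at output. The allowed-list, the function names and the submitted comment text are all constructed for the example.

```php
<?php
// Added example (not WordPress core code). The allowed-list and the
// submitted comment below are constructed; hook and function names
// beginning with example_ are assumptions.

// Allowed-list for the data being saved, in wp_kses() form: tag => attributes.
// Anything not listed (script, onclick, inline style) is stripped.
function example_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'code'   => array(),
    );
}

// Save-time filter: this is where kses belongs. It runs once per submitted
// comment, and what it returns is what gets stored, so the output path
// never has to repeat the expensive parse on every page view.
function example_filter_comment_html( $content ) {
    return wp_kses( $content, example_allowed_html() );
}
add_filter( 'pre_comment_content', 'example_filter_comment_html' );

// Constructed comment text an attacker might submit.
$submitted = '<a href="javascript:alert(1)" onclick="steal()">click</a>'
           . '<script>document.location="https://evil.example/"</script>'
           . '<strong>fine</strong>';

// With the allowed-list above, wp_kses() keeps the <a> but drops onclick,
// removes the javascript: scheme from href because it is not an allowed
// protocol, strips the <script> tags (their text content remains as plain
// text) and leaves <strong> intact.
$stored = apply_filters( 'pre_comment_content', $submitted );

// Output: escape plain-text fields here, at the point of output, with the
// function for the context they land in, regardless of whether they were
// validated earlier. The HTML body was already reduced to the allowed-list
// when it was saved, so it is printed as stored rather than re-filtered.
function example_render_comment( $stored_html, $author_name, $author_url ) {
    echo '<p class="author"><a href="' . esc_url( $author_url ) . '">'
       . esc_html( $author_name ) . '</a></p>';
    echo '<div class="comment">' . $stored_html . '</div>';
}
```

If the stored HTML may have been written by paths that did not run kses (imports, direct database edits), that assumption no longer holds and the body has to be filtered on output as well; the cost the text warns about is the price of not controlling the input side.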
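An added example, not from this page or WordPress core, of the Location header problem: a redirect handler that takes its target from the request, first written with a raw header() call and then with wp_safe_redirect(). The query parameter name, the hook function and the extra allowed host are assumptions.

```php
<?php
// Added example (not WordPress core code). The 'redirect_to' parameter
// and the 'accounts.example' host are assumptions for the example.

// Vulnerable pattern: the raw value goes into the Location header. A
// constructed target of
//   /account%0d%0aSet-Cookie:%20session=attacker
// arrives in $_GET as a CR LF pair followed by a second header line. A client
// that honours the injected line break ends Location early and treats
// Set-Cookie as a header of its own; whether it does is up to the client,
// which is what makes these attacks awkward. (Modern PHP's header() refuses a
// value containing a newline, but that protects only this one call in one
// runtime, not every place a header can be emitted.)
function example_redirect_unsafe() {
    $target = isset( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : '/';
    header( 'Location: ' . $target );
    exit;
}

// Hardened: wp_safe_redirect() passes the target through
// wp_sanitize_redirect(), which strips characters that do not belong in a
// URL (CR and LF included), and then wp_validate_redirect(), which rejects
// any host other than the site's own or one listed by the
// allowed_redirect_hosts filter, falling back to the admin URL. That also
// closes the open-redirect hole the unsafe version has.
function example_redirect_safe() {
    $target = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '/';
    wp_safe_redirect( $target );
    exit;
}

// Hosts this site is willing to send users to (assumed). Without this
// filter only the site's own host passes wp_validate_redirect().
function example_allowed_redirect_hosts( $hosts ) {
    $hosts[] = 'accounts.example';
    return $hosts;
}
add_filter( 'allowed_redirect_hosts', 'example_allowed_redirect_hosts' );
```

wp_redirect() applies the same character sanitization but not the host check, so use wp_safe_redirect() whenever the destination is influenced by the request.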