Notes on WordPress Plugin Development

Using CURL Instead of HTTP API

WordPress ships an extensive HTTP API (wp_remote_get(), wp_remote_post() and related helpers) that should be used instead of hand-rolled curl calls. It is both faster to work with and more complete. It will use curl as a transport when it has to, but it layers WordPress' own handling (proxy settings, filters, certificate verification, and WP_Error reporting) on top first.

Note: curl used inside third-party vendor libraries bundled with the plugin is permitted.
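As an added example (not code from the original page), here is what a request through the HTTP API looks like with the error handling a reviewer expects to see. The endpoint URL and the function name are assumptions for illustration; the WordPress functions used are the real ones.

```php
<?php
/**
 * Added example: fetch a JSON status document with the WordPress HTTP API
 * instead of curl_init()/curl_exec(). The URL is an assumed placeholder.
 */
function myplugin_fetch_status() {
    $url = 'https://api.example.com/v1/status'; // assumed endpoint

    $response = wp_remote_get(
        $url,
        array(
            'timeout'     => 10,  // the 5s default is fine for cron, short for an admin page
            'redirection' => 2,
            'headers'     => array( 'Accept' => 'application/json' ),
            // Do NOT add 'sslverify' => false. The HTTP API verifies
            // certificates by default; disabling that is the mistake most
            // hand-written curl code makes (CURLOPT_SSL_VERIFYPEER = false).
        )
    );

    // Transport-level failure (DNS, TLS, timeout) comes back as WP_Error,
    // not as an array, so it must be checked before touching the body.
    if ( is_wp_error( $response ) ) {
        error_log( 'myplugin: status fetch failed: ' . $response->get_error_message() );
        return null;
    }

    $code = wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        error_log( 'myplugin: unexpected HTTP status ' . $code );
        return null;
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return null; // a non-JSON body is a failure, not data
    }

    return $data;
}

/**
 * Added example: posting JSON. The body is encoded explicitly; passing an
 * array as 'body' would send it form-encoded instead.
 */
function myplugin_report_event( array $event ) {
    $response = wp_remote_post(
        'https://api.example.com/v1/events', // assumed endpoint
        array(
            'timeout' => 10,
            'headers' => array( 'Content-Type' => 'application/json' ),
            'body'    => wp_json_encode( $event ),
        )
    );

    return ! is_wp_error( $response )
        && 2 === (int) floor( wp_remote_retrieve_response_code( $response ) / 100 );
}
```

If the URL comes from user input (a webhook setting, an "import from URL" field), use wp_safe_remote_get() / wp_safe_remote_post() instead: the "safe" variants run the URL through wp_http_validate_url(), which rejects non-HTTP(S) schemes and private or loopback addresses, so the request cannot be pointed at internal services from the outside.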

Data Must be Sanitized, Escaped, and Validated

When your plugin reads from $_POST, $_GET, $_REQUEST or $_FILES, it is important to sanitize, validate, and escape that data. The goal is to stop a user from accidentally pushing junk data through the system, and to protect them from real security issues.

  • SANITIZE: Data that comes in (whether typed by a user or supplied automatically) must be sanitized as soon as possible. This lessens the possibility of XSS and other injection vulnerabilities arising from tampered or attacker-crafted input. Sanitizing is not a defense against interception in transit; TLS is.

  • VALIDATE: All data should be validated, no matter what. Even after sanitizing, remember that you don't want someone submitting 'dog' when the only valid values are numbers. Sanitizing coerces data into a shape; validating decides whether that shape is acceptable.

  • ESCAPE: Data that is output must be escaped properly when it is echoed, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

WordPress comes with a number of sanitization (sanitize_*()) and escaping (esc_*()) functions.

Remember: You must use the most appropriate function for the context. If you're sanitizing an email address, use sanitize_email(); if you're outputting HTML text, use esc_html(); and so on.

Before sanitizing, strip the slashes WordPress adds to the superglobals, otherwise every quote in the submitted data arrives escaped with a backslash:

```php
// WordPress adds slashes to $_POST/$_GET/$_REQUEST; remove them first,
// then sanitize and validate each field of $body individually.
$body = wp_unslash( $_POST );
```
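The three steps above, plus the capability and nonce checks that go with any form handler, as an added example (not code from the original page). The field names, nonce action, option key and function names are assumptions for illustration; the WordPress functions are real.

```php
<?php
/**
 * Added example: one admin form handler that unslashes, sanitizes,
 * validates, and then escapes on output. Names are assumed placeholders.
 */

// Runs on admin_post_{action} for logged-in users.
function myplugin_handle_settings_post() {
    // 1. Authorization and CSRF: who may do this, and did they mean to?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'myplugin_save_settings' ); // dies on a bad/missing nonce

    // 2. Unslash first: WordPress adds slashes to the superglobals.
    $post = wp_unslash( $_POST );

    // 3. Sanitize: coerce each field to the type its context expects.
    $email = isset( $post['notify_email'] ) ? sanitize_email( $post['notify_email'] ) : '';
    $limit = isset( $post['rate_limit'] ) ? absint( $post['rate_limit'] ) : 0;
    $label = isset( $post['label'] ) ? sanitize_text_field( $post['label'] ) : '';

    // 4. Validate: sanitized is not the same as acceptable.
    $errors = array();
    if ( '' === $email || ! is_email( $email ) ) {
        $errors[] = 'notify_email must be a valid address';
    }
    if ( $limit < 1 || $limit > 1000 ) {   // absint('dog') is 0, so 'dog' is rejected here
        $errors[] = 'rate_limit must be between 1 and 1000';
    }
    if ( strlen( $label ) > 64 ) {
        $errors[] = 'label must be 64 characters or fewer';
    }
    if ( $errors ) {
        set_transient( 'myplugin_errors_' . get_current_user_id(), $errors, 60 );
        wp_safe_redirect( wp_get_referer() ?: admin_url() );
        exit;
    }

    update_option( 'myplugin_settings', compact( 'email', 'limit', 'label' ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_settings_post' );

// 5. Escape at output, choosing the function by context:
//    esc_attr() inside attributes, esc_html() in text, esc_url() in href/action.
function myplugin_render_settings_form() {
    $s = get_option( 'myplugin_settings', array( 'email' => '', 'limit' => 100, 'label' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings' ); ?>
        <input type="hidden" name="action" value="myplugin_save_settings">
        <p><label>Notify email
            <input type="email" name="notify_email" value="<?php echo esc_attr( $s['email'] ); ?>">
        </label></p>
        <p><label>Rate limit
            <input type="number" name="rate_limit" value="<?php echo esc_attr( $s['limit'] ); ?>">
        </label></p>
        <p><label>Label
            <input type="text" name="label" value="<?php echo esc_attr( $s['label'] ); ?>">
        </label></p>
        <p>Current label: <?php echo esc_html( $s['label'] ); ?></p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Note that the stored value is sanitized once on the way in but escaped every time it is rendered: what is stored in the option table is not trusted at output time, because the same option can be written by other code paths (WP-CLI, another plugin, a direct database edit).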