Your code works, but is it safe? When writing code for the WordPress.com VIP environment, you’ll need to be extra cautious of how you handle data coming into WordPress and how it’s presented to the end user. Here are some tips to get your started:
- Don’t trust user input or third-party APIs. Always make sure to validate and sanitize all data that can be populated from “outside.” Review our document on Validating, Sanitizing, and Escaping to learn how.
- Try to exploit your code with common XSS methods as a test. Visit http://ha.ckers.org/xss.html for a list of basic XSS attacks and make sure pasting these snippets to input fields or url parameters will not harm your site.
- Make sure to implement nonces to avoid duplicate submission of forms and fraud activities. See http://codex.wordpress.org/WordPress_Nonces
- When adding menus or registering your plugins, make sure that you use an unique handle or slug other than
__FILE__to ensure that you are not revealing system paths.