How to Use the sanitize_callback When Using the WordPress register_setting() Function
One of the many issues we now check for when doing security reviews of WordPress plugins is proper usage of the sanitize_callback when using register_setting() to register settings. That helps to make sure that settings of the plugin don’t contain input that they shouldn’t. After finding that a plugin we were doing a review of lacked usage of that, we couldn’t find good documentation written specifically on implementing that to send them a link to. Their attempt to implement it went wrong, suggesting even more need for having better documentation on that. We have provided the basics on that below, but if there is more that needs to be added, please let us know in the comments.
Registering the sanitize_callback
The format of the register_setting() function is this:
register_setting( string $option_group, string $option_name, array $args = array() )
The third parameter allows specifying several options. One of those is sanitize_callback, which is described in the documentation as “[a] callback function that sanitizes the option’s value.”
Using the plugin we looked at in the review, one of the registrations previously looked like this:
register_setting('settings_page_general_settings_page', 'proxycheck_io_risk');
You can see it only has two parameters, so there isn’t a sanitize_callback. The developer tried to add a call to a sanitization function named maspik_settings_sanitize_callback() this way:
register_setting('settings_page_general_settings_page', 'abuseipdb_api', 'maspik_settings_sanitize_callback');
But the parameter needs to be an array and the sanitize_callback needs to be included in that array (the sanitize callback also was in a class, so it needed to be called correctly):
register_setting('settings_page_general_settings_page', 'abuseipdb_api', array('sanitize_callback' => array( $this, 'maspik_settings_sanitize_callback')));
The function being called then calls the function sanitize_text_field():
public function maspik_settings_sanitize_callback($input) { return sanitize_text_field($input); }
That code can be simplified by taking out the extra function created by the developer, which then looks like this:
register_setting('settings_page_general_settings_page', 'abuseipdb_api', array('sanitize_callback' => 'sanitize_text_field'));
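To show where those registrations sit in a working plugin, here is an added example (it is not code from the plugin we reviewed; the class name, option group and option names are made up for illustration). It registers one setting with a plain WordPress function as the callback and one with a method on the class, using the array( $this, 'method' ) form shown above, and renders the form that saves them. The callback runs because register_setting() attaches it to the sanitize_option_{$option_name} filter, which update_option() applies when options.php saves the form.

```php
<?php
/*
Plugin Name: Example Settings Sanitization
*/
// Added example, not the plugin discussed in the article. The class name,
// option group and option names are assumptions chosen for illustration.

class Example_Settings {
    const GROUP = 'example_settings_group';

    public function __construct() {
        // register_setting() must run on every admin request that may save or
        // read the setting, so it is hooked to admin_init, not run once on activation.
        add_action( 'admin_init', array( $this, 'register' ) );
        add_action( 'admin_menu', array( $this, 'add_page' ) );
    }

    public function register() {
        // The third argument is an array; 'sanitize_callback' holds any PHP callable.
        // A plain function name is enough when a built-in WordPress sanitizer fits.
        register_setting( self::GROUP, 'example_api_key', array(
            'type'              => 'string',
            'default'           => '',
            'sanitize_callback' => 'sanitize_text_field',
        ) );

        // A method on this object has to be passed as array( $this, 'method_name' );
        // a bare string with the method name is not callable and would be ignored.
        register_setting( self::GROUP, 'example_contact_email', array(
            'type'              => 'string',
            'default'           => '',
            'sanitize_callback' => array( $this, 'sanitize_email_setting' ),
        ) );
    }

    public function sanitize_email_setting( $input ) {
        // sanitize_email() strips characters not valid in an address and returns '' if none remain.
        return sanitize_email( $input );
    }

    public function add_page() {
        add_options_page( 'Example Settings', 'Example Settings', 'manage_options',
            'example-settings', array( $this, 'render_page' ) );
    }

    public function render_page() {
        ?>
        <div class="wrap">
            <form method="post" action="options.php">
                <?php settings_fields( self::GROUP ); // nonce plus the option_page field that ties the POST to the group ?>
                <p><label>API key
                    <input type="text" name="example_api_key"
                           value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>"></label></p>
                <p><label>Contact e-mail
                    <input type="text" name="example_contact_email"
                           value="<?php echo esc_attr( get_option( 'example_contact_email', '' ) ); ?>"></label></p>
                <?php submit_button(); ?>
            </form>
        </div>
        <?php
    }
}

new Example_Settings();
```

When the form posts to options.php, WordPress calls update_option() for each option registered in the group, and update_option() passes the submitted value through sanitize_option(), which is where the callback is applied. Values written with update_option() from your own code go through the same callback, so the sanitization is not tied to the settings page alone.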
Using the Proper Sanitization Function
You want to do sanitization that is relevant to what the setting value should contain. The sanitization function used above, sanitize_text_field(), is one of many sanitization functions provided by WordPress. Those should address many types of settings. PHP also offers other options, including many available through the filter_var() function. You can also write your own, if none of those address the situation.
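As an added example of matching the sanitizer to the setting (not code from the plugin reviewed; the option names, value ranges and text domain are made up), the callbacks below handle three common shapes of setting: a bounded integer checked with PHP's filter_var(), an API key reduced to the character set a key can contain, and a URL restricted to https with WordPress's esc_url_raw(). Where a value is rejected outright, the callback reports the problem with add_settings_error() and returns the value already stored, so a bad submission neither saves nor silently wipes the setting.

```php
<?php
// Added example, not code from the plugin reviewed above. Option names,
// ranges and the text domain are assumptions chosen for illustration.

// A setting that must be a whole number from 0 to 100. filter_var() validates
// the range; a rejected value is reported and the stored value is kept.
function example_sanitize_risk_score( $input ) {
    $value = filter_var( $input, FILTER_VALIDATE_INT, array(
        'options' => array( 'min_range' => 0, 'max_range' => 100 ),
    ) );
    if ( false === $value ) {
        add_settings_error(
            'example_risk_score',
            'invalid_risk_score',
            __( 'Risk score must be a whole number from 0 to 100.', 'example' )
        );
        return (int) get_option( 'example_risk_score', 50 );
    }
    return $value;
}

// A setting that must be an API key: keep only the characters such a key can
// contain and cap the length, so markup or script fragments cannot be stored.
function example_sanitize_api_key( $input ) {
    $value = preg_replace( '/[^A-Za-z0-9]/', '', (string) $input );
    return substr( $value, 0, 64 );
}

// A setting that must be an https URL. esc_url_raw() returns '' for any scheme
// not in the allowed list, which here is https only.
function example_sanitize_webhook_url( $input ) {
    $raw   = trim( (string) $input );
    $value = esc_url_raw( $raw, array( 'https' ) );
    if ( '' === $value && '' !== $raw ) {
        add_settings_error(
            'example_webhook_url',
            'invalid_webhook_url',
            __( 'Webhook URL must start with https://.', 'example' )
        );
        return (string) get_option( 'example_webhook_url', '' );
    }
    return $value;
}

add_action( 'admin_init', function () {
    register_setting( 'example_group', 'example_risk_score', array(
        'type'              => 'integer',
        'default'           => 50,
        'sanitize_callback' => 'example_sanitize_risk_score',
    ) );
    register_setting( 'example_group', 'example_api_key', array(
        'type'              => 'string',
        'default'           => '',
        'sanitize_callback' => 'example_sanitize_api_key',
    ) );
    register_setting( 'example_group', 'example_webhook_url', array(
        'type'              => 'string',
        'default'           => '',
        'sanitize_callback' => 'example_sanitize_webhook_url',
    ) );
} );
```

The difference between the integer and URL callbacks on one side and the API key callback on the other is deliberate: a number or URL is either valid or not, so rejecting it and keeping the old value is the clearer behaviour, while stripping characters from a key gives a result that may look accepted but no longer works. For a key you may prefer the reject-and-report pattern as well; the point is to decide per setting what the value must look like and enforce exactly that.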
Testing the Results
Once you have implemented the sanitize_callback it is a good idea to test out to make sure it is removing things that shouldn’t be in the setting, but not removing anything that should be in the setting. That clearly didn’t happen with the plugin we did the review of, as the developer didn’t notice it wasn’t working.
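One way to make that check repeatable, added here as an example rather than taken from the plugin reviewed, is a test in the plugin's PHPUnit suite. It assumes the WordPress core test environment (WP_UnitTestCase, with the set_up()/tear_down() method names used since WordPress 5.9) and the registration shown earlier in the article, option abuseipdb_api with sanitize_text_field as its callback. It calls sanitize_option(), which applies the same filter update_option() uses, so it exercises the registered callback rather than the sanitizing function in isolation, and it checks both directions: markup is removed, and a legitimate value survives.

```php
<?php
// Added example, not part of the plugin reviewed above. Assumes the WordPress
// PHPUnit test environment (WP_UnitTestCase, WordPress 5.9+ method names) and the
// registration from the article: option 'abuseipdb_api' sanitized by 'sanitize_text_field'.
class Test_Setting_Sanitization extends WP_UnitTestCase {
    const GROUP  = 'settings_page_general_settings_page';
    const OPTION = 'abuseipdb_api';

    public function set_up() {
        parent::set_up();
        // Register exactly as the plugin does, so the test goes through the real filter chain.
        register_setting( self::GROUP, self::OPTION, array(
            'sanitize_callback' => 'sanitize_text_field',
        ) );
    }

    public function tear_down() {
        unregister_setting( self::GROUP, self::OPTION );
        delete_option( self::OPTION );
        parent::tear_down();
    }

    // sanitize_option() applies the sanitize_option_{$option} filter that
    // register_setting() attached; a missing or mis-registered callback shows up
    // here as the input coming back unchanged.
    public function test_markup_is_removed() {
        $this->assertSame(
            'abc123',
            sanitize_option( self::OPTION, '<script>alert(1)</script>abc123' )
        );
    }

    // The other half of the check: a value that belongs in the setting is kept
    // (sanitize_text_field() only trims surrounding whitespace here).
    public function test_valid_value_is_preserved() {
        $this->assertSame( 'AbC123xyz', sanitize_option( self::OPTION, "  AbC123xyz\n" ) );
    }

    // Saving through update_option() must run the same callback, since that is
    // the path options.php takes when the settings form is submitted.
    public function test_update_option_runs_the_callback() {
        update_option( self::OPTION, '<b>key</b>' );
        $this->assertSame( 'key', get_option( self::OPTION ) );
    }
}
```

Had this test existed for the registration with a bare string as the third parameter, the first assertion would have failed with the tags still present, which is the symptom the developer missed. A quick manual equivalent without the test suite is to submit a value containing a tag through the settings page and confirm the stored option, as read back with get_option(), no longer contains it.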