daily notes

Coding standards help avoid common coding errors, improve the readability of code, and simplify modification. They ensure that files within the project appear as if they were created by a single person.
The WordPress commitment is to conform to all WCAG 2.2 Level A and Level AA guidelines. Conformance to level AAA success criteria is encouraged where relevant, as is exceeding the accessibility of any of these guidelines.
Level A success criteria address concerns considered to be accessibility barriers on a very wide scale that will prevent many people from accessing the site and the minimum set of accomplished goals required for the majority of web-based interfaces.
Level AA success criteria address concerns that are generally somewhat more complicated to address and may impact smaller groups of people, but are still common needs with broad reach.
Level AAA success criteria are mostly targeted at very specific needs and may be quite difficult to implement effectively.

WCAG 2.2 consists of 4 layers:

Principles
Guidance
Success criteria
Sufficient and advisory techniques

/*Correct Standard*/
#selector-1,
#selector-2,
#selector-3 {
    background: #fff;
    color: #000;
}

Use lowercase and separate words with hyphens when naming selectors. Avoid camelcase and underscores.
Attribute selectors should use double quotes around values.
Refrain from using over-qualified selectors

#comment-form {
    margin: 1em 0;
}

input[type="text"] {
    line-height: 1.1;
}

The baseline for ordering is:

Display
Positioning
Box model
Colors and Typography
Other

For tags that are self-closing, the forward slash should have exactly one space preceding it.

<br />

WordPress uses single quotation marks for string declarations.

Naming functions, classes, and variables

Functions
- Lowercase
- Underscore-separated
- Prefixed

myplugin_do_something();

class MyPlugin_Admin {}

$user_id = get_current_user_id();

<label for="email">
    <?php esc_html_e( 'Email Address', 'text-domain' ); ?>
</label>
<input type="email" id="email" name="email" />

SQL injection is just one attack trajectory. Script injection, such as in Cross-Site Scripting attacks, is another major concern. Ideally, data would be validated at input and sanitized or escaped at output.

HTML filtering functions

`wp_kses()`

Allows only specified HTML tags & attributes
Strips everything else
Used when you want limited HTML

`wp_kses_post()`

Allows HTML valid in post content
No <script> or form fields
Best for user-generated content

`wp_strip_all_tags()`

Removes all HTML tags
Also strips <script> and <style> content
Output = plain text

Escaping functions (`esc_*`)

Used when outputting data, not saving it.

`esc_html()`

Escapes text for HTML output
No HTML allowed

`esc_attr()`

Escapes data for HTML attributes
Example: values inside value=""

`esc_url()`

Escapes and validates URLs
Removes unsafe protocols

Translation + escaping (combined)

`esc_html__()`

Translate + escape HTML
Returns string

`esc_html_e()`

Translate + escape HTML
Echoes output

`esc_html_x()`

Translate + escape with context

`esc_attr__()`

Translate + escape for attributes

Sanitization functions (`sanitize_*`)

Used when saving input, not displaying it.

`sanitize_key()`

Lowercase alphanumeric + underscores only
Good for option names, keys

`sanitize_title()`

Creates URL-safe slugs
Used for post slugs

`sanitize_email()`

Cleans email address
Removes invalid characters

`is_email()`

Validates email format
Returns email or false

PHP input filtering functions

`filter_input()`

Fetches and sanitizes input from GET, POST, etc.
Safer than direct $_POST access

`filter_var()`

Validates or sanitizes a variable
Used for emails, URLs, integers, etc.

Task	Use
Allow some HTML	`wp_kses()`
Post content HTML	`wp_kses_post()`
Remove all HTML	`wp_strip_all_tags()`
Output text	`esc_html()`
Output attribute	`esc_attr()`
Save input	`sanitize_*()`
Validate input	`is_email()`, `filter_var()`

wp_kses() sanitizes HTML; esc_*() escapes output.
sanitize_text_field() is a WordPress-opinionated sanitizer with safe defaults, while PHP’s filter_* functions are generic and configurable. In WordPress development, core sanitize functions are preferred to ensure consistency with WordPress security and coding standards.

General nonce

A number used once
Usually random
Prevents replay attacks
Often truly single-use

WordPress nonce

Not strictly “used once”
✔ Time-based + user-based token
Protects against CSRF, not replay attacks
Valid for a time window

How they’re created

wp_create_nonce( 'my_action' );

How they’re verified

check_admin_referer( 'my_action' ); // or wp_verify_nonce( $_REQUEST['_wpnonce'], 'my_action' );

Logging in or out invalidates existing nonces

sanitize_text_field()	//Plain text
sanitize_textarea_field()	//Multiline text
sanitize_email()	//Emails
sanitize_key()	//Keys, slugs
sanitize_title()	//Post slugs
sanitize_file_name()	//File uploads
sanitize_html_class()	//CSS classes
sanitize_user()	//Usernames
sanitize_url()	//URLs (basic)
sanitize_hex_color()	//Colors

Naming functions, classes, and variables#

HTML filtering functions#

wp_kses()#

wp_kses_post()#

wp_strip_all_tags()#

Escaping functions (esc_*)#

esc_html()#

esc_attr()#

esc_url()#

Translation + escaping (combined)#

esc_html__()#

esc_html_e()#

esc_html_x()#

esc_attr__()#

Sanitization functions (sanitize_*)#

sanitize_key()#

sanitize_title()#

sanitize_email()#

is_email()#

PHP input filtering functions#

filter_input()#

filter_var()#

How they’re created#

How they’re verified#