Validating a database
To instruct the validator to ignore the user's ID, we'll use the
The field under validation must be a valid URL.
Sanitizes an HTML class name to ensure it only contains valid characters.
Note that the kses system can be resource-intensive, and should therefore not be run as an output sanitization filter directly, but as a filter to data after it has been input and processed, before it is saved in the database.
WordPress runs kses on the pre_comment_content filter, for example, to filter the HTML before saving the comment.
This function does not encode characters as HTML entities: use it when storing a URL, or in other cases where you need the non-encoded URL.
This functionality can be replicated in the old prepare() call, where the placeholders (%s, %d) are filled in by prepare() so the caller never has to escape the values by hand:

$wpdb->query( $wpdb->prepare(
    "SELECT something FROM table WHERE foo = %s and status = %d",
    $name,   // an unescaped string (function will do the sanitization for you)
    $status  // an untrusted integer (function will do the sanitization for you)
) );

Header splitting attacks are annoying since they are dependent on the HTTP client.
WordPress has little need to include user-generated content in HTTP headers, but when it does, WordPress typically uses whitelisting for most of its HTTP headers.