This commit is contained in:
2026-07-02 15:54:39 -06:00
commit 9883323161
17470 changed files with 4470592 additions and 0 deletions
@@ -0,0 +1,29 @@
# Security guardrails (plugin work)
Use this file when making security fixes or when handling any input/output.
## Nonces + permissions
- Nonces help prevent CSRF, not authorization.
- Always pair nonces with capability checks (`current_user_can()` or a more specific capability).
Upstream reference:
- https://developer.wordpress.org/apis/security/nonces/
## Sanitization and escaping
Golden rule:
- sanitize/validate on input, escape on output.
Practical rules:
- never process the entire `$_POST` / `$_GET` array; read explicit keys
- use `wp_unslash()` before sanitizing when needed
- use prepared statements for SQL; avoid interpolating user input into queries
Common review guidance:
- https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/