Ryan McCue

Results 402 comments of Ryan McCue

There's a fairly significant disadvantage to using the profile page, which is that it requires rendering the entire admin. This potentially increases the attack surface and could lead to undesirable...

I just want to add a strong +1 to this. We have a custom dashboard built in React which allows developers to take requests to servers and dive into the...

Thanks for the info @jlfwong, incredibly useful. I wouldn't want this to increase your maintenance burden, and I think your approach of exposing a simple mount point makes sense: it...

Strong +1 for this. `in_array` counts as a sanitising function, and I think `strpos` should too. The canonical way of validating a string begins with a given substring in PHP...

Worth mentioning `WP/I18nSniff.php` already has a sprintf regex we could potentially use here.

> It casts it to a string, not an integer.

Yeah; to be clear, that's what I meant by "integer string" above. In an output context, the distinction doesn't really...

That's using `%s` which is unsafe; I'm talking *only* about the non-string preparation, which casts the variable. That code example looks obviously insecure to me. However, these examples are safe...

Yep. I think special-casing it inside EscapeOutputSniff works best in that regard. I'm not a huge fan of special-cases, but this is something I see used a *lot*.

`%d` casts the variable to a (signed) integer, the equivalent of running `intval()` on the parameter. For example, [compare](https://3v4l.org/X0kXD) the following with an intentionally-malicious SQL injection: ```php $var = "0...

👍 I've actually already written it: https://github.com/humanmade/coding-standards/blob/add-required-standard/HM/Sniffs/Performance/SlowMetaQuerySniff.php :) I'll work on getting it ready for contribution back to WPCS.