Wp_unslash before or after $-post string?

$_GET data not unslashed before sanitization. Use wp_unslash() or similar (`WordPress.Security.ValidatedSanitizedInput.MissingUnslash`)

^does anyone have experience with knowing if the order that wp_uslash and sanitize_text_field goes when checking a request using isset? I keep getting WPCS (CPCS) error whenever I am formating this request in an admin setting/options page

$active_tab = ( ( null!= sanitize_text_field( wp_unslash( $_GET[ 'tab' ] )) ) )  
? sanitize_key( wp_unslash( $_GET[ 'tab' ] ) ) : 'vertycal_options'; 

using wpunslash “before” sanitize still gets the same error… any insights please?

Use wp_unslash first and on its own line, not in conjunction with any other function.

So something like $tab = wp_unslash( $_GET[ 'tab' ] ) before the rest of this code

1 Like

Wasn’t sure because this is for sanitizing inputs that are GET requests and not to be put into database. So it was hard to google for it. thx

1 Like