Since input can accept multidimensional reference such as name=”foo[bar]” or name=”foo[bar][inside], you should sanitize/escape values multidimensional array recursively from the POST action. With WordPress’s sanitize_text_field, here’s a gist: function sanitize_array( &$array ) { foreach ($array as &$value) { if( !is_array($value) ) // sanitize if value is not an array $value = sanitize_text_field( $value ); else // go inside this […]