
Add plugin security guidance for escaping and AJAX#63

Open
ValeriiVasyliev wants to merge 2 commits into WordPress:trunk from ValeriiVasyliev:improve-plugin-development-skill-security

Conversation

@ValeriiVasyliev


This PR expands the plugin security guidance in wp-plugin-development by adding practical review criteria for output escaping and AJAX handlers.

The goal is to help AI coding assistants generate and review WordPress plugins using safer patterns and more consistent security practices.

Key Changes

Output Escaping Guidance

Added a dedicated section covering context-specific escaping functions:

  • HTML text: esc_html()
  • HTML attributes: esc_attr()
  • URLs: esc_url()
  • Textareas: esc_textarea()
  • JSON and script data: wp_json_encode()
  • Allowed HTML: wp_kses_post() and wp_kses()

This reinforces the existing "sanitize on input, escape on output" guidance with concrete implementation recommendations.

AJAX Security Guidance

Added a new section covering secure AJAX handler development:

  • Verify nonces and capabilities for wp_ajax_* actions
  • Treat wp_ajax_nopriv_* requests as attacker-controlled input
  • Use wp_send_json_success() and wp_send_json_error() for responses
  • Avoid exposing private or sensitive data through AJAX endpoints

Improved Review Coverage

The additional guidance helps AI assistants identify and prevent common plugin security issues including:

  • Missing output escaping
  • Incorrect escaping contexts
  • Weak AJAX authorization checks
  • Information disclosure through AJAX responses

These additions complement the existing nonce, capability, sanitization, and SQL safety recommendations already present in the security reference.
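The two checklists in this description (context-specific escaping, and nonce plus capability checks in `wp_ajax_*` / `wp_ajax_nopriv_*` handlers) in one runnable shape, as an added example that is not part of this PR or of the wp-plugin-development skill. It assumes a hypothetical plugin prefixed `myplugin`, a script handle `myplugin-admin`, a post-meta key `_myplugin_note`, and the nonce action `myplugin_save_note`; every function it calls is a real WordPress API, but the names above are illustrative.

```php
<?php
// Added example (not from the PR or the skill). "myplugin", the script handle,
// the meta key and the nonce action are assumed names.

// --- Output escaping: one escaper per output context --------------------------
function myplugin_render_note( WP_Post $post, string $note_html, string $link ) {
	// Plain text inside an element: esc_html().
	echo '<h2>' . esc_html( $post->post_title ) . '</h2>';
	// Attribute values: esc_attr(), never esc_html().
	echo '<div class="myplugin-note" data-post="' . esc_attr( (string) $post->ID ) . '">';
	// href/src: esc_url() also rejects javascript: and other disallowed schemes.
	echo '<a href="' . esc_url( $link ) . '">' . esc_html__( 'Source', 'myplugin' ) . '</a>';
	// Content that may legitimately contain markup: wp_kses_post() (post-content rules).
	echo wp_kses_post( $note_html );
	// Textarea body: esc_textarea(), which does not decode existing entities.
	echo '<textarea name="myplugin_note">' . esc_textarea( wp_strip_all_tags( $note_html ) ) . '</textarea>';
	echo '</div>';
}

// Data handed to JavaScript: wp_json_encode(), never string-built JS.
function myplugin_enqueue_admin( string $hook ) {
	if ( 'post.php' !== $hook ) {
		return;
	}
	wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
	wp_add_inline_script(
		'myplugin-admin',
		'var mypluginData = ' . wp_json_encode( array(
			'ajaxUrl' => admin_url( 'admin-ajax.php' ),
			'nonce'   => wp_create_nonce( 'myplugin_save_note' ),
		) ) . ';',
		'before'
	);
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin' );

// --- Logged-in AJAX handler: nonce, then capability, then sanitize, then act ---
function myplugin_ajax_save_note() {
	// die=false so a failed check returns JSON instead of a bare "-1".
	if ( ! check_ajax_referer( 'myplugin_save_note', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

	// A nonce proves intent, not authorization: check the capability for this object.
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}

	// Sanitize on input (wp_unslash first: PHP input arrives slashed in WordPress).
	$note = isset( $_POST['note'] ) ? wp_kses_post( wp_unslash( $_POST['note'] ) ) : '';
	update_post_meta( $post_id, '_myplugin_note', $note );

	// Escape on output: the client may insert this straight into the DOM.
	wp_send_json_success( array( 'note_html' => wp_kses_post( $note ) ) );
}
add_action( 'wp_ajax_myplugin_save_note', 'myplugin_ajax_save_note' );

// --- Public (nopriv) handler: every byte is attacker-controlled -----------------
// Return only data that is already public, and never echo the caller's input.
function myplugin_ajax_public_note() {
	$post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
	$post    = $post_id ? get_post( $post_id ) : null;

	if ( ! $post || 'publish' !== $post->post_status || post_password_required( $post ) ) {
		wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
	}

	wp_send_json_success( array(
		'title' => esc_html( get_the_title( $post ) ),
		'note'  => wp_kses_post( (string) get_post_meta( $post->ID, '_myplugin_note', true ) ),
	) );
}
// Logged-in callers hit wp_ajax_*, anonymous ones wp_ajax_nopriv_*: register both.
add_action( 'wp_ajax_myplugin_public_note', 'myplugin_ajax_public_note' );
add_action( 'wp_ajax_nopriv_myplugin_public_note', 'myplugin_ajax_public_note' );
```

Two details worth checking in review: the nonce check alone is not an authorization check (a low-privileged user has a valid nonce for their own session, so `current_user_can()` against the specific post ID is still required), and a `nopriv` action still fires the `wp_ajax_*` hook for logged-in users, so a handler meant to be public must be registered on both hooks and must not rely on `wp_ajax_nopriv_*` to mean "anonymous only".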

Copilot AI review requested due to automatic review settings June 4, 2026 11:14
@github-actions

github-actions Bot commented Jun 4, 2026


The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: ValeriiVasyliev <gratta@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates WordPress plugin security reference guidance with concrete output-escaping context rules and AJAX handler review checks.

Changes:

  • Added a quick-reference section mapping common output contexts to appropriate escaping functions.
  • Added an AJAX handlers checklist covering nonce/capability checks and safe JSON responses.


Comment thread on skills/wp-plugin-development/references/security.md (outdated)