Hip-Hop Website Design and Development

Is it necessary to sanitize plugin options?

I’ve always known that it’s good practice to sanitize GET and POST data. I usually do this globally in my functions file with code like this:

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);

With plugins that have a Settings screen, using the recommended code for plugins according to the plugin API, is it necessary to sanitize user inputs on the plugin’s Settings page, like checkboxes, text fields, etc?

Or does the Plugin API take care of POST/GET sanitization on plugin Settings screens?

Note that using the above code block gives me the message "your link has expired" when saving plugin options (via the "Save" button on the plugin’s settings screen).

What is the best practice for sanitizing plugin settings?
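
As an added example (not code from the original post), this is one way to sanitize a plugin option per field through the Settings API's `sanitize_callback`, covering the checkbox and text-field cases the question mentions. The `myplugin_*` function names, the option group, the option name and its keys are all hypothetical.

```php
<?php
// Added example for a hypothetical plugin "myplugin" that stores one array option.
// Assumed names: myplugin_settings (group), myplugin_options (option), and its keys.

add_action( 'admin_init', 'myplugin_register_settings' );

function myplugin_register_settings() {
    register_setting(
        'myplugin_settings',  // Option group; must match settings_fields() in the form.
        'myplugin_options',   // Option name as stored in wp_options.
        array(
            'type'              => 'array',
            'sanitize_callback' => 'myplugin_sanitize_options',
            'default'           => array( 'enabled' => 0, 'title' => '', 'feed_url' => '' ),
        )
    );
}

/**
 * Called on save through the sanitize_option_myplugin_options filter.
 * The stored value is rebuilt from an allowlist of keys, so any
 * unexpected field submitted with the form is dropped.
 */
function myplugin_sanitize_options( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Checkbox: an unchecked box is simply absent from the request.
    $clean['enabled'] = empty( $input['enabled'] ) ? 0 : 1;

    // Single-line text: strips tags, line breaks and surplus whitespace.
    $clean['title'] = isset( $input['title'] ) && is_string( $input['title'] )
        ? sanitize_text_field( $input['title'] )
        : '';

    // URL destined for the database: restrict to http/https schemes.
    $clean['feed_url'] = isset( $input['feed_url'] ) && is_string( $input['feed_url'] )
        ? esc_url_raw( $input['feed_url'], array( 'http', 'https' ) )
        : '';

    return $clean;
}

// Rendering a field: escape on output as well as sanitizing on input.
function myplugin_render_title_field() {
    $options = get_option( 'myplugin_options' );
    $title   = isset( $options['title'] ) ? $options['title'] : '';
    printf( '<input type="text" name="myplugin_options[title]" value="%s" />', esc_attr( $title ) );
}
```

When the form calls `settings_fields( 'myplugin_settings' )`, `options.php` verifies the nonce before the callback runs, so the callback only has to deal with the values themselves.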