
Thread: Validating HTML in WordPress forms

  1. #1 Ryan (WordPress Legend; Join Date: Jan 2009; Location: New Zealand; Posts: 2,797)

    Validating HTML in WordPress forms

    I just tried to use wp_filter_kses() to strip HTML out of some data in a plugin's form, but it seems to be stripping out most of the HTML I need :(

    I need it to preferably allow the insertion of <div>, <li>, <a> and <span> tags, but only the <a> tags seem to be allowed via wp_filter_kses().

    This is only for site admins to use, so there's no issue with people borking the layout or anything like that. I just need to make sure there are no security issues to contend with, so I'm guessing I just need to strip out the <script> tags. I can find plenty of information about best practices for this in PHP in general, but nothing for WordPress specifically. Any ideas on the best approach to filtering this in WordPress in a secure way?

    Thanks :)

  2. #2 Ryan

    FYI, I'm currently using strip_tags( $input, '<a><div><li><span>' ); which seems to do what I'm looking for. I just want to check there's not a built in WP way of doing the same thing that I should be using instead.

  3. #3 andreasnrb (Kegger; Join Date: Jun 2009; Posts: 594)

    http://codex.wordpress.org/Function_Reference/wp_kses
    PHP Code:
    // Whitelist: element name => attributes allowed on it; anything not listed is stripped.
    $allowed_html = array( 'a' => array( 'href' => array(), 'title' => array() ), 'br' => array(), 'em' => array(), 'strong' => array() );

    // $allowed_protocols is the list of URL schemes permitted in attribute values.
    $clean = wp_kses( $string, $allowed_html, $allowed_protocols );

  4. #4 Ryan

    Awesome, thanks :) I figured there was probably some way to do it that I'd glanced over and it seems I was correct.

    That SEO security topic got me thinking I should tighten a few of these things up a little :) I've been making too many assumptions about how data will be handled in the past.

  5. #5 Ryan

    I was about to ask what advantage there was in using wp_kses() over strip_tags(), but I found the answer already ... http://phpxref.com/xref/wordpress/wp...p.html#wp_kses

        This function makes sure that only the allowed HTML element names, attribute names and attribute values plus only sane HTML entities will occur in $string. You have to remove any slashes from PHP's magic quotes before you call this function.

        The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', and finally 'telnet'. This covers all common link protocols, except for 'javascript' which should not be allowed for untrusted users.
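A worked example of the approach suggested in #3, together with the strip_tags() comparison that #5 alludes to, added here as an illustration; it is not code posted in the thread. It assumes WordPress is loaded (it is meant to run inside a plugin's form handler), so wp_kses(), wp_kses_post(), wp_unslash(), current_user_can() and update_option() are the WordPress core functions of those names; the field name my_plugin_html, the my_plugin_ prefixed function names and the sample input are constructed for this example.

```php
<?php
/*
 * Added example (not from the thread): sanitising admin-supplied HTML in a
 * plugin form handler with wp_kses() rather than strip_tags().
 * Assumes WordPress is loaded. wp_kses(), wp_kses_post(), wp_unslash(),
 * current_user_can() and update_option() are WordPress core; the option and
 * field name 'my_plugin_html', the my_plugin_ functions and the sample
 * input below are constructed for this example.
 */

// Whitelist: element => attributes permitted on it. Every element and
// attribute not listed here is removed, which covers all on* event handlers.
function my_plugin_allowed_html() {
    return array(
        'a'    => array( 'href' => array(), 'title' => array() ),
        'div'  => array( 'class' => array(), 'id' => array() ),
        'ul'   => array( 'class' => array() ),
        'li'   => array( 'class' => array() ),
        'span' => array( 'class' => array() ),
    );
}

// Sanitise one form value. $raw must already be unslashed: WordPress adds
// slashes to $_POST itself, so strip them before calling wp_kses().
function my_plugin_sanitize_html( $raw ) {
    // Third argument omitted: the default protocol list (http, https,
    // mailto, ftp, ...) never contains javascript:, so wp_kses() removes
    // that scheme from href values.
    return wp_kses( $raw, my_plugin_allowed_html() );
}

// Form handler: admins only (as in the thread), but their input is still
// sanitised, since an admin session can be hijacked or phished.
function my_plugin_save_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( ! isset( $_POST['my_plugin_html'] ) ) {
        return;
    }
    $raw   = wp_unslash( $_POST['my_plugin_html'] ); // stripslashes_deep() before WP 3.6
    $clean = my_plugin_sanitize_html( $raw );
    update_option( 'my_plugin_html', $clean );
}

// Constructed sample input: what a submitted field might contain.
$my_plugin_sample = '<div class="box" onmouseover="alert(1)">'
    . '<a href="javascript:alert(1)" title="t">click</a>'
    . '<script>alert(1)</script>'
    . '<span style="color:red">ok</span>'
    . '</div>';

// strip_tags() drops <script> but leaves every attribute on the allowed
// elements untouched, so onmouseover= and href="javascript:..." survive
// and the stored value is still an XSS vector.
$my_plugin_via_strip_tags = strip_tags( $my_plugin_sample, '<a><div><li><span>' );

// wp_kses() keeps only class/id/href/title, drops onmouseover and style,
// strips the javascript: scheme from href and removes <script>.
$my_plugin_via_kses = my_plugin_sanitize_html( $my_plugin_sample );

// If the editor-style whitelist is acceptable there is no need for a custom
// array: wp_kses_post() uses the 'post' allowed-HTML set, which already
// includes a, div, span, ul and li.
$my_plugin_via_kses_post = wp_kses_post( $my_plugin_sample );
```

The point of the comparison is that strip_tags() only decides which elements survive, while wp_kses() also decides which attributes and which URL schemes survive; an allowed <a> or <div> carrying onclick= or href="javascript:..." passes strip_tags() unchanged.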
