Validating HTML in WordPress forms

**Ryan** · 02-06-2010 01:38 AM

I just tried to use wp_filter_kses() to strip HTML out of some data in a plugins' form, but it seems to be stripping out most of the HTML I need :(

I need it to preferably allow the insertion of <div>, <li>, <a> and <span> tags, but only the <a> tags seem to be allowed via wp_filter_kses().

This is only for site admins to be using, so there's no issue with people borking the layout or anything like that. I just need to make sure there's no security issues to contend with so I'm guessing I just need to strip out the <script> tags. I can find plenty of information about best practices for this in PHP in general, but nothing for WordPress specifically. Any ideas on the best approach to filtering this in WordPress in a secure way?

Thanks :)

**Ryan** · 02-06-2010 02:58 AM

FYI, I'm currently using strip_tags( $input, '<a><div><li><span>' ); which seems to do what I'm looking for. I just want to check there's not a built in WP way of doing the same thing that I should be using instead.

**andreasnrb** · 02-06-2010 05:12 AM

http://codex.wordpress.org/Function_Reference/wp_kses

PHP Code:

 $allowed_html=array('a' => array('href' => array(),'title' => array()),'br' => array(),'em' => array(),'strong' => array());

wp_kses($string, $allowed_html, $allowed_protocols);

**Ryan** · 02-06-2010 06:03 AM

Awesome, thanks :) I figured there was probably some way to do it that I'd glanced over and it seems I was correct.

That SEO security topic got me thinking I should tighten a few of these things up a little :) I've been making too many assumptions about how data will be handled in the past.

**Ryan** · 02-06-2010 06:09 AM

I was about to ask what advantage there was in using wp_kses() over strip_tags(), but I found the answer already ... http://phpxref.com/xref/wordpress/wp...p.html#wp_kses

This function makes sure that only the allowed HTML element names, attribute
names and attribute values plus only sane HTML entities will occur in
$string. You have to remove any slashes from PHP's magic quotes before you
call this function.

The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
'irc', 'gopher', 'nntp', 'feed', and finally 'telnet. This covers all common
link protocols, except for 'javascript' which should not be allowed for
untrusted users.

Thread: Validating HTML in WordPress forms

LinkBack

Thread Tools

Display

Validating HTML in WordPress forms

Posting Permissions