I want to store JSON in my post_content, but the kses filters make it break. I would like to remove the kses filters when creating or updating (well, saving) a specific post type; anywhere in the code (thus using filters, I guess). How could I do that? Thanks!
I have a block built in Gutenberg. In it I use an Icon element from '@wordpress/components'; I use a single arrow to create a dropdown, which renders as an SVG. Of course, when anyone who is not a super admin or admin saves this block, the SVG is stripped and the block breaks as no SVG is found matching the save() function. I don't want to whitelist all SVGs on a site for security reasons - so …
I'm grabbing a remote feed in my plugin and some entries have iframe code I want to keep. However, SimplePie fetch_feed keeps stripping it out. Here is my code and what I've tried already: kses_remove_filters(); # remove kses filters but SimplePie strips codes anyway $rss = fetch_feed( 'http://www.someblog.com/feed/' ); $rss_items = $rss->get_items( 0, 2 ); # get two entries for this example foreach ( $rss_items as $item ) { # just dump to screen: echo "<div id='message' class='updated'><p>" . $item->get_content() …
Is there any way to remove the <script> tags including their contents? wp_kses_post seems to only remove the tags, while their content remains visible on the page. Thank you
I want to keep the style attribute. $str is just an example, here's my code: $allowed_html = array( 'div' => array( 'title' => array(), 'class' => array(), 'style' => array() ) ); $str = "<div title='Click to continue' style='display:table'>This is a button</div>"; wp_kses($str, $allowed_html ); $str will actually receive a bunch of HTML tags and attributes from a post. Then from there I want to strip out all tags and attributes leaving out only div tags and style and title …
I'm inserting a post using wp_post_insert(). And my post's content looks like this: <img src="data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAN4AAAB6CA { ... } but on the insert process, WordPress removes the data attribute. So the above code becomes this: <img src="image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAN4AAAB6CA { ... } I've tried something like this but no luck: function my_filter_allowed_html($allowed, $context){ if (is_array($context)) { return $allowed; } if ($context === 'post') { $allowed['img']['data'] = true; $allowed['src']['data'] = true; } return $allowed; } add_filter('wp_kses_allowed_html', 'my_filter_allowed_html', 10, 2); How can I avoid …
For security purposes, we're mostly using the WordPress JSON API to display our posts/categories and we want to remove any malicious tags. I'm a bit unfamiliar with WP development... but what I'm trying to achieve is basically: Query all current posts Run wp_kses on all the post's content? What I'm trying so far in functions.php: $post_args = array( 'posts_per_page' => -1 ); $post_query = new WP_Query($post_args); while( $post_query->have_posts()): $post_query->the_post(); // wp_kses the content here??? endwhile; I'm not entirely sure where …
In my Custom Post Type (CPT), I altered the display of the post title using the method mentioned here. But for my custom use case, I need to pass some HTML like <sup></sup>. But by default the WP List Table class is designed to suppress any HTML tags using wp_strip_all_tags(). I can see there might be a provision for accepting user-defined functions using PHP's call_user_func(), but I don't have any idea how to do that. I want to accept certain HTML …
I am using the code below for wp_kses(). But it's ignoring rel & target in the result. I want to show rel="nofollow" target="_blank" in my result (link). $link = 'Here is my link: <a href="my-link" rel="nofollow" target="_blank">Link Text</a>'; $allowed_tags= array( 'br' => array(), 'p' => array(), 'a' => array( 'href' => true, 'rel' => true, 'target' => true, ), ); $result = wp_kses( $link, $allowed_tags ); Output result: Here is my link: <a href="my-link">Link Text</a> Expected result: Here is my link: …
I'm trying to output an SVG file in a template, and PHPCS is telling me I need to escape the output. So I tried with KSES and it doesn't seem to want to include the viewbox attribute. $allowed_html = array( 'svg' => array( 'xmlns' => array (), 'viewBox' => true ), 'path' => array( 'd'=> array(), ), ); wp_kses(file_get_contents( $logo ), $allowed_html ) Any ideas why this doesn't work?
I have an HTML containing &nbsp but I am unable to pass it through wp_kses(). I have tried adding allowed html array('&nbsp' => array(),) but it does not seem to work. Is there a way, or should I not do that? https://stackoverflow.com/questions/2300142/how-to-add-extra-whitespace-in-php/23844752
When I paste a table into the WordPress editor, I always get widths like <td width="232">. I want to remove all widths when tables are added to the editor. If it was regex, I would write something like: width="([0-9]+)". How do I go about accomplishing this?
I have a custom post textbox that I want to sanitize using wp_kses before I update my post meta. I was looking for examples of common $allowed settings, but I have only seen this example: $allowed = array( 'a' => array( // only allow a tags 'href' => array() // and those anchors can only have href attribute ) ); What is a typical wp_kses $allowed setting? Can someone provide an example of what they normally filter for?
I am attempting to publish HTML generated from an external party within WordPress, but I am getting very inconsistent results with the style attribute on all HTML elements, in that if I programmatically update the post the style attributes get removed, but if I publish the same HTML via the editor it remains untouched. Debugging so far, it looks like the kses filter is what is performing the actual stripping. Original HTML: <div class="container-fluid " style="background-image:url('https://localhost/app/uploads/2018/08/315.png');"></div> When submitted programmatically it becomes: …
I'm having a strange issue that I've never seen before. I moved a WordPress site from Siteground over to GoDaddy a few days ago, and now the site appears to have problems displaying HTML entities in certain cases. For example, on the 404 page, the title prints to the source code as: <h1 class="page-title">Oops! That page can&amp;rsquo;t be found.</h1> Causing it to display on the page as "Oops! That page can&rsquo;t be found." As you can see, for some reason …
I've set up an HTML editor for WordPress comments, and I want to change the allowed HTML tags for comments accordingly. Some of the HTML tags also have inline styling, or classes added. I only want to allow the styling and classes that I'm expecting, but I cannot get it to work. I want to allow only these custom classes and styles. <span class="spoiler">This is spoilered text</span> <span style="text-decoration: line-through;">This text has strikethrough</span> Non-working code: function custom_allowed_tags_comment() { global $allowedtags; …
With kses filtering, WordPress only allows a subset of html tags within a post or page, and one of the tags it strips out is the <iframe> tag (for many good reasons). I'd like to allow editors to include iframes where the src is from one of our other subdomains, or from a specified whitelist of domains, but still strip out other unknown src's. It is straightforward to bypass kses to allow all <iframe>'s, but is it possible to only …