Sanitize PHP textarea in WP metabox allowing HTML markup - php

In a WordPress site I have a custom textarea metabox with a text editor.
If I use sanitize_textarea_field() to sanitize the text, the HTML markup manually entered in the text editor disappears.
If I use wp_kses_post(), HTML tags are allowed.
Is this the right solution to keep a good security level?
Thank you.

Yes, wp_kses_post() is the right method according to the WP documentation:
Securing (sanitizing) Input
Securing (escaping) Output
And when we need control over the allowed HTML tags and attributes, we can use wp_kses().
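As an added example (not code from the original answer), here is a complete meta box that stores HTML entered in a textarea: the value is run through wp_kses_post() on save, a narrower wp_kses() allowlist is shown as the alternative for when only a few tags should survive, and the stored value is filtered again when it is printed. The field name, meta key, nonce action and function names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not part of the original answer. The names below
 * (field, meta key, nonce, functions) are assumptions for illustration.
 */
const EXAMPLE_FIELD  = 'example_rich_text';
const EXAMPLE_META   = '_example_rich_text';
const EXAMPLE_NONCE  = 'example_rich_text_nonce';
const EXAMPLE_ACTION = 'example_rich_text_save';

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'example_rich_text', 'Rich text', 'example_render_box', 'post' );
} );

// Render the textarea. esc_textarea() encodes < > & " ' so the stored
// markup is shown as editable literal text instead of being interpreted.
function example_render_box( WP_Post $post ) {
    $value = get_post_meta( $post->ID, EXAMPLE_META, true );
    wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_NONCE );
    printf(
        '<textarea name="%s" rows="8" style="width:100%%">%s</textarea>',
        esc_attr( EXAMPLE_FIELD ),
        esc_textarea( $value )
    );
}

// Alternative for when only a handful of tags should be kept: an explicit
// wp_kses() allowlist. Anything not listed (script, onclick=, style=,
// javascript: URLs) is removed; wp_kses_post() uses the broader post list.
function example_kses_narrow( $html ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'sup'    => array( 'class' => true ),
        'br'     => array(),
    );
    return wp_kses( $html, $allowed );
}

add_action( 'save_post', function ( $post_id ) {
    // Nonce, autosave and capability checks before touching anything.
    if ( ! isset( $_POST[ EXAMPLE_NONCE ], $_POST[ EXAMPLE_FIELD ] )
        || ! wp_verify_nonce( $_POST[ EXAMPLE_NONCE ], EXAMPLE_ACTION ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Same allowlist as post content: <p>, <a href>, <strong>, <sup>, ...
    // survive; <script>, event handler attributes and bad protocols do not.
    $clean = wp_kses_post( $_POST[ EXAMPLE_FIELD ] );
    // Or, for tighter control: $clean = example_kses_narrow( $_POST[ EXAMPLE_FIELD ] );

    // WordPress slashes $_POST and update_post_meta() unslashes again, so the
    // value is stored as typed apart from the kses filtering.
    update_post_meta( $post_id, EXAMPLE_META, $clean );
} );

// Output: filter the stored value through the allowlist once more rather than
// trusting the database. Do not esc_html() it here, that would print the tags.
function example_the_rich_text( $post_id ) {
    echo wp_kses_post( get_post_meta( $post_id, EXAMPLE_META, true ) );
}
```

Filtering on both sides costs little and means a value written to the meta table by another path (an importer, a different plugin, direct SQL) is still held to the same allowlist when it reaches the page.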

Related

wordpress deletes <sup> on save comment

I'm trying to implement a WYSIWYG editor in my WP comment section. I experience many difficulties with saving the HTML data in the WordPress database. WP strips many of the HTML tags automatically. I was able to restore the tags through the 'preprocess_comment' filter. I added the wpautop() filter to the content. Now the line breaks are appearing. But when I want to use the <sup> tag, WordPress deletes it too.
I use the Trumbowysiwyg js solution to replace the default comment textarea with the WYSIWYG editor. When using the editor, the HTML code looks nice. It has all the HTML tags, but after saving the comment these tags are stripped. Can someone tell me how to allow HTML comments to be saved in the database?
WordPress keeps a list of allowed tags which you can use in comments; surely you do not want users to post any HTML they want. So I suggest you edit the allowedtags so they will not be removed.
// 'comment_post' fires after the comment has already been filtered and saved,
// so the allowlist must be extended earlier, e.g. on 'init'.
add_action( 'init', 'allow_more_tags' );
function allow_more_tags() {
    global $allowedtags; // the comment ('data' context) allowlist used by wp_filter_kses()
    $allowedtags['sup'] = array( 'class' => array() );
}
Like this you can add any tags you like and even allow certain classes to be added to them.

Wordpress - print Custom Field with HTML content

I try to import HTML into WordPress WYSIWYG custom fields and later display it correctly.
The values get written by the importer, but when I try to edit such a content type, the WYSIWYG editor is spammed with HTML tags.
I tried different variants to escape the htmlspecialchars, with no success. The WYSIWYG editor also displays those instead of formatting the text.
Also, when I do print_custom_field in my template, the HTML does not get rendered but displayed again. Obviously not what I would want.
All related content types are created with custom content type manager
https://code.google.com/p/wordpress-custom-content-type-manager/
My Question:
Is it a bad idea in general to import HTML snippets from a (trusted) external source?
How can I trick the output from WordPress into rendering HTML for certain fields instead of displaying it?
This was actually related to the view layer. Since that was not my business, I didn't care at first.
Turns out that one has to use htmlspecialchars_decode in the templates, because the WordPress API does htmlspecialchars on import.
The following code works fine
<?php echo htmlspecialchars_decode( get_custom_field( 'foo' ) ); ?>

wordpress page.php styling and markup

I have a couple of questions related to building a custom theme with WordPress.
1) If the website is made up of pages, I can use page.php to run the LOOP and retrieve content. In this case, is it OK to paste the content (of each page) using the backend of WordPress, i.e. paste all content and HTML markup into the 'Text' tab? Is this a reliable way to enter content and accompanying markup into the database?
I guess the advantage is that users will then be able to edit the content themselves using the visual Tab.
Many thanks,
P
Well, this is not a recommended way to do it, but yes, the editor is there for that purpose. I won't be using it this way, because in my experience the WordPress editor often acts weird with HTML. By default auto paragraphs are enabled, so everything gets its own paragraph, and even if you disable auto paragraphs it still has some issues. For instance, if you add HTML in the Text tab, then go to the Visual tab and switch back to HTML, and save the same HTML, this time it would be styled differently. Secondly, it's also not good to allow users to add HTML from a security POV, and you can't guarantee the consistency of the website.
I would recommend using custom fields instead and fetching these custom fields through your theme files.

Wordpress,how can I convert textareas to use a wysiwyg editor?

I have a question about WordPress. I am creating a web form for branch managers to enter data into a database. One of the fields can contain bullet points, so I need to use an editor that will allow the user to use bullets and then convert them to HTML the way WordPress handles posts. Is there a way to make text areas use the TinyMCE editor? I tried using mceTextarea but it didn't do anything. Anyone know how to add editor options to textareas?
(Making this an answer so others can find it.)
WordPress has a function called wp_editor() that creates a WYSIWYG editor anywhere you need one.

DB content not coming into tinyMCE textarea

My TinyMCE editor is showing up just fine, but in the form I have a select box, and depending on what you choose, the textarea is filled with content accordingly.
For example, if I choose PHP, then the description for PHP comes into the textarea. It works without TinyMCE, but when I add TinyMCE, nothing shows up in the textarea.
TinyMCE does not display the content of the textarea in real time. It reads the content on start and saves it back at the end of the work. All the editing takes place in an iframe element created on the fly by Tiny. If you update the textarea, you must ask TinyMCE to refresh itself.
In a few minutes I will look up the exact method for you. (It was long time ago when I was using TinyMCE, so I forgot the method names.)
[few minutes have passed..]
Look at the documentation: http://www.tinymce.com/wiki.php/How-to_load/save_with_Ajax_in_TinyMCE
You just need to call the setContent method on the TinyMCE editor instead of (or in addition to) setting the new text in the textarea.
With TinyMCE it sometimes depends on the plugins that you load in the init.
Try removing all the plugins and adding them back one by one to see if this helps you find a better solution for this.
Some plugins like media can strip and not allow tags in the textarea, so the textarea is empty if TinyMCE doesn't allow those tags; or add valid_elements: '[]' and see if it shows something.
Good luck
