using wp_kses for output

wordpress

#1

Hello,

I need some help about sanitizing output. I have read several threads where this is discussed but couldn’t find a clear and solid answer. Are we allowed to use wp_kses_* functions for output in some cases or not? I ask this because I saw some authors complaining about being rejected due to the use of wp_kses for output. There are cases where we want to avoid esc_* functions to keep some of the HTML tags. For example, in one of my templates I want to output some data which I get from the user on the frontend. I sanitize the input with wp_kses_post before storing it in the database. Another example could be the widgets where we echo the $before_widget variable, which also contains HTML tags. Are we allowed to use wp_kses in such cases or is there another way to accomplish this?


#3

The use of wp_kses will usually depend on the content you’re filtering. If it’s a large block of content, it’s probably not the most efficient way to sanitize. Ideally, it would only be used on a small part of text (i.e. a copyright notice) so that you can format an array of allowed HTML tags like anchors to allow for a link there:

https://codex.wordpress.org/Function_Reference/wp_kses


#5

Thank you for your answer.
From what I understand the following code is OK since the variables only hold a small text with the opening and closing tags of div and h4 elements. Or shouldn’t I use variables ($before_widget etc.) at all?

$allowed_tags = array(
    'div' => array(
        'id'    => array(),
        'class' => array()
    ),
    'h4' => array(
        'class' => array()
    )
);
echo wp_kses( $before_widget, $allowed_tags );
echo wp_kses( $before_title, $allowed_tags ) . esc_html( $title ) . wp_kses( $after_title, $allowed_tags );

// more code...

echo wp_kses( $after_widget, $allowed_tags );

Regarding larger chunks of content, if wp_kses is not the way to go then how should I sanitize them without stripping all tags? I have a profile page where I display larger blocks of content which are entered by users from the frontend. I sanitize them with wp_kses_post before saving. Should I leave a note for the reviewer about it and just echo them without sanitizing?


#6

Should I leave a note for the reviewer about it and just echo them without sanitizing?

You should definitely ask for more details if you’re not sure about the review policy on this but you shouldn’t ever echo any data out without escaping it.

There’s a distinction between how input (saving to database) and output (displaying on the frontend) are managed.

There are quite a few helper functions for output sanitization that you can use, and you should be doing output sanitization as late as possible (generally at the point that the data is being echoed).

As for your example, how is the user entering the content? A custom post? A widget? WordPress already validates and escapes user data being entered into posts (for example).


#7

I have a “submit post” page template to allow registered users to create posts from the frontend. I know the distinction and am aware of the helper functions and late sanitization, but I am a little bit confused. For example, in my “submit post” template, should I leave the sanitization of the post content and the title to wp_insert_post() and just pass the $_POST variables to that function without any sanitization? I know WordPress takes care of the data but I am not sure whether or not I still have to do some sanitization.

Also on that “submit post” form I have a textarea where users enter some instructions, whose content I save in a meta box. I want to allow some HTML tags there, so I save the input after filtering it with wp_kses. My question is, how will I display those instructions without stripping all tags on the single post page?


#8

The docs for wp_insert_post include the following details:

wp_insert_post() passes data through sanitize_post(), which itself handles all necessary sanitization and validation (kses, etc.).

That should answer your question about sanitizing the post data. I imagine you’re outputting with standard WP post tags (i.e. the_content()) so WP is taking care of that for you too.

For the textarea meta box, wp_kses_p might be the way to go if you’re specifically wanting HTML tags there.

If you’re interested in seeing the performance of wp_kses, you should really check out Zack Tollman’s post about it below:

https://www.tollmanz.com/wp-kses-performance/
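Putting the thread’s advice together (filter on save, then escape again at the echo with the same allow-list), as an added example that is not code from the thread; the meta keys, form field names and nonce action are assumptions:

```php
<?php
// Added example, not code from the thread. Assumes a post meta key
// 'instructions' saved from a frontend form field of the same name, a
// nonce field named 'instructions_nonce', and a user meta key 'profile_bio'.

// Constructed allow-list for the short instructions field: inline tags only.
function example_instruction_tags() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
        'p'      => array(),
        'br'     => array(),
    );
}

// Save: verify the request, then filter with wp_kses before storing, so the
// database never holds tags outside the allow-list.
function example_save_instructions( $post_id ) {
    if ( ! isset( $_POST['instructions'], $_POST['instructions_nonce'] )
        || ! wp_verify_nonce( $_POST['instructions_nonce'], 'save_instructions' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['instructions'] );
    update_post_meta( $post_id, 'instructions', wp_kses( $raw, example_instruction_tags() ) );
}

// Output: escape again at the echo with the same allow-list, rather than
// trusting that whatever is in the database is still clean.
function example_print_instructions( $post_id ) {
    $stored = get_post_meta( $post_id, 'instructions', true );
    echo wp_kses( $stored, example_instruction_tags() );
}

// Larger user-entered blocks (the profile page case): wp_kses_post at output
// keeps post-style HTML while removing script tags and event handler attributes.
function example_print_profile_bio( $user_id ) {
    $bio = get_user_meta( $user_id, 'profile_bio', true );
    echo wp_kses_post( $bio );
}
```

Keeping the allow-list in one function means save and output cannot drift apart, and escaping at the echo still protects you if the meta value is later changed by another plugin or a direct database edit.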