When you register a setting, you pass the sanitize callback for that setting:
    register_setting(
        'my_setting_group',
        'my_setting_name',
        // The next parameter is the validation (sanitize) callback
        'my_setting_validation'
    );
Then, in the validation callback you can allow whatever you want. For example, in the next code snippet, users with the unfiltered_html capability will be allowed to insert raw HTML code; other users are allowed to insert the same HTML tags allowed in post content:
    function my_setting_validation( $input ) {
        // Always return an array, even when the HTML field was not submitted
        $validated_input = array();

        // Check for the field that we want to allow HTML in
        if ( ! empty( $input['ng_html'] ) ) {
            if ( current_user_can( 'unfiltered_html' ) ) {
                // Users with unfiltered_html may store raw markup
                $validated_input['ng_html'] = $input['ng_html'];
            } else {
                // Everyone else is limited to the tags allowed in post content.
                // wp_filter_post_kses() expects slashed input, so slash, filter, unslash.
                $validated_input['ng_html'] = stripslashes( wp_filter_post_kses( wp_slash( $input['ng_html'] ) ) );
            }
        } else {
            // Sanitize here other fields with no HTML or whatever you want
        }

        return $validated_input;
    }
Finally, you need to use esc_attr() when setting the value of the field:
    function ng_html_callback() {
        $options = get_option( 'my_setting_name' );
        if ( ! isset( $options['ng_html'] ) ) {
            $options['ng_html'] = '';
        }
        // __() returns the string; _e() would echo it before the label tag is printed
        echo '<label for="ng_html">' . __( 'Insert additional HTML', 'plugin' ) . '</label>';
        // The name attribute must use the registered option name so the Settings API saves it
        echo '<input type="text" id="ng_html" name="my_setting_name[ng_html]" value="' . esc_attr( $options['ng_html'] ) . '" placeholder="Add HTML">';
    }
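The same pattern extended to several fields, as an added example that is not part of the original answer: a declared schema drives the sanitize callback, so unexpected keys are dropped and only the one field declared as HTML ever accepts markup. The option name 'ng_options', the field names and the text domain 'plugin' are assumptions; it uses the array form of register_setting() from WordPress 4.7+.

```php
<?php
// Added example (not from the original answer). 'ng_options', the field
// names and the 'plugin' text domain are assumptions; needs WordPress 4.7+.
const NG_OPTION = 'ng_options';

// One declared type per field: anything not listed here is dropped on save.
function ng_field_schema() {
    return array(
        'site_label' => 'text', // plain text, tags stripped
        'docs_url'   => 'url',  // http(s) URL only
        'menu_html'  => 'html', // raw for unfiltered_html, post-kses otherwise
    );
}

function ng_sanitize_options( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    foreach ( ng_field_schema() as $key => $type ) {
        $raw = isset( $input[ $key ] ) ? (string) $input[ $key ] : '';
        switch ( $type ) {
            case 'url':
                $clean[ $key ] = esc_url_raw( $raw, array( 'http', 'https' ) );
                if ( '' !== $raw && '' === $clean[ $key ] ) {
                    add_settings_error( NG_OPTION, 'bad_url', __( 'URL must be http(s).', 'plugin' ) );
                }
                break;
            case 'html':
                // Same rule as above: the capability decides how much markup survives.
                $clean[ $key ] = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
                break;
            default:
                $clean[ $key ] = sanitize_text_field( $raw );
        }
    }
    return $clean;
}

function ng_register_options() {
    register_setting( 'ng_group', NG_OPTION, array(
        'type'              => 'array',
        'sanitize_callback' => 'ng_sanitize_options',
        'default'           => array_fill_keys( array_keys( ng_field_schema() ), '' ),
    ) );
}
add_action( 'admin_init', 'ng_register_options' );

function ng_menu_html_field() {
    $options = get_option( NG_OPTION, array() );
    $value   = isset( $options['menu_html'] ) ? $options['menu_html'] : '';
    // Escape on output regardless of how the value was sanitized on save.
    printf( '<input type="text" id="menu_html" name="%s[menu_html]" value="%s">',
        esc_attr( NG_OPTION ), esc_attr( $value ) );
}
```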