Allow unfiltered HTML for not logged in users when saving a post

Capabilties – for guests?

Your problem is that a guest doesn’t have any capabilities. And when posts get processed, they need to pass certain checks. One is unfiltered_html. From Codex:

Allows user to post HTML markup or even JavaScript code in pages, posts, comments and widgets.

Note: Enabling this option for untrusted users may result in their posting malicious or poorly formatted code.

Note: In WordPress Multisite, only Super Admins have the unfiltered_html capability.

To still get it into the DB, you should encode it. The following example first does trimming of leading and trailing white space. Then converts all characters to their encoded equivalent, encodes single and double quotes and returns it in proper UTF-8 (this is recommended as pre PHP 5.4 versions used the ISO-8859-1 charset). If you’re using PHP 5.4+ you could as well add | ENT_HTML5 to the flags/2nd arg to convert it to HTML5. Now there’s the important part: Stripping off all unwanted tags using the WP global for allowed tags and PHPs strip_tags. And finally we decode all HTML tags. Now your content should be able to be saved including the HTML.

$content = trim( $new_post['post_title'] );
$content = htmlentities( $content, ENT_QUOTES, "UTF-8" );
$content = strip_tags( $content, "<".join( "><", array_keys( $GLOBAL['allowedtags'] ) ).">" );
$content = html_entity_decode( $content );

The code isn’t tested and I’m not completely sure if the join part works like that. strip_tags() expects a string and IIRC the global $allowedtags is an array and has the tag names without leading/trailing brackets as keys and the attributes as values. In case, you’ll have to play around with it a bit (and please file an [edit] in case I somewhere was wrong).

Safe content

Aside from that, you’re inserting unsafe and unchecked content directly retrieved via $_GET. You should use the esc_*() functions or – even better – the native PHP filter_var() or it’s cousins.