
Sanitizing `wp_editor();` Values for Database, Edit, and Display

wp_kses to the rescue!

My Editor Contains everything a Post Might

Pass the result through wp_kses_post on the way in and out, and all should be good.

Remember, this will strip out anything added by the_content filter, so to preserve oembeds and shortcodes, use this:

```php
echo apply_filters( 'the_content', wp_kses_post( $content ) );
```

You might also want esc_textarea for outputting the form if you’re using <textarea> tags directly.

My Editor contains text, but no markup

On output, esc_html is your friend. Use this for situations when you have a text area that will never contain markup. On input, try wp_strip_all_tags to sanitise. The other WP APIs will make sure no SQL injections occur.

My Editor contains markup, but a limited subset

wp_kses to the rescue: pass the content through wp_kses along with a second parameter, an array defining which tags and attributes are allowed. E.g.:

```php
$allowed = [
    'a' => [
        'href' => [],
        'title' => []
    ],
    'br' => [],
    'em' => [],
    'strong' => [],
];

echo wp_kses( $content, $allowed );
```

Be wary though of overextending. If you add script and iframe tags, is there really any point in using wp_kses?

wp_editor

wp_editor outputs internally, so its output can’t be escaped by the caller; it is therefore responsible for escaping itself. Do not pass it pre-escaped content: this can lead to mangled output and double escaping (a great way for malformed content to bypass escaping).

The function that outputs has the responsibility for escaping. This enables late escaping. Escaping earlier or multiple times is dangerous and introduces new complex problems, as you no longer know with certainty what is or isn’t escaped.
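
The full round trip described above (sanitize on save, hand the stored value unescaped to wp_editor, filter again at output), as an added example that is not part of the original answer. The `rfl_notes` meta key, the nonce names and the `rfl_*` function names are hypothetical.

```php
<?php
// Added example. 'rfl_notes', the nonce names and the rfl_* functions are hypothetical.

// Edit screen: pass the stored value as-is. wp_editor() escapes internally,
// so pre-escaping here would double-escape the content.
function rfl_notes_meta_box( $post ) {
    wp_nonce_field( 'rfl_notes_save', 'rfl_notes_nonce' );
    $stored = get_post_meta( $post->ID, 'rfl_notes', true );
    wp_editor( $stored, 'rfl_notes_editor', [ 'textarea_name' => 'rfl_notes' ] );
}
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'rfl_notes_box', 'Notes', 'rfl_notes_meta_box', 'post' );
} );

// Save: verify the request, then sanitize once with wp_kses_post() on the way in.
function rfl_notes_save( $post_id ) {
    if ( ! isset( $_POST['rfl_notes'], $_POST['rfl_notes_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( sanitize_key( $_POST['rfl_notes_nonce'] ), 'rfl_notes_save' ) ) {
        return;
    }
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // WordPress adds slashes to $_POST; wp_kses_post() expects unslashed data.
    $clean = wp_kses_post( wp_unslash( $_POST['rfl_notes'] ) );
    // update_post_meta() unslashes its value, so re-slash to keep backslashes intact.
    update_post_meta( $post_id, 'rfl_notes', wp_slash( $clean ) );
}
add_action( 'save_post', 'rfl_notes_save' );

// Display: filter at the point of output (late escaping), then apply the
// the_content filters so shortcodes and oEmbeds still render.
function rfl_notes_render( $post_id ) {
    $stored = get_post_meta( $post_id, 'rfl_notes', true );
    echo apply_filters( 'the_content', wp_kses_post( $stored ) );
}
```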
