HTML is perfectly safe in the database. As long as you’re using update_post_meta() or add_post_meta(), and not SQL directly, WordPress will make sure that you’re safe from any SQL issues.
The real trouble with allowing HTML in meta is that if you are outputting this HTML on the front-end without escaping, then any user that has access to set a product description will be able to output scripts on the front end by including them in the HTML. These could potentially be malicious.
So what you can do is:
- If the user is trusted (i.e. has the unfiltered_html capability), let them save any HTML they like.
- If they are not, strip unsafe tags.
wp_kses() is the function for stripping disallowed HTML tags from text. You’re right that you would normally need to provide a full list of tags that are allowed, but there is another function, wp_kses_post(). This function uses wp_kses(), but with a preset list of tags that WordPress allows for post authors without unfiltered_html (Authors and Contributors).
So in practice this would look like:
```php
$description = $_POST['description'];
if ( current_user_can( 'unfiltered_html' ) ) {
    // Trusted user (has unfiltered_html): store the HTML as submitted.
    update_post_meta( $post_id, 'description', $description );
} else {
    // Everyone else: keep only the tags and attributes WordPress allows in post content.
    update_post_meta( $post_id, 'description', wp_kses_post( $description ) );
}
```
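The snippet above shows only the capability branch. Below is an added example (not from the original answer, and not WordPress core code) that wraps the same check in a complete save_post handler with the nonce check, slash handling and output filtering a real meta box needs. The meta key 'description', the nonce action/field names and the example_ function names are assumptions made for this example.

```php
<?php
/**
 * Added example: save a 'description' meta field, filtering HTML for users
 * without unfiltered_html, and filter it again on output.
 * Meta key, nonce names and function names are assumptions, not core API.
 */

// 1. Print a nonce inside the meta box form so the save handler can verify
//    the request came from the edit screen (nonce action/field names are assumed).
function example_description_nonce_field() {
    wp_nonce_field( 'example_save_description', 'example_description_nonce' );
}

// 2. Save the meta, filtering HTML unless the user has unfiltered_html.
function example_save_description( $post_id ) {
    // Autosaves and revisions carry no user-submitted meta; skip them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['description'], $_POST['example_description_nonce'] ) ) {
        return;
    }
    // Reject forged (CSRF) requests and users who may not edit this post.
    if ( ! wp_verify_nonce( $_POST['example_description_nonce'], 'example_save_description' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // WordPress adds slashes to $_POST; remove them before filtering so kses
    // sees the HTML the user actually typed.
    $raw = wp_unslash( $_POST['description'] );

    if ( current_user_can( 'unfiltered_html' ) ) {
        $clean = $raw;
    } else {
        // Same allow-list WordPress applies to post content for Authors and
        // Contributors: <script>, <iframe>, on* attributes and javascript: URLs are dropped.
        $clean = wp_kses_post( $raw );
    }

    // update_post_meta() expects slashed input (it unslashes internally), so
    // re-add the slashes; otherwise a literal backslash would be lost.
    update_post_meta( $post_id, 'description', wp_slash( $clean ) );
}
add_action( 'save_post', 'example_save_description' );

// 3. Output: filter again when printing. The stored value may have been written
//    by another plugin or imported, so do not trust it on the way out.
function example_the_description( $post_id ) {
    $description = get_post_meta( $post_id, 'description', true );
    echo wp_kses_post( $description );
}
```

Filtering on output as well as on save is a defence-in-depth choice: it protects the front end even if some other code path writes to the same meta key. The trade-off is that wp_kses_post() on output will also strip any script or embed an unfiltered_html user deliberately saved, so if that is a supported feature, keep the filtering at save time only, as in the answer's own snippet.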