The allowed tags are stored in $allowedposttags (located in /wp-includes/kses.php) as an array. For each element it looks something like this: $allowedposttags = array( ‘div’ => array( ‘align’ => true, ‘dir’ => true, ‘lang’ => true, ‘xml:lang’ => true, ) ); You can remove a single element of an array via unset unset($allowedposttags[‘div’]);
I would approach this by modifying the attributes allowed in the table, tr, and td markup from wp_kses. wp_kses is a function that runs on the content to filter out unwanted tags and attributes. It stands for KSES Strips Evil Scripts, but it does much more than that. It’s a large and sometimes convoluted function, … Read more
I hope that you don’t have to modify the allowed array with the full data name (data-term) for this to work… It appears to be that way. data-term and data aren’t the same attribute after all, and poking around in core I don’t think any sort of regular expressions can be used as supported attributes. … Read more
You are changing the $allowedtags too late. On the last line, add_filter should be called for pre_comment_content instead of comment_post, and also, use different priority, something like this: add_filter(‘pre_comment_content’, ‘custom_allowed_tags_comment’, 9);
The list of allowed elements and attributes is stored in the global variable $allowedposttags which is set in wp-includes/kses.php. To override it create a simple mu plugin with the following content: <?php # -*- coding: utf-8 -*- /** * Plugin Name: Enable placeholder attribute for input elements in post tags. * Version: 2012.07.18 */ add_action( … Read more
Thanks to naththedeveloper from StackOverflow. His answer worked for me. Well, this was a nightmare to find, but I think I’ve resolved it after digging through the WordPress code which hooks in through wp_insert_post. Please add this to your functions.php file and check it works: add_filter(‘kses_allowed_protocols’, function ($protocols) { $protocols[] = ‘data’; return $protocols; }); … Read more
Technical difference is kinda obvious. PHP one is single function, using logic in PHP code. WP one is one of family of functions, based on third party KSES library. Is there practical difference between these two specific functions? I think the important point is that strip_tags() was made for utility, while KSES was made for … Read more
Here is an example how to allow a commenter to insert HTML5 video into the comment. Both <video> and <source> elements has two allowed attributes. preprocess_comment filter is applied when saving the comment to the DB. See /wp-includes/kses.php for $allowedtags array structure. function myAllowHtmlComments($comment) { global $allowedtags; $allowedtags[‘video’] = array( ‘width’ => true, ‘height’ => … Read more
KSES is designed to prevent execution of undesired and potentially dangerous tags, not preventing display of the innerHTML. Blocking the content would require –1 Either a custom function that used some kind of string manipulation or xmlDOM manipulation to remove content; or –2 A function that blocked posts that contain the tag with a message … Read more
Note that the WPCS standards for PHPCS are not “official”. I am one of the maintainers, and all that we can do is to do our best to match the standards that WordPress suggests. In this case, I’m unsure how you would escape the output from wp_oembed_get(). The function may indeed need to be escaped … Read more