wp_kses_post only removes tags, but not their content

KSES is designed to prevent execution of undesired and potentially dangerous tags, not to prevent display of the innerHTML. Blocking the content would require (1) either a custom function that used some kind of string manipulation or xmlDOM manipulation to remove content; or (2) a function that blocked posts that contain the tag with a message …

Escaping SVG with KSES

Found your question as I was searching for an answer. I tried experimenting a bit more with wp_kses and found that lower-casing viewbox in the arguments seems to fix the issue. You don’t have to put the actual attribute on the SVG in lowercase, just the wp_kses() argument. This may be more than you need, …

wp_kses vs wp_strip_all_tags

I wouldn’t call it a benefit or disadvantage, but more of a difference: wp_strip_all_tags simply strips all tags (except for the allowed tags) but does not delete their content by calling the PHP function strip_tags, after removing script and style tags in full, including their contents. wp_kses does no such thing: // Returns 'alert( "test" …

What to use instead of wp_kses() in user output

Let’s go and see what core would do. In default-filters.php here is what content output passes through: add_filter( 'the_content', 'wptexturize' ); add_filter( 'the_content', 'convert_smilies' ); add_filter( 'the_content', 'convert_chars' ); add_filter( 'the_content', 'wpautop' ); add_filter( 'the_content', 'shortcode_unautop' ); add_filter( 'the_content', 'prepend_attachment' ); None of these are dedicated security/escaping functions really. It is similar for comments, which …

Why is wp_kses not keeping style attributes as expected?

This is an older question, but here’s the answer for future generations: WordPress will check the styles against a list of allowed properties and it will still strip the style attribute if none of the styles are safe. The default allow list is: text-align margin color float border background background-color border-bottom border-bottom-color border-bottom-style border-bottom-width border-collapse …

Typical wp_kses $allowed

I would disagree with the solution posted by @JaredCobb; wp_kses() is much more flexible than the method he presented. It can strip out unwanted attributes from tags without destroying the tags themselves. For example, if the user put in <strong class="foo">, wp_kses() would return <strong> if you did not allow class, whereas strip_tags() would remove …