Escaping SVG with KSES

Found your question as I was searching for an answer. I tried experimenting a bit more with wp_kses and found that lower-casing viewbox in the arguments seems to fix the issue. You don’t have to put the actual attribute on the SVG in lowercase, just the wp_kses() argument. This may be more than you need, …
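The lower-casing trick described in the answer above, shown as an added example (not code from the original answer). It assumes WordPress is loaded, so wp_kses() from wp-includes/kses.php is available. The reason it works: wp_kses() lowercases both the element name and each attribute name before looking them up in the allowed array, so a key spelled `viewBox` is never matched, while the attribute in the output keeps whatever case the input had. The helper names and the SVG markup are constructed for the example.

```php
<?php
// Added example: let an inline SVG through wp_kses() without losing viewBox.
// Assumes WordPress is loaded (wp_kses() lives in wp-includes/kses.php).

function example_svg_allowed_html() {
    // Keys must be lowercase. wp_kses() lowercases the tag and attribute names
    // it finds in the markup before checking them against this array, so a key
    // written as 'viewBox' would never match and the attribute would be dropped.
    return array(
        'svg'  => array(
            'xmlns'       => true,
            'viewbox'     => true, // matches viewBox="..." in the markup
            'width'       => true,
            'height'      => true,
            'fill'        => true,
            'role'        => true,
            'aria-hidden' => true,
        ),
        'path' => array(
            'd'    => true,
            'fill' => true,
        ),
    );
}

function example_sanitize_svg( $svg ) {
    return wp_kses( $svg, example_svg_allowed_html() );
}

// Constructed input: viewBox is written in its usual camelCase form, and the
// markup carries an event handler and a script element that must not survive.
$svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" onload="alert(1)">'
     . '<path d="M12 2 2 22h20z" fill="currentColor"/>'
     . '<script>alert(2)</script>'
     . '</svg>';

// viewBox is kept with its original case, onload is removed because it is not in
// the allow list, and the <script> tags are removed. Note that wp_kses() strips
// tags, not their contents: the text alert(2) stays behind as plain text.
echo example_sanitize_svg( $svg );
```

Keep the attribute allow list for svg as short as the markup you actually need; in particular leave out `style` unless you want the inline-CSS filter applied, and never add the `on*` event attributes.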

wp_kses vs wp_strip_all_tags

I wouldn’t call it a benefit or disadvantage, but more of a difference: wp_strip_all_tags simply strips all tags (except for the allowed tags) but does not delete their content by calling the PHP function strip_tags, after removing script and style tags in full, including their contents. wp_kses does no such thing: // Returns 'alert( "test" …

What to use instead of wp_kses() in user output

Let’s go and see what would core do. In default-filters.php here is what content output passes through: add_filter( 'the_content', 'wptexturize' ); add_filter( 'the_content', 'convert_smilies' ); add_filter( 'the_content', 'convert_chars' ); add_filter( 'the_content', 'wpautop' ); add_filter( 'the_content', 'shortcode_unautop' ); add_filter( 'the_content', 'prepend_attachment' ); None of these are dedicated security/escaping functions really. It is similar for comments, which …

Why is wp_kses not keeping style attributes as expected?

This is an older question, but here’s the answer for future generations: WordPress will check the styles against a list of allowed properties and it will still strip the style attribute if none of the styles are safe. The default allow list is: text-align margin color float border background background-color border-bottom border-bottom-color border-bottom-style border-bottom-width border-collapse …
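The behaviour described in the answer above, as an added example rather than code from the answer. It assumes WordPress is loaded and uses the core `safe_style_css` filter, which is what safecss_filter_attr() applies to the property allow list before checking each declaration. The default list has grown considerably in later WordPress versions, so the example uses `pointer-events`, which is assumed (and, as far as I know, true for every version) not to be on the default list. Two caveats the answer does not mention: a property that is on the list is still rejected if its value contains `(`, `\`, `&`, `=`, `}` or `/*` (with special handling only for `url()`, `calc()` and `var()`), and the filter has to be registered before the wp_kses() call it is meant to affect.

```php
<?php
// Added example: why style="" disappears, and how to permit one more property.
// Assumes WordPress is loaded; 'safe_style_css' is the core filter read by
// safecss_filter_attr(), which wp_kses() calls for every style attribute.

$allowed = array(
    'span' => array( 'style' => true ),
);

// Constructed inputs. 'color' is on the default list; 'pointer-events' is
// assumed not to be (it is not on any default list I am aware of).
$only_unlisted = '<span style="pointer-events: none">no clicks</span>';
$mixed         = '<span style="color: red; pointer-events: none">red, no clicks</span>';

// No declaration survives the check, so the whole style attribute is removed.
echo wp_kses( $only_unlisted, $allowed );

// Only the surviving declaration(s) are written back into the attribute;
// the unlisted one is silently dropped.
echo wp_kses( $mixed, $allowed );

// Widen the list through the filter instead of touching the attribute check.
// The declaration still has to pass the value rules in safecss_filter_attr():
// values containing ( \ & = } or /* are rejected even for listed properties,
// apart from the special cases for url(), calc() and var().
add_filter( 'safe_style_css', function ( $properties ) {
    $properties[] = 'pointer-events';
    return $properties;
} );

// Registered before this call, the filter now lets the declaration through.
echo wp_kses( $only_unlisted, $allowed );
```

If you need to see what your installed version allows, attach a filter to `safe_style_css` that logs the array it receives; the list is built inside safecss_filter_attr() and is not exposed anywhere else.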

How to get SimplePie fetch_feed without stripping iframe code?

From the SimplePie docs here: there is a strip_htmltags property in the SimplePie object, which among others it has the iframe tag we want to keep. So, apart from the wp_kses, probably we want to remove the tag from the above property. For instance, the $rss = fetch_feed( 'http://www.someblog.com/feed/' ); gives us the SimplePie object. …
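A complete version of the approach the answer above sketches, added here as an example (not the answer's own code). It assumes WordPress is loaded and relies on two real hooks and APIs: the core `wp_feed_options` action, which fetch_feed() fires with the SimplePie object before it initialises the feed, and SimplePie's public `$strip_htmltags` property and strip_htmltags() method. The feed URL is a placeholder, and the attribute list for iframe is my own choice. One caveat: once iframe is allowed, whoever controls the feed controls what gets embedded on your page, so only do this for feeds you trust, and keep the attribute list to what you need.

```php
<?php
// Added example: keep <iframe> from a feed through both SimplePie's own tag
// stripping and wp_kses(). Assumes WordPress is loaded.

// 1. Stop SimplePie from stripping iframes. fetch_feed() runs the
//    'wp_feed_options' action before $feed->init(), which is the only point
//    at which changing the list still affects the parsed items.
add_action( 'wp_feed_options', function ( $feed ) {
    // $feed->strip_htmltags holds the current list; the method replaces it.
    $feed->strip_htmltags( array_diff( $feed->strip_htmltags, array( 'iframe' ) ) );
} );

// 2. Build the output allow list. wp_kses_post() would drop iframe too, so start
//    from the 'post' context and add the element with only the attributes needed.
function example_feed_allowed_html() {
    $allowed = wp_kses_allowed_html( 'post' );
    $allowed['iframe'] = array(
        'src'             => true,
        'width'           => true,
        'height'          => true,
        'title'           => true,
        'allow'           => true,
        'allowfullscreen' => true,
        'loading'         => true,
    );
    return $allowed;
}

// 3. Fetch and render. The URL is a placeholder for a feed you trust.
$rss = fetch_feed( 'https://example.com/feed/' );
if ( ! is_wp_error( $rss ) ) {
    foreach ( $rss->get_items( 0, 5 ) as $item ) {
        echo '<h2>' . esc_html( $item->get_title() ) . '</h2>';
        // wp_kses() checks the src protocol against wp_allowed_protocols(),
        // but not the host: restricting origins is up to you.
        echo wp_kses( $item->get_content(), example_feed_allowed_html() );
    }
}
```

fetch_feed() caches the parsed result (12 hours by default), so a strip_htmltags change added after a feed has already been fetched will not show until the cache expires or is cleared.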

Typical wp_kses $allowed

I would disagree with the solution posted by @JaredCobb, wp_kses() is much more flexible than the method he presented. It can strip out unwanted attributes from tags without destroying the tags themselves. For example, if the user put in <strong class="foo">, wp_kses() would return <strong> if you did not allow class, whereas strip_tags() would remove …
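An added example, not code from either of the answers it illustrates ("wp_kses vs wp_strip_all_tags" and "Typical wp_kses $allowed" above): a small allow list of the kind you would hand to wp_kses() for user comments, run side by side with wp_strip_all_tags() on the same constructed input. It assumes WordPress is loaded. The helper names and the sample HTML are mine. Note that wp_kses() does not remove a disallowed URL scheme's attribute outright: wp_kses_bad_protocol() strips the scheme and keeps the remainder of the value.

```php
<?php
// Added example: a typical $allowed array for wp_kses(), and the difference
// from wp_strip_all_tags() on the same input. Assumes WordPress is loaded.

function example_comment_allowed_html() {
    // Shape: tag => array( attribute => true ). URL-bearing attributes such as
    // href are additionally checked against wp_allowed_protocols() unless you
    // pass your own protocol list as the third argument of wp_kses().
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
        'code'   => array(),
        'p'      => array(),
        'br'     => array(),
        'ul'     => array(),
        'ol'     => array(),
        'li'     => array(),
    );
}

function example_sanitize_comment( $html ) {
    return wp_kses( $html, example_comment_allowed_html() );
}

// Constructed input: allowed tags, a disallowed attribute and event handler,
// a dangerous URL scheme, and a script element.
$input = '<p>Hello <strong class="foo" onclick="steal()">world</strong>, '
       . 'see <a href="javascript:alert(1)" title="x">this</a>.</p>'
       . '<script>alert("test")</script>';

// wp_kses(): keeps <p>, <strong> and <a>; drops class= and onclick= because
// they are not listed for strong; removes the javascript: scheme from href
// (the rest of the value stays); removes the <script> tags but leaves their
// text behind, since wp_kses() strips tags rather than content.
echo example_sanitize_comment( $input );

// wp_strip_all_tags(): first removes <script> and <style> elements together
// with their contents, then strips every remaining tag with strip_tags(),
// leaving plain text only. Right for a title or excerpt, wrong for a field
// where users are allowed some markup.
echo wp_strip_all_tags( $input );
```

If the allow list you need is close to what core already permits in posts or comments, start from wp_kses_allowed_html( 'post' ) or wp_kses_allowed_html( 'data' ) and remove or add entries rather than writing the array from scratch.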