The documentation for wp_insert_post() says:

wp_insert_post() passes data through sanitize_post(), which itself handles all necessary sanitization and validation (kses, etc.).
If we dig through it, we can find the responsible filter as:

add_filter('content_save_pre', 'wp_filter_post_kses');

within the kses_init_filters() function.
When the kses is initialized with kses_init() it runs:
kses_remove_filters();
if ( ! current_user_can( 'unfiltered_html' ) ) {
kses_init_filters();
}
where we can see that it’s only activated if the current user doesn’t have the unfiltered_html capability. So most likely you’re running your post inserts that way.
Instead of removing the corresponding content_save_pre filter during this post insert, we should consider allowing the data-original image attribute. At least that sounds a little bit more secure.
The kses default allowed <img> attributes are:
'img' => array(
'alt' => true,
'align' => true,
'border' => true,
'height' => true,
'hspace' => true,
'longdesc' => true,
'vspace' => true,
'src' => true,
'usemap' => true,
'width' => true,
),
We can modify it to support the data-original attribute, through the wp_kses_allowed_html filter:
// Modify allowed HTML through custom filter
add_filter( 'wp_kses_allowed_html', 'wpse_kses_allowed_html', 10, 2 );
// Insert
$pid = wp_insert_post($post_info);
// Remove custom filter
remove_filter( 'wp_kses_allowed_html', 'wpse_kses_allowed_html', 10 );
where our custom callback is:
function wpse_kses_allowed_html( $allowed, $context )
{
    // Only widen the 'post' context used by wp_filter_post_kses()
    if( 'post' !== $context )
        return $allowed;
    $allowed['img']['data-original'] = true;
    return $allowed;
}
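As an added example (not part of the original answer, and not WordPress core code), the following puts the two pieces above together into one helper that scopes the widened kses rule to a single insert and then checks what actually reached the database. It assumes it runs inside WordPress (for instance from a plugin file or a WP-CLI eval-file) as a user without the unfiltered_html capability, so that kses is active; the function names prefixed wpse_ and the sample markup are constructed for this illustration.

```php
<?php
/**
 * Added example: allow <img data-original="..."> through kses for the
 * duration of one wp_insert_post() call, without disabling content_save_pre.
 * Assumes WordPress is loaded. Names prefixed wpse_ are hypothetical.
 */

function wpse_allow_data_original( $allowed, $context ) {
    // wp_filter_post_kses() asks for the 'post' context; leave every other
    // context ('strip', 'user_description', ...) exactly as it was.
    if ( 'post' !== $context ) {
        return $allowed;
    }
    // Guard against another filter having removed 'img' from the list entirely.
    if ( isset( $allowed['img'] ) && is_array( $allowed['img'] ) ) {
        $allowed['img']['data-original'] = true;
    }
    return $allowed;
}

function wpse_insert_lazy_image_post( $title, $content ) {
    // Widen the allowed list only around this insert, then put it back.
    add_filter( 'wp_kses_allowed_html', 'wpse_allow_data_original', 10, 2 );
    $pid = wp_insert_post(
        array(
            'post_title'   => $title,
            'post_content' => $content,
            'post_status'  => 'draft',
            'post_type'    => 'post',
        ),
        true // return a WP_Error instead of 0 on failure
    );
    remove_filter( 'wp_kses_allowed_html', 'wpse_allow_data_original', 10 );
    return $pid;
}

// Constructed sample: a lazy-loaded image plus an event-handler attribute
// that kses is still expected to strip, since we only added data-original.
$sample = '<img src="placeholder.png" data-original="real.jpg" onerror="x()" alt="demo">';

$pid = wpse_insert_lazy_image_post( 'Lazy image test', $sample );
if ( is_wp_error( $pid ) ) {
    error_log( 'insert failed: ' . $pid->get_error_message() );
} else {
    $saved = get_post_field( 'post_content', $pid, 'raw' );
    // For a user without unfiltered_html: data-original kept, onerror removed.
    error_log( 'kept data-original: ' . ( false !== strpos( $saved, 'data-original=' ) ? 'yes' : 'no' ) );
    error_log( 'dropped onerror:    ' . ( false === strpos( $saved, 'onerror' ) ? 'yes' : 'no' ) );
}
```

Keeping the add_filter/remove_filter pair tight around the insert matters: if the filter stayed registered, every later wp_kses_post() call in the request would also accept data-original, which is harmless for this attribute but is the wrong habit for the general case. The second check in the sample is the reason this approach is preferable to dropping content_save_pre altogether: kses keeps stripping everything you did not explicitly allow.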