Hello scribu,
Ordinarily I would display meta fields with text data (no html) like
<?php echo esc_html( strip_tags( get_post_meta( $post->ID, 'some_text', true ) )); ?>.
If I use editable_post_meta() instead, I assume the field value will be output unescaped. Is that true? Is there any way I can strip and escape like before?
Thanks for any advice you can provide. S
http://wordpress.org/extend/plugins/front-end-editor/
Finally, someone that cares about security. :)
You can use the 'post_meta' filter:
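// Callback for the 'post_meta' filter: strip HTML tags from one custom field.
function my_custom_field_escaping( $content, $post_id, $key ) {
    // Only touch the field we care about; 'some_key' is the meta key.
    if ( 'some_key' === $key ) {
        return strip_tags( $content );
    }

    // Every other field passes through unchanged.
    return $content;
}
// Priority 10, and 3 accepted arguments so $post_id and $key are passed in.
add_filter( 'post_meta', 'my_custom_field_escaping', 10, 3 );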
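An added example, not part of the original thread or the plugin's own code: the same 'post_meta' filter extended to both strip and escape, as the question asks, with a per-key policy. The meta keys, function names and the allowed-tag list are hypothetical; the filter name and argument order are taken from the reply above, and it is assumed the filter runs on the value before it is displayed.

```php
<?php
// Hypothetical policy: which custom fields get which output treatment.
function my_meta_output_policy() {
    return array(
        'some_text'  => 'text',   // plain text only, no markup at all
        'some_blurb' => 'inline', // a small set of inline tags is allowed
    );
}

// Callback for the 'post_meta' filter (signature as shown in the reply above).
function my_escape_post_meta( $content, $post_id, $key ) {
    $policy = my_meta_output_policy();

    // Unlisted keys and non-string values pass through unchanged,
    // matching the behaviour of the snippet in the reply.
    if ( ! isset( $policy[ $key ] ) || ! is_string( $content ) ) {
        return $content;
    }

    if ( 'inline' === $policy[ $key ] ) {
        // wp_kses() keeps only the listed tags and attributes and
        // rejects disallowed URL protocols in href.
        $allowed = array(
            'em'     => array(),
            'strong' => array(),
            'a'      => array( 'href' => array() ),
        );
        return wp_kses( $content, $allowed );
    }

    // Plain-text fields: wp_strip_all_tags() also removes the contents of
    // <script> and <style>, which strip_tags() alone leaves behind as text.
    // esc_html() then encodes any remaining < > & " ' characters and does
    // not double-encode entities that are already present.
    return esc_html( wp_strip_all_tags( $content ) );
}
add_filter( 'post_meta', 'my_escape_post_meta', 10, 3 );
```

This only affects what is rendered; the stored meta value is unchanged, so input should still be sanitized where it is saved.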
Got it, thanks.
I'll see if I can escape based on the $type parameter if my filter function…