• I have my website set up so that everyone who creates an account can post from the front-end. However, after I did some testing, I found out that they can add whatever HTML they like into the articles, thus allowing great security threats.

    How do I disable the HTML that is posted by using the front-end editor?

    Is it possible to allow a few tags to still be used? For example <b></b> <i></i> etc.


Viewing 1 replies (of 1 total)
  • You can’t disable the user from typing in HTML, but you can strip it and JavaScript out after they have submitted it.

    For the Frontend Version 1.1 use the filters wpuf_add_post_args and wpuf_edit_post_args and code to suit what you want left in or taken out.
    See wpuf-edit-post.php and wpuf-add-post.php for details of these filters.

    Of other note, you have to restrict users to only the ‘Basic’ text editor, as the ‘Rich Text’ editors use HTML.

    Mind you, WordPress does sanitize out most HTML/JavaScript nasties using WordPress functions such as sanitize_post(), so your concerns are already mostly addressed.

  • The topic ‘Disable HTML from the front-end posting’ is closed to new replies.
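
One way to apply the reply's suggestion, as an added example that is not part of the original thread or of the plugin's own code: a callback hooked to both filters that keeps a short tag allowlist and strips everything else. It assumes the filters pass the argument array later handed to wp_insert_post() / wp_update_post(), still slashed, with 'post_title' and 'post_content' keys; the example_* function names are hypothetical.

```php
<?php
/**
 * Added example, not WP User Frontend code.
 * Assumption: $args is the (slashed) array later passed to
 * wp_insert_post() / wp_update_post().
 */

// Tags and attributes allowed to survive; every other tag is removed.
function example_wpuf_allowed_html() {
    return array(
        'b'      => array(),
        'i'      => array(),
        'strong' => array(),
        'em'     => array(),
        'p'      => array(),
        'br'     => array(),
        'a'      => array( 'href' => true, 'title' => true ),
    );
}

function example_wpuf_filter_post_args( $args ) {
    // Mirror core behaviour: users holding unfiltered_html are not filtered.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $args;
    }

    if ( isset( $args['post_content'] ) ) {
        // wp_kses() removes tags and attributes that are not in the allowlist
        // (script, iframe, on* handlers, style) and strips disallowed URL
        // schemes such as javascript: from href values.
        $content = wp_kses( wp_unslash( $args['post_content'] ), example_wpuf_allowed_html() );
        $args['post_content'] = wp_slash( $content );
    }

    if ( isset( $args['post_title'] ) ) {
        // Titles get no markup at all.
        $title = wp_strip_all_tags( wp_unslash( $args['post_title'] ) );
        $args['post_title'] = wp_slash( $title );
    }

    return $args;
}

add_filter( 'wpuf_add_post_args', 'example_wpuf_filter_post_args' );
add_filter( 'wpuf_edit_post_args', 'example_wpuf_filter_post_args' );
```

wp_kses() removes a disallowed tag but keeps the text inside it, so a stripped script element leaves its source behind as inert plain text.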