
Does WordPress strip HTML before inserting text into the database? (6 posts)

  1. wyrd33
    Posted 10 years ago #

    I'm looking at programming up a plugin that's a mixture of bbcode and syntax highlighting, and have been looking at how WordPress currently filters out HTML and other text. I'm actually shocked to see this, so I want to confirm: Is WordPress formatting text before it's putting it into the database?

    Also, from what I can tell, it has different formatting rules for admins and regular users (e.g. some random joe commenting is limited in what HTML tags they can use, but I can use anything). Where in the source code is it making this distinction?

  2. Lester Chan
    Posted 10 years ago #

    you can check out default-filters.php to see what is filtered.

  3. maerk
    Posted 10 years ago #

    Also kses.php, which I think is in wp-includes, but I can't be sure.

    Basically, some HTML is stripped -- you can change what is left and what is taken out. For comments it's a good idea, because if someone can insert a script tag, they can steal the cookies belonging to your domain on people's computers, meaning they could get your login credentials.

    In posts, I believe that hardly any HTML is stripped, except for script tags.

  4. wyrd33
    Posted 10 years ago #

    kses was what I was looking for. Thanks. Starting at line 523:

    function kses_init_filters() {
        add_filter('pre_comment_author', 'wp_filter_kses');
        add_filter('pre_comment_content', 'wp_filter_kses');
        add_filter('content_save_pre', 'wp_filter_post_kses');
        add_filter('title_save_pre', 'wp_filter_kses');
        // ... the remaining add_filter() calls of this function were not quoted in the post
    }

  5. maerk
    Posted 10 years ago #

    Generally, it's a good idea to leave the comment filters in place. As I said, you don't want script tags anywhere near your comments!
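An added example (not code from this thread or from WordPress core) that ties posts 4 and 5 together: instead of removing the comment filters registered by kses_init_filters(), a plugin that wants syntax-highlighted snippets in comments can widen the kses allowlist for the comment context only. The `wp_kses_allowed_html` filter and the `unfiltered_html` capability are real WordPress names; the function `example_extend_comment_allowlist` and the sample comment are assumptions constructed for this example.

```php
<?php
/*
Plugin Name: Example - allow <pre>/<code> in comments while keeping kses active
*/

// wp_filter_kses() sanitises with wp_kses( $data, current_filter() ), so comment
// content reaches the allowlist filter with the context 'pre_comment_content'.
// kses_init() only registers these filters for users who lack the
// 'unfiltered_html' capability, which is the admin/regular-user distinction
// asked about in post 1.
add_filter( 'wp_kses_allowed_html', 'example_extend_comment_allowlist', 10, 2 );

function example_extend_comment_allowlist( $allowed, $context ) {
    // Leave every other context (post content, titles, user descriptions) untouched.
    if ( 'pre_comment_content' !== $context ) {
        return $allowed;
    }

    // Allow <pre class="..."> and <code class="..."> for highlighted snippets.
    // Only the attributes listed here survive; onmouseover, style, etc. are dropped,
    // and <script> stays outside the allowlist so it is still stripped.
    $allowed['pre']  = array( 'class' => true );
    $allowed['code'] = array( 'class' => true );

    return $allowed;
}

// Constructed sample comment to check the result once WordPress is loaded.
function example_sanitised_comment() {
    $comment = '<pre class="lang-php" onmouseover="alert(1)">echo 1;</pre>'
             . '<script>alert(1)</script>';
    return wp_kses( $comment, 'pre_comment_content' );
}
```

For the constructed sample, kses keeps `<pre class="lang-php">`, drops the `onmouseover` attribute, and removes the `<script>` tags while leaving their inner text as plain text. If the plugin's bbcode is converted to HTML on output rather than on save, the kses filters never need to be loosened at all.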

  6. wyrd33
    Posted 10 years ago #

    I appreciate the warning.

Topic Closed
