WordPress.org

Does WordPress strip HTML before inserting text into the database?

  • I’m looking at programming up a plugin that’s a mixture of bbcode and syntax highlighting, and have been looking at how WordPress currently filters out HTML and other text. I’m actually shocked to see this, so I want to confirm: Is WordPress formatting text before it’s putting it into the database?

    Also from what I can tell, it has different formatting rules for admins and regular users (e.g. some random joe commenting is limited on what HTML tags they can use, but I can use anything). Where in the source code is it making this distinction at?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Lester Chan
    Participant

    @gamerz

    you can check out default-filters.php to see what is filtered.

    Also kses.php, which I think is in wp-includes, but I can’t be sure.

    Basically, some HTML is stripped — you can change what is left and what is taken out. For comments it’s a good idea, because if someone can insert a script tag, they can steal the cookies belonging to your domain on people’s computers, meaning they could get your login credentials.

    In posts, I believe that hardly any HTML is stripped, except for script tags.

    kses was what I was looking for. Thanks. Starting at line 523:

    function kses_init_filters() {
        add_filter('pre_comment_author', 'wp_filter_kses');
        add_filter('pre_comment_content', 'wp_filter_kses');
        add_filter('content_save_pre', 'wp_filter_post_kses');
        add_filter('title_save_pre', 'wp_filter_kses');
    }

    Generally, it’s a good idea to leave the comment filters in place. As I said, you don’t want script tags anywhere near your comments!

    I appreciate the warning.
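
An added example, not code from the thread or from WordPress core: a small plugin that widens the comment allow-list just enough for syntax-highlighting markup instead of removing the `pre_comment_content` filter quoted above. It assumes a current WordPress release, where the `wp_kses_allowed_html` filter exists and `wp_filter_kses()` passes the running filter name as the kses context; every `cct_` name is hypothetical.

```php
<?php
/**
 * Plugin Name: Comment Code Tags (added example, hypothetical plugin)
 */

// In current core, kses_init() installs the save-time filters only when
// the user lacks the 'unfiltered_html' capability. Everyone else stays
// under the allow-list that this plugin extends.

// The only markup a highlighter needs beyond the comment defaults:
// two tags, one attribute each. No event handlers, no style, no script.
function cct_extra_comment_tags() {
	return array(
		'pre'  => array( 'class' => true ),
		'code' => array( 'class' => true ),
	);
}

// Widen the allow-list for comment bodies only. Author names, titles
// and every other kses context keep the stock rules.
function cct_allow_code_tags( $allowed, $context ) {
	if ( 'pre_comment_content' !== $context || ! is_array( $allowed ) ) {
		return $allowed;
	}
	return array_merge( $allowed, cct_extra_comment_tags() );
}
add_filter( 'wp_kses_allowed_html', 'cct_allow_code_tags', 10, 2 );

// Self-check on a constructed comment. kses removes tags and attributes
// that are not on the allow-list; the text between removed tags is kept.
function cct_demo() {
	$allowed = array_merge(
		wp_kses_allowed_html( 'data' ), // stock comment allow-list
		cct_extra_comment_tags()
	);
	// Constructed sample input, not taken from the thread.
	$sample = '<pre class="php" onclick="x()">echo 1;</pre>'
		. '<script>alert(1)</script>';
	return wp_kses( $sample, $allowed );
}
```

Calling `cct_demo()` from a test page or `wp shell` shows which parts of the sample survive, which is a quick way to confirm that a change to the allow-list did not admit more than intended.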
