Support » Plugin: Post Type Archive Descriptions » Please do not sanitize on output, removes valid HTML

  • Resolved FriendlyWP


    Thanks for the plugin, it’s great! I just noticed an issue however. When I include a shortcode that outputs a dropdown form, the form HTML is being stripped by your plugin. This shortcode works everywhere else I use it (in post/page content, widgets, term descriptions) – just not when using get_the_archive_description() or the_archive_description().

    I have traced this back to lines 347 and 390 of your plugin:

    return wp_kses_post( $description );

    I understand why you’d want to use that when saving to the database (on input) but by also using it on the returned description you’re stripping valid HTML that’s been generated by the shortcode. If I remove wp_kses_post on those two lines, the shortcode works as expected. Would it be possible to remove that from future versions?

    This StackExchange post goes into a lot of detail on input vs output and wp_kses_post and I think we’d be safe with just the input being sanitized. Thanks for your consideration!
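    For reference, here is an added example (not the plugin’s own code) of the input-vs-output split described above: the description is filtered with wp_kses_post() once, in the option’s sanitize callback, and the output path only expands shortcodes. The option name ptad_descriptions and settings group ptad_settings are assumed for the example.

```php
<?php
// Added example, not code from the Post Type Archive Descriptions plugin.
// Option name 'ptad_descriptions' and group 'ptad_settings' are assumed.

// Input path: register the option with a sanitize callback so untrusted
// HTML is filtered with wp_kses_post() before it is stored.
add_action( 'admin_init', function () {
    register_setting(
        'ptad_settings',      // assumed settings group
        'ptad_descriptions',  // assumed option: post_type => description
        array(
            'type'              => 'array',
            'sanitize_callback' => function ( $input ) {
                $clean = array();
                foreach ( (array) $input as $post_type => $description ) {
                    $clean[ sanitize_key( $post_type ) ] = wp_kses_post( $description );
                }
                return $clean;
            },
        )
    );
} );

// Output path: the stored value was already kses-filtered on save, so only
// the content filters run here. Shortcodes expand at this point; wrapping
// the result in wp_kses_post() again would strip <form>, <select> and
// <option>, none of which are in wp_kses_allowed_html( 'post' ).
add_filter( 'get_the_archive_description', function ( $description ) {
    if ( ! is_post_type_archive() ) {
        return $description;
    }
    $stored = get_option( 'ptad_descriptions', array() );
    $type   = get_query_var( 'post_type' );
    if ( is_array( $type ) ) {
        $type = reset( $type );
    }
    if ( empty( $stored[ $type ] ) ) {
        return $description;
    }
    return do_shortcode( wpautop( $stored[ $type ] ) );
} );
```

The shortcode output is generated by plugin code rather than entered by a user, which is why filtering it on output removes valid markup without adding protection; the user-supplied text is still filtered at the point it enters the database.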

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author mrwweb


    Thanks for this super clear message, @mmcginnis. This makes sense to me, and I’ll try to get this change out in the medium future. I’m currently out of the office for a bit, and this is a low priority, but the size of the change is small.

    I’m 95% sure I’ll do this, though, so if you make this change in your local copy, things should be ok the next time the plugin updates (just check the changelog to confirm!).

    Thanks @mrwweb will do! Let me know if you need any help testing or whatever, happy to do whatever I can. Cheers, Michelle

    Plugin Author mrwweb


    @mmcginnis I just pushed version 1.1.5 that has this change in it for you. I hope you find it useful!
