Users with full admin status can add unfiltered HTML to some forms of content, if that’s the kind of thing that you mean. It really depends on where this markup has been added. You haven’t really given us a lot to go on…
I’ve removed the custom code from my site but I think it’s easy enough to spell it out…
I created a child theme and added a simple form to it using a custom code template. I have a simple function in it that cleans the input data. When I check the data in the DB it has not been cleaned.
I’ve tested this outside of WP over and over again: when I echo the data, the values are blank (where I’ve entered <html>). However, when I add the cleaning function to my custom template, the <html> is passed to the DB. I have not modified the WP core code.
So the markup is within this form’s inputs? Have you had a look at Data_Validation? It offers methods of safely encoding (or stripping) allowed markup, etc. Also, are you using the Settings_API for your form?
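One way to put those two suggestions together, as an added example that is neither the original poster's code nor taken from the WordPress documentation pages named above: a child-theme `functions.php` snippet that sanitises the form on the way in (with `sanitize_text_field()`, `sanitize_email()` and a `wp_kses()` whitelist, honouring the `unfiltered_html` capability mentioned in the first reply), stores the result with `update_option()`, registers the same sanitiser as a Settings API `sanitize_callback`, and escapes on the way out with `esc_html()` / `wp_kses_post()`. It assumes it runs inside WordPress; every `ct_*` name, the option name `ct_submission` and the form field names are made up for illustration.

```php
<?php
// Added example, not the original poster's code: a child-theme functions.php snippet
// that sanitises a custom form on the way in and escapes on the way out.
// Assumes it runs inside WordPress; every ct_* name, the option name and the
// form field names are made up for illustration.

// Tags a non-privileged user may keep in the "bio" field; everything else is stripped.
function ct_allowed_bio_tags() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'em'     => array(),
        'strong' => array(),
        'p'      => array(),
    );
}

// Sanitise one submission. $raw is the already-unslashed request array.
// Works both as a plain function and as a Settings API sanitize_callback.
function ct_sanitize_submission( $raw ) {
    $raw   = is_array( $raw ) ? $raw : array();
    $clean = array();

    // Plain-text fields: strip all tags, invalid UTF-8 and stray whitespace.
    $clean['name']  = sanitize_text_field( isset( $raw['name'] ) ? $raw['name'] : '' );
    $clean['email'] = sanitize_email( isset( $raw['email'] ) ? $raw['email'] : '' );

    // Limited-markup field: only the 'unfiltered_html' capability (administrators
    // on a single site) keeps post-level HTML; everyone else gets the small whitelist.
    $bio = isset( $raw['bio'] ) ? (string) $raw['bio'] : '';
    $clean['bio'] = current_user_can( 'unfiltered_html' )
        ? wp_kses_post( $bio )
        : wp_kses( $bio, ct_allowed_bio_tags() );

    return $clean;
}

// Handler for a form that posts to admin-post.php with a hidden action="ct_submit"
// field and a nonce field generated by wp_nonce_field( 'ct_submit', 'ct_nonce' ).
function ct_handle_submit() {
    // Reject forged requests before touching any data.
    $nonce = isset( $_POST['ct_nonce'] ) ? sanitize_key( wp_unslash( $_POST['ct_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'ct_submit' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // WordPress adds slashes to $_POST; remove them before sanitising, otherwise
    // "O'Neil" reaches the database as "O\'Neil".
    $clean = ct_sanitize_submission( wp_unslash( $_POST ) );

    // update_option() prepares its own SQL; never build a query from $clean by hand.
    update_option( 'ct_submission', $clean, false );

    wp_safe_redirect( add_query_arg( 'ct_saved', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_ct_submit', 'ct_handle_submit' );
add_action( 'admin_post_nopriv_ct_submit', 'ct_handle_submit' );

// Settings API variant: register the same sanitiser as the option's callback.
// options.php unslashes the submitted value and runs it through
// ct_sanitize_submission() before update_option() stores it.
function ct_register_settings() {
    register_setting(
        'ct_options',
        'ct_submission',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'ct_sanitize_submission',
        )
    );
}
add_action( 'admin_init', 'ct_register_settings' );

// Output: escape for the HTML context every time, regardless of what is stored.
function ct_render_submission() {
    $s = get_option( 'ct_submission', array() );
    echo '<p>' . esc_html( isset( $s['name'] ) ? $s['name'] : '' ) . '</p>';
    echo '<p>' . esc_html( isset( $s['email'] ) ? $s['email'] : '' ) . '</p>';
    echo '<div>' . wp_kses_post( isset( $s['bio'] ) ? $s['bio'] : '' ) . '</div>';
}
```

The design point is that sanitising and escaping are two separate steps: the sanitiser runs on the request path that performs the write (the function that calls `update_option()` or `$wpdb->insert()`), and the escaper runs at every output point. If tags still turn up in the table, the first thing to check is whether the cleaning function is actually on the code path that writes, and whether it runs before rather than after the write.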
I’ll have a look at those two items and do some more experimenting.
Thanks for your help.