[resolved] trying to modify/allow html in profile "description" (11 posts)

  1. MacAddict
    Member
    Posted 7 years ago #

    I'm trying to figure out where/at what point WP strips out html tags from the "description" inside a users profile. The only references I have found are:

    do_action('personal_options_update');

    which I have not been able to find any forum posts on, and the codex only shows it as a hook, which doesn't tell me anything.

    The other place was:

    $user->description = wp_specialchars($user->description);

    Which I understand that wp_specialchars changes the quotes and changes `<` and `>` to `&lt;` and `&gt;` respectively, but I don't see it stripping tags like <p> and <h2>, <h3>, <h4>. I would like the author to be able to include some styling of their information block, but can't seem to get WP to save the tags.

    Thanks for any guidance on where WP might be stripping the tags out.

  2. Austin Matzko
    Member
    Posted 7 years ago #

    It happens when the filter pre_user_description calls wp_filter_kses, which is assigned to it in wp-includes/default-filters.php.

    You can disable this behavior with the following line:
    remove_filter('pre_user_description', 'wp_filter_kses');

  3. MacAddict
    Member
    Posted 7 years ago #

    Thanks a bunch! Nice to have a helpful community to help out with this under the hood stuff...

  4. webmatter
    Member
    Posted 6 years ago #

    Thanks so much ... you saved me a lot of headache!

  5. Be very careful removing that filter. You could get hacked that way.

  6. webmatter
    Member
    Posted 6 years ago #

    How could this happen being hacked this way? What does the filter do to safeguard from hacking? Allowing html in the user description is not really a security flaw, is it? It would be necessary to access the backend in order to make use of it. And there are other areas in the backend which allow html input too .. (?)

  7. Allowing html in the user description is not really a security flaw, is it?

    Allowing untrusted users to add unfiltered HTML anywhere on your site is a security flaw.

    If you have a user who can add any HTML he likes, then it's possible for him to perform a cross site scripting attack. This could let him get your login credentials and login as you or anybody else.

    And there are other areas in the backend which allow html input too ..

    Not unfiltered, there aren't. Only the admin has the right to add unfiltered html, by default. Everybody else gets their html run through kses, to eliminate this threat.

  8. webmatter
    Member
    Posted 6 years ago #

    Thanks for the info! I am wondering .. would it be possible to arrange that at least the admin can add html to the author description? If the filter is activated not even the admin can add html to the description. A detailed author description looks quite awful this way. Again thanks for any info!

  9. webmatter
    Member
    Posted 6 years ago #

    Just wondering ... if I remove the kses filter and add a strip_tags filter instead allowing just <p> and br ... could this be considered safe? Something like this

    remove_filter('pre_user_description', 'wp_filter_kses');
    // strip_tags() expects allowed tags without the self-closing slash:
    // '<br />' never matches, so <br> would be stripped; '<br>' covers both forms.
    // Note that strip_tags() keeps any attributes on the allowed tags.
    function strip_tags_filter($text) {
       return strip_tags($text, '<p><br>');
    }
    add_filter('pre_user_description', 'strip_tags_filter');

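    A middle ground between removing wp_filter_kses outright (post 2) and the strip_tags() variant above, written as an added example for this thread rather than code from WordPress core or from any poster: keep a kses filter on pre_user_description, but give wp_kses() a small allow-list so the tags the original poster wanted survive while attributes and scripts are still removed. The ltd_ function names and the exact tag list are choices made for this example; the unfiltered_html check is what core already uses to decide who may post raw HTML.

```php
<?php
/*
 * Plugin Name: Limited HTML in user descriptions
 * Added example: swaps the stock wp_filter_kses on pre_user_description
 * for a wp_kses() call with a short, attribute-free allow-list.
 */

// Tags permitted in the profile description. Each value is the list of
// allowed attributes; an empty array means every attribute is dropped,
// so <p onclick="..."> or <h2 style="..."> come out as plain <p> / <h2>.
function ltd_user_description_allowed_tags() {
    return array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'h2'     => array(),
        'h3'     => array(),
        'h4'     => array(),
    );
}

// Filter callback. Mirrors wp_filter_kses(): the value arrives slashed,
// so strip the slashes before kses runs and add them back afterwards.
function ltd_filter_user_description( $data ) {
    // Same rule core applies to post content: users who hold the
    // unfiltered_html capability (admins by default) are not filtered.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $data;
    }
    $clean = wp_kses( stripslashes( $data ), ltd_user_description_allowed_tags() );
    return addslashes( $clean );
}

// default-filters.php is loaded before plugins, so the stock filter is
// already registered (default priority 10) and can be replaced here.
remove_filter( 'pre_user_description', 'wp_filter_kses' );
add_filter( 'pre_user_description', 'ltd_filter_user_description' );
```

    Drop the file into wp-content/plugins/ (or mu-plugins/) and activate it; a description saved as `<h3 onmouseover="x()">About</h3><script>alert(1)</script>` is stored as `<h3>About</h3>alert(1)`.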
  10. 3opkuu
    Member
    Posted 6 years ago #

    I want to allow at least line breaks in user profiles on an intranet blog that's closed to new registrations--so no security concern, but the solution given here didn't work for me. I've tried commenting out $user->description = wp_specialchars($user->description); (no luck) and I tried adding remove_filter('pre_user_description', 'wp_filter_kses'); to the bottom of default-filters.php.

    what am i doing wrong?

  11. Lee Rickler
    Member
    Posted 6 years ago #

    Me too. None of these work for me.
    Any ideas?

Topic Closed

This topic has been closed to new replies.