trying to modify/allow html in profile “description”

  • MacAddict (@macaddict) [Resolved]


    I’m trying to figure out where/at what point WP strips out html tags from the “description” inside a users profile. The only references I have found are:

    do_action('personal_options_update');

    which I have not been able to find any forum posts on, and the codex only shows it as a hook, which doesn’t tell me anything.

    The other place was:

    $user->description = wp_specialchars($user->description);

    I understand that wp_specialchars changes the quotes and changes < and > to &lt; and &gt; respectively, but I don’t see it stripping tags like <p> and <h2>, <h3>, <h4>. I would like the author to be able to include some styling of their information block, but can’t seem to get WP to save the tags.

    Thanks for any guidance on where WP might be stripping the tags out.

Viewing 10 replies - 1 through 10 (of 10 total)
  • It happens when the filter pre_user_description calls wp_filter_kses, which is assigned to it in wp-includes/default-filters.php.

    You can disable this behavior with the following line:
    remove_filter('pre_user_description', 'wp_filter_kses');

    Thanks a bunch! Nice to have a helpful community to help out with this under the hood stuff…

    Thanks so much … you saved me a lot of headache!

    Be very careful removing that filter. You could get hacked that way.

    How could one get hacked this way? What does the filter do to safeguard against hacking? Allowing html in the user description is not really a security flaw, is it? It would be necessary to access the backend in order to make use of it. And there are other areas in the backend which allow html input too .. (?)

    Allowing html in the user description is not really a security flaw, is it?

    Allowing untrusted users to add unfiltered HTML anywhere on your site is a security flaw.

    If you have a user who can add any HTML he likes, then it’s possible for him to perform a cross site scripting attack. This could let him get your login credentials and login as you or anybody else.

    And there are other areas in the backend which allow html input too ..

    Not unfiltered, there aren’t. Only the admin has the right to add unfiltered html, by default. Everybody else gets their html run through kses, to eliminate this threat.

    Thanks for the info! I am wondering .. would it be possible to arrange that at least the admin can add html to the author description? If the filter is activated not even the admin can add html to the description. A detailed author description looks quite awful this way. Again thanks for any info!

    Just wondering … if I remove the kses filter and add a strip_tags filter instead allowing just <p> and br … could this be considered safe? Something like this:

    remove_filter('pre_user_description', 'wp_filter_kses');
    function strip_tags_filter($text) {
       // strip_tags() matches allowed tags by bare name: '<br />' in the list never matches, '<br>' covers both <br> and <br />
       return strip_tags($text, '<p><br>');
    }
    add_filter('pre_user_description', 'strip_tags_filter');
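As an added example (not code from any poster in this thread): the same idea done with WordPress’s own wp_kses() allow-list rather than strip_tags(), which leaves every attribute on an allowed tag untouched; the function name and the chosen tag list are this example’s own, and the unfiltered_html check is the capability WordPress itself uses to decide who may post raw HTML.

```php
<?php
// Added example, not from this thread. Replaces the default kses filter on
// pre_user_description with a narrower allow-list. wp_kses() drops any tag
// or attribute not listed, so <p onmouseover="..."> keeps the <p> but loses
// the handler, and href values are limited to the listed protocols.
// Function name and allow-list are this example's own choices.

remove_filter('pre_user_description', 'wp_filter_kses');

function example_user_description_kses($text) {
    // Users who already hold unfiltered_html (administrators by default)
    // are trusted with raw HTML, the same rule WordPress applies to posts.
    if (current_user_can('unfiltered_html')) {
        return $text;
    }

    $allowed_tags = array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'h2'     => array(),
        'h3'     => array(),
        'h4'     => array(),
        'a'      => array(
            'href'  => true,
            'title' => true,
        ),
    );
    $allowed_protocols = array('http', 'https', 'mailto');

    return wp_kses($text, $allowed_tags, $allowed_protocols);
}
add_filter('pre_user_description', 'example_user_description_kses');
```

Place this in a plugin or the theme’s functions.php; it runs on save, so existing descriptions are only re-filtered the next time the profile is updated.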

    I want to allow at least line breaks in user profiles on an intranet blog that’s closed to new registrations, so no security concern, but the solution given here didn’t work for me. I’ve tried commenting out $user->description = wp_specialchars($user->description); (no luck) and I tried adding remove_filter('pre_user_description', 'wp_filter_kses'); to the bottom of default-filters.php.

    what am i doing wrong?

    Me too. None of these work for me.
    Any ideas?

  • The topic ‘trying to modify/allow html in profile “description”’ is closed to new replies.