
WordPress: Take Control of HTML Tag Filtering

One of the important ways in which we protect websites from hackers, spammers, and other such baddies is by preventing them from injecting malicious code into our databases. WordPress provides us with some built-in security functions that stop this type of thing by automatically stripping certain HTML tags out of entries to our database and allowing others. On occasion though, we may want some control over what is allowed and not allowed in our entries or comments, and today we’re going to explore just how to do that!

KSES Filtering

WordPress uses an HTML filtering mechanism known as KSES, which parses through variables looking for HTML. It allows tags that are part of a safe whitelist and strips out all the rest. The tags considered safe have been decided for us and are kept in a WP global variable called $allowedtags. The stripping function WordPress provides is wp_kses(). The basic implementation goes something like this:

global $allowedtags;
$filtered = wp_kses($unfiltered, $allowedtags);

Simple enough, right? Unfiltered content goes in, filtered content comes out, and the filtering is determined by $allowedtags. The pre-determined contents of the $allowedtags variable itself are put together something like this:

$allowedtags = array(
    'a' => array(
        'href' => array(),
        'title' => array()),
    'abbr' => array(
        'title' => array()),
    'acronym' => array(
        'title' => array()),
    'b' => array(),
    'blockquote' => array(
        'cite' => array()),
    'cite' => array(),
    'del' => array(
        'datetime' => array()),
    'em' => array(),
    'i' => array(),
    'q' => array(
        'cite' => array()),
    'strike' => array(),
    'strong' => array(),
);

The variable contains an array of tags; each tag maps to an array of allowed attributes, and each attribute maps to an empty array. Tags with no allowed attributes simply map to an empty array themselves.

So now that we know a bit about what’s going on, let’s take a look at how we can take control for ourselves.

Modifying Allowed Tags

Because WP has kept the list of allowed tags in a global variable, getting in and adding to the variable couldn’t be easier! Let’s say we have a tech blog and we want to allow pre tags in our comments so that commenters can discuss and troubleshoot their code. First we call up the global $allowedtags variable, then we tack on the tag we want to add, respecting its existing structure. Next we wrap it in a custom function, which we hook into WP’s comment handling:

// Add to the allowed tags array and hook into WP comments
function gawd_allowed_tags() {
    global $allowedtags;
    // Same shape as the entries above: tag => array of attribute => array()
    $allowedtags['pre'] = array('style' => array());
}
// Note: 'comment_post' fires after a new comment has already been filtered
// and saved, so this hook only changes $allowedtags for code that runs later
// in the same request; the 'init' hook shown below applies before filtering.
add_action('comment_post', 'gawd_allowed_tags');

If we want to make our changes available everywhere, and not just limited to one aspect of our site, we can hook into WP’s init action like so:

add_action('init', 'gawd_allowed_tags', 10);
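As an added example (not code from the original post), the same change can be scoped to comments only by using WordPress’s own wp_kses_allowed_html filter, which receives the context name wp_kses() was called with, instead of editing the global array; this goes a step beyond the post by limiting the extra tag to one context. The gawd_ function names, the choice of a class attribute instead of style, and the self-check helper are my own assumptions.

```php
<?php
// Added example, not from the original post. Uses WordPress's
// `wp_kses_allowed_html` filter (core, since WP 3.5) so that <pre> is
// allowed only while comments are being filtered; every other context
// keeps exactly the allow-list WordPress ships. Function names are hypothetical.

/**
 * Extend the allow-list only for the comment context.
 *
 * @param array  $tags    The allowed-tags array wp_kses() is about to use.
 * @param string $context The context wp_kses() was called with; comments
 *                        arrive as 'pre_comment_content', the filter name
 *                        wp_filter_kses() passes through.
 * @return array
 */
function gawd_allow_pre_in_comments( $tags, $context ) {
    if ( 'pre_comment_content' !== $context ) {
        return $tags; // posts, user descriptions, etc. are untouched
    }
    // Same shape as $allowedtags: tag => array of attribute => array().
    // 'class' lets a syntax highlighter pick the block up without handing
    // commenters a free-form 'style' attribute to fill with arbitrary CSS.
    $tags['pre'] = array(
        'class' => array(),
    );
    return $tags;
}
add_filter( 'wp_kses_allowed_html', 'gawd_allow_pre_in_comments', 10, 2 );

/**
 * Hypothetical self-check: run one constructed input through both contexts.
 * In the comment context the <pre> tag and its class survive while the
 * unlisted event-handler attribute is dropped; in the 'data' context the
 * tag itself is stripped and only its text content remains.
 */
function gawd_check_pre_filtering() {
    $input = '<pre class="php" onmouseover="doSomething()">echo 1;</pre>';
    return array(
        'comment' => wp_kses( $input, 'pre_comment_content' ),
        'default' => wp_kses( $input, 'data' ),
    );
}
```

Drop the first function and the add_filter() call into a plugin or functions.php; the check helper can be called from a WP-CLI shell to confirm that attributes not in the list never reach the database.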

And that’s all there is to it!

Digging In Further

For more in-depth info on KSES functions in WordPress, check out these suggested links:

Happy coding!
