So I’m a plugin developer and my plugin approval request is pending.
In my plugin settings, there’s a WYSIWYG editor the place admin is allowed so as to add HTML of his personal
I save the editor content material in wp_options desk & on the entrance finish I output the HTML utilizing get_option().
WP assessment staff is asking me to flee the output of WYSIWYG editor utilizing wp_kses().
The issue is wp_kses() perform wants second argument of HTML tags/attributes & there is no such thing as a approach I can manually point out all of the HTML tags and attributes.
There are infinite variety of doable tags and attributes in HTML.
Additionally since its a WYSIWYG editor, admin can add his personal HTML attribute & tags like
<enter customdata="asd"/>
How do you count on me to say "customdata" attribute within the argument?
The opposite wp_kses variation which I got here throughout is wp_kses_post() but it surely additionally has restricted variety of tags and attributes.
My plugin can not survive with out WYSIWYG editor and customized HTML. The primary objective of the plugin is to permit admins so as to add their very own HTML to a type.
There is no such thing as a accessible WP Perform which serves my objective and do the escaping on the identical time. I’m conscious of the rule, sanitize early and escape late however the escaping is not doable right here with the predefined WP capabilities.
I’m caught at this for a month now.
To make plugin safe, I’ve made certain:
- The editor may be solely accessed by way of admin
- Whereas saving knowledge, the request is coming from admin and there’s a nonce verify.