A couple of sanitisation questions

wp_kses()
https://codex.www.ads-software.com/Function_Reference/wp_kses
https://developer.www.ads-software.com/reference/functions/wp_kses/
https://codex.www.ads-software.com/Function_Reference/wp_kses_allowed_html
https://wp-mix.com/wordpress-basic-allowed-html-wp_kses/

ajaxurl
https://eric.blog/2013/06/18/how-to-add-a-wordpress-ajax-nonce/
https://developer.www.ads-software.com/reference/functions/wp_nonce_url/
https://codex.www.ads-software.com/Function_Reference/check_ajax_referer
https://codex.www.ads-software.com/WordPress_Nonces

• This reply was modified 6 years, 11 months ago by johnatanasoff.
• This reply was modified 6 years, 11 months ago by johnatanasoff.

Thanks for that @johnatanasoff. I had already found all of the codex and developer articles but, like a lot of recent articles, they don’t give a great deal of info.

What I’m looking for is a way to easily allow everything with wp_kses(). Those articles don’t even give any details as to what is and isn’t allowed by default.

I’m afraid that none of the ajaxurl articles there give any indication on how to add the nonce to the ajax URL when the js is printed inline by the php code.

@petervandoorn have you tried posting here? https://wordpress.stackexchange.com/

Haven’t done what you are doing and you are a more advanced developer than i am.
Here’s resources that can lead you to a solution:

https://jobs.wordpress.net/
https://jetpack.pro/

• This reply was modified 6 years, 11 months ago by johnatanasoff.
• This reply was modified 6 years, 11 months ago by johnatanasoff.

@johnatanasoff not yet… you’ve gotta start somewhere ??

Cheers

wp_kses() is contextual. As such, it does little by default. Removes some invalid characters (null, EOT, BS, VT, ESC, etc.) and normalizes some HTML entity names. Anything else is accomplished dynamically through the $allowed_html parameter and by hooking “pre_kses”. To know what wp_kses() does in a particular situation, you’d need to determine what callbacks were added to that filter when wp_kses() is called and what they do. You could dump out the array in the global $wp_filter to learn what callbacks are added to all filters and actions, then search for “pre_kses”.

ajaxurl should be the site’s full URL to wp-admin/admin-ajax.php as a string. Ajax requests are typically done through POST requests, so the nonce value would normally be part of the POSTed data, not the request URL. The nonce data key is by default '_ajax_nonce', but it’s up to the particular Ajax handler as to what it accepts.

If the handler is set up to get the nonce from GET, then of course it would need to be appended to the URL. In PHP, add_query_arg() can be used for this, possibly as part of when ajaxurl is defined. This is typically done in a call to wp_localize_script(), but variations abound.

PHP data that is used in JavaScript is typically all passed with wp_localize_script(), so the nonce value could be passed to JS in this call as well, even if it is not appended to ajaxurl but passed as a POSTed data value.

A common way of utilizing Ajax in WP, including passing nonces, is described in the Plugin Handbook. Your specific application may do things differently though.