wp_kses doesn’t work

  • Hello, I’m building a plugin that features a textarea where the user can insert a snippet of code (for example Adsense code). When I try to sanitize the input using wp_kses and the Jetpack plugin is enabled, the snippet code is shuffled. If Jetpack is disabled then my plugin works fine. Here is my php code for ensuring strings are safe to use when WordPress calls the function that sanitizes the option’s value.

    // List of allowed tags and attributes 
		add_filter( 'safe_style_css', function( $styles ) {
			$styles[] = 'display';
			return $styles;
		} );
		$allow_html = array (
			'a' => array (
				'href' => array(),
			),
			'center' => true,
			'img' => array (
				'src' => array(),
				'alt' => array(),
				'style' => array()
			),
			'ins' => array( 
				'class' => array(),
				'style' => array ( 'display'=>array(), 'width'=>array(), 'height'=>array() ), 
				'data-ad-client' => array(),
				'data-ad-slot' => array() ),
			'noscript' => array(),
			'script' => array (
				'async' => array(),
				'src' => array() ),
		);
		
		$sane['script'] = mb_strimwidth( wp_kses( $input['script'], $allow_html ), 0, 511 );

    If I remove wp_kses function call from the line of code above with

    $sane['script'] = mb_strimwidth( $input['script'], 0, 511 );

    then my plugin works fine with Jetpack too. Where is the problem?

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    It’s clear to me that jetpack has hooked into wp_kses for some reason. It’s not that uncommon a practice. You’d need to check with the jetpack developers to confirm this. Even so, there should be no reason to “shuffle” input. You may have stumbled upon a jetpack bug. OTOH, wp_kses() is intended to remove bad things from HTML, which normally includes inline scripts, so the jetpack hook may have no intention of accommodating scripts. It may take more investigation to confirm it’s a real bug, but I think the jetpack people might like to hear of this if it checks out.

Viewing 1 replies (of 1 total)
  • The topic ‘wp_kses doesn’t work’ is closed to new replies.