So I am a plugin developer and my plugin approval request is pending.
In my plugin settings, there is a WYSIWYG editor where the admin is allowed to add HTML of his own.
I save the editor content in the wp_options table, and on the front end I output the HTML using get_option().
WP review team is asking me to escape the output of WYSIWYG editor using wp_kses().
The problem is that the wp_kses() function needs a second argument of allowed HTML tags/attributes, and there is no way I can manually list all the HTML tags and attributes.
There is an infinite number of possible tags and attributes in HTML.
Also, since it's a WYSIWYG editor, the admin can add his own HTML attributes and tags, like
`<input customdata="asd"/>`
How do you expect me to mention "customdata" attribute in the argument?
The other wp_kses variation which I came across is wp_kses_post(), but it also has a limited number of tags and attributes.
My plugin cannot survive without the WYSIWYG editor and custom HTML. The main purpose of the plugin is to allow admins to add their own HTML to a form.
There is no available WP function which serves my purpose and does the escaping at the same time. I am aware of the rule "sanitize early and escape late", but the escaping isn't possible here with the predefined WP functions.
I am stuck at this for a month now.
To make the plugin secure, I've made sure:
- The editor can only be accessed via admin
- While saving data, the request is coming from an admin and there is a nonce check.
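One way to keep the admin's extra attributes while still escaping late, shown here as an added example (not from the question and not WordPress core code): extend the built-in 'post' allow-list through the wp_kses_allowed_html filter, then run the stored HTML through wp_kses_post() at output time. The option name myplugin_form_html and the attribute list on `input` are assumptions for the example.

```php
<?php
// Added example: extend WordPress's "post" allow-list so wp_kses_post()
// keeps the admin's expected extra tags/attributes instead of stripping them,
// while still dropping <script>, on* handlers and javascript: URLs.
// Assumed names: option "myplugin_form_html", custom attribute "customdata".

add_filter( 'wp_kses_allowed_html', 'myplugin_allowed_html', 10, 2 );

/**
 * @param array  $tags    Tag => attribute allow-list for the given context.
 * @param string $context Context name, e.g. 'post', 'strip', 'data'.
 * @return array
 */
function myplugin_allowed_html( $tags, $context ) {
    if ( 'post' !== $context ) {
        return $tags;
    }

    // Form controls are not in the default post allow-list; add them
    // explicitly, listing only the attributes the editor is expected to emit.
    $tags['input'] = array(
        'type'        => true,
        'name'        => true,
        'value'       => true,
        'placeholder' => true,
        'required'    => true,
        'class'       => true,
        'id'          => true,
        'customdata'  => true, // the custom attribute from the question
    );

    // Example of a data-* attribute permitted on every already-allowed tag.
    foreach ( $tags as $tag => $attrs ) {
        if ( is_array( $attrs ) ) {
            $tags[ $tag ]['data-field'] = true;
        }
    }

    return $tags;
}

// Escape late: the stored HTML is filtered at render time, so anything
// unsafe that reached the database is removed before it reaches the browser.
function myplugin_render_form_html() {
    $html = get_option( 'myplugin_form_html', '' );
    echo wp_kses_post( $html );
}
```

If a global filter is undesirable, the same merged list can be passed directly as the second argument: `wp_kses( $html, array_merge( wp_kses_allowed_html( 'post' ), $extra_tags ) )`.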