WYSIWYG Editor escaping output

So I am a plugin developer and my plugin approval request is pending.
In my plugin settings, there is a WYSIWYG editor where the admin is allowed to add HTML of his own.
I save the editor content in the wp_options table & on the front end I output the HTML using get_option().

WP review team is asking me to escape the output of WYSIWYG editor using wp_kses().
The problem is that the wp_kses() function needs a second argument of HTML tags/attributes & there is no way I can manually mention all the HTML tags and attributes.
There is an infinite number of possible tags and attributes in HTML.
Also, since it's a WYSIWYG editor, the admin can add his own HTML attributes & tags like

<input customdata="asd"/>

How do you expect me to mention "customdata" attribute in the argument?

The other wp_kses variation which I came across is wp_kses_post() but it also has limited number of tags and attributes.

My plugin cannot survive without WYSIWYG editor and custom HTML. The main purpose of the plugin is to allow admins to add their own HTML to a form.
There is no available WP function which serves my purpose and does the escaping at the same time. I am aware of the rule, sanitize early and escape late, but the escaping isn’t possible here with the predefined WP functions.
I am stuck at this for a month now.

To make plugin secure, I’ve made sure:

  1. The editor can be only accessed via admin
  2. While saving data, the request is coming from admin and there is a nonce check.
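
One way to meet the wp_kses() requirement without enumerating every tag, as an added example that is not part of the original post: start from core's "post" allowlist, add the form controls, and expose a filter so a site can extend it. The `myplugin_` function names, the option key, the filter name and the attribute list are assumptions.

```php
<?php
// Added example. All myplugin_* names and the option key are hypothetical.

// Build the allowlist: core's "post" context plus form controls.
function myplugin_allowed_form_html() {
    $allowed = wp_kses_allowed_html( 'post' );

    // Attributes shared by the form controls added below.
    $common = array(
        'id'         => true,
        'class'      => true,
        'name'       => true,
        'style'      => true,
        'data-*'     => true, // wildcard covering data- attributes
        'customdata' => true, // a non-standard attribute has to be named explicitly
    );

    $allowed['input']  = $common + array(
        'type' => true, 'value' => true, 'placeholder' => true,
        'checked' => true, 'disabled' => true, 'required' => true,
    );
    $allowed['select'] = $common + array( 'multiple' => true, 'required' => true );
    $allowed['option'] = array( 'value' => true, 'selected' => true );

    // Site owners can allow further tags/attributes without editing the plugin.
    return apply_filters( 'myplugin_allowed_form_html', $allowed );
}

// Sanitize early: call only after the capability and nonce checks have passed.
function myplugin_save_form_html( $raw ) {
    $clean = wp_kses( wp_unslash( $raw ), myplugin_allowed_form_html() );
    update_option( 'myplugin_form_html', $clean );
}

// Escape late: filter again at output, so a value written to wp_options
// by some other route is still constrained to the allowlist.
function myplugin_render_form_html() {
    echo wp_kses( get_option( 'myplugin_form_html', '' ), myplugin_allowed_form_html() );
}
```

Anything not in the allowlist, including script tags and on* event-handler attributes, is stripped at both save and render time.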

This article was republished from its original source.