So I just found this great WPSE thread about security for themes/plugins. It answered most of my questions but it was created before the new wp_editor() function was built.
I have two TinyMCE editors on my Theme Options and I’m wondering whether I need to use esc_html() or esc_textarea() in a validation callback before saving the theme option. It seems to me that TinyMCE takes care of a lot of that stuff (as well as the Settings API security that’s taken care of), but there’s still not a lot of documentation out there about wp_editor().
Any resources and answers appreciated.
esc_html() and esc_textarea() are, appropriate to their names, escaping functions and really meant for display rather than sanitizing or validating. I would use wp_kses() or wp_kses_post() (which is just wp_kses() with the global $allowedposttags) to sanitize input from a wp_editor() field before saving.

TinyMCE has a filter for all allowed tags. You can change the tags that are set by default for your options, and the editor filters the tags. It’s not necessary to filter after saving.
Example for enhanced tags:
You can also filter the tags; all tags inside the array $initArray are allowed. It’s easy to kill tags from the array:
unset( $initArray['pre'] )
Read the items inside the array via
var_dump( $initArray );
Best
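An added example (my own code, not from either answer or from WordPress core) of what the first answer recommends: two wp_editor() fields stored in one theme option, with wp_kses_post() run in the Settings API sanitize callback so the stored HTML is filtered on the server regardless of what the browser-side editor did. The option name, field names and function names are assumed for the example.

```php
<?php
// Assumed option name holding both editor fields.
define( 'MYTHEME_OPTION', 'mytheme_options' );

// Sanitize callback: receives the raw POSTed option array, returns the value
// that will actually be written to the database.
function mytheme_sanitize_options( $input ) {
    $clean = array();
    foreach ( array( 'intro_html', 'footer_html' ) as $field ) {
        $raw = isset( $input[ $field ] ) ? (string) $input[ $field ] : '';
        // wp_kses_post() keeps only the tags/attributes allowed in post
        // content ($allowedposttags) and strips the rest (script tags,
        // on* handlers, javascript: URLs), so the stored value is filtered
        // even if the request bypassed TinyMCE entirely.
        $clean[ $field ] = wp_kses_post( $raw );
    }
    return $clean;
}

function mytheme_register_settings() {
    // Third argument is the sanitize callback (callable form works on old
    // and new register_setting() signatures).
    register_setting( 'mytheme_options_group', MYTHEME_OPTION, 'mytheme_sanitize_options' );
}
add_action( 'admin_init', 'mytheme_register_settings' );

// Renders the two editors on the options page. wp_editor() escapes the
// initial textarea content itself, so no esc_textarea() call is needed here.
function mytheme_render_editors() {
    $opts = (array) get_option( MYTHEME_OPTION, array() );
    foreach ( array( 'intro_html', 'footer_html' ) as $field ) {
        $content = isset( $opts[ $field ] ) ? $opts[ $field ] : '';
        wp_editor( $content, 'mytheme_' . $field, array(
            // Post the field back as part of the option array.
            'textarea_name' => MYTHEME_OPTION . '[' . $field . ']',
            'textarea_rows' => 8,
        ) );
    }
}

// Front-end output of one field. The value was sanitized on save; filtering
// again on output is cheap and covers values written by other code paths.
function mytheme_the_intro() {
    $opts = (array) get_option( MYTHEME_OPTION, array() );
    echo isset( $opts['intro_html'] ) ? wp_kses_post( $opts['intro_html'] ) : '';
}
```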