Secure Validation of wp_editor in Theme Options

So I just found this great WPSE thread about security for themes/plugins. It answered most of my questions but it was created before the new wp_editor() function was built.

I have two TinyMCE editors on my Theme Options and I’m wondering whether I need to use esc_html() or esc_textarea() in a validation callback before saving the theme option. It seems to me that TinyMCE takes care of a lot of that stuff (as well as the Settings API security that’s taken care of), but there’s still not a lot of documentation out there about wp_editor().

Any resources and answers appreciated.

2 comments

  1. esc_html() and esc_textarea() are, appropriate to their names, escaping functions and really meant for display rather than sanitizing or validating. I would use wp_kses() or wp_kses_post() (which is just wp_kses() with the global $allowedposttags) to sanitize input from a wp_editor() field before saving.

  2. TinyMCE has a filter for all allowed tags. You can change the tags; they are set by default for your options, and the editor filters the tags. It's not necessary to filter after saving.

    Example for extended tags:

    function fb_change_mce_options( $initArray ) {
        // Comma-separated string of extended elements and their allowed attributes
        $ext = 'pre[id|name|class|style],iframe[align|longdesc|name|width|height|frameborder|scrolling|marginheight|marginwidth|src]';
        if ( isset( $initArray['extended_valid_elements'] ) ) {
            $initArray['extended_valid_elements'] .= ',' . $ext;
        } else {
            $initArray['extended_valid_elements'] = $ext;
        }
        // set the TinyMCE parameter verify_html
        $initArray['verify_html'] = true;
        return $initArray;
    }
    add_filter( 'tiny_mce_before_init', 'fb_change_mce_options' );
    

    You can also filter the tags; all tags inside the array $initArray are allowed.
    It's easy to kill tags from the array:

    unset( $initArray['pre'] );

    Read the items inside the array via var_dump( $initArray );

    Best
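Added example, not code from either commenter: the server-side half that comment 1 recommends, wired through the Settings API so the sanitize callback runs on every save regardless of how the browser-side TinyMCE configuration from comment 2 was set. The allowlist starts from wp_kses_allowed_html( 'post' ) and extends `pre` with the attributes that comment 2's extended_valid_elements grants it. The option name `my_theme_options`, the field key `intro_html`, the option group, the editor id and the page slug are all assumed names.

```php
<?php
/**
 * Added example (not from the thread): sanitizing a wp_editor() theme option
 * on the server with wp_kses() inside a Settings API sanitize callback.
 * Assumed names: option 'my_theme_options', field 'intro_html',
 * group 'my_theme_options_group', page slug 'my-theme-options'.
 */

// Allowlist for the field: the standard post allowlist, with <pre>
// extended to the attributes the editor was configured to keep.
function my_theme_intro_allowed_html() {
    $allowed = wp_kses_allowed_html( 'post' );
    $allowed['pre'] = array(
        'id'    => true,
        'name'  => true,
        'class' => true,
        'style' => true,
    );
    return $allowed;
}

// Sanitize callback: receives whatever was POSTed, returns what gets stored.
// Anything outside the allowlist (script, event handlers, unknown tags) is dropped.
function my_theme_sanitize_options( $input ) {
    $clean = array();
    $clean['intro_html'] = isset( $input['intro_html'] )
        ? wp_kses( (string) $input['intro_html'], my_theme_intro_allowed_html() )
        : '';
    return $clean;
}

function my_theme_register_settings() {
    register_setting(
        'my_theme_options_group',
        'my_theme_options',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'my_theme_sanitize_options',
            'default'           => array( 'intro_html' => '' ),
        )
    );
}
add_action( 'admin_init', 'my_theme_register_settings' );

function my_theme_options_page() {
    $options = get_option( 'my_theme_options', array( 'intro_html' => '' ) );
    ?>
    <div class="wrap">
        <h1>Theme Options</h1>
        <form method="post" action="options.php">
            <?php settings_fields( 'my_theme_options_group' ); ?>
            <?php
            // textarea_name makes the editor submit as
            // $_POST['my_theme_options']['intro_html'], which is exactly
            // the array the sanitize callback above receives.
            wp_editor(
                $options['intro_html'],
                'my_theme_intro_html',
                array(
                    'textarea_name' => 'my_theme_options[intro_html]',
                    'textarea_rows' => 10,
                )
            );
            ?>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

function my_theme_add_options_page() {
    add_theme_page(
        'Theme Options',
        'Theme Options',
        'edit_theme_options',
        'my-theme-options',
        'my_theme_options_page'
    );
}
add_action( 'admin_menu', 'my_theme_add_options_page' );

// Front-end output: the stored value is HTML by design, so esc_html() would
// print the tags literally. Pass it through the same allowlist again at
// render time instead of trusting the database blindly.
function my_theme_render_intro() {
    $options = get_option( 'my_theme_options', array( 'intro_html' => '' ) );
    echo wp_kses( $options['intro_html'], my_theme_intro_allowed_html() );
}
```

Because the callback is attached to register_setting() rather than to the editor, it also covers a request that bypasses TinyMCE entirely (a plain textarea with the visual editor disabled, or a crafted POST), which is why the client-side filter alone is not where the sanitization has to live.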