I’m developing a plugin which enables the user to send HTML emails from within the WordPress admin. How should I sanitize the textarea input? It has to be able to contain the whole range of HTML tags that might appear in an HTML email. If I use wp_kses()
then I would have to use a huge list of allowed tags.
The textarea saves its content to the db via custom options.
There is already a huge list built for you, which can be returned by
wp_kses_allowed_html()
based on context, and filtered via thewp_kses_allowed_html
filter, also contextually. Creating that list should not be hard.However, “the whole range of HTML tags that might appear in an HTML email” should be pretty close to the range allowed for an ordinary post so
wp_kses_post()
ought to get you a long way with little effort.