HannibalBector on "Correct way to escape custom text area (while allowing urls)."

Hello there!

I'm developing my first WordPress theme and I have a helluva good time figuring things out. But I'm a bit stumped on this seemingly simple problem!

  1. Let's say I have a text area in the customizer.
  2. I have sanitized the input using wp_kses_post and force_balance_tags.

Now I want to escape the output BUT I want to allow anyone using my theme to add links <a href="#">Link</a> to this text area. esc_html, esc_attr or any of the other escapes won't allow this. sanitize_text_field won't allow this either. So what's the correct way to handle this? Am I missing something? Or should I forget about escaping/sanitizing output?

BTW regarding wp_kses_post on output:

Note that the kses system can be resource-intensive, and should therefore not be run as an output sanitization filter directly, but as a filter to data after it has been input and processed, before it is saved in the database. WordPress runs kses on the pre_comment_content filter, for example, to filter the HTML before saving the comment.
http://codex.wordpress.org/Data_Validation#Output_Sanitization

Any help/thoughts will be appreciated! Thank you!

Best regards,

Michael
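
The setup described in the post above, as an added example that is not part of the original post: a Customizer textarea whose value is filtered with wp_kses against an allow-list containing only the a tag, both when it is saved and when it is printed. The mytheme_* function names, the section and the setting id are assumptions made for this example.

```php
<?php
// Hypothetical theme code (functions.php). The mytheme_* names, the section
// and the setting id are assumptions made for this example.

// Allow-list: only <a> with href and title; every other tag is stripped.
function mytheme_allowed_link_html() {
    return array(
        'a' => array(
            'href'  => true,
            'title' => true,
        ),
    );
}

// Runs when the Customizer saves the value, so the stored text is already clean.
function mytheme_sanitize_footer_text( $input ) {
    // Restrict URL schemes as well, so javascript: and data: hrefs are dropped.
    $clean = wp_kses( $input, mytheme_allowed_link_html(), array( 'http', 'https', 'mailto' ) );
    return force_balance_tags( $clean );
}

function mytheme_customize_register( $wp_customize ) {
    $wp_customize->add_section( 'mytheme_footer', array(
        'title' => __( 'Footer', 'mytheme' ),
    ) );
    $wp_customize->add_setting( 'mytheme_footer_text', array(
        'default'           => '',
        'sanitize_callback' => 'mytheme_sanitize_footer_text',
    ) );
    $wp_customize->add_control( 'mytheme_footer_text', array(
        'label'   => __( 'Footer text', 'mytheme' ),
        'section' => 'mytheme_footer',
        'type'    => 'textarea',
    ) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// Template output: filter with the same allow-list again, so a value that
// reached the database by another route still cannot emit other markup.
function mytheme_footer_text() {
    $text = get_theme_mod( 'mytheme_footer_text', '' );
    echo wp_kses( $text, mytheme_allowed_link_html(), array( 'http', 'https', 'mailto' ) );
}
```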

