I added a function that will return the allowed html tags array

if ( ! function_exists( 'allowed_html_tags' ) ) {
  /**
   * Allowed html tags for wp_kses() function
   *
   * @return array Array of allowed html tags.
   */
  function allowed_html_tags() {
    return array(
      'a' => array(
        'href' => array(),
        'title' => array(),
        'class' => array(),
        'data' => array(),
        'rel'   => array(),
      ),
      'br' => array(),
      'em' => array(),
      'ul' => array(
          'class' => array(),
      ),
      'ol' => array(
          'class' => array(),
      ),
      'li' => array(
          'class' => array(),
      ),
      'strong' => array(),
      'div' => array(
        'class' => array(),
        'data' => array(),
        'style' => array(),
      ),
      'span' => array(
        'class' => array(),
        'style' => array(),
      ),
      'img' => array(
          'alt'    => array(),
          'class'  => array(),
          'height' => array(),
          'src'    => array(),
          'width'  => array(),
      ),
      'select' => array(
          'id'   => array(),
          'class' => array(),
          'name' => array(),
      ),
      'option' => array(
          'value' => array(),
          'selected' => array(),
      ),
    );
  }
}

But when I have html in a variable that is populated in a foreach loop, my data attributes get stripped out.

$my_var="<div class="my-class" data-term="$term_id">$content</div>";

wp_kses( $my_var, allowed_html_tags() );

This will return

<div class="my-class">This is my content... no data attribute...</div>

I tried modifying my array to have data-* but that didn’t work.

I hope that you don’t have to modify the allowed array with the full data name (data-term) for this to work…

EDIT

Check Matt Thomason’s answer about the update to the kses data.

2 Answers
2

I hope that you don’t have to modify the allowed array with the full data name (data-term) for this to work…

It appears to be that way. data-term and data aren’t the same attribute after all, and poking around in core I don’t think any sort of regular expressions can be used as supported attributes.

You shouldn’t need to run wp_kses() on your own markup though, you should know it’s safe. wp_kses() is generally just for handling untrusted input from users. Are users going to be submitting data- attributes, and you need to support them all?

You could do something like this instead:

$my_var="<div class="my-class" data-term="" . esc_attr( $term_id ) . '">' . wp_kses_post( $content ) . '</div>';

That uses wp_kses_post() which will use the default allowed html for posts, but it’s only going to apply to whatever $content is.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *