BuddyPress.org

Opened 11 years ago

Closed 10 years ago

#5183 closed enhancement (wontfix)

Disallow HTML tags in profile fields

Reported by: henrywright
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Core
Keywords:
Cc:

Description

An enhancement suggestion would be to disallow HTML tags in profile fields by default.

add_filter( 'xprofile_data_value_before_save', 'wp_filter_nohtml_kses' );

Not sure if this is the best approach but this will strip HTML before the field data is saved to the database.

I recently had some users enter rather shoddy HTML in their profile which caused problems with my theme display.

Change History (7)

#1 @DJPaul
11 years ago

  • Keywords reporter-feedback added

Hi henrywright,

What type of profile field are you entering HTML in, and can you provide an example? I just very quickly tried to insert italic tags into a text field, but the HTML is being escaped on output in both the frontend view and in the profile editor.

#2 @johnjamesjacoby
11 years ago

  • Milestone changed from Awaiting Review to 2.0

#3 @henry.wright
10 years ago

Hi DJPaul

Sorry for the delay in getting back to you.

I think it depends on the tag. Try inserting a link <a href="..">...</a> - I just tried inserting one in a single line input xProfile field and it was allowed to go through. I'm not sure of the exact tag that slipped through originally but seem to remember the HTML was malformed and played havoc with my theme.

#4 @henry.wright
10 years ago

  • Keywords reporter-feedback removed

#5 @r-a-y
10 years ago

  • Keywords 2nd-opinion added

henry.wright - We do allow certain HTML elements to be used in profile fields. We use the default values from wp_kses:
https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/kses.php#L372

Is there a certain HTML element that is causing a lot of problems with theme display?

I would say this is a wontfix unless there is a glaring bug that I'm not seeing.
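The two approaches discussed in this ticket, side by side, as an added example (not BuddyPress core code and not code posted by any participant): the reporter's one-liner that strips every tag with wp_filter_nohtml_kses, and a tighter alternative that keeps a small allowlist via wp_kses (r-a-y notes core uses the default wp_kses allowlist) and then balances tags so a malformed fragment cannot break the theme's markup. It assumes the hook named in the ticket, xprofile_data_value_before_save, passes the field value as its first argument and that multi-value fields may reach it serialised; the function names prefixed bp_example_ are hypothetical. Place it in wp-content/mu-plugins/ to load it early.

```php
<?php
/**
 * Plugin Name: Restrict HTML in BuddyPress xProfile fields (added example)
 *
 * Hypothetical hardening example written for ticket #5183; not BuddyPress
 * core code. Assumes 'xprofile_data_value_before_save' receives the raw
 * field value as its first argument (possibly serialised for multi-value
 * fields) and that the WordPress kses helpers below are available.
 */

// Option A (the ticket's own suggestion): strip every tag before save.
// Uncomment this line to use it instead of the allowlist below.
// add_filter( 'xprofile_data_value_before_save', 'wp_filter_nohtml_kses' );

/**
 * Sanitise one scalar field value: keep only a minimal allowlist, then close
 * any tags the user left open (the "malformed HTML" case from the ticket).
 *
 * @param mixed $value A single submitted value.
 * @return mixed Sanitised value (non-strings are returned untouched).
 */
function bp_example_sanitize_one( $value ) {
	if ( ! is_string( $value ) ) {
		return $value;
	}

	// Far tighter than the default 'post' allowlist: links, emphasis, strong.
	// wp_kses also drops href values that use a disallowed protocol.
	$allowed = array(
		'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
		'em'     => array(),
		'strong' => array(),
	);

	$value = wp_kses( $value, $allowed );

	// Balance tags so an unclosed <a> or <em> cannot swallow theme markup.
	return force_balance_tags( $value );
}

/**
 * Option B: filter callback for 'xprofile_data_value_before_save'.
 *
 * Multi-value fields (checkbox, multi-select) are assumed to arrive
 * serialised; unserialise, sanitise each element, and re-serialise so the
 * stored string stays valid. Single values are sanitised directly.
 *
 * @param mixed $value Value as submitted (string or serialised array).
 * @return mixed Sanitised value in the same shape it arrived in.
 */
function bp_example_restrict_xprofile_html( $value ) {
	$unserialized = maybe_unserialize( $value );
	if ( is_array( $unserialized ) ) {
		return maybe_serialize( array_map( 'bp_example_sanitize_one', $unserialized ) );
	}
	return bp_example_sanitize_one( $value );
}

// Priority 20 so it runs after any sanitisation BuddyPress itself attaches
// at the default priority of 10 (assumption about core's own hook order).
add_filter( 'xprofile_data_value_before_save', 'bp_example_restrict_xprofile_html', 20, 1 );
```

Option A is the simplest fix and removes the markup entirely; Option B preserves the links r-a-y mentions users legitimately add while still stopping a stray unclosed tag from reaching the template. Whichever is chosen, the stored value should still be escaped on output, as DJPaul observed the profile views already do.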

#6 @henry.wright
10 years ago

Thanks r-a-y

I haven't come across the problem again since the initial occurrence. Since I can't reproduce either I'd agree this should be closed.

#7 @r-a-y
10 years ago

  • Keywords 2nd-opinion removed
  • Milestone 2.0 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Cool! If you ever encounter the bug again, feel free to create a new ticket!
