[wp-hackers] Saving input from untrusted users

Philip M. Hofer (Frumph) philip at frumph.net
Tue Dec 21 22:56:12 UTC 2010

Nacin, what would the function wp_filter_nohtml_kses() be used for then, 
thats what i'm using and I might be using it wrong

----- Original Message ----- 
From: "Andrew Nacin" <wp at andrewnacin.com>
To: <wp-hackers at lists.automattic.com>
Sent: Tuesday, December 21, 2010 2:51 PM
Subject: Re: [wp-hackers] Saving input from untrusted users

> On Tue, Dec 21, 2010 at 12:12 PM, Ken (WraithKenny) 
> <ken.adcstudio at gmail.com
>> wrote:
>> Reading 'sanitize_text_field()' it looks like the sanitize functions
>> call kses functions so I guess I don't need to call it twice.
> Not in the case of sanitize_text_field(). That function is to sanitize 
> text.
> kses is to sanitize HTML. I'm simplifying this here, of course, but here:
> So, you'd use sanitize_text_field() if you don't expect HTML at all in the
> input. It doesn't call kses at all, just strips a whole lot of bad stuff.
> (It does use a kses utility function in the process, but only to make sure
> it doesn't destroy content in the process.)
> You'd use kses if you are receiving HTML (a perfect example would be a
> comment; in practice this will typically be textareas) and need to make 
> sure
> that nothing malicious is getting in. Thus a whitelist of HTML, 
> attributes,
> and values.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list