/**
 * Filters content down to the allowed HTML elements, attributes and entities (early revision).
 *
 * Four preprocessing passes run in a fixed order — NUL-byte removal, JavaScript-entity
 * removal, entity normalisation and the kses hook — and the result is handed to
 * wp_kses_split() together with a lower-cased copy of the allow-list. In this revision
 * wp_kses_hook() receives the content only; the allow-list and the protocol list are not
 * passed to it (later revisions do pass them).
 *
 * The default protocol list does not contain 'javascript', so javascript: URLs in attribute
 * values are only accepted if a caller adds that scheme explicitly.
 *
 * @param string $string            Content to filter; magic-quote slashes must be removed first.
 * @param array  $allowed_html      Allowed elements/attributes in kses allow-list form.
 * @param array  $allowed_protocols Optional. URL schemes accepted in attribute values.
 * @return string Filtered content containing only allowed markup.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
{
    // Pass order is kept exactly as in the original: innermost call runs first.
    $preprocessed = wp_kses_hook(
        wp_kses_normalize_entities(
            wp_kses_js_entities(
                wp_kses_no_null($string)
            )
        )
    );

    // wp_kses_array_lc() lower-cases the allow-list (presumably so element/attribute
    // matching in wp_kses_split() is case-insensitive — confirm in that function).
    $lowercased_allow_list = wp_kses_array_lc($allowed_html);

    return wp_kses_split($preprocessed, $lowercased_allow_list, $allowed_protocols);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed element names, attribute names and attribute values, plus sane HTML
 * entities, survive in $string. Remove any slashes added by PHP's magic quotes before
 * calling this function.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc',
 * 'gopher', 'nntp', 'feed' and 'telnet'. That covers the common link schemes; 'javascript'
 * is deliberately absent and should not be allowed for untrusted users.
 *
 * Compared with earlier revisions the allow-list is lower-cased before wp_kses_hook() runs,
 * and the hook receives the allow-list and the protocol list as extra arguments.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      List of allowed HTML elements.
 * @param array  $allowed_protocols Optional. Allowed protocols in links.
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'))
{
    // Preprocessing passes, in the original order: NUL removal, JS entities, entity normalisation.
    $content = wp_kses_no_null($string);
    $content = wp_kses_js_entities($content);
    $content = wp_kses_normalize_entities($content);

    // Lower-cased allow-list is shared by the hook and the split step.
    $allow_list = wp_kses_array_lc($allowed_html);
    $content = wp_kses_hook($content, $allow_list, $allowed_protocols);

    return wp_kses_split($content, $allow_list, $allowed_protocols);
}
/**
 * Filters content and keeps only allowable HTML elements (early revision, '#' comment style).
 *
 * Only the allowed element names, attribute names and attribute values, plus sane HTML
 * entities, survive in $string. Remove any slashes added by PHP's magic quotes before
 * calling this function.
 *
 * Behaviour is identical to the other early revision on this page: wp_kses_hook() gets
 * the content only, and the allow-list is lower-cased after the hook has run.
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      List of allowed HTML elements.
 * @param array  $allowed_protocols Optional. Allowed protocols in links; 'javascript' is not a default.
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto'))
{
    // Preprocessing chain; order is significant and kept as in the original.
    $passes = array('wp_kses_no_null', 'wp_kses_js_entities', 'wp_kses_normalize_entities', 'wp_kses_hook');
    $content = $string;
    foreach ($passes as $pass) {
        $content = $pass($content);
    }

    return wp_kses_split($content, wp_kses_array_lc($allowed_html), $allowed_protocols);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed element names, attribute names and attribute values, plus sane HTML
 * entities, survive in $string. Remove any slashes added by PHP's magic quotes before
 * calling this function.
 *
 * The default allowed protocols are supplied by wp_allowed_protocols(): 'http', 'https',
 * 'ftp', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'.
 * That covers the common link schemes; 'javascript' is deliberately absent and should not
 * be allowed for untrusted users.
 *
 * The default kicks in whenever $allowed_protocols is empty(), so passing array() does NOT
 * mean "allow no protocols" — it means "use the defaults". Callers that want a narrower
 * set must pass it explicitly.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      List of allowed HTML elements.
 * @param array  $allowed_protocols Optional. Allowed protocols in links.
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // 'slash_zero' => 'keep' changes how wp_kses_no_null() treats a literal "\0" sequence
    // (NOTE(review): confirm the exact option semantics in wp_kses_no_null()).
    $content = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $content = wp_kses_js_entities($content);
    $content = wp_kses_normalize_entities($content);
    // Unlike the older revisions, the hook receives the allow-list and protocol list too.
    $content = wp_kses_hook($content, $allowed_html, $protocols);

    return wp_kses_split($content, $allowed_html, $protocols);
}
/**
 * Override this method to implement the appropriate sanitization specific to the field type
 * before the value is saved.
 *
 * This base implementation is a reduced wp_kses(): NUL removal, the kses hook and the split
 * against the 'post' allow-list, but without the JS-entity and entity-normalisation passes,
 * so values are not encoded. Before kses runs, strip_tags() removes every tag except those
 * returned by allow_html() as adjusted by the gform_allowable_tags filter; a filter result of
 * boolean true skips strip_tags() entirely and leaves tag removal to kses.
 *
 * @param string $value   The field value to be processed. Arrays are rejected and yield ''.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id)
{
    if (is_array($value)) {
        return '';
    }

    // Per-field-type HTML permission, optionally overridden per form by the filter.
    $tags_to_keep = gf_apply_filters(
        array('gform_allowable_tags', $form_id),
        $this->allow_html(),
        $this,
        $form_id
    );
    if (true !== $tags_to_keep) {
        $value = strip_tags($value, $tags_to_keep);
    }

    // 'post' is the kses context name (presumably resolved to the post allow-list by the
    // kses helpers — confirm in wp_kses_hook()/wp_kses_split()).
    $protocols = wp_allowed_protocols();
    $clean = wp_kses_no_null($value, array('slash_zero' => 'keep'));
    $clean = wp_kses_hook($clean, 'post', $protocols);

    return wp_kses_split($clean, 'post', $protocols);
}
/**
 * Override this method to implement the appropriate sanitization specific to the field type
 * before the value is saved.
 *
 * This base implementation is a reduced wp_kses(): NUL removal, the kses hook and the split
 * against the 'post' allow-list, without the JS-entity and entity-normalisation passes, so
 * values are not encoded. Before kses runs, strip_tags() keeps only the tags allowed by the
 * gform_allowable_tags filter (a result of boolean true skips strip_tags()).
 *
 * The gform_sanitize_entry_value filter runs first: when it returns a falsy value the raw
 * $value is returned with no sanitization at all, so anything hooking that filter is part of
 * the trust boundary for stored entry values.
 *
 * @param string $value   The field value to be processed. Arrays are rejected and yield ''.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id)
{
    if (is_array($value)) {
        return '';
    }

    /**
     * Provisional filter - may be subject to change or removal.
     *
     * @param bool     $sanitize Whether to sanitize the value at all.
     * @param int      $form_id
     * @param GF_Field $this
     */
    $should_sanitize = apply_filters('gform_sanitize_entry_value', true, $form_id, $this);
    if (!$should_sanitize) {
        return $value;
    }

    // Per-field-type HTML permission, optionally overridden per form by the filter.
    $tags_to_keep = gf_apply_filters(
        array('gform_allowable_tags', $form_id),
        $this->allow_html(),
        $this,
        $form_id
    );
    if (true !== $tags_to_keep) {
        $value = strip_tags($value, $tags_to_keep);
    }

    // 'post' is the kses context name (presumably resolved to the post allow-list by the
    // kses helpers — confirm in wp_kses_hook()/wp_kses_split()).
    $protocols = wp_allowed_protocols();
    $clean = wp_kses_no_null($value, array('slash_zero' => 'keep'));
    $clean = wp_kses_hook($clean, 'post', $protocols);

    return wp_kses_split($clean, 'post', $protocols);
}
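/**
 * Sanitize the field choices property.
 *
 * When $choices is null the field's own $this->choices is bound by reference and sanitized
 * in place; otherwise the supplied array is sanitized. Non-array input is returned unchanged.
 *
 * Per choice: 'isSelected' is cast to bool; a non-empty 'price' is normalised through
 * GFCommon::to_number() and GFCommon::to_money(); 'text' goes through maybe_wp_kses();
 * 'value' is run through the kses passes (NUL removal, hook, split against the 'post'
 * allow-list) without entity encoding.
 *
 * @param array|null $choices The field choices property.
 *
 * @return array|null
 */
public function sanitize_settings_choices($choices = null)
{
    if (is_null($choices)) {
        $choices =& $this->choices;
    }
    if (!is_array($choices)) {
        return $choices;
    }

    foreach ($choices as &$choice) {
        if (isset($choice['isSelected'])) {
            $choice['isSelected'] = (bool) $choice['isSelected'];
        }
        // !empty() already implies isset(), so the original isset() && !empty() pair collapses to this.
        if (!empty($choice['price'])) {
            $price_number = GFCommon::to_number($choice['price']);
            $choice['price'] = GFCommon::to_money($price_number);
        }
        if (isset($choice['text'])) {
            $choice['text'] = $this->maybe_wp_kses($choice['text']);
        }
        if (isset($choice['value'])) {
            // Strip scripts but don't encode
            $allowed_protocols = wp_allowed_protocols();
            $choice['value'] = wp_kses_no_null($choice['value'], array('slash_zero' => 'keep'));
            $choice['value'] = wp_kses_hook($choice['value'], 'post', $allowed_protocols);
            $choice['value'] = wp_kses_split($choice['value'], 'post', $allowed_protocols);
        }
    }
    // Break the by-reference binding left behind by foreach. Without this the last element
    // of $choices (and of $this->choices when that was the target) stays a reference, so the
    // returned copy and the property would share that element and a later write to either
    // would silently change the other.
    unset($choice);

    return $choices;
}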
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Same as the WordPress core function, with one extra switch: when
 * $skip_normalize_entities is true the wp_kses_normalize_entities() pass is left out so
 * that "&" is kept as written. Because that pass is what turns stray or malformed entities
 * into sane ones, callers should set the flag only when the destination can safely take
 * un-normalised "&" text; the remaining passes (NUL removal, JS entities, hook, split) still
 * run.
 *
 * An empty() $allowed_protocols selects wp_allowed_protocols(), so array() means "use the
 * defaults", not "allow nothing".
 *
 * @param string $string                  Content to filter through kses.
 * @param array  $allowed_html            List of allowed HTML elements.
 * @param array  $allowed_protocols       Optional. Allowed protocols in links.
 * @param bool   $skip_normalize_entities Optional. Skip entity normalisation (keep "&").
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array(), $skip_normalize_entities = false)
{
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    $content = wp_kses_js_entities(wp_kses_no_null($string));
    if (!$skip_normalize_entities) {
        $content = wp_kses_normalize_entities($content);
    }
    $content = wp_kses_hook($content, $allowed_html, $protocols);

    return wp_kses_split($content, $allowed_html, $protocols);
}
/**
 * Strip scripts and some HTML tags.
 *
 * strip_tags() keeps only the tags returned by get_allowable_tags() (a result of boolean
 * true skips that step), then the value goes through a reduced wp_kses(): NUL removal, the
 * kses hook and the split against the 'post' allow-list. The JS-entity and entity-normalisation
 * passes are not run, so the value is not encoded.
 *
 * @param string $value   The field value to be processed. Arrays are rejected and yield ''.
 * @param int    $form_id The ID of the form currently being processed.
 *
 * @return string
 */
public function sanitize_entry_value($value, $form_id)
{
    if (is_array($value)) {
        return '';
    }

    $tags_to_keep = $this->get_allowable_tags($form_id);
    if (true !== $tags_to_keep) {
        $value = strip_tags($value, $tags_to_keep);
    }

    // 'post' is the kses context name passed to both the hook and the split step.
    $protocols = wp_allowed_protocols();
    $clean = wp_kses_no_null($value, array('slash_zero' => 'keep'));
    $clean = wp_kses_hook($clean, 'post', $protocols);

    return wp_kses_split($clean, 'post', $protocols);
}
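/**
 * Escapes the given string for the KSES filter with the criteria of allowing/disallowing
 * tags and the protocol.
 *
 * The tags in $aAllowedTags are merged over $GLOBALS['allowedposttags'] with the first
 * argument winning, so a tag listed there is permitted even if WordPress's post allow-list
 * would not permit it. Tags in $aDisallowedTags are then removed from the merged list. Each
 * added tag gets an empty attribute list, i.e. the tag is allowed but none of its attributes
 * are (see @remark).
 *
 * @remark Attributes are not supported at this moment.
 * @param string $sString           Content to filter.
 * @param array  $aAllowedTags      e.g. array( 'noscript', 'style', )
 * @param array  $aDisallowedTags   e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' )
 * @param array  $aAllowedProtocols URL schemes accepted in attributes; wp_allowed_protocols() when empty.
 * @return string Filtered content.
 * @since 2.0.0
 */
public static function escapeKSESFilter($sString, $aAllowedTags = array(), $aDisallowedTags = array(), $aAllowedProtocols = array())
{
    // Initialise explicitly: with an empty $aAllowedTags the original left this variable
    // undefined and passed null into uniteArrays().
    $aFormatAllowedTags = array();
    foreach ($aAllowedTags as $sTag) {
        $aFormatAllowedTags[$sTag] = array(); // empty attribute list: tag allowed, attributes not
    }
    $aAllowedHTMLTags = AmazonAutoLinks_Utility::uniteArrays($aFormatAllowedTags, $GLOBALS['allowedposttags']); // the first parameter takes over the second.
    foreach ($aDisallowedTags as $sTag) {
        unset($aAllowedHTMLTags[$sTag]); // unset() on a missing key is a no-op, so no isset() guard is needed
    }
    if (empty($aAllowedProtocols)) {
        $aAllowedProtocols = wp_allowed_protocols();
    }

    // The original wrapped the kses passes in addslashes()/stripslashes() pairs (mirroring
    // wp_filter_post_kses()). stripslashes() exactly undoes addslashes(), so both pairs were
    // no-ops and have been dropped.
    $sString = wp_kses_no_null($sString);            // wp_kses()
    $sString = wp_kses_js_entities($sString);        // wp_kses()
    $sString = wp_kses_normalize_entities($sString); // wp_kses()
    $sString = wp_kses_hook($sString, $aAllowedHTMLTags, $aAllowedProtocols);

    return wp_kses_split($sString, $aAllowedHTMLTags, $aAllowedProtocols);
}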
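/**
 * Escapes the given string through the KSES filter, allowing and disallowing tags on top of
 * the global post allow-list.
 *
 * $arrAllowedTags is already in kses allow-list form (tag => attribute array) and is merged
 * over $allowedposttags with the first argument winning, so a tag listed there is permitted
 * even if WordPress's post allow-list would not permit it. $arrDisallowedTags are then
 * removed from the merged list.
 *
 * @param string $strString            Content to filter.
 * @param array  $arrAllowedTags       e.g. array( 'noscript' => array(), 'style' => array() )
 * @param array  $arrDisallowedTags    e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' )
 * @param array  $arrAllowedProtocols  URL schemes accepted in attributes; wp_allowed_protocols() when empty.
 * @return string Filtered content.
 */
function EscapeAndFilterPostKSES($strString, $arrAllowedTags = array(), $arrDisallowedTags = array(), $arrAllowedProtocols = array())
{
    global $allowedposttags;

    $arrAllowedHTML = $this->oUtil->UniteArraysRecursive($arrAllowedTags, $allowedposttags); // the first parameter takes over the second.
    foreach ($arrDisallowedTags as $strTag) {
        unset($arrAllowedHTML[$strTag]); // unset() on a missing key is a no-op, so no isset() guard is needed
    }
    if (empty($arrAllowedProtocols)) {
        $arrAllowedProtocols = wp_allowed_protocols();
    }

    // The original wrapped the kses passes in addslashes()/stripslashes() pairs (mirroring
    // wp_filter_post_kses()). stripslashes() exactly undoes addslashes(), so both pairs were
    // no-ops and have been dropped.
    $strString = wp_kses_no_null($strString);            // wp_kses()
    $strString = wp_kses_js_entities($strString);        // wp_kses()
    $strString = wp_kses_normalize_entities($strString); // wp_kses()
    $strString = wp_kses_hook($strString, $arrAllowedHTML, $arrAllowedProtocols);

    return wp_kses_split($strString, $arrAllowedHTML, $arrAllowedProtocols);
}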