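/**
 * Filter output of Group Description through WordPress's KSES API.
 *
 * @since BuddyPress (1.1.0)
 *
 * @param string $content Raw group description (may be empty).
 * @return string The description with disallowed HTML removed.
 */
function bp_groups_filter_kses($content = '')
{
    /**
     * Note that we don't immediately bail if $content is empty. This is because
     * WordPress's KSES API calls several other filters that might be relevant
     * to someone's workflow (like `pre_kses`)
     */
    // Get allowed tags using core WordPress API allowing third party plugins
    // to target the specific `buddypress-groups` context.
    $allowed_tags = wp_kses_allowed_html('buddypress-groups');

    // Add our own tags allowed in group descriptions. kses reads an empty
    // constraint array as "attribute allowed, no value checks". The previous
    // version assigned img/class twice; the list below is the de-duplicated set.
    $allowed_tags['a']['class'] = array();
    $allowed_tags['img'] = array(
        'src'    => array(),
        'alt'    => array(),
        'class'  => array(),
        'width'  => array(),
        'height' => array(),
        'id'     => array(),
    );
    $allowed_tags['code'] = array();

    /**
     * Filter HTML elements allowed for a given context.
     *
     * @since BuddyPress (1.1.0)
     *
     * @param array $allowed_tags Allowed tags, attributes, and/or entities.
     */
    $tags = apply_filters('bp_groups_filter_kses', $allowed_tags);

    // Return KSES'ed content, allowing the above tags
    return wp_kses($content, $tags);
}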
 /**
  * The enhanced default constructor, ends up setting all parameters via the set_ functions
  *
  * The allowed-HTML list is the 'post' kses list, which plugins may extend via
  * the `bcn_allowed_html` filter. An unlinked breadcrumb (empty URL) stores its
  * kses-filtered template in `template_no_anchor`; a linked one is handed to
  * set_template() unfiltered here.
  *
  * @param string $title (optional) The title of the breadcrumb
  * @param string $template (optional) The html template for the breadcrumb
  * @param array $type (optional) The breadcrumb type(s)
  * @param string|null $url (optional) The url the breadcrumb links to
  * @param mixed $id (optional) The resource id passed to set_id()
  */
 public function __construct($title = '', $template = '', array $type = array(), $url = NULL, $id = NULL)
 {
     //Filter allowed_html array to allow others to add acceptable tags
     $this->allowed_html = apply_filters('bcn_allowed_html', wp_kses_allowed_html('post'));
     //The breadcrumb type
     $this->type = $type;
     //Set the resource id
     $this->set_id($id);
     //Set the title
     $this->set_title($title);
     //Assign the breadcrumb template, need strict comparison as we only want to enter if we had a blank URL, not NULL URL
     // NOTE(review): the comment above describes a strict check on $url, but the
     // condition is `$template == NULL || $url === ''`, i.e. any empty template
     // OR a blank URL enters this block; confirm which was intended.
     if ($template == NULL || $url === '') {
         if ($url == NULL || $url === '') {
             $template = __('<span typeof="v:Breadcrumb"><span property="v:title">%htitle%</span></span>', 'breadcrumb-navxt');
         } else {
             $template = __('<span typeof="v:Breadcrumb"><a rel="v:url" property="v:title" title="Go to %title%." href="%link%" class="%type%">%htitle%</a></span>', 'breadcrumb-navxt');
         }
     }
     //Loose comparison, evaluates to true if URL is '' or NULL
     // The no-anchor template passes through the `bcn_breadcrumb_template_no_anchor`
     // filter and then kses; the linked template is passed to set_template() as-is.
     if ($url == NULL) {
         $this->template_no_anchor = wp_kses(apply_filters('bcn_breadcrumb_template_no_anchor', $template, $this->type, $this->id), $this->allowed_html);
     } else {
         $this->set_template($template);
     }
     //Always NULL if unlinked
     $this->set_url($url);
 }
 /**
  * The enhanced default constructor, ends up setting all parameters via the set_ functions
  *
  * Starts from the class default no-anchor template. With no template given,
  * the default linked template is used; with a template but no URL, the given
  * template becomes the kses-filtered no-anchor template and the linked
  * template falls back to the default; otherwise the given template is used.
  *
  * @param string $title (optional) The title of the breadcrumb
  * @param string $template (optional) The html template for the breadcrumb
  * @param array $type (optional) The breadcrumb type(s)
  * @param string $url (optional) The url the breadcrumb links to
  * @param mixed $id (optional) The resource id passed to set_id()
  */
 public function __construct($title = '', $template = '', array $type = array(), $url = '', $id = NULL)
 {
     //Filter allowed_html array to allow others to add acceptable tags
     $this->allowed_html = apply_filters('bcn_allowed_html', wp_kses_allowed_html('post'));
     //The breadcrumb type
     $this->type = $type;
     //Set the resource id
     $this->set_id($id);
     //Set the title
     $this->set_title($title);
     //Set the default anchorless templates value
     $this->template_no_anchor = bcn_breadcrumb::default_template_no_anchor;
     //If we didn't get a good template, use a default template
     // Loose comparison: '' (the default) and NULL both count as "no template".
     if ($template == NULL) {
         $this->set_template(bcn_breadcrumb::get_default_template());
     } else {
         //Loose comparison, evaluates to true if URL is '' or NULL
         if ($url == NULL) {
             // Unlinked crumb: the caller's template is the no-anchor one, run
             // through the `bcn_breadcrumb_template_no_anchor` filter and kses.
             $this->template_no_anchor = wp_kses(apply_filters('bcn_breadcrumb_template_no_anchor', $template, $this->type, $this->id), $this->allowed_html);
             $this->set_template(bcn_breadcrumb::get_default_template());
         } else {
             $this->set_template($template);
         }
     }
     //Always NULL if unlinked
     $this->set_url($url);
 }
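 /**
  * Merge element data with the section defaults and make it safe to render.
  *
  * @param array  $data    Raw element data; 'elements' is added when missing.
  * @param object $section Section whose getDefaults() supplies fallback values.
  * @return array The formatted data.
  */
 private function formatData($data, $section)
 {
     if (!isset($data['elements'])) {
         $data['elements'] = array();
     }
     $data = wp_parse_args($data, $section->getDefaults());
     // Get around id being a reserved keyword. This way we can still use it in render methods for elements
     if (isset($data['custom_id'])) {
         $data['id'] = $data['custom_id'];
     }
     // Format data before rendering
     foreach ($data as $key => $item) {
         // Five-element list whose last entry is a 'linked'/'unlinked' marker:
         // split the marker off into "<key>_linked" and escape the four values.
         // The marker is compared strictly (a loose `== 'linked'` also matched
         // non-string values such as 0 on PHP 7) and index 4 must exist so a
         // sparse five-element array does not raise an undefined-index notice.
         if (is_array($item) && count($item) == 5 && isset($item[4])
             && in_array($item[4], array('linked', 'unlinked'), true)) {
             $data[$key . '_linked'] = array_pop($item);
             $data[$key] = array_map('esc_html', array($item[0], $item[1], $item[2], $item[3]));
             continue;
         }
         // Convert boolean to string
         if ($item === true) {
             $data[$key] = 'true';
             continue;
         }
         if ($item === false) {
             $data[$key] = 'false';
             continue;
         }
         // Strings are kses-filtered with the 'post' list unless the current
         // user may post unfiltered HTML.
         if (is_string($item) && !current_user_can('unfiltered_html')) {
             $data[$key] = wp_kses($item, wp_kses_allowed_html('post'));
             continue;
         }
     }
     return $data;
 }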
 /**
  * Run popup data through kses with the 'post' list plus <input> and <iframe>.
  *
  * NOTE(review): iframe 'src' is accepted here and kses constrains only the URL
  * protocol, not the host, so any origin can be embedded — confirm intended.
  *
  * @param string $sgPopupData Raw popup markup.
  * @return string Filtered markup.
  */
 public static function sgPopupDataSanitize($sgPopupData)
 {
     $extraTags = array(
         'input'  => array_fill_keys(array('name', 'class', 'id', 'placeholder', 'title', 'value', 'type'), true),
         'iframe' => array_fill_keys(array('name', 'class', 'id', 'title', 'src', 'height', 'width'), true),
     );
     $allowed = wp_kses_allowed_html('post');
     foreach ($extraTags as $tag => $attributes) {
         $allowed[$tag] = $attributes;
     }
     return wp_kses($sgPopupData, $allowed);
 }
 /**
  * The enhanced default constructor, ends up setting all parameters via the set_ functions
  *
  * Presumably a PHP 4-style constructor (method named after the class). With
  * no template given, an unlinked crumb gets the bare '%htitle%' template and
  * a linked one an anchor template. An unlinked crumb's template is
  * kses-filtered into `template_no_anchor`; a linked one goes to set_template().
  *
  * @param string $title (optional) The title of the breadcrumb
  * @param string $template (optional) The html template for the breadcrumb
  * @param string $type (optional) The breadcrumb type
  * @param string|null $url (optional) The url the breadcrumb links to
  * @param mixed $id (optional) The resource id passed to set_id()
  */
 public function bcn_breadcrumb($title = '', $template = '', $type = '', $url = NULL, $id = NULL)
 {
     //Filter allowed_html array to allow others to add acceptable tags
     $this->allowed_html = apply_filters('bcn_allowed_html', wp_kses_allowed_html('post'));
     //The breadcrumb type
     $this->type = $type;
     //Set the resource id
     $this->set_id($id);
     //Set the title
     $this->set_title($title);
     //Assign the breadcrumb template
     if ($template == NULL) {
         if ($url == NULL) {
             // NOTE(review): this also writes $this->template directly, bypassing
             // set_template(); confirm that is intended for the unlinked case.
             $template = $this->template = __('%htitle%', 'breadcrumb-navxt');
         } else {
             $template = __('<a title="Go to %ftitle%." href="%link%" class="%type%">%htitle%</a>', 'breadcrumb-navxt');
         }
     }
     // Loose comparison: '' and NULL both mean unlinked.
     if ($url == NULL) {
         $this->template_no_anchor = wp_kses($template, $this->allowed_html);
     } else {
         $this->set_template($template);
     }
     //Always NULL if unlinked
     $this->set_url($url);
 }
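 /**
  * Sanitize editor
  *
  * Reads the submitted editor value straight from $_POST (the field id is
  * prefixed with 'wppf-') and runs it through kses with the 'post' allowed
  * list, which plugins may extend via `wppf_editor_field_allowed_html`.
  *
  * @param mixed $new   Unused; the value is read from $_POST.
  * @param mixed $old
  * @param int   $post_id
  * @param array $field Field definition; only $field['id'] is used.
  *
  * @return string Filtered HTML, '' when the field was not submitted.
  */
 public static function value($new, $old, $post_id, $field)
 {
     $prefix = 'wppf-';
     $the_field_id = $prefix . $field['id'];
     // A missing key used to raise an undefined-index notice; default to ''.
     $raw = isset($_POST[$the_field_id]) ? $_POST[$the_field_id] : '';
     $allowed_html = apply_filters('wppf_editor_field_allowed_html', wp_kses_allowed_html('post'));
     return wp_kses($raw, $allowed_html);
 }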
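 /**
  * Create a feedback post from submitted parameters.
  *
  * Title and content are kses-filtered with the default allowed list after the
  * `un_feedback_title` / `un_feedback_content` filters run; optional email,
  * author and name are stored as post meta, then `un_feedback_created` fires
  * and the admin is notified.
  *
  * @param array $params Submitted data: 'description', and optionally 'title',
  *                      'email', 'name' and 'type'.
  * @return void
  */
 public function create_feedback($params)
 {
     $content = isset($params['description']) ? $params['description'] : '';
     if (!empty($params['title'])) {
         $title = $params['title'];
     } else {
         // No title: use the first 150 characters of the content. mb_* keeps a
         // multibyte character from being cut in half (substr is byte-based).
         $title = mb_substr($content, 0, 150) . (mb_strlen($content) < 150 ? '' : "…");
     }
     $id = wp_insert_post(array(
         'post_type'    => FEEDBACK,
         'post_title'   => wp_kses(apply_filters('un_feedback_title', $title, $params), wp_kses_allowed_html()),
         'post_content' => wp_kses(apply_filters('un_feedback_content', $content, $params), wp_kses_allowed_html()),
         'post_status'  => un_get_option(UN_PUBLISH_DIRECTLY) ? 'publish' : 'pending',
         'post_author'  => 0,
     ));
     // wp_insert_post() returns 0 (or a WP_Error) on failure; attaching meta
     // and terms to a non-existent post would silently misfile them.
     if (is_wp_error($id) || !$id) {
         return;
     }
     $email = isset($params['email']) ? trim($params['email']) : '';
     if ($email) {
         add_post_meta($id, '_email', $email);
     }
     if (is_user_logged_in()) {
         add_post_meta($id, '_author', get_current_user_id());
     }
     if (isset($params['name']) && trim($params['name'])) {
         add_post_meta($id, '_name', wp_kses(trim($params['name']), wp_kses_allowed_html()));
     }
     if (isset($params['type'])) {
         wp_set_post_terms($id, $params['type'], FEEDBACK_TYPE);
     }
     do_action('un_feedback_created', $id, $params);
     $this->send_admin_message($id, $params);
 }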
 /**
  * The enhanced default constructor, ends up setting all parameters via the set_ functions
  *
  * The allowed-HTML list is the 'post' kses list, which plugins may extend via
  * the `bcn_allowed_html` filter. With no template given, an unlinked crumb
  * gets a plain span template and a linked one an anchor template. An unlinked
  * crumb's template is filtered and kses'd into `template_no_anchor`; a linked
  * one is handed to set_template() as-is.
  *
  * @param string $title (optional) The title of the breadcrumb
  * @param string $template (optional) The html template for the breadcrumb
  * @param string $type (optional) The breadcrumb type
  * @param string|null $url (optional) The url the breadcrumb links to
  * @param mixed $id (optional) The resource id passed to set_id()
  */
 public function __construct($title = '', $template = '', $type = '', $url = NULL, $id = NULL)
 {
     //Filter allowed_html array to allow others to add acceptable tags
     $this->allowed_html = apply_filters('bcn_allowed_html', wp_kses_allowed_html('post'));
     //The breadcrumb type
     $this->type = $type;
     //Set the resource id
     $this->set_id($id);
     //Set the title
     $this->set_title($title);
     //Assign the breadcrumb template
     // Loose comparisons: '' and NULL both mean "no template" / "unlinked".
     if ($template == NULL) {
         if ($url == NULL) {
             $template = __('<span typeof="v:Breadcrumb"><span property="v:title">%htitle%</span></span>', 'breadcrumb-navxt');
         } else {
             $template = __('<span typeof="v:Breadcrumb"><a rel="v:url" property="v:title" title="Go to %title%." href="%link%" class="%type%">%htitle%</a></span>', 'breadcrumb-navxt');
         }
     }
     if ($url == NULL) {
         // The no-anchor template passes through the
         // `bcn_breadcrumb_template_no_anchor` filter before kses.
         $this->template_no_anchor = wp_kses(apply_filters('bcn_breadcrumb_template_no_anchor', $template, $this->type, $this->id), $this->allowed_html);
     } else {
         $this->set_template($template);
     }
     //Always NULL if unlinked
     $this->set_url($url);
 }
 /**
  * removes all tags which a WP Post wouldn't allow in its content normally
  *
  * Users holding the `unfiltered_html` capability skip the kses pass; for
  * everyone else the 'post' allowed list is applied before the parent
  * implementation handles the value.
  *
  * @param string $value
  * @return string
  */
 function prepare_for_set($value)
 {
     $mayPostRawHtml = current_user_can('unfiltered_html');
     if (!$mayPostRawHtml) {
         $value = wp_kses((string) $value, wp_kses_allowed_html('post'));
     }
     return parent::prepare_for_set($value);
 }
/**
 * A lazy way to build, configure and display a new pagination.
 *
 * When echoing, the markup is kses-filtered with the 'post' allowed list;
 * when returning, the presenter's output is handed back unfiltered.
 *
 * @param string $pagination The pagination type, can be one of the following:
 *    - Posts
 *    - Post
 *    - Comments
 *    - Custom
 * @param array $args Configuration options to modify the pagination settings.
 * @param bool $echo Whether to display or return the output. True will display, false will return.
 * @return string|null The markup when $echo is false, nothing otherwise.
 */
function carbon_pagination($pagination, $args = array(), $echo = true)
{
    $markup = Carbon_Pagination_Presenter::display($pagination, $args, false);
    if ($echo) {
        echo wp_kses($markup, wp_kses_allowed_html('post'));
        return;
    }
    return $markup;
}
 /**
  * Sanitize settings; on multisite, or for users without `manage_options`,
  * the content is additionally run through kses with the 'post' list.
  */
 public function sanitize_settings()
 {
     parent::sanitize_settings();
     $mayKeepRawHtml = !is_multisite() && current_user_can('manage_options');
     if ($mayKeepRawHtml) {
         return;
     }
     $this->content = wp_kses($this->content, wp_kses_allowed_html('post'));
 }
 /**
  * Allow <input> and <script> tags
  *
  * Extends the 'post' kses list with <input> (including the 'onblur' and
  * 'onfocus' handlers) and <script> with 'src'. Inline event handlers and
  * external scripts are exactly what kses normally removes, so the result is
  * only as safe as the caller: reach this only for input from users who are
  * already trusted with raw HTML (e.g. the `unfiltered_html` capability).
  *
  * @param string $content Markup to filter.
  * @return string Filtered markup.
  */
 function phn_sanitize_content($content)
 {
     $extra = array(
         'input'  => array_fill_keys(array('name', 'id', 'value', 'class', 'type', 'onblur', 'onfocus'), array()),
         'script' => array_fill_keys(array('type', 'src'), array()),
     );
     // '+' keeps the core definition where a tag exists on both sides.
     $allowed = wp_kses_allowed_html('post') + $extra;
     return wp_kses($content, $allowed);
 }
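 /**
  * Filter output HTML with the 'post' kses list, or with the list stored as
  * JSON in the 'contentelements' key of the 'iwt_options' option when set.
  *
  * @param mixed $content Markup to filter; cast to string.
  * @return string Filtered markup.
  */
 public static function sanitize_output($content)
 {
     $allowed = wp_kses_allowed_html('post');
     $options = get_option('iwt_options');
     // get_option() yields false when the option is unset, and
     // array_key_exists() on a non-array is a TypeError on PHP 8.
     if (is_array($options) && array_key_exists('contentelements', $options) && is_string($options['contentelements'])) {
         // Decode once, as an associative array (the shape wp_kses expects).
         // A non-array or empty result keeps the default list instead of
         // handing a scalar to wp_kses.
         $configured = json_decode($options['contentelements'], true);
         if (is_array($configured) && $configured !== array()) {
             $allowed = $configured;
         }
     }
     return wp_kses((string) $content, $allowed);
 }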
 /**
  * Display the admin notices
  *
  * NOTE(review): `$notices` is a local that is never assigned in this method,
  * so the loop never runs as written; it presumably should read the object's
  * notice list — confirm the intended source before relying on this output.
  */
 public function admin_notices()
 {
     if (!empty($notices)) {
         foreach ($notices as $notice) {
             // The type is attribute-escaped; the message is kses-filtered
             // with the 'post' allowed list.
             echo '<div class="' . esc_attr($notice['type']) . '">
       <p>' . wp_kses($notice['message'], wp_kses_allowed_html('post')) . '</p>
       </div>';
         }
     }
 }
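    /**
     * Display the admin notices
     *
     * Each entry in $this->notices is rendered as a <div> whose class is the
     * notice's 'msg_type' and whose body is the kses-filtered 'msg'.
     */
    public function admin_notices()
    {
        if (empty($this->notices)) {
            return;
        }
        foreach ($this->notices as $notice) {
            // The class name was previously inserted unescaped; esc_attr()
            // keeps a quote in 'msg_type' from breaking out of the attribute.
            echo '<div class="' . esc_attr($notice['msg_type']) . '">
          <p>' . wp_kses($notice['msg'], wp_kses_allowed_html('post')) . '</p>
				</div>';
        }
    }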
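 /**
  * Sanitize and save the widget instance.
  *
  * Title, image and alignment are reduced to plain text, a raw URL and a key
  * respectively; the about text keeps the HTML allowed in posts. Missing
  * fields default to '' instead of raising an undefined-index notice.
  *
  * @param array $new_instance Submitted widget values.
  * @param array $old_instance Previously saved values.
  * @return array Sanitized instance to store.
  */
 function update($new_instance, $old_instance)
 {
     $instance = $old_instance;
     $instance['ci_title'] = sanitize_text_field(isset($new_instance['ci_title']) ? $new_instance['ci_title'] : '');
     $instance['ci_image'] = esc_url_raw(isset($new_instance['ci_image']) ? $new_instance['ci_image'] : '');
     $instance['ci_align'] = sanitize_key(isset($new_instance['ci_align']) ? $new_instance['ci_align'] : '');
     $instance['ci_about'] = wp_kses(isset($new_instance['ci_about']) ? $new_instance['ci_about'] : '', wp_kses_allowed_html('post'));
     // Register the user-entered strings for translation.
     ci_register_string_translation('About Me - Title', $instance['ci_title'], 'Widgets');
     ci_register_string_translation('About Me - Text', $instance['ci_about'], 'Widgets');
     return $instance;
 }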
 /**
  * Test that we add extra attributes to our allowed html for wp_kses_post
  *
  * Checks that the 'post' kses list now carries 'data-toggle' on <a> and
  * 'data-category' on <div>.
  *
  * @since 1.0.0
  *
  * @return void
  */
 public function test_add_allowed_html()
 {
     $allowed = wp_kses_allowed_html('post');
     $expected = array(
         array('a', 'data-toggle'),
         array('div', 'data-category'),
     );
     foreach ($expected as $pair) {
         list($tag, $attribute) = $pair;
         $this->assertTrue(isset($allowed[$tag][$attribute]));
     }
 }
 /**
  * Filter $html with the 'post' kses list extended by <link> (href, rel, type)
  * and <style> (type). Falls back to the global $allowedposttags on WordPress
  * builds without wp_kses_allowed_html().
  *
  * NOTE(review): <link href> is accepted and kses constrains only the URL
  * protocol, so external stylesheets can be referenced — confirm intended.
  *
  * @param string $html Markup to filter.
  * @return string Filtered markup.
  */
 public static function kses_html($html)
 {
     $extra = array(
         'link'  => array('href' => true, 'rel' => true, 'type' => true),
         'style' => array('type' => true),
     );
     if (!function_exists('wp_kses_allowed_html')) {
         global $allowedposttags;
         $base = $allowedposttags;
     } else {
         $base = wp_kses_allowed_html('post');
     }
     return wp_kses($html, array_merge($base, $extra));
 }
/**
 * Sanitize editor content for saving.
 *
 * Empty input is returned untouched. Users with `unfiltered_html` get the
 * 'post' kses list applied directly; everyone else goes through
 * wp_filter_post_kses(), wrapped in addslashes()/stripslashes() to match the
 * slashed data that function works on.
 *
 * @param string $content Editor content.
 * @return string Filtered content.
 */
function pix_sanitize_editor($content)
{
    if ($content === '') {
        return '';
    }
    if (!current_user_can('unfiltered_html')) {
        $slashed = addslashes($content);
        return stripslashes(wp_filter_post_kses($slashed));
    }
    return wp_kses($content, wp_kses_allowed_html('post'));
}
    /**
     * Display the admin notices
     *
     * Renders each notice from the `woocommerce_pos_admin_notices` filter as a
     * <div> with the attribute-escaped 'type' as class and the kses-filtered
     * 'message' inside a <p>.
     */
    public function admin_notices()
    {
        $notices = apply_filters('woocommerce_pos_admin_notices', self::$notices);
        if (empty($notices)) {
            return;
        }
        foreach ($notices as $notice) {
            $cssClass = esc_attr($notice['type']);
            $body = wp_kses($notice['message'], wp_kses_allowed_html('post'));
            echo '<div class="' . $cssClass . '">
          <p>' . $body . '</p>
				</div>';
        }
    }
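/**
 * [wpsight_year] shortcode: prints the current year, optionally preceded by a
 * start year ("2010 &ndash; <current>") and wrapped in an allowed HTML element.
 *
 * @param array $atts Shortcode attributes: 'before', 'after', 'first', 'wrap'.
 * @return string Shortcode output, after the `wpsight_year_shortcode` filter.
 */
function wpsight_year_shortcode($atts)
{
    $defaults = array('before' => '&copy; ', 'after' => '', 'first' => '', 'wrap' => 'span');
    // Explicit assignment instead of extract(): only the four known keys can
    // become variables, and static analysis can see them. $atts itself is left
    // untouched because the filter below receives the raw attributes.
    $parsed = shortcode_atts($defaults, $atts);
    $before = $parsed['before'];
    $after = $parsed['after'];
    $first = $parsed['first'];
    $wrap = $parsed['wrap'];
    $current_year = date('Y');
    // 'first' is author-supplied and rendered as text, so it is HTML-escaped;
    // 'before'/'after' are left alone because the default itself is an entity.
    $first_year = !empty($first) && $first != $current_year ? esc_html($first) . ' &ndash; ' : false;
    $output = sprintf('%1$s%4$s%3$s%2$s', $before, $after, $current_year, $first_year);
    // Optionally wrap shortcode in HTML tags, but only in an element kses allows in posts
    if (!empty($wrap) && $wrap != 'false' && array_key_exists($wrap, wp_kses_allowed_html('post'))) {
        $output = sprintf('<%2$s class="the-year">%1$s</%2$s>', $output, $wrap);
    }
    return apply_filters('wpsight_year_shortcode', $output, $atts);
}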
 /**
  * Validate the given data, assuming it is from a textarea field.
  *
  * Extends the 'post' kses list with <iframe>, <object> and <embed>; fields
  * listed by get_script_supported_fields() may additionally contain <script>.
  *
  * @access  public
  * @since   6.0.0
  * @param string $v Submitted value.
  * @param mixed  $k Field definition; when an array, its 'id' selects script support.
  * @return string Filtered value.
  */
 public function validate_field_textarea($v, $k)
 {
     // Allow iframe, object and embed tags in textarea fields.
     $embedAttributes = array('src' => true, 'width' => true, 'height' => true, 'id' => true, 'class' => true, 'name' => true);
     $allowed = wp_kses_allowed_html('post');
     foreach (array('iframe', 'object', 'embed') as $tag) {
         $allowed[$tag] = $embedAttributes;
     }
     // Allow script tags in the Google Analytics field.
     $scriptField = is_array($k) && isset($k['id']) && in_array($k['id'], $this->get_script_supported_fields());
     if ($scriptField) {
         $allowed['script'] = array('type' => true, 'id' => true, 'class' => true);
     }
     return wp_kses($v, $allowed);
 }
 /**
  * Sanitize settings, then clean the next-button settings when present:
  * image URL and type are stripped of tags, the text keeps post-allowed HTML,
  * and conditional logic is delegated to sanitize_settings_conditional_logic().
  */
 public function sanitize_settings()
 {
     parent::sanitize_settings();
     if (!$this->nextButton) {
         return;
     }
     $this->nextButton['imageUrl'] = wp_strip_all_tags($this->nextButton['imageUrl']);
     $this->nextButton['text'] = wp_kses($this->nextButton['text'], wp_kses_allowed_html('post'));
     $this->nextButton['type'] = wp_strip_all_tags($this->nextButton['type']);
     $hasLogic = isset($this->nextButton['conditionalLogic']) && is_array($this->nextButton['conditionalLogic']);
     if ($hasLogic) {
         $this->nextButton['conditionalLogic'] = $this->sanitize_settings_conditional_logic($this->nextButton['conditionalLogic']);
     }
 }
/**
 * Callback for Voce_Settings_API for showing a dropdown of pages
 *
 * Prints a page dropdown (or a "create a page" hint when none are published),
 * the optional kses-filtered description, and a link to the new-page screen.
 *
 * @param mixed  $value        value of setting (unused here)
 * @param object $setting      setting object; get_field_name() and setting_key are used
 * @param array  $setting_args args from setting; 'description' is printed when present
 */
function eventbrite_venue_page_settings_cb($value, $setting, $setting_args)
{
    $dropdown = wp_dropdown_pages(array('echo' => false, 'name' => esc_attr($setting->get_field_name()), 'show_option_none' => __('&mdash; Select &mdash;', 'eventbrite-parent'), 'option_none_value' => '0', 'selected' => get_eventbrite_setting($setting->setting_key, '0')));
    if (!$dropdown) {
        $hint = sprintf(__("You don't have any published pages. To use this feature <a href='%s'>create a new page</a> then come back here and update this.", 'eventbrite-parent'), esc_url(admin_url('post-new.php?post_type=page')));
        echo '<p>' . $hint . '</p>';
        return;
    }
    printf('<div class="page-select">%s</div>', $dropdown);
    if (!empty($setting_args['description'])) {
        printf('<span class="description">%s</span>', wp_kses($setting_args['description'], wp_kses_allowed_html()));
    }
    printf('<p><a href="%1$s">%2$s</a></p>', esc_url(admin_url('post-new.php?post_type=page')), __('Create new page', 'eventbrite-parent'));
}
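/**
 * [wpsight_icon] shortcode: renders an <i class="icon-..."> element with an
 * optional inline font-size, wrapped in an allowed HTML element.
 *
 * @param array $atts Shortcode attributes: 'type', 'class', 'size', 'before', 'after', 'wrap'.
 * @return string Shortcode output, after the `wpsight_icon_shortcode` filter.
 */
function wpsight_icon_shortcode($atts)
{
    $defaults = array('type' => 'thumbs-up', 'class' => '', 'size' => '', 'before' => '', 'after' => '', 'wrap' => 'span');
    // Explicit assignment instead of extract(); $atts stays untouched because
    // the filter below receives the raw attributes.
    $parsed = shortcode_atts($defaults, $atts);
    $before = $parsed['before'];
    $after = $parsed['after'];
    $wrap = $parsed['wrap'];
    $class = $parsed['class'];
    // Replace icon- just in case
    $type = str_replace('icon-', '', $parsed['type']);
    // 'size', 'type' and 'class' are author-supplied and land inside HTML
    // attributes, so each is attribute-escaped; unescaped, a quote in 'size'
    // could end the style attribute early.
    $size = !empty($parsed['size']) ? ' style="font-size:' . esc_attr($parsed['size']) . '"' : false;
    $output = sprintf('%1$s<i class="icon-%3$s %4$s"></i>%2$s', $before, $after, esc_attr($type), esc_attr($class));
    // Optionally wrap shortcode in HTML tags, but only in an element kses allows in posts
    if (!empty($wrap) && $wrap != 'false' && array_key_exists($wrap, wp_kses_allowed_html('post'))) {
        $output = sprintf('<%2$s class="wpsight-icon-sc"%3$s>%1$s</%2$s>', $output, $wrap, $size);
    }
    return apply_filters('wpsight_icon_shortcode', $output, $atts);
}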
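 /**
  * Custom admin columns implementation
  *
  * Renders one cell of the transactions list table. Transaction details come
  * from post meta: 'object' (a serialized array read for 'price_formatted',
  * 'success' and 'gateway'), 'object_id' and 'payment_type'.
  *
  * @access public
  * @param string $column
  * @return void
  */
 public static function custom_columns_manage($column)
 {
     $object = get_post_meta(get_the_ID(), REALIA_TRANSACTION_PREFIX . 'object', true);
     $object_id = get_post_meta(get_the_ID(), REALIA_TRANSACTION_PREFIX . 'object_id', true);
     $payment_type = get_post_meta(get_the_ID(), REALIA_TRANSACTION_PREFIX . 'payment_type', true);
     // NOTE(review): unserialize() on stored meta. The value is written by this
     // plugin, but if it can ever be set from outside, a JSON encoding would be
     // the safer storage format. A failed unserialize() returns false, so the
     // result is normalised to an array before the key lookups below.
     $object = unserialize($object);
     if (!is_array($object)) {
         $object = array();
     }
     switch ($column) {
         case 'price':
             $price = isset($object['price_formatted']) ? $object['price_formatted'] : '';
             echo wp_kses($price, wp_kses_allowed_html('post'));
             break;
         case 'id':
             echo (int) get_the_ID();
             break;
         case 'object':
             // The URL goes into an attribute and the title into text content,
             // so each is escaped for its context.
             printf('<a href="%s">%s</a>', esc_url(get_permalink($object_id)), esc_html(get_the_title($object_id)));
             break;
         case 'success':
             $succeeded = isset($object['success']) && $object['success'] == 'true';
             echo $succeeded
                 ? '<div class="dashicons-before dashicons-yes green"></div>'
                 : '<div class="dashicons-before dashicons-no red"></div>';
             break;
         case 'type':
             $labels = array(
                 'pay_for_featured' => __('Feature property', 'realia'),
                 'sticky_post'      => __('Sticky post', 'realia'),
                 'pay_per_post'     => __('Pay per post', 'realia'),
                 'package'          => __('Package', 'realia'),
             );
             // Unknown types are shown verbatim (escaped) rather than hidden.
             echo isset($labels[$payment_type]) ? $labels[$payment_type] : esc_html($payment_type);
             break;
         case 'gateway':
             echo esc_html(isset($object['gateway']) ? $object['gateway'] : '');
             break;
     }
 }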
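/**
 * Save the site-wide custom styling options submitted in $_POST.
 *
 * 'h5ab-whole-site-custom-external' is filtered with the plugin's own kses
 * list (H5AB_Custom_Styling::$h5ab_custom_styling_kses), the inline styling
 * with the 'post' list, and the theme name is reduced to plain text.
 *
 * NOTE(review): no nonce or capability check is visible in this function;
 * confirm the calling handler performs both before this runs.
 *
 * @return array{success: bool, message: string}
 */
function h5ab_custom_styling_site()
{
    $allowedHTML = wp_kses_allowed_html('post');
    // Defaults are '' rather than null: passing null to the string functions
    // below is deprecated as of PHP 8.1, and the stored result is the same.
    $wholeSiteExternal = isset($_POST['h5ab-whole-site-custom-external']) ? $_POST['h5ab-whole-site-custom-external'] : '';
    $wholeSiteExternal = str_replace("'", '"', $wholeSiteExternal);
    $wholeSiteStyling = isset($_POST['h5ab-whole-site-custom-styling']) ? $_POST['h5ab-whole-site-custom-styling'] : '';
    $wholeSiteExternalKSES = wp_kses(stripslashes($wholeSiteExternal), H5AB_Custom_Styling::$h5ab_custom_styling_kses);
    $wholeSiteStylingKSES = wp_kses(stripslashes($wholeSiteStyling), $allowedHTML);
    $h5abCustomCSSTheme = isset($_POST['h5ab-css-custom-theme']) ? trim(strip_tags($_POST['h5ab-css-custom-theme'])) : '';
    $h5abCustomCSSTheme = sanitize_text_field($h5abCustomCSSTheme);
    $updatedExternal = update_option('h5abCustomExternal', $wholeSiteExternalKSES);
    $updatedStyling = update_option('h5abCustomStyling', $wholeSiteStylingKSES);
    $updatedTheme = update_option('h5abCustomStylingTheme', $h5abCustomCSSTheme);
    // The previous expression also OR-ed in every AND-combination of these
    // three flags, which reduces to the plain disjunction. Note that
    // update_option() reports false when the stored value is unchanged, so
    // resubmitting identical settings yields the "could not be saved" message —
    // worth confirming that is the intended wording.
    $success = $updatedExternal || $updatedStyling || $updatedTheme;
    $message = $success ? 'Settings successfully saved' : 'Settings could not be saved';
    return array('success' => $success, 'message' => esc_attr($message));
}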
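 /**
  * Save post
  *
  * Handles the "cancel subscription" submission: once the nonce and the
  * current user's right to edit the post are verified, the subscription row
  * gets a cancel_date and a comment records who cancelled it, with the
  * submitted cancel text appended after kses filtering.
  *
  * @param int $post_id ID of the post being saved.
  * @return void
  */
 public function save_post($post_id)
 {
     if (!filter_has_var(INPUT_POST, 'orbis_subscription_cancel')) {
         return;
     }
     // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; a nonce is a short
     // hex token, so reading it raw and letting wp_verify_nonce() reject
     // anything else gives the same outcome.
     $nonce = filter_input(INPUT_POST, 'orbis_subscription_cancel_nonce', FILTER_UNSAFE_RAW);
     if (!wp_verify_nonce($nonce, 'orbis_subscription_cancel')) {
         return;
     }
     // The nonce shows the form was issued to this user; the capability check
     // shows they are allowed to change this particular post.
     if (!current_user_can('edit_post', $post_id)) {
         return;
     }
     global $wpdb;
     $wpdb->update($wpdb->orbis_subscriptions, array('cancel_date' => current_time('mysql')), array('post_id' => $post_id), array('%s'), array('%d'));
     // Comment
     $user = wp_get_current_user();
     $comment_content = sprintf(__("This subscription is just '%s' by %s.", 'orbis_subscriptions'), __('canceled', 'orbis_subscriptions'), $user->display_name);
     // wp_kses_post() takes a single argument and applies the 'post' allowed
     // list itself; the extra argument passed before was ignored. The cast
     // turns a missing field (null) into '' before filtering.
     $content = wp_kses_post((string) filter_input(INPUT_POST, 'orbis_subscription_cancel_content', FILTER_UNSAFE_RAW));
     if (!empty($content)) {
         $comment_content .= "\r\n\r\n";
         $comment_content .= $content;
     }
     $data = array('comment_post_ID' => $post_id, 'comment_content' => $comment_content, 'comment_author' => 'Orbis', 'comment_type' => 'orbis_comment');
     wp_insert_comment($data);
 }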
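/**
 * Escapes text for HTML output, allowing certain tags
 *
 * Takes an arbitrary string and ensures it's safe for output into HTML. Unlike
 * `esc_html`, this allows a certain subset of tags, allowing it to be used for
 * strings which need to have some HTML in them (such as translated text).
 *
 * Allowed tags can be passed in one of two formats. The verbose form is the
 * traditional kses form of
 * `[ 'element' => array( 'attr' => true, 'otherattr' => true ) ]` which
 * specifies tags and their attributes.
 *
 * The concise form, useful for inline usage on output, is in the form of
 * `[ 'element', 'otherelement' ]` - This concise form takes the attribute list
 * from WP core's attribute whitelist for a good-enough list for most usages.
 * This can also be passed as a comma separated string.
 *
 * (You can also mix these forms, so something like
 * `[ 'a', 'code', 'x-panel' => array( 'src' => true ) ] )` is perfectly valid.)
 *
 * For example:
 *
 *     whitelist_html( __( 'Hello <a href="http://example.com">World!</a>' ), 'a' );
 *
 * This example would strip any tag except `a`, but would allow the default
 * attributes on it (`href` and `title`).
 *
 * The default attributes and tags are based on {@see wp_kses_allowed_html} with
 * the blank (default) "context". These are the tags in {@see $allowedtags}. To
 * get all allowed post tags, pass `'post'` as the `$context` parameter, or pass
 * the tags you need in the `$allowedtags` array. If a specified tag is not in
 * the list, no attributes will be allowed.
 *
 * @link https://www.tollmanz.com/wp-kses-performance/
 *
 * @param string $text Content to escape
 * @param array|string $allowedtags Allowed tags, see description.
 * @param string $context kses context to use, {@see wp_kses_allowed_html}.
 * @return string Escaped string for output into HTML context.
 */
function whitelist_html($text, $allowedtags = array(), $context = '')
{
    $actually_allowed = array();
    $default_list = wp_kses_allowed_html($context);
    // Split comma-separated string
    if (is_string($allowedtags)) {
        $allowedtags = array_map('trim', explode(',', $allowedtags));
    }
    foreach ($allowedtags as $key => $tag) {
        if (is_array($tag) && is_string($key)) {
            // kses-formatted of `'element' => [ 'attr' => true ]
            // `$tag` is actually the attrs, and `$key` is the tag name
            $actually_allowed[$key] = $tag;
            continue;
        }
        if (!is_string($tag)) {
            // Not concise form, what even is this?
            // _doing_it_wrong() requires a third (version) argument; omitting
            // it raised an ArgumentCountError on PHP 7.1+. No version is known
            // here, so an empty string is passed and nothing is appended.
            _doing_it_wrong('whitelist_html', '$allowedtags must consist of strings or kses-style arrays', '');
            continue;
        }
        // A trailing or doubled comma in the string form yields ''; there is
        // no empty element name, so skip it.
        if ($tag === '') {
            continue;
        }
        // Grab default attributes for the tag; a tag absent from the default
        // list is allowed with no attributes at all.
        $attrs = isset($default_list[$tag]) ? $default_list[$tag] : array();
        // Add to allowed list
        $actually_allowed[$tag] = $attrs;
    }
    // Do the sanitization dance
    $sanitized = wp_kses($text, $actually_allowed);
    /**
     * Filter a string to be output into HTML, allowing some tags
     *
     * @param string $sanitized The text after it has been escaped.
     * @param string $text The text before it has been escaped.
     * @param array $allowedtags Tags requested to whitelist (a string argument arrives already split).
     * @param string $context kses context that was used.
     */
    return apply_filters('whitelist_html', $sanitized, $text, $allowedtags, $context);
}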