devinsays/options-framework-theme

HTML rewritten when saved

mattjiggins opened this issue · 1 comment

Firstly, amazing tool. Love it.

Here's the situation:

  • User edits a field (textarea, text, anything)
  • Basic HTML (and JS, CSS, etc.) entered in other fields is rewritten with paragraphs and breaks. For example, H3s get converted to P.

It really sounds like a sanitization issue, I'm sure it's me. I've tried to reproduce the problem on my own computer but am unable. This has happened with several different users, all using Chrome (Stable).

Any thoughts or suggestions would be greatly appreciated.

I'm using the following for the fields:

$text_only_editor_settings_code = array(
  'wpautop' => false,
  'textarea_rows' => 10,
  'editor_css' => '', 
  'editor_class' => '',
  'teeny' => false,
  'dfw' => false,
  'tinymce' => false,
  'quicktags' => false
);

...

$options[] = array(
  'name' => __('Additional CSS', 'options_framework_theme'),
  'desc' => __('This will be wrapped in a style attribute.', 'options_framework_theme'),
  'id' => 'custom_css',
  'type' => 'editor',
  'settings' => $text_only_editor_settings_code
);

or for fields with a few basic style buttons:

$text_only_editor_settings = array(
    'wpautop' => false,
    'textarea_rows' => 10,
    'editor_css' => '', 
    'editor_class' => '',
    'teeny' => false,
    'dfw' => false,
    'tinymce' => false,
    'quicktags' => true
);

...

$options[] = array(
    'name' => __('Banner', 'options_framework_theme'),
    'id' => 'banner',
    'type' => 'editor',
    'settings' => $text_only_editor_settings
);

This is the sanitization of the editor field:

function of_sanitize_editor( $input ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        $output = $input;
    }
    else {
        global $allowedtags;
        $output = wpautop( wp_kses( $input, $allowedtags ) );
    }
    return $output;
}
add_filter( 'of_sanitize_editor', 'of_sanitize_editor' );

$allowedtags prevents items like script tags and CSS from being saved, but it should allow most markup.

Here's a post about changing default sanitization (or altering the allowed tags): http://wptheming.com/2011/05/options-framework-0-6/

However, I really don't think users should be encouraged to include script tags and CSS in the editor.
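As an added example (not part of this issue or of the framework's own code), here is a small Python model of the two branches in of_sanitize_editor() above, with simplified stand-ins for wp_kses and wpautop. It shows why an `<h3>` or a `<style>` block comes back as plain text wrapped in `<p>` for a user who lacks the unfiltered_html capability, while the same input passes through untouched for a user who has it. The allowlist is my recollection of the default WordPress $allowedtags set of that era and is an assumption, as is the much-reduced tag and paragraph handling.

```python
import re

# Assumed stand-in for the default WordPress $allowedtags list: a handful of
# inline tags only. Headings, script and style are NOT on it, so wp_kses drops
# those tags and keeps only their text content.
ALLOWED_TAGS = {"a", "abbr", "acronym", "b", "blockquote", "cite", "code",
                "del", "em", "i", "q", "s", "strike", "strong"}

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def kses_like(html: str, allowed: set) -> str:
    """Simplified model of wp_kses(): any tag not on the allowlist is removed
    but its inner text survives. Attributes are stripped entirely here; the
    real wp_kses filters them per tag."""
    def keep_or_drop(m: "re.Match") -> str:
        closing, name = m.group(1), m.group(2).lower()
        return f"<{closing}{name}>" if name in allowed else ""
    return TAG_RE.sub(keep_or_drop, html)


def autop_like(text: str) -> str:
    """Simplified model of wpautop(): blank-line separated chunks become <p>
    blocks and single newlines inside a chunk become <br />."""
    chunks = [c.strip() for c in re.split(r"\n\s*\n", text.strip()) if c.strip()]
    return "\n".join("<p>" + c.replace("\n", "<br />\n") + "</p>" for c in chunks)


def of_sanitize_editor(html: str, user_can_unfiltered_html: bool) -> str:
    """Model of the framework's of_sanitize_editor(): pass-through for users
    with unfiltered_html, otherwise wp_kses followed by wpautop."""
    if user_can_unfiltered_html:
        return html
    return autop_like(kses_like(html, ALLOWED_TAGS))


if __name__ == "__main__":
    # Constructed sample of what a user might paste into the 'banner' field.
    sample = "<h3>Banner</h3>\n<style>h3 { color: red; }</style>\n\n<strong>Sale</strong> on now"
    print("admin   :", of_sanitize_editor(sample, True))
    print("non-admin:", of_sanitize_editor(sample, False))
```

On a single site, unfiltered_html is granted to administrators and editors by default, while on multisite only super admins have it, so the rewrite appears for some users and not others regardless of browser.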