Sanitize content before save

This should prevent invalid markup from copy-paste
cuny-academic-commons · Feb 18, 2014 · da6db05 · da6db05
1 parent 718f912
commit da6db05
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/includes/functions.php b/includes/functions.php
@@ -102,3 +102,24 @@ function cacap_field_is_visible_for_user( $field_id = 0, $displayed_user_id = 0,
 
 	return ! in_array( $field_id, $hidden_fields_for_user );
 }
+
+function cacap_sanitize_content( $content ) {
+	return wp_kses( $content, array(
+		'a' => array(
+			'href' => array(),
+			'rel' => array(),
+		),
+		'b' => array(),
+		'br' => array(),
+		'div' => array(
+			'align' => array(),
+		),
+		'h1' => array(),
+		'h2' => array(),
+		'h3' => array(),
+		'i' => array(),
+		'p' => array(),
+		'ol' => array(),
+		'ul' => array(),
+	) );
+}
diff --git a/includes/widget.php b/includes/widget.php
@@ -90,6 +90,9 @@ public function save_instance_for_user( $args = array() ) {
 			) );
 		}
 
+		// Sanitize data
+		$r['content'] = cacap_sanitize_content( $r['content'] );
+
 		if ( xprofile_set_field_data( $field_id, absint( $r['user_id'] ), $r['content'] ) ) {
 			return CACAP_Widget_Instance::format_instance( array(
 				'user_id' => $r['user_id'],

diff --git a/includes/widgets/text.php b/includes/widgets/text.php
@@ -33,6 +33,9 @@ public function save_instance_for_user( $args = array() ) {
 			return false;
 		}
 
+		// Sanitize
+		$r['content'] = cacap_sanitize_content( $r['content'] );
+
 		$meta_value = array(
 			'title' => $r['title'],
 			'content' => $r['content'],