PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Using KSES to clean user input

  1. ckovacs
    Member

    Hey guys,

    I've been struggling with finding the best way to clean user-contributed posts on submit, for security purposes. Posting with the form will only be available for logged-in users.

    Basically, I've got a few custom fields in addition to the normal title/content that are being created on form submit, and I want to make sure that neither malicious users nor bots can inject any Bad Code or tags.

    My thinking is that the best way to do this is to leverage KSES (see examples here) to do so, using a filter. As far as I can figure out, this

    add_filter('custom_field_content','wp_filter_kses');

    would be the way to go, but the next step -- actually applying that filter to the three custom fields that users will be filling in on the gravity form -- is where I get a little lost. I understand I need a custom function in functions.php -- I'm reasonably capable with that sort of thing -- but hooks and filters still mystify me a bit.

    Any help would be much appreciated. I'm pretty sure it's not all that hard, but I can't quite get my head around it.

    Thanks!

    Posted 13 years ago on Tuesday January 11, 2011 | Permalink
  2. Here's a general idea of how to do this (notes in the code sample):

    http://pastie.org/1450360

    Posted 13 years ago on Tuesday January 11, 2011 | Permalink
  3. Do all fields need to be kses'd or sanitized like that, or does GravityForms handle some? I haven't been filtering my post fields, or for example, an Address Field that I add to meta data. I haven't gone live yet, so do I need to sanitize everything, or perhaps just the meta data?

    Posted 13 years ago on Wednesday January 12, 2011 | Permalink
  4. ckovacs
    Member

    Thanks, David. I'll have a bash with that.

    adcstudio, as I understand it, if the post data is going into the default WordPress fields (like content or title), it's going to be automatically filtered by WP.

    Posted 13 years ago on Wednesday January 12, 2011 | Permalink
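
The following is an added example, not code from the thread, from the linked pastie, or from Gravity Forms itself. It shows one way to do what the original post asks for: run a kses-style filter over the custom fields a Gravity Form writes as post meta, before the post is inserted. It assumes the form is configured to create a post, that Gravity Forms passes the assembled post array through the `gform_post_data` filter with a `post_custom_fields` entry (keyed by meta key), and that the three custom fields use the hypothetical meta keys `field_one`, `field_two` and `field_three`; swap in the form's own keys. Two practitioner notes: `wp_filter_kses()` is built as a callback for WordPress's own save hooks (it uses the current filter name as the kses context and adds slashes to its output), so calling it directly on arbitrary values does not give the post-content allow-list one might expect; `wp_kses_post()` and `sanitize_text_field()` are the direct-call equivalents used here. And core only applies its kses filtering to `post_title`/`post_content` on the way through `wp_insert_post()` (for users without the `unfiltered_html` capability); values written as post meta get no such treatment, which is why the custom fields need explicit handling.

```php
<?php
/**
 * Added example (not from the thread or the pastie): sanitize the values
 * Gravity Forms is about to write as post meta, before wp_insert_post().
 *
 * Assumptions (not stated on the page): the form creates a post, Gravity
 * Forms runs the post array through the 'gform_post_data' filter with a
 * 'post_custom_fields' array keyed by meta key, and the three custom fields
 * use the hypothetical keys below. Place this in the theme's functions.php.
 */

// Per-field policy: 'html' keeps the tags wp_kses_post() allows in post
// content; 'text' strips all tags and collapses whitespace. Any key not
// listed falls back to 'text', the strictest option.
function ck_custom_field_policy() {
    return array(
        'field_one'   => 'html',
        'field_two'   => 'text',
        'field_three' => 'text',
    );
}

function ck_sanitize_custom_field( $key, $value ) {
    // Multi-input fields (checkboxes, etc.) arrive as arrays; sanitize each item.
    if ( is_array( $value ) ) {
        return array_map(
            function ( $item ) use ( $key ) {
                return ck_sanitize_custom_field( $key, $item );
            },
            $value
        );
    }

    $policy = ck_custom_field_policy();
    $mode   = isset( $policy[ $key ] ) ? $policy[ $key ] : 'text';

    if ( 'html' === $mode ) {
        // Same allow-list core uses for post content; no slashing side effect.
        return wp_kses_post( (string) $value );
    }

    // Strips tags, removes line breaks/extra whitespace, decodes nothing.
    return sanitize_text_field( (string) $value );
}

function ck_filter_gf_post_data( $post_data, $form, $entry ) {
    if ( empty( $post_data['post_custom_fields'] ) || ! is_array( $post_data['post_custom_fields'] ) ) {
        return $post_data;
    }

    foreach ( $post_data['post_custom_fields'] as $key => $value ) {
        $post_data['post_custom_fields'][ $key ] = ck_sanitize_custom_field( $key, $value );
    }

    return $post_data;
}

// Priority 10, three arguments: the post array, the form, and the entry.
add_filter( 'gform_post_data', 'ck_filter_gf_post_data', 10, 3 );
```

To check that it is taking effect, submit a test entry containing something like `<b>ok</b><script>alert(1)</script>` in each custom field and inspect the resulting post meta: the `html` field should keep the `<b>` and lose the `<script>`, the `text` fields should keep only the literal text. If a field is ever rendered back into a page, escape it at output time as well (`esc_html()` or `wp_kses_post()` again); input sanitization and output escaping are separate layers.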