While coding a theme for submission at WordPress.org theme directory, I was trying to allow theme users to add custom code like adsense ads or google analytics for website analytics, however options framework uses sanitization to clear the code before it adds it to the wordpress database using the global variable of WordPress “$allowedposttags”. This post will try to explain how to stop textarea script code sanitization in Options Framework.
How to stop textarea script code sanitization in Options Framework for WordPress
- Add script, embed or any other tag of your choice to the sanitization list so that it gets approved, a very lengthy process but safer one
- Remove sanitization of textarea completely from options framework
So we will focus on the second way and completely turn off the sanitization for textarea from the options framework admin panel settings.
However if you want to see how to simply add the script tag in sanitization bypass list only, use this code (in “class-options-sanitization.php” directly):
(you can add embed, script or anything else too in the list, however this is not how I did in that theme and this is a complicated way, you may need to tweak a lot and still it may not fit all situations):
add_action('admin_init','optionscheck_change_santiziation', 100); function optionscheck_change_santiziation() { remove_filter( 'of_sanitize_textarea', 'of_sanitize_textarea' ); add_filter( 'of_sanitize_textarea', 'custom_sanitize_textareaa' ); } function custom_sanitize_textarea($input) { global $allowedposttags; $custom_allowedtags["embed"] = array( "src" => array(), "type" => array(), "allowfullscreen" => array(), "allowscriptaccess" => array(), "height" => array(), "width" => array() ); $custom_allowedtags["script"] = array(); $custom_allowedtags = array_merge($custom_allowedtags, $allowedposttags); $output = wp_kses( $input, $custom_allowedtags); return $output; }
How to bypass sanitization for textarea in options framework for WordPress
To bypass the sanitization for textarea so that we can add custom code like html of any sort or javascript script or embed code, iframe and so on, follow this:
add_action('admin_init','optionscheck_change_santiziation', 100); function optionscheck_change_santiziation() { remove_filter( 'of_sanitize_textarea', 'of_sanitize_textarea' ); add_filter( 'of_sanitize_textarea', 'custom_sanitize_textareaa' ); } function custom_sanitize_textareaa($input) { return $input; }
Hope it helps, let me know if you’re still facing any issues or if you want me to fix it for you!
Update:
It’s better to check if the user is allowed to pass the unfiltered html code instead of simply returning the $input (Thanks to Devin, the author of Options Framework, for pointing it out in comments). The updated code looks like this (without completely removing the sanitization for everyone, rather allow nonsanitized code entering for the admins and related users only):
add_action('admin_init','optionscheck_change_santiziation', 100); function optionscheck_change_santiziation() { remove_filter( 'of_sanitize_textarea', 'of_sanitize_textarea' ); add_filter( 'of_sanitize_textarea', 'custom_sanitize_textareaa' ); } function custom_sanitize_textareaa($input) { return of_sanitize_editor( $input ); }
The above code uses “of_sanitize_editor” function of options framework:
function of_sanitize_editor( $input ) { if ( current_user_can( 'unfiltered_html' ) ) { $output = $input; } else { global $allowedposttags; $output = wp_kses( $input, $allowedposttags ); } return $output; } add_filter( 'of_sanitize_editor', 'of_sanitize_editor' );
Reference: https://github.com/devinsays/options-framework-plugin/blob/master/includes/class-options-sanitization.php#L122
Please let me know if this works for your or if you face any difficulty or have a suggestion to improve it further.