• Nice, straightforward plugin.

    Replacing the public save_filters() function with the following appears to sanitize the input:

    public function save_filters() {

        // Contributor-level user or higher required.
        if ( ! current_user_can( 'edit_posts' ) ) {
            return;
        }

        // Drop WordPress's default sanitizer for the user description; it only
        // allows the small $allowedtags set from /wp-includes/kses.php.
        remove_filter( 'pre_user_description', 'wp_filter_kses' );

        // Re-attach sanitization using the broader post-content allow-list
        // (wp_kses with the 'post' context), so the field is still filtered.
        add_filter( 'pre_user_description', 'wp_filter_post_kses' );
    }


    Credit for the sanitize snippet to: https://badlywired.com/2015/03/allow-html-in-user-description/ (although it may be seen on 1 or 2 other posts/sites).

    • This topic was modified 7 years, 3 months ago by lectest1.
  • The topic ‘This appears to improve the security of this’ is closed to new replies.
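As an added example (not code from the original post or from the plugin), the following PHP script compares what the default pre_user_description sanitizer and the replacement wp_filter_post_kses let through on the same constructed description, and checks that both still strip scripts and event handlers. It assumes WordPress is loaded, for instance by running it through WP-CLI's wp eval-file; the helper names kses_result_for and check, and the sample markup, are my own.

```php
<?php
// Added example, not from the original post or the plugin. Assumes WordPress is
// loaded (e.g. run with WP-CLI: wp eval-file compare-kses.php).

// Constructed sample description: markup a contributor might enter, plus two
// things any sanitizer must strip (a script tag and inline event handlers).
$sample = '<p class="bio">Hi, I am <strong>Jane</strong>.</p>'
        . '<img src="https://example.com/jane.jpg" alt="Jane" onerror="x()">'
        . '<a href="https://example.com" onclick="x()">site</a>'
        . '<script>x()</script>';

// Hypothetical helper: run $sample through pre_user_description with only
// $callback attached, the same hook wp_insert_user() applies to the description.
function kses_result_for( $sample, $callback ) {
    remove_all_filters( 'pre_user_description' );
    add_filter( 'pre_user_description', $callback );
    // Both wp_filter_kses and wp_filter_post_kses return addslashes()'d output.
    return stripslashes( apply_filters( 'pre_user_description', $sample ) );
}

// Hypothetical helper: fail loudly instead of relying on assert() being enabled.
function check( $ok, $msg ) {
    if ( ! $ok ) {
        fwrite( STDERR, "FAIL: $msg\n" );
        exit( 1 );
    }
}

$default_result = kses_result_for( $sample, 'wp_filter_kses' );      // WordPress default
$post_result    = kses_result_for( $sample, 'wp_filter_post_kses' ); // the snippet's replacement

echo "default: $default_result\n";
echo "post   : $post_result\n";

// What must hold under either profile before shipping the change.
foreach ( array( 'default' => $default_result, 'post' => $post_result ) as $name => $out ) {
    check( stripos( $out, '<script' ) === false, "$name: <script> survived" );
    check( stripos( $out, 'onerror' ) === false, "$name: onerror survived" );
    check( stripos( $out, 'onclick' ) === false, "$name: onclick survived" );
    check( strpos( $out, '<strong>' ) !== false, "$name: <strong> was stripped" );
}

// What the swap actually changes: <p>, class="" and <img> survive only under the
// 'post' allowed-HTML set, not under the default $allowedtags.
check( strpos( $default_result, '<img' ) === false, 'default unexpectedly kept <img>' );
check( strpos( $post_result, '<img' ) !== false, 'post profile dropped <img>' );
check( strpos( $post_result, 'class="bio"' ) !== false, 'post profile dropped class' );
echo "all checks passed\n";
```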