HTML Encode in textarea before KSES?

By: Michael M | Asked: 05/14/2023
ForumsCategory: Code HelpHTML Encode in textarea before KSES?
Michael M asked 11 months ago

Hi!   Trying to create a textarea that accepts code submissions from users. Example:

/* A simple string copy */

#include <stdio.h>
#include <string.h>

int main(void)
char str[80];
strcpy(str, "copy str example");
return 0;

KSES strips the <stdio.h> elements completely, so how to keep them ?

Perhaps have a filter that encodes the < and > symbols found within ``` or code tags into the HTML encoded equivalents?

#include &lt;stdio.h&gt;

Has anyone done this before ? Maybe there's a simpler way :).

Really we'd be happy to get the unfiltered textarea content in a filter, then it would be trivial to HTML encode before the KSES sweep.


Rob LeVineRob LeVine replied 11 months ago

Is it an option to have user upload their code to something like pastebin and then the user inputs the URL for their code submission?

Michael Mulholland replied 11 months ago

Neat thought, but no. Needs to be handled through the single form / site.

Something like this hook might be handy in these cases, to toggle the frontend KSES: frm_allow_unfiltered_html ($formid, $fieldid, $loggedin_userid)

Even simpler might be a Formidable plugin that enables auto HTML encode/decode inside code blocks for posts and edits. This is probably only the

OR more generically a plugin that allows regex or find/replace filtering on text before KSES, and again on Edit ! Though I guess with a suitable filter hook just before the KSES, such a thing could be implemented by the users fairly simply, and probably me more versatile for many uses.

Seems like such a filter should exist and I'm missing something in the docs. Still reading.... !

1 Answers
Michael M answered 11 months ago

Where there's a will, there's a way !   So far, the combination of these 3 filters handles things: add_filter( 'pre_kses', 'modify_pre_kses_defaults', 10, 3 ); // apply htmlspecialchars() to the textarea content  add_filter( 'frm_add_entry_meta', 'custom_change_field_value'); // apply htmlspecialchars_decode() to the textarea content add_filter( 'frm_new_post', 'form_new_or_edit', 10, 2);  // apply htmlspecialchars_decode() to the textarea content The code content is filtered out with regex in each of those functions- like this:      // If inside ``` code block, then return htmlspecialchars($string);    $string = "the string from textarea content";   // the regex pattern   $search = "/```(.*?)```/is";     // first look for all CODE tags and their content    preg_match_all($search, $string, $matches);          // now replace all the CODE tags and their content with a htmlspecialchars() content  (or htmlspecialchars_decode)     foreach($matches[1] as $match){        $replace = htmlspecialchars($match); // or htmlspecialchars_decode         // now replace the previously found CODE block        $string = str_replace($match, $replace, $string);    }          return $string;``` Unless some edge case pops up, this looks like a reasonable fix.  

Michael Mulholland replied 11 months ago

Argh. I give up. Trying to share the solution, but the forum formatting system is totally not having it 🙂

Victor Font replied 11 months ago

When you want to post code, use pastebin or gist and post the link.

Making the Best WordPress Plugin even better - Together

Take on bigger projects with confidence knowing you have access to an entire community of Formidable Experts and Professionals who have your back when the going gets tough. You got this!
Join the community