2

I am using this snippet.

function html_sanitize_text( $input ) {
    return wp_kses_post( force_balance_tags( $input ) );
}

I am using this to sanitize html in the WordPress customizer.

The html inside this text field is <i class="fa fa-laptop" aria-hidden="true"></i>

When saving my changes in the customizer - then refresh - then go back to this field inside the customizer, WordPress strips/removes aria-hidden="true".

Any idea why? and how to work around this?

Thanks

breezy
  • 1
    Any reason you are not using wp_kses? http://codex.wordpress.org/Function_Reference/wp_kses you can pass through what to ignore that way and it won't strip your aria-hidden code then – Simon Pollard Apr 22 '16 at 16:21
  • No reason at all... wasn't sure what was the best way to display html and sanitize it. @SimonPollard – breezy Apr 22 '16 at 16:23
  • 1
    Give it a go, you have more control with that function, give me a shout if you need any more help :) A lot of wp functions are variations of others in an attempt to make life easier but sometimes it's nice to have some control. – Simon Pollard Apr 22 '16 at 16:25
  • Thanks @SimonPollard for helping me out. – breezy Apr 22 '16 at 16:54

2 Answers

3

If you go to the wp core page about wp_kses_post, it mentions that it only allows "post content with allowed HTML tags".

Upon further investigation, if you look at the kses.php file, the section about allowable tags and attributes does not include aria-hidden, so I assume it gets cleaned out of the html by the function.

Also in regard to sanitizing your input, is simply using mysqli_real_escape_string() (in reference to this post) not sufficient?

Wold
0

I ended up solving my problem with this function. Please correct or edit if it can be better.

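function html_sanitize_text($input) {

    // The allowlist must be defined before wp_kses() is called. Attributes
    // are listed under the tag that is allowed to carry them.
    $allowed_html = array(
        'i' => array(
            'class' => array(),
            'aria-hidden' => array()
        ),
    );

    // Filter the value that was passed in and return the filtered result,
    // not the raw input.
    $filtered = wp_kses($input, $allowed_html);

    return $filtered;
}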

This doesn't strip out aria-hidden="true" from my input field in the Customizer when saving my changes.

Posted this in case someone in the future has this issue when using the Font Awesome library in WordPress.

breezy
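As an added example (not code from either answer), the following keeps the full wp_kses_post() allowlist and only extends the i tag with aria-hidden, then wires the sanitizer into a Customizer setting. It assumes it runs inside WordPress, for instance in a theme's functions.php; the mytheme_ function names, the mytheme_icon_html setting id and the mytheme text domain are hypothetical.

```php
<?php
// Added example; all "mytheme_" names and the setting id are hypothetical.

// Start from the allowlist wp_kses_post() uses, then permit the two
// attributes the icon markup needs on <i>. Nothing else is widened.
function mytheme_icon_allowed_html() {
    $allowed = wp_kses_allowed_html( 'post' );

    if ( ! isset( $allowed['i'] ) || ! is_array( $allowed['i'] ) ) {
        $allowed['i'] = array();
    }
    $allowed['i']['class']       = true;
    $allowed['i']['aria-hidden'] = true;

    return $allowed;
}

// Sanitize callback: balance tags first, then filter against the allowlist.
// Markup outside the allowlist (script tags, on* handlers) is still removed.
function mytheme_sanitize_icon_html( $input ) {
    return wp_kses( force_balance_tags( $input ), mytheme_icon_allowed_html() );
}

// Register the setting so the Customizer runs the callback on every save.
function mytheme_customize_register( $wp_customize ) {
    $wp_customize->add_setting( 'mytheme_icon_html', array(
        'default'           => '',
        'sanitize_callback' => 'mytheme_sanitize_icon_html',
    ) );
    $wp_customize->add_control( 'mytheme_icon_html', array(
        'label'   => __( 'Icon HTML', 'mytheme' ),
        'section' => 'title_tagline', // core "Site Identity" section
        'type'    => 'textarea',
    ) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// Filter again when printing the stored value in a template.
function mytheme_render_icon_html() {
    echo wp_kses( get_theme_mod( 'mytheme_icon_html', '' ), mytheme_icon_allowed_html() );
}
```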