I need to sanitize the output of admin_notices which uses certain things like
a
id
href
title
strong
Is it good idea to use wp_kses_post function?
Reading docs I am uncertain what HTML tags are allowed https://developer.wordpress.org/reference/functions/wp_kses_post/
To check the list of allowed tags and attributes for wp_kses_post you can use
echo '<pre>';
print_r( wp_kses_allowed_html( 'post' ) );
echo '</pre>';
die();
In your case, where only a and strong allowed, you can use wp_kses function (docs) instead
$allowed_html = [
'a' => [
'id' => true,
'href' => true,
'title' => true,
],
'strong' => [],
];
$clear_post = wp_kses( $post, $allowed_html );
wp_kses_post allows all HTML that is permitted in post content. So it will load a large array which is redundant in your case. As you need only some specific HTML tags to be sanitized, you should use the wp_kses function as you have control here and you can mention which HTML tags should be allowed. You can do as follows-
$allowed_tags = [
'a' => [
'id' => true,
'href' => true,
'title' => true,
],
'strong' => [],
];
$sanitized_post = wp_kses( $post, $allowed_tags );
Related
I've run into a problem that it looks like a few people have faced but no one has posted a solution for.
The problem occurs after creating a Custom Post Type & Custom Taxonomy when I use the wp_nav_menu() function. I only see this error on my archive page, where I get the error:
Notice: Undefined property: WP_Post_Type::$term_id in C:\WebServer\Bolton\wp-includes\nav-menu-template.php on line 350
The problem stops when I change my taxonomy hierarchical to false, although I need it true. I've also been able to stop the error by editing the WordPress core file:
/wp-includes/nav-menu-template.php
Lines 349-361, if I wrap it in is_single()
// LINES 349 - 361
if (is_single()) {
$desc = $queried_object->term_id;
do {
$possible_taxonomy_ancestors[ $queried_object->taxonomy ][] = $desc;
if ( isset( $term_to_ancestor[ $desc ] ) ) {
$_desc = $term_to_ancestor[ $desc ];
unset( $term_to_ancestor[ $desc ] );
$desc = $_desc;
} else {
$desc = 0;
}
} while ( ! empty( $desc ) );
}
So nav-menu-template is unable to get a queried object ID because it's on an archive page and giving an error because of it. The menu still displays correctly although with a big notice right across the navigation.
The notice goes away with my edited Wordpress nav-menu-template file, although a version update will break that so I need to fix the core problem.
The call to wp_nav_menu() can be plain or with any parameter (name, ID, etc.) the error is the same.
Thank you for your time.
Ps. This is my first posted question, I apologise if I've done anything incorrectly.
Below is my CPT & Taxonomy registration:
// Register CPT's
$args = [
'label' => 'Services',
'public' => true,
'has_archive' => true,
'menu_icon' => 'dashicons-hammer',
'taxonomy' => 'locations'
];
register_post_type ("Services", $args);
// Register taxonomies
$labels = [
'name' => 'Locations',
'singular_name' => 'Location',
];
$args = [
'hierarchical' => true,
'labels' => $labels,
'public' => true,
'query_var' => true,
];
register_taxonomy ("locations", "services", $args);
I have created a custom endpoint, that basically just grabs a few different posts from each category and returns it. This endpoint works fine, but the schema of each post being returned is not the same as when you just hit the default, built-in /posts endpoint. What do I have to do to keep the schemas consistent?
I have a feeling get_posts is the problem, but I have been doc crawling, and I cant seem to find anything that uses the same schema as /posts does.
// How the endpoint is built.
function anon_content_api_posts($category) {
$posts = get_posts(
array(
'posts_per_page' => 3,
'tax_query' => array(
array(
'taxonomy' => 'content_category',
'field' => 'term_id',
'terms' => $category->term_id,
)
)
)
);
$posts = array_map('get_extra_post_data', $posts); // just me appending more data to each post.
return $posts;
}
function anon_content_api_resources() {
$data = array();
$categories = get_categories(
array(
'taxonomy' => 'content_category',
)
);
foreach($categories as $category) {
$category->posts = anon_content_api_posts($category);
array_push($data, $category);
}
return $data;
}
Custom endpoint schema
ID:
author:
comment_count:
comment_status:
featured_image_url:
filter:
guid:
menu_order:
ping_status:
pinged:
post_author:
post_content:
post_content_filtered:
post_date:
post_date_gmt:
post_excerpt:
post_mime_type:
post_modified:
post_modified_gmt:
post_name:
post_parent:
post_password:
post_status:
post_title:
post_type:
to_ping:
Default /posts schema
_links:
author:
categories:
comment_status:
content:
date:
date_gmt:
excerpt:
featured_image_url:
featured_media:
format:
guid:
id:
link:
meta:
modified:
modified_gmt:
ping_status:
slug:
status:
sticky:
task_category:
template:
title:
type:
Any help would be appreciated!
Although this question is older, I had a difficult time finding the answer to getting the schema myself, so I wanted to share what I found.
Short Answer (to getting the schema information back): Use OPTIONS method on the route request
You are dealing with an endpoint that already exists /wp/v2/posts, so you probably want to modify the response of the existing route which you can do with register_rest_field() (this should keep the appropriate schema for all exposed post columns / fields, but allows you to modify the schema for the fields you are now exposing as well):
Something like this:
function demo_plugin_extend_route_rest_api()
{
register_rest_field(
'post',
'unexposed_column_in_wp_posts_table',
array(
'get_callback' => function( $post_arr ) {
$post_obj = get_post( $post_arr['id'] );
return $post_obj->unexposed_column_in_wp_posts_table;
},
'update_callback' => function( $unexposed_column_in_wp_posts_table, $post_obj ) {
$ret = wp_update_post(
array(
// ID is the name of the column in the posts table
// unexposed_column_in_wp_posts_table should be replaced throughout with the unexposed column in the posts table
'ID' => $post_obj->ID,
'unexposed_column_in_wp_posts_table' => $unexposed_column_in_wp_posts_table
)
);
if ( false === $ret )
{
return new WP_Error(
'rest_post_unexposed_column_in_wp_posts_table_failed',
__( 'Failed to update unexposed_column_in_wp_posts_table.' ),
array( 'status' => 500 )
);
}
return true;
},
'schema' => array(
'description' => __( 'Post unexposed_column_in_wp_posts_table' ),
'type' => 'integer'
),
)
);
}
// Not-in-class call (use only this add_action or the one below, but not both)
add_action( 'rest_api_init', 'demo_plugin_extend_route_rest_api' );
// In-class call
add_action( 'rest_api_init', array($this, 'demo_plugin_extend_route_rest_api') );
If what you are really wanting is to create a new route and endpoint with custom tables (or another endpoint to the posts table), something like this should work:
function demo_plugin_custom_rest_api()
{
// Adding Custom Endpoints (add tables and fields not currently exposed)
// register_rest_route()
// $namespace (string) (Required) The first URL segment after core prefix.
// Should be unique to your package/plugin.
// $route (string) (Required) The base URL for route you are adding.
// $args (array) (Optional) Either an array of options for the endpoint, or an
// array of arrays for multiple methods. Default value: array()
// array: If using schema element to define the schema, or multiple methods,
// then wrap the 'methods', 'args', and 'permission_callback' in an array,
// otherwise they do not need to be wrapped in an array. Best practice
// would be to wrap them in an array though
// 'methods' (array | string): GET, POST, DELETE, PUT, PATCH, etc.
// 'args' (array)
// '<schema property name>' (array) (ie. parameter name - if not including a schema
// then can include field names as valid parameters as a way to
// describe them):
// 'default': Used as the default value for the argument, if none is supplied
// Note: (if defined, then it will validate and sanitize regardless of if
// the parameter is passed in query).
// 'required': If defined as true, and no value is passed for that argument, an
// error will be returned. No effect if a default value is set, as the argument
// will always have a value.
// 'description': Field Description
// 'type': Data Type
// 'validate_callback' (function): Used to pass a function that will be passed the
// value of the argument. That function should return true if the value is valid,
// and false if not.
// 'sanitize_callback' (function): Used to pass a function that is used to sanitize
// the value of the argument before passing it to the main callback.
// 'permission_callback' (function): Checks if the user can perform the
// action (reading, updating, etc) before the real callback is called
// 'schema' (callback function) (optional): Defines the schema.
// NOTE: Can view this schema information by making OPTIONS method request.
// $override (bool) (Optional) If the route already exists, should we override it? True overrides,
// false merges (with newer overriding if duplicate keys exist). Default value: false
//
// View your describe page at: /wp-json/demo-plugin/v1
// View your JSON data at: /wp-json/demo-plugin/v1/demo-plugin_options
// View your schema at (with OPTIONS method) at: /wp-json/demo-plugin/v1/demo-plugin_options
// Note: For a browser method to see OPTIONS Request in Firefox:
// Inspect the JSON data endpoint (goto endpoint and click F12)
// > goto Network
// > find a GET request
// > click it
// > goto headers section
// > click Edit and Resend
// > change Method to OPTIONS
// > click Send
// > double click on last OPTIONS request
// > goto Response (the JSON data returned shows your schema)
register_rest_route(
'demo-plugin/v1',
'/demo-plugin_options/',
array(
// GET array options
array(
'methods' => array('GET'),
'callback' => function ( WP_REST_Request $request ){
// Get Data (here we are getting from options, but could be any data retrieval)
$options_data = get_option('demo_option_name');
// Set $param
$param = $request->get_params();
// Do Other things based upon Params
return $options_data;
},
'args' => array(
// Valid Parameters
'element_1' => array(
'description'=> 'Element text field',
'type'=> 'string',
),
'element_color' => array(
'description'=> 'Element color select box',
'type'=> 'string',
)
)
),
// POST array options
array(
'methods' => array('POST'),
'callback' => function ( WP_REST_Request $request ){
// Get Data (here we are getting from options, but could be any data retrieval)
$options_data = get_option('demo_option_name');
// Set $param
$param = $request->get_params();
// Do Other things based upon Params
if (is_array($param) && isset($param))
{
foreach ($param as $k=>$v)
{
// $param is in an array($key => array($key => $value), ...)
if (is_array($v) && array_key_exists($k, $options_data) && array_key_exists($k, $v))
{
$options_data[$k] = $v;
}
}
}
update_option('demo_option_name', $options_data);
return $options_data;
},
'args' => array(
'element_1' => array(
'default' => '',
'required' => false,
'description'=> 'Element text field',
'type'=> 'string',
'validate_callback' => function($param, $request, $key) { //validation function },
'sanitize_callback' => function($param, $request, $key) { //sanitization function }
),
'element_color' => array(
'default' => 'red',
'required' => true,
'description'=> 'Element color select box',
'type'=> 'integer',
'validate_callback' => function($param, $request, $key) {
$colors = array('red', 'blue');
return in_array($param, $colors);
},
'sanitize_callback' => function($param, $request, $key) {
// If it includes a default, and sanitize callback for other properties above are set, it seems to need it here as well
return true;
})
),
'permission_callback' => function () {
// See Capabilities here: https://wordpress.org/support/article/roles-and-capabilities/
$approved = current_user_can( 'activate_plugins' );
return $approved;
}
),
'schema' => function() {
$schema = array(
// This tells the spec of JSON Schema we are using which is draft 4.
'$schema' => 'http://json-schema.org/draft-04/schema#',
// The title property marks the identity of the resource.
'title' => 'demo-plugin_options',
'type' => 'object',
// In JSON Schema you can specify object properties in the properties attribute.
'properties' => array(
'element_1' => array(
'description' => esc_html__( 'Element text field', 'demo-plugin' ),
'type' => 'string',
'context' => array( 'view', 'edit', 'embed' ),
'readonly' => false,
),
'element_color' => array(
'description' => esc_html__( 'Element color select box', 'demo-plugin' ),
'type' => 'string',
'readonly' => false,
),
),
);
return $schema;
})
);
}
// Not-in-class call (use only this add_action or the one below, but not both)
add_action( 'rest_api_init', 'demo_plugin_custom_rest_api' );
// In-class call
add_action( 'rest_api_init', array($this, 'demo_plugin_custom_rest_api') );
Of course, this is just a basic outline. Here is a caveat:
According to the documentation listed below, it is best to use a Controller Pattern class extension method (rather than the method I outlined above): https://developer.wordpress.org/rest-api/extending-the-rest-api/adding-custom-endpoints/#the-controller-pattern
These were very helpful links in finally putting this all together for myself:
REST API Handbook: https://developer.wordpress.org/rest-api/
See Sub-Pages:
REST API Modifying Responses,
REST API Adding Custom Endpoints,
REST API Schema
Register REST Field Function: https://developer.wordpress.org/reference/functions/register_rest_field/
Register REST Route Function: https://developer.wordpress.org/reference/functions/register_rest_route/
I tried using l()
watchdog('my_module', 'My message for /admin/reports/dblog', WATCHDOG_NOTICE,
$link = l(t('A hyperlink'),
'/node/386/group?realname=&uid=&state=All&order=created&sort=desc',
array('attributes'=>array('target'=>'blank'))) );
but the hyperlink is encoded "node/386/group%3Frealname%3D%26uid%3D%26state%3DAll%26order%3Dcreated%26sort%3Ddesc" which I understand is because l() is supposed to generate urls from drupal paths.
Can I decode it before it's rendered or what's the proper way of inserting that hyperlink?
You should use query key for generating the path as shown below
<?php
global $base_url;
print l(
'',
$base_url . $node_url,
array(
'attributes' => array(
'id' => 'my-id',
'class' => 'my-class'
),
'query' => array(
'foo' => 'bar'
),
'fragment' => 'refresh',
'html' => TRUE
)
);
?>
This will generate a link like
<img src="http://www.example.com/files/image.jpg"/>
Source: https://api.drupal.org/api/drupal/includes%21common.inc/function/l/7.x
Just use this:
$link = l(t('A hyperlink'), '/node/386/group', array('attributes'=>array('target'=>'blank'))));
watchdog('my_module', 'Link !field_link.', array('!field_link' => $link));
I added a custom meta field to my cpt taxonomy with "{$taxonomy}_add_form_fields".
So far it is working fine (add, edit and save) but I cant find this field in the API /wp-json/wp/v2/rest_base.
Is this a filter issue or do i "ADD" this field to the API?
... This answers a slightly different question than the one above ...
You need to enable the REST API where you defined the taxonomy.
Just add 'show_in_rest_api' => true
Something like this:
<?php
add_action( 'init', 'create_book_tax' );
function create_book_tax() {
register_taxonomy(
'genre',
'book',
array(
'label' => __( 'Genre' ),
'rewrite' => array( 'slug' => 'genre' ),
'hierarchical' => true,
'show_in_rest_api' => true // <-- Do This!
)
);
}
?>
You register the meta field calling register_term_meta, observe that using show_in_rest key not only set to true, but at least with an schema description, it is available both in queries to get the data, and to get the schema of that endpoint with OPTIONS method.
register_term_meta('replica', 'nice_field', [
'type' => 'string',
'description' => 'a nice description',
'single' => true,
'show_in_rest' => [
'schema' => [
'type' => 'string',
'format' => 'url',
'context' => ['view', 'edit'],
'readonly' => true,
]
],
]);
Using the schema key its currently documented only for non scalar types, but it's valid for scalar values too.
I had a similar issue. The answers here seem to point to the way to expose the taxonomy itself via the REST API, but not the custom fields created via ${taxonomy}_add_form_fields.
After some more research, I concluded that one should extend the REST API to modify the responses and explicitly add these custom taxonomy fields.
So, in my case, this was the solution:
// Add a custom field to the taxonomy form
function my_add_extra_fields_func()
{
$tpl = '
<div class="form-field form-required">
<label for="link">Field Label</label>
<input type="text" name="link" id="link" />
<p>Some help text</p>
</div>
';
echo $tpl;
}
add_action('taxonomySlug_add_form_fields', 'my_add_extra_fields_func');
// Save the custom field to database in the options table
function my_save_extra_fields_func($term_id)
{
$term_item = get_term($term_id, 'taxonomySlug');
$term_slug = $term_item->slug;
$link = sanitize_text_field($_POST['link']);
update_option('taxonomySlug_link_' . $term_slug, $link);
}
add_action('create_taxonomySlug', 'my_save_extra_fields_func');
/**
* This is the part that addresses the question
* of making the custom field visible in the API
*/
// Expose the taxonomy custom field via REST API
add_action( 'rest_api_init', function () {
register_rest_field( 'taxonomySlug', 'extra_fields', array(
'get_callback' => function( $term_as_arr ) {
$term_slug = $term_as_arr['slug'];
$link = get_option('taxonomySlug_link_' . $term_slug);
return $link;
})
);
});
* taxonomySlug = the slug of my taxonomy
Currently using WordPress 4.4.2, I'm in the process of developing some custom Visual Composer elements.
It seems (however), that whenever I want to use a textarea_html param (So the end-user can use the wysiwyg editor) I cannot seem to grab it's contents when rendering the template.
Contents of 'titled_content_box.php'
// called during vc_before_init
function integrate_titled_content_box(){
register_titled_content_box();
add_shortcode( 'titled_content_box', 'titled_content_box_func');
}
//Mapping of titled-contentbox
function register_titled_content_box(){
vc_map( array(
"name" => __( "Content box with Title", "mytheme"),
"base" => "titled_content_box",
"class" => "",
"category" => "Content",
"params" => array(
array(
"type" => "textfield",
"holder" => "div",
"class" => "",
"heading" => __( "Title", "mytheme"),
"param_name" => "title",
"value" => __("Box title", "mytheme"),
"description" => __("The title covering the content box", "mytheme")
),
array(
"type" => "textarea_html",
"holder" => "div",
"class" => "",
"heading" => __( "Description", "mytheme"),
"param_name" => "content",
"value" => '<p>Placeholder</p>',
"description" => __("The content", "mytheme")
)
)
));
}
// Setting values where necessary and fetching the template
function titled_content_box_func( $atts ){
extract( shortcode_atts( array(
'title' => 'title',
'content' => 'content'
), $atts) );
return include_vc_template('titled_content_box.php', $atts);
}
add_action ( 'vc_before_init', 'integrate_titled_content_box');
contents of the template used at the return statement:
<div class="titled-content-box">
<div class="title"><span><?php echo $atts['title']; ?></span></div>
<div class="content">
<?php echo $atts['content']; ?>
</div>
</div>
Does anyone know why my content-field is not loaded? The element itself is loaded, I can use it in VC... even the Title will be loaded and if I replace the field with a textbox, all still works fine and dandy...
My end-user wants to format his content and is not able to use html formatting.
The only function not included is the 'include_vc_template' function, but all that does is pretty much fetching a string-defined php-file on a predetermined location and injects the $atts array. In all other elements I've made that works perfectly fine.
However, for completeness i'll include it here;
function include_vc_template($template, $atts){
if(is_file(__DIR__.'/vc_templates/'.$template)){
ob_start();
include __DIR__.'/vc_templates/'.$template;
return ob_get_clean();
}
return false;
}
As this is a project i'm working on in my spare-time I can't help but to feel annoyed by a functionality not working as-documented... Most searches I've done simply referred my back to wpbakery's knowledge base page for vc_map()... Any pointers at all would be great!
Update you template callback function to:
function titled_content_box_func( $atts, $content ) {
$atts = shortcode_atts( array(
'title' => 'title',
), $atts) );
$atts['content'] = $content;
return include_vc_template('titled_content_box.php', $atts);
}
Update: 07-11-2016:
I would recommend using also vc_map_get_attributes function, which also combines all default values with your provided values.
As you can see in previous PHP function we used title attribute with default value title which is not compatible with the default value from vc_map (__("Box title", "mytheme")) and actually this is an error.
To avoid that errors please use vc_map_get_attributes function for $atts variable.
function titled_content_box_func( $atts, $content, $tag ) {
$atts = vc_map_get_attributes($tag, $atts);
$atts['content'] = $content;
return include_vc_template('titled_content_box.php', $atts);
}
The content is outputted but not a 100% correct, because it also mixes up the HMTL and creates extra paragraphs.
correct code is:
function titled_content_box_func( $atts, $content = null, $tag ) {
$atts = shortcode_atts( array(
'title' => 'title',
), $atts) );
$content = wpb_js_remove_wpautop($content, true); // fix unclosed/unwanted paragraph tags in $content
return include_vc_template('titled_content_box.php', $atts);
}