[ 'class' => true, 'style' => true, ], 'span' => [ 'class' => true, 'style' => true, ], 'a' => [ 'href' => true, 'class' => true, 'title' => true, 'target' => true, 'style' => true, ], 'h1' => [ 'class' => true, 'style' => true, ], 'h2' => [ 'class' => true, 'style' => true, ], 'h3' => [ 'class' => true, 'style' => true, ], 'ol' => [ 'class' => true, 'style' => true, ], 'ul' => [ 'class' => true, 'style' => true, ], 'li' => [ 'class' => true, 'style' => true, ], 'strong' => [ 'class' => true, 'style' => true, ], 'em' => [ 'class' => true, 'style' => true, ], 'strike' => [], 'br' => [], 'blockquote' => [ 'class' => true, 'style' => true, ], 'table' => [ 'class' => true, 'style' => true, ], 'tr' => [ 'class' => true, 'style' => true, ], 'th' => [ 'class' => true, 'style' => true, ], 'td' => [ 'class' => true, 'style' => true, ], 'del' => [], ]; public function __construct( WPFunctions $wp ) { $this->wp = $wp; } public function sanitize(string $html): string { // Because wpKses break shortcodes we prefix shortcodes with http protocol $html = str_replace('href="[', 'href="http://[', $html); $this->wp->addFilter('safecss_filter_attr_allow_css', [$this, 'allowRgbInCss'], 10, 2); $html = $this->wp->wpKses($html, $this->allowedHtml); $this->wp->removeFilter('safecss_filter_attr_allow_css', [$this, 'allowRgbInCss'], 10); $html = str_replace('href="http://[', 'href="[', $html); return $html; } /** * At the moment rgb() is not allowed to use in the style attribute. `style="color:rgb(0,0,0);"` gets * sanitized if you use wp_kses. We hook into safecss_filter_attr_allow_css to allow for rgb. The code * follows the precedent WordPress sets for the usage of var(), calc() etc. in safecss_filter_attr() */ public function allowRgbInCss($allowed, $cssString): bool { if ($allowed) { return (bool)$allowed; } $cssString = preg_replace( '/\b(?:rgb)(\((?:[^()]|(?1))*\))/', '', $cssString ); return !preg_match( '%[\\\(&=}]|/\*%', $cssString ); } public function sanitizeURL(string $url): string { return $this->wp->escUrlRaw($url); } }