bypass sanitize_post from wp_insert_post


The problem:

wp_insert_post() is an awesome function, but it seems to filter HTML for unauthenticated users by calling sanitize_post(). So, if you’re logged in as an admin / editor, the function seems to operate fine. However, if you’re a random user who is not logged in, the function seems to filter all ‘unsafe’ HTML out.

Moreover, when your plugin is executed by the WordPress “cron”, it seems to use the currently logged-in user. So if a visitor who is not logged in triggers the action, the sanitize_post() function will be called.

The solution:

You have to set the current user in order to avoid the call to sanitize_post():

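// $id must be the ID of an existing user who is allowed to post unfiltered HTML (e.g. an admin / editor)
$current_user = wp_get_current_user();
$current_user_id = $current_user->ID;
wp_set_current_user( $id );

// insert the post while acting as that user ($my_post is the post array your plugin builds)
wp_insert_post( $my_post );

//set current user back to its original state
wp_set_current_user( $current_user_id );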
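
The same user switch wrapped in a helper that checks the target account's capability first and restores the previous user in a finally block, so the elevated identity never outlives the insert. This is an added example, not code from the original post; the myplugin_* names, the myplugin_cron_hook hook name and user ID 1 are assumptions.

```php
<?php
// Added example: the myplugin_* names and the hook name are hypothetical.

/**
 * Insert a post while temporarily acting as $author_id, then always
 * restore the previous user, even if the insert throws.
 */
function myplugin_insert_post_as( array $postarr, $author_id ) {
    // Refuse to switch to an account that could not post raw HTML anyway.
    if ( ! user_can( $author_id, 'unfiltered_html' ) ) {
        return new WP_Error( 'myplugin_no_cap', 'User lacks unfiltered_html.' );
    }

    $previous_user_id = get_current_user_id(); // 0 for a logged-out visitor

    wp_set_current_user( $author_id );
    try {
        // Second argument true: return a WP_Error on failure instead of 0.
        return wp_insert_post( $postarr, true );
    } finally {
        // Runs on normal return and on exception, so the rest of the
        // request continues as the original (possibly anonymous) user.
        wp_set_current_user( $previous_user_id );
    }
}

// Cron callback: the post content is built by the plugin itself
// (constructed sample data), never taken from the visitor's request.
function myplugin_cron_import() {
    $result = myplugin_insert_post_as(
        array(
            'post_title'   => 'Imported item',
            'post_content' => '<iframe src="https://example.com/embed"></iframe>',
            'post_status'  => 'publish',
        ),
        1 // assumed ID of an administrator account
    );
    if ( is_wp_error( $result ) ) {
        error_log( 'Insert failed: ' . $result->get_error_message() );
    }
}
add_action( 'myplugin_cron_hook', 'myplugin_cron_import' );
```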