# WP Kses View

Safely rendering for WordPress, the OOP way.
- Install
- Usage
- Frequently Asked Questions
  - Why are some HTML tags stripped out?
  - Is this a plugin?
  - What to do when the wp.org plugin team tells me to clean up the vendor folder?
  - Can two different plugins use this package at the same time?
  - Do you have real life examples that use this package?
  - It looks awesome. Where can I find some more goodies like this?
- Support
- Developing
- Running the Tests
- Feedback
- Change log
- Security
- Contributing
- Credits
- License
## Install

Installation should be done via Composer; details of how to install Composer can be found at https://getcomposer.org/.

```bash
$ composer require typisttech/wp-kses-view
```
## Usage

You should put all WP Kses View classes under your own namespace to avoid class name conflicts.
```php
<?php
// This is `template.php`.
echo '<h1>Hello World!</h1>';
echo '<p>Using PHP echo</p>';
?>
<p>Or, it can be plain HTML</p>
<script>alert('XSS hacking!');</script>
```

```php
use TypistTech\WPKsesView\Factory;

$template = '/path/to/template.php';

// Factory::build() is a static factory method; `new Factory::build(...)` is not valid PHP.
$view = Factory::build($template);
$view->render();

// This echoes:
// <h1>Hello World!</h1>
// <p>Using PHP echo</p>
// <p>Or, it can be plain HTML</p>
// alert('XSS hacking!');
```

Note that `<script>` has been sanitized.
```php
<?php
// This is `template.php`.
// `$context` is the object passed to render() / toHtml().
printf(
    '%1$s has %2$d dragons.',
    $context->name,
    $context->dragons
);
```

```php
use TypistTech\WPKsesView\Factory;

$template = '/path/to/template.php';

$context = (object) [
    'name' => 'Daenerys Targaryen',
    'dragons' => 3,
];

$view = Factory::build($template);
$view->render($context);

// This echoes:
// Daenerys Targaryen has 3 dragons.
```
### View

`View` constructor.

- @param string $template Filename of the template to render.
- @param array $allowedHtml List of allowed HTML elements.

`$allowedHtml` will later be passed to `wp_kses`. `wp_kses_allowed_html('post')` is a good start if you are not sure which HTML tags to use.

```php
$template = '/path/to/my/template.php';

$view = new View(
    $template,
    wp_kses_allowed_html('post')
);
```
#### render

Echo the view safely with an optional context object.

- @param mixed $context Optional. Context object for which to render the view.

```php
$view->render();
$view->render($someObject);
```
#### toHtml

Convert the view to safe HTML.

- @param mixed $context Optional. Context object for which to render the view.

```php
$html = $view->toHtml();
$htmlWithContext = $view->toHtml($someObject);
```
### Context

If you pass in a context object, you can reference it in your template as `$context`. Think of `$context` as the M in the MVC pattern.
### Template

A template can be anything, not limited to `.php` files. Common use cases are:

- `.php`
- `.html`
- `.js`

If you pass in a context object, you can reference it in your template as `$context`. Think of templates as the `.erb` files under the `app/view` directory in a Rails app.
### Factory, ViewAwareTrait and NullView

This package provides `Factory`, `ViewAwareTrait` and `NullView` to reduce boilerplate code for common use cases.
Check their well-documented source code and their tests to learn more.
## Frequently Asked Questions

### Why are some HTML tags stripped out?

This is the heart of this package: removing dangerous HTML tags during rendering.

To allow a HTML tag:

- Add the tag when instantiating a `View` object.

Check `wp_kses`'s documentation to learn more. When in doubt, `wp_kses_allowed_html('post')` is a good start.
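The allow-list passed to the `View` constructor decides what survives rendering. As an added example that is not part of this README or the package's own code, the block below builds a `View` with a deliberately narrow allow-list in `wp_kses` format and renders constructed untrusted profile data; it assumes WordPress is loaded (so `wp_kses()` exists) and the package is installed via Composer. The template file, allow-list and context values are all constructed here.

```php
<?php
// Added example, not part of the package. Assumes WordPress is loaded
// (wp_kses() available) and the package autoloader is registered.
declare(strict_types=1);

use TypistTech\WPKsesView\View;

// A narrow allow-list in wp_kses() format: tag => [attribute => true].
// Only what a short bio needs: no script tags, no event-handler attributes.
$allowedHtml = [
    'p'      => [],
    'strong' => [],
    'a'      => ['href' => true, 'title' => true],
];

// Constructed template written to a temp file so the example is self-contained.
$template = sys_get_temp_dir() . '/wp-kses-view-example.php';
file_put_contents($template, <<<'PHP'
<?php
// Template: interpolates the context object. The View sanitizes the whole
// rendered output, so hostile markup in $context cannot remain active content.
printf('<p><strong>%s</strong>: %s</p>', $context->name, $context->bio);
PHP
);

// Constructed "untrusted" profile data, the kind that arrives from a form or API.
$context = (object) [
    'name' => 'Daenerys Targaryen',
    'bio'  => '<a href="https://example.com" onclick="steal()">site</a>'
            . '<script>alert(1)</script><img src=x onerror=alert(1)>',
];

$view = new View($template, $allowedHtml);

// wp_kses keeps <p>, <strong> and <a href="...">, drops the onclick attribute,
// and removes the <script> and <img> tags (script text content stays as plain text).
$html = $view->toHtml($context);
echo $html;

unlink($template);
```

Compare the output against the same template rendered with `wp_kses_allowed_html('post')`: the broader list admits more tags, which is why a per-view allow-list tailored to the template is the safer default.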
### Is this a plugin?

No, this is a package that should be part of your plugin.
### What to do when the wp.org plugin team tells me to clean up the vendor folder?

Re-install packages via the following command. This package exports only the necessary files to `dist`.

```bash
$ composer install --no-dev --prefer-dist --optimize-autoloader
```
### Can two different plugins use this package at the same time?

Yes, if you put all WP Kses View classes under your own namespace to avoid class name conflicts.
### Do you have real life examples that use this package?

Here you go:

- Add your own plugin here
### It looks awesome. Where can I find some more goodies like this?

- Articles on Typist Tech's blog
- Tang Rufus' WordPress plugins on wp.org
- More projects on Typist Tech's GitHub profile
- Stay tuned on Typist Tech's newsletter
- Follow Tang Rufus' Twitter account
- Hire Tang Rufus to build your next awesome site
## Support

Love wp-kses-view? Help me maintain it; a donation here can help with it.

Ready to take freelance WordPress jobs. Contact me via the contact form here or via email at info@typist.tech

Contact: Tang Rufus
## Developing

To set up a developer workable version you should run these commands:

```bash
$ composer create-project --keep-vcs --no-install typisttech/wp-kses-view:dev-master
$ cd wp-kses-view
$ composer install
```
## Running the Tests

TODO: Re-add tests.

See: https://github.com/TypistTech/wp-kses-view/commit/45f95d3f1f062c51ddbd8a5da7d6e8317fccff97
## Feedback

Please provide feedback! We want to make this package useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.
## Change log

Please see CHANGELOG for more information on what has changed recently.
## Security

If you discover any security related issues, please email wp-kses-view@typist.tech instead of using the issue tracker.
## Contributing

Please see CONTRIBUTING and CODE_OF_CONDUCT for details.
## Credits

WP Kses View is a Typist Tech project and maintained by Tang Rufus, freelance developer for hire.

A full list of contributors can be found here.
## License

WP Kses View is licensed under the GPLv2 (or later) from the Free Software Foundation. Please see the License File for more information.