Meta Box

Hi Rao,

I really appreciate your thoughts on this.

I understand the need for default sanitization. And believe me, this is what I also want to add to the plugin.

You also pointed out a very important point (point 1), which makes me not pushing the santization so hard. Meta Box is now actively used on 400k+ websites. Any change we make will affect these huge amount of websites. I can't notify the developers (there's no way to let them know because WordPress.org doesn't provide any way to contact to them). So, I decide to not implement a forced / opinionated sanitization at the moment. I have to be very careful about this.

Another thing that people should consider is: Meta Box is not an end-user tools. It's a tool for developers which provides API. So there's nothing like Meta Box --> Users, but it's more like Meta Box --> Developers --> Users. Because of this, developers understand which kind of data they want their users to enter. And thus, a sanitization callback fits this situation.

If you're building a new plugin / solution using Meta Box, why don't you implement this with just a few lines of code instead of depending the default sanitization which might not work smoothly in all cases?

There are also a few things regarding sanitization in WordPress, that I think worth mentioning:

• Admins can enter script and style in the post content, regardless the santiziation of wp_kses_post.
• Customizer API requires (not strictly) developers to enter santiziation callback. If no sanitization callback, then what users enter will be used.
• wp_insert_post doesn't do any sanitization for the content when inserting the post programmatically.

Anyway, there is a default sanitization for some fields (email, url, file_input, checkboxes). For other fields, due to the nature of the complexity, I haven't implemented that. If you have any idea on which proper sanitization for each field type, please let me know.

I've added support for sanitize_callback here. Please try it and let me know if you need any improvement.

Hi Ryan,

Thanks for your feedback. Let me check that again and will get back to you soon.

Thanks for valuable info. I intended to use the latest 2.x version of Twig, but it requires PHP 7.0 which is quite high at the moment. So I decided to use the latest 1.x version only.

Looks like both plugins are using Composer and it doesn't handle the version conflict quite well. The best solution is both plugins should use only stable API from Twig so they don't change across versions. But as you said, 2FAS might use deprecated APIs. I'll take a look at that plugin to see if I can make some hooks to let users choose Twig version or disable bundled Twig in MB Builder.

Hi Doug,

Twig is added to MB Builder 3.1.0, which is available in the AIO 1.9.2. I think you might be right about the conflict with the 2FAS Light plugin. Do you see any error if you disable 2FAS Light or MB Builder?

Hi David,

Making a whitelist of HTML tags might be tricky, since there are a lot of them. For example, if you have a textarea/wysiwyg field, then it nearly impossible to define those tags. Besides, I want to offer flexibility to developers and let them decide what need to be sanitized.

I'll add sanitize_callback parameter to the field settings. So developers can decide what and how to sanitize value.

Hi Rao and David,

The plugin sanitize values for some field types only (file_input, email, url, oembed, checkbox and switch). You can see the code for that here. For other fields, to let users able to enter some HTML, we don't force a sanitize callback. But you can sanitize the value with this code:

add_filter( 'rwmb_text_sanitize', 'sanitize_text_field' );

add_filter( 'rwmb_{$field_type}_sanitize', 'your_sanitize_callback' );