WordPress wp_editor removes html tags - how to stop it?

Question

Why does wp_editor remove all my html tags?

This is my code:

/**
 * Outputs the content of the meta box.
 */
function prfx_meta_callback( $post ) {
    // echo 'This is a meta box';
    wp_nonce_field( basename( __FILE__ ), 'prfx_nonce' );
    $prfx_stored_meta = get_post_meta( $post->ID );

    $field_value = get_post_meta( $post->ID, 'meta-textarea', false );

    // Settings that we'll pass to wp_editor
    $args = array (
        'textarea_rows' => 4,
        'teeny'         => true,
        // 'media_buttons' => false,
    );
    ?>

    <p>
        <label for="meta-text" class="prfx-row-title"><?php _e( 'Example Text Input', 'prfx-textdomain' )?></label>
        <input type="text" name="meta-text" id="meta-text" value="<?php if ( isset ( $prfx_stored_meta['meta-text'] ) ) echo $prfx_stored_meta['meta-text'][0]; ?>" />
    </p>

    <label for="meta-textarea" class="prfx-row-title"><?php _e( 'Example Textarea Input', 'prfx-textdomain' )?></label>
    <?php wp_editor( $field_value[0], 'meta-textarea', $args);?>

    <?php
}

/**
 * Saves the custom meta input.
 */
function prfx_meta_save( $post_id ) {
    // Checks save status
    $is_autosave = wp_is_post_autosave( $post_id );
    $is_revision = wp_is_post_revision( $post_id );
    $is_valid_nonce = ( isset( $_POST[ 'prfx_nonce' ] ) && wp_verify_nonce( $_POST[ 'prfx_nonce' ], basename( __FILE__ ) ) ) ? 'true' : 'false';

    // Exits script depending on save status
    if ( $is_autosave || $is_revision || !$is_valid_nonce ) {
        return;
    }

    // Checks for input and sanitizes/saves if needed
    if( isset( $_POST[ 'meta-text' ] ) ) {
        update_post_meta( $post_id, 'meta-text', sanitize_text_field( $_POST[ 'meta-text' ] ) );
    }

    // Checks for input and sanitizes/saves if needed
    if( isset( $_POST[ 'meta-textarea' ] ) ) {
        update_post_meta( $post_id, 'meta-textarea', sanitize_text_field( $_POST[ 'meta-textarea' ] ) );
    }

}
add_action( 'save_post', 'prfx_meta_save' );

How can I stop it from removing html tags?

For instance I type in this:

<img src="http://xxxx.jpg" alt="10168088_719806568132380_3368979362641476670_n" width="300" height="214" class="alignnone size-medium wp-image-96" />

It removes it.

But if I type in plain text without html tags,

abcde.

It saves it.

Any ideas?

Answer 1

sanitize_text_field() cleans your input.

so replace

 update_post_meta( $post_id, 'meta-textarea', sanitize_text_field( $_POST[ 'meta-textarea' ] ) );

with

 update_post_meta( $post_id, 'meta-textarea', stripslashes( $_POST[ 'meta-textarea' ] ) );

may solve your problem.

Answer 2

Sanitize a string from user input or from the db.

Checks for invalid UTF-8, Convert single < characters to entity, strip all tags, remove line breaks, tabs and extra white space, strip octets. try removing the sanitize function from update_post_meta( $post_id, 'meta-textarea', sanitize_text_field( $_POST[ 'meta-textarea' ] ) );