By default, Post Formatting is enabled in USP Pro. Post Formatting enables users to include HTML tags and line breaks in their post submissions. When a user submits a post, they can include any tags that WordPress normally allows when writing posts in the WP Admin Area. This quick tutorial explains how to define your own custom set of allowed HTML tags. It also explains how to disable post formatting completely, so that no tags are allowed in post content.

Define your own set of allowed tags

To define which HTML tags should be allowed in submitted post content, visit the USP Pro ▸ Advanced settings and add your tag(s) to the option, Post Formatting. For example, you could add the following comma-separated list of tags:

p, ul, ol, strong, em

That would allow users to include only <p>, <ul>, <ol>, <strong>, and <em> tags in post content. No other tags would be allowed. You can enter as many tags as you would like, separated by commas; do not include the angle brackets < >.

You may allow any HTML tags that you wish, but please be aware that some tags (e.g., <script>, <html>, <head>, et al.) should not be allowed for security reasons. If in doubt, leave the Post Formatting option blank to use WordPress’ default set of allowed HTML tags.

Note: the “Post Formatting” setting applies to submitted post content and excerpts.

Do not allow any tags in post content

To prevent users from including any HTML tags, simply change the Post Formatting option to some nonexistent tag, for example:

disable_post_formatting

With that, users will not be able to add any tags to their submitted post (or excerpt) content.

Notes

FYI, here is a pretty comprehensive list of HTML tags considered “safe” for all submitted posts:

article, header, footer, h1, h2, h3, h4, h5, p, ul, ol, dl, dt, dd, div, span, br, table, tr, td, th, thead, tbody, tfoot, blockquote, pre, code, img, a, strong, b, em, i, center

Not recommended (unsafe) for unmoderated posts:

html, head, body, script, style, meta, link

It’s best to never allow these tags in any submitted post content.
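A way to check a proposed Post Formatting value against the two lists above before saving it, as an added example (not USP Pro code). The function name, report keys and sample values are hypothetical; the tag lists are the ones from this page.

```python
import re

# Tag lists copied from this page's Notes ("dd" is the definition-description tag).
SAFE = set("""article header footer h1 h2 h3 h4 h5 p ul ol dl dt dd div span br
table tr td th thead tbody tfoot blockquote pre code img a strong b em i
center""".split())
UNSAFE = {"html", "head", "body", "script", "style", "meta", "link"}

# The setting expects bare tag names: no angle brackets, spaces or attributes.
BARE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def audit_post_formatting(value):
    """Classify each entry of a comma-separated Post Formatting value."""
    report = {"safe": [], "unsafe": [], "unlisted": [], "malformed": []}
    seen = set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and blank entries
        if not BARE_NAME.fullmatch(entry):
            report["malformed"].append(entry)
            continue
        tag = entry.lower()  # HTML tag names are case-insensitive
        if tag in seen:
            continue  # report each tag once
        seen.add(tag)
        if tag in UNSAFE:
            report["unsafe"].append(tag)
        elif tag in SAFE:
            report["safe"].append(tag)
        else:
            # On neither list, e.g. the disable_post_formatting placeholder.
            report["unlisted"].append(tag)
    # A blank option falls back to WordPress' default allowed tags (per this page).
    report["uses_wp_defaults"] = not seen and not report["malformed"]
    report["ok"] = not report["unsafe"] and not report["malformed"]
    return report


if __name__ == "__main__":
    # Constructed sample values for the option.
    for sample in ("p, ul, ol, strong, em", "p, <script>, STYLE, em, p,",
                   "disable_post_formatting", ""):
        print(repr(sample), "->", audit_post_formatting(sample))
```

Entries reported as unlisted are not necessarily dangerous; they are simply on neither of the page's lists and deserve a manual look.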

For more information about how USP sanitizes submitted content, check out the function sanitize_content() in the USP Pro source code.
