Security Filters
This page documents filters for customizing HTML and SVG sanitization.
| Filter | Description |
|---|---|
| unblock/html/forbidden_elements | Forbidden HTML elements |
| unblock/html/forbidden_attributes | Forbidden HTML attributes |
| unblock/html/allowed_iframe_sources | Allowed iframe sources |
| unblock/html/allowed_form_actions | Allowed form actions |
| unblock/svg/sanitizer | SVG sanitizer instance |
html/forbidden_elements
Customize forbidden HTML elements that will be removed during sanitization.
| Parameter | Type | Description |
|---|---|---|
| $elements | array | Forbidden element names |
Default (24 elements):
- Document: base, link
- Embedding: embed, object, param
- Templates: slot, template
- SVG: animate, foreignobject, set
- Obsolete: applet, basefont, bgsound, command, frame, frameset, isindex, keygen, noframes, plaintext, xmp
Example: Block Additional Elements
```php
add_filter( 'unblock/html/forbidden_elements', function ( $elements ) {
    // Append to the default list; elements in this array are stripped during sanitization.
    $elements[] = 'marquee';
    $elements[] = 'blink';
    $elements[] = 'center';
    return $elements;
} );
```
html/forbidden_attributes
Customize forbidden HTML attributes that will be removed during sanitization.
| Parameter | Type | Description |
|---|---|---|
| $attributes | array | Forbidden attribute names |
Default (15 attributes):
- Legacy: background, dynsrc, lowsrc, ping, http-equiv
- React: dangerouslysetinnerhtml, suppresscontenteditablewarning, suppresshydrationwarning, defaultvalue, defaultchecked, ref, key
- DOM: innerhtml, innertext, textcontent
Note: All on* event handlers (onclick, onload, etc.) are automatically forbidden.
Example: Block Tracking Attributes
```php
add_filter( 'unblock/html/forbidden_attributes', function ( $attributes ) {
    // Attribute names are matched by name only, so list each data-* attribute explicitly.
    $attributes[] = 'data-tracking';
    $attributes[] = 'data-analytics';
    $attributes[] = 'data-gtm';
    return $attributes;
} );
```
html/allowed_iframe_sources
Whitelist allowed iframe sources via regex patterns. Only iframes matching these patterns are permitted.
| Parameter | Type | Description |
|---|---|---|
| $patterns | array | Regex patterns |
Default:
- Google Maps: `#https?://(www\.)?google\.com/maps/embed\?.*#i`
Note: WordPress oEmbed providers (YouTube, Vimeo, etc.) are automatically allowed.
Example: Allow Custom Domain
```php
add_filter( 'unblock/html/allowed_iframe_sources', function ( $patterns ) {
    // Anchored with ^ so the iframe src must begin with this host and path.
    $patterns[] = '#^https://app\.myservice\.com/embed/#i';
    return $patterns;
} );
```
Example: Allow Additional Video Platforms
```php
add_filter( 'unblock/html/allowed_iframe_sources', function ( $patterns ) {
    $patterns[] = '#^https://(www\.)?dailymotion\.com/embed/#i';
    $patterns[] = '#^https://(player\.)?twitch\.tv/#i';
    $patterns[] = '#^https://(www\.)?loom\.com/embed/#i';
    return $patterns;
} );
```
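As an added example (not from the Unblock docs or the plugin's own code), the callback below registers an allowlist whose patterns are anchored to the start of the URL and restricted to https, and pairs it with a standalone self-check; it assumes Unblock tests each iframe src with preg_match against the returned patterns, and app.myservice.com is the placeholder host used above.

```php
<?php
// Anchoring with ^ is what makes the pattern a host check: without it, the
// pattern also matches any URL that merely contains the allowed host later on.
function my_iframe_source_patterns( array $patterns ) : array {
    $patterns[] = '#^https://(www\.)?google\.com/maps/embed\?#i';
    $patterns[] = '#^https://app\.myservice\.com/embed/#i'; // placeholder host
    return $patterns;
}

// Mirrors the assumed check Unblock performs: the src is allowed if any
// pattern matches it.
function my_iframe_source_allowed( string $src, array $patterns ) : bool {
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $src ) === 1 ) {
            return true;
        }
    }
    return false;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register the allowlist with Unblock.
    add_filter( 'unblock/html/allowed_iframe_sources', 'my_iframe_source_patterns' );
} else {
    // Outside WordPress (php this-file.php): verify the patterns against
    // constructed sample URLs before deploying them.
    $patterns = my_iframe_source_patterns( array() );
    $samples  = array(
        'https://www.google.com/maps/embed?pb=constructed'            => true,
        'https://app.myservice.com/embed/constructed-id'             => true,
        'http://www.google.com/maps/embed?pb=constructed'             => false, // plain http
        'https://other.example/?u=https://www.google.com/maps/embed?' => false, // host not at start
    );
    foreach ( $samples as $src => $expected ) {
        if ( my_iframe_source_allowed( $src, $patterns ) !== $expected ) {
            throw new RuntimeException( "unexpected result for $src" );
        }
    }
    echo "all iframe source checks passed\n";
}
```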
html/allowed_form_actions
Whitelist allowed form action URLs.
| Parameter | Type | Description |
|---|---|---|
| $actions | array | Allowed action URLs |
Default: [] (empty — no external form actions allowed by default)
Example: Allow Newsletter Service
```php
add_filter( 'unblock/html/allowed_form_actions', function ( $actions ) {
    // Action URLs are listed as full strings, not patterns.
    $actions[] = 'https://newsletter.example.com/subscribe';
    $actions[] = admin_url( 'admin-post.php' );
    return $actions;
} );
```
svg/sanitizer
Modify the SVG sanitizer instance before processing.
| Parameter | Type | Description |
|---|---|---|
| $sanitizer | Sanitizer | enshrined\svgSanitize\Sanitizer instance |
Example: Remove Remote References
```php
add_filter( 'unblock/svg/sanitizer', function ( $sanitizer ) {
    // Strip references to external resources (e.g. remote hrefs) from the SVG.
    $sanitizer->removeRemoteReferences( true );
    return $sanitizer;
} );
```
Example: Allow Additional Elements
```php
add_filter( 'unblock/svg/sanitizer', function ( $sanitizer ) {
    // enshrined\svgSanitize\Sanitizer exposes the allowed tags as a plain array:
    // read it, append the element name, and write it back with setAllowedTags().
    $allowed   = $sanitizer->getAllowedTags();
    $allowed[] = 'customElement';
    $sanitizer->setAllowedTags( $allowed );
    return $sanitizer;
} );
```
Removing elements from the forbidden list doesn't make them safe — it just stops Unblock from stripping them. Make sure you understand the security implications before allowing script, style, or event-handler attributes.
Next steps
- Form filters — customize form processing and email
- Assets filters — CSS inlining threshold