Changes to Textarea and User Biography Sanitization (v2.11.2+)

As of Ultimate Member version 2.11.2, we have updated the sanitization process for the native WordPress Biography (user_description) field and Custom Textarea fields.

These changes were implemented to enhance site security by ensuring only safe, validated HTML is stored in your database, preventing potential vulnerabilities like Cross-Site Scripting (XSS).


Sanitization Logic: Version Comparison

The following table outlines how field data is handled depending on your version and whether HTML is enabled in the field settings.

| Field Type | Version < 2.11.2 (HTML Disabled) | Version < 2.11.2 (HTML Enabled) | Version ≥ 2.11.2 (HTML Disabled) | Version ≥ 2.11.2 (HTML Enabled) |
|---|---|---|---|---|
| Biography (user_description) | sanitize_textarea_field() | wp_kses() with UM()->get_allowed_html( 'templates' ) + iframe tag | sanitize_textarea_field() | wp_kses() with 'user_description' allowed tags |
| Custom Textarea fields | sanitize_textarea_field() | wp_kses() with UM()->get_allowed_html( 'templates' ) + iframe tag | sanitize_textarea_field() | wp_kses() with UM()->get_allowed_html( 'templates' ) allowed tags |

Technical Details: Sanitization Contexts

1. Biography Field (user_description)

As of v2.11.2, this field uses the strict WordPress native allowed list, which covers basic text formatting only. Layout tags like <div> and media tags like <iframe> are no longer allowed by default.

Understanding Tag Attributes

In the list below, keys like href, title, and rel are tag attributes. Only these specific properties are permitted; any other attributes (like class, id, or style) will be automatically stripped from the Biography field.

Allowed Tags & Attributes:

| Tag | Allowed attributes |
|---|---|
| a | href, title, rel, target |
| abbr | title |
| acronym | title |
| b | (none) |
| blockquote | cite |
| cite | (none) |
| code | (none) |
| del | datetime |
| em | (none) |
| i | (none) |
| q | cite |
| s | (none) |
| strike | (none) |
| strong | (none) |

2. Custom Textarea Fields (UM Template Tags)

Custom textarea fields use the Ultimate Member "Template" allowed list. This list is broader but, by default, excludes iframes as of v2.11.2.

| Tag | Allowed attributes |
|---|---|
| style | (none) |
| link | rel, href, media |
| svg | xmlns, height, preserveaspectratio, viewbox, width, x, y, fill, stroke, stroke-linecap, stroke-linejoin, stroke-width |
| path | d, stroke, stroke-width, stroke-linecap, stroke-linejoin, fill |
| form | action, accept, accept-charset, enctype, method, name, target, novalidate |
| label | for |
| select | name, multiple, disabled, readonly, required, autocomplete |
| option | value, selected, disabled |
| input | type, name, value, placeholder, readonly, disabled, checked, selected, required, autocomplete, size, step, min, max, minlength, maxlength, pattern |
| textarea | cols, rows, disabled, name, readonly, required, autocomplete, placeholder |
| button | type, name, value, placeholder, readonly, disabled, checked, selected, required, autocomplete |
| img | alt, align, border, height, hspace, loading, longdesc, vspace, src, srcset, usemap, width |
| h1 | align |
| h2 | align |
| h3 | align |
| h4 | align |
| h5 | align |
| h6 | align |
| p | align, dir, lang |
| ol | (none) |
| ul | (none) |
| li | (none) |
| time | datetime |
| section | (none) |
| table | align, bgcolor, border, cellpadding, cellspacing, dir, rules, summary, width |
| tbody | align, char, charoff, valign |
| thead | align, char, charoff, valign |
| th | abbr, align, axis, bgcolor, char, charoff, colspan, headers, height, nowrap, rowspan, scope, valign, width |
| tr | align, bgcolor, char, charoff, valign |
| td | abbr, align, axis, bgcolor, char, charoff, colspan, dir, headers, height, nowrap, rowspan, scope, valign, width |
| tfoot | align, char, charoff, valign |
| noscript | (none) |
| del | (none) |
| blockquote | cite |

Merged with globally allowed tags

| Tag | Allowed attributes |
|---|---|
| a | href, rel, rev, name, target, download (valueless: y) |
| em | (none) |
| i | (none) |
| b | (none) |
| q | cite |
| s | (none) |
| strike | (none) |
| strong | (none) |
| br | (none) |
| div | align, dir, lang |
| span | dir, align, lang |
| code | (none) |
| hr | style |

Global Attributes

| Global attribute | Allowed |
|---|---|
| aria-controls | true |
| aria-current | true |
| aria-describedby | true |
| aria-details | true |
| aria-expanded | true |
| aria-hidden | true |
| aria-label | true |
| aria-labelledby | true |
| aria-live | true |
| class | true |
| data-* | true |
| dir | true |
| hidden | true |
| id | true |
| lang | true |
| style | true |
| title | true |
| role | true |
| xml:lang | true |

Global Attributes (UM Template List Only)

Unlike the Biography field, tags used in the UM Template context (Custom Textareas) support a wider range of global attributes. If an attribute is not on this list or the specific tag list, it will be stripped.

| Tag | Allowed attributes |
|---|---|
| iframe | allow, frameborder, loading, name, referrerpolicy, sandbox, src, srcdoc, title, width, height, allowfullscreen |
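To make the difference between the two contexts in sections 1 and 2 concrete, here is an added example (not code from Ultimate Member or from this guide) that applies the "Version ≥ 2.11.2" rules from the comparison table to one sample value. It must run inside WordPress with Ultimate Member active, since wp_kses(), sanitize_textarea_field() and UM()->get_allowed_html() come from there; the function names prefixed um_doc_ and the sample submission (including the VIDEO_ID placeholder) are invented for this illustration, and the Biography list is transcribed from the table in section 1.

```php
<?php
// Added example (not Ultimate Member's own code): applies the v2.11.2+ rules
// from the comparison table so each sanitization context can be tried on a
// sample value. Runs only inside WordPress with Ultimate Member active.
// The um_doc_ function names are invented for this illustration.

// Allowed list for the Biography field, transcribed from the table in section 1.
function um_doc_biography_allowed_html() {
    return array(
        'a'          => array( 'href' => true, 'title' => true, 'rel' => true, 'target' => true ),
        'abbr'       => array( 'title' => true ),
        'acronym'    => array( 'title' => true ),
        'b'          => array(),
        'blockquote' => array( 'cite' => true ),
        'cite'       => array(),
        'code'       => array(),
        'del'        => array( 'datetime' => true ),
        'em'         => array(),
        'i'          => array(),
        'q'          => array( 'cite' => true ),
        's'          => array(),
        'strike'     => array(),
        'strong'     => array(),
    );
}

// Mirrors the "Version >= 2.11.2" columns: HTML disabled -> plain text only;
// HTML enabled -> wp_kses() with the list that belongs to the field type.
function um_doc_sanitize_field( $value, $field_type, $html_enabled ) {
    if ( ! $html_enabled ) {
        return sanitize_textarea_field( $value );
    }
    if ( 'user_description' === $field_type ) {
        return wp_kses( $value, um_doc_biography_allowed_html() );
    }
    // Custom textarea fields use the plugin's Template list (section 2).
    return wp_kses( $value, UM()->get_allowed_html( 'templates' ) );
}

// Constructed sample submission: ordinary formatting mixed with markup the
// tables above do not allow (an event-handler attribute, <div>, <iframe>).
// VIDEO_ID is a placeholder, not a real video.
$submitted = '<p align="center"><strong class="hl">Hello</strong> '
    . '<a href="https://example.com" onclick="alert(1)" target="_blank">my site</a></p>'
    . '<div><iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe></div>';

// Biography, HTML enabled: only section 1 tags and attributes survive. <p>, <div>
// and <iframe> are not in that list, and onclick / class are not allowed on
// <a> / <strong>, so those are removed while the text inside them is kept.
$biography = um_doc_sanitize_field( $submitted, 'user_description', true );

// Custom textarea, HTML enabled: <p align> and <div> are in the Template list and
// class is a global attribute there, so they stay; onclick is never an allowed
// attribute and <iframe> is excluded by default, so both are removed.
$textarea = um_doc_sanitize_field( $submitted, 'my_textarea', true );

// Either field with HTML disabled: every tag is stripped, only the text remains.
$plain = um_doc_sanitize_field( $submitted, 'user_description', false );
```

Whatever list is in force, wp_kses() never keeps an attribute that is not explicitly named for that tag or in the global list, which is why the onclick attribute in the sample is dropped in every context.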

UM allowed HTML tags

Ultimate Member manages HTML differently depending on where the data is displayed. For a full technical breakdown of every allowed tag and attribute, please see our dedicated UM Allowed HTML Tags Guide.


How to Restore Legacy Functionality

Because the previous sanitization could not be kept as the default for everyone for security reasons, you can manually restore the previous behavior (allowing iframes or broader tags) using a filter in your theme's functions.php.

Option A: Restore iframes and Template Tags to Biography

This snippet allows the Biography field to use the broader UM Template list and explicitly whitelists the <iframe> tag.

> [!WARNING]
> Security Note: Enabling iframes and broader HTML tags is not recommended for sites with untrusted registrations. Only use this if you trust your members, as it allows more permissive HTML to be saved to your database.

Option B: The um_sanitize_form_submission Filter

End-customers can also use the um_sanitize_form_submission filter hook to change sanitized data in a custom way for specific fields to maintain legacy behavior where needed.
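The following is an added illustration of Options A and B for a theme's functions.php; it is not Ultimate Member's own snippet. It assumes, from the plugin's source rather than from this guide, that UM()->get_allowed_html( $context ) passes its list through a filter named um_late_escaping_allowed_tags with the arguments ( $allowed_html, $context ), that the Biography field is sanitized under the context name 'user_description', and that um_sanitize_form_submission receives the array of sanitized form values keyed by field meta key. The mytheme_ function names and the my_custom_textarea meta key are invented.

```php
<?php
// Added example for Options A and B (not Ultimate Member's own code).
// Assumed, not stated in this guide: the filter name and arguments of
// um_late_escaping_allowed_tags, the 'user_description' context name, and
// the shape of the value um_sanitize_form_submission receives.

// <iframe> with exactly the attributes listed for it in this guide.
function mytheme_um_iframe_attributes() {
    return array(
        'allow'           => true,
        'frameborder'     => true,
        'loading'         => true,
        'name'            => true,
        'referrerpolicy'  => true,
        'sandbox'         => true,
        'src'             => true,
        'srcdoc'          => true,
        'title'           => true,
        'width'           => true,
        'height'          => true,
        'allowfullscreen' => true,
    );
}

// Option A: give the Biography field the broader UM Template list plus <iframe>.
add_filter( 'um_late_escaping_allowed_tags', 'mytheme_um_legacy_biography_tags', 10, 2 );
function mytheme_um_legacy_biography_tags( $allowed_html, $context ) {
    if ( 'user_description' !== $context ) {
        return $allowed_html;
    }
    // Start from the Template list. This call runs the same filter again with
    // context 'templates', which returns early above, so there is no recursion.
    $legacy           = UM()->get_allowed_html( 'templates' );
    $legacy['iframe'] = mytheme_um_iframe_attributes();
    return $legacy;
}

// Option B: adjust the sanitized value of one specific custom textarea field.
// The callback re-runs wp_kses() over the raw submission with an explicit list
// instead of returning the raw text, so the field is still sanitized, only with
// a broader list than the default.
add_filter( 'um_sanitize_form_submission', 'mytheme_um_legacy_textarea_value', 10, 1 );
function mytheme_um_legacy_textarea_value( $data ) {
    $key = 'my_custom_textarea'; // meta key of the field to adjust (invented)
    if ( ! is_array( $data ) || ! isset( $data[ $key ], $_POST[ $key ] ) ) {
        return $data;
    }
    $legacy           = UM()->get_allowed_html( 'templates' );
    $legacy['iframe'] = mytheme_um_iframe_attributes();
    $data[ $key ]     = wp_kses( wp_unslash( $_POST[ $key ] ), $legacy );
    return $data;
}
```

Option A changes what the Biography field accepts for every user, so it carries the warning above in full; Option B is narrower because it touches one named field and keeps wp_kses() in the path, which is the property to preserve when writing your own callback.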


Troubleshooting FAQ

Why did my YouTube/Vimeo videos disappear?

As of v2.11.2, the <iframe> tag is stripped by default for security. To allow them again, you must use the code snippet provided above.

My custom Biography layout is broken. Why?

The Biography field is now restricted to basic WordPress text tags. Complex layouts using <div> or <span> will be removed unless you use the restoration snippet above to revert to the "UM Template" list.

Can I use the um_sanitize_form_submission filter?

Yes. Starting with version 2.11.3, you can use the um_sanitize_form_submission filter hook to change sanitized data in a custom way for specific fields.
