WordPress at a glance
function is not described

wp_allowed_protocols() WP 3.3.0

Retrieve a list of protocols to allow in HTML attributes.

Hooks from the function

String[]. Array of allowed protocols. This covers all common link protocols, except for 'javascript' which should not be allowed for untrusted users.




  • See: wp_kses()
  • See: esc_url()


Since 3.3.0 Introduced.
Since 4.3.0 Added 'webcal' to the protocols array.
Since 4.7.0 Added 'urn' to the protocols array.
Since 5.3.0 Added 'sms' to the protocols array.
Since 5.6.0 Added 'irc6' and 'ircs' to the protocols array.

Code of wp_allowed_protocols() WP 5.7

function wp_allowed_protocols() {
	static $protocols = array();

	if ( empty( $protocols ) ) {
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'irc6', 'ircs', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'sms', 'svn', 'tel', 'fax', 'xmpp', 'webcal', 'urn' );

	if ( ! did_action( 'wp_loaded' ) ) {
		 * Filters the list of protocols allowed in HTML attributes.
		 * @since 3.0.0
		 * @param string[] $protocols Array of allowed protocols e.g. 'http', 'ftp', 'tel', and more.
		$protocols = array_unique( (array) apply_filters( 'kses_allowed_protocols', $protocols ) );

	return $protocols;