WordPress at a glance

wp_kses() WP 1.0.0

Filters content and keeps only allowable HTML tags, their attributes, and attribute values.

The function also removes some HTML entities from the string.

This function expects an unslashed string (data)! This means that before using it you must remove all slashes (see wp_unslash()) that WP automatically adds to any $_POST request (as PHP's magic quotes did before PHP 5.4).

KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.

Works based on: wp_kses_allowed_html()

Performance: 1 time = 0.000364s = fast | 50000 times = 2.26s = fast | PHP 7.1.1, WP 4.7.2

No Hooks.

Return

String. Filtered content containing only the allowed HTML.

Usage

wp_kses( $string, $allowed_html, $allowed_protocols );
$string(string) (required)
Content to be cleaned up.
$allowed_html(array/string) (required)

A list of allowed HTML elements in submitted content. If you specify a string value, it means a group of predefined tags:

  • post — leave tags valid for posts (global variable $allowedposttags)
  • strip — cut out all tags. The analogue of the strip_tags() function.
  • entities — HTML entities like   (global variable $allowedentitynames)
  • user_description, pre_user_description — same as default, but with the rel attribute allowed on links (<a rel="">).
  • default or any other string — the list of tags valid in comments. Used to clean comment text: global variable $allowedtags.

The parameter can take a string, although the function's doc-comment only documents an array. Proof (the call chain): wp_kses() → wp_kses_split() → _wp_kses_split_callback() → wp_kses_split2() → wp_kses_allowed_html()

$allowed_protocols(array)

List of allowed protocols for links in the content. By default, the following protocols are allowed, see wp_allowed_protocols():

  • http
  • https
  • ftp
  • ftps
  • mailto
  • news
  • irc
  • gopher
  • nntp
  • feed
  • telnet
  • mms
  • rtsp
  • svn
  • tel
  • fax
  • xmpp
  • webcal
  • urn

These are the basic protocols. Note that javascript is not among them; keep it prohibited for content coming from untrusted users.

Default: array()

Examples

#1. Clear the content using WP KSES

Let's leave only the tags 'a' (with 'href' and 'title' attributes), 'br', 'em' and 'strong'. All others will be removed:

$string = wp_unslash( $_POST['text'] );

// valid tags
$allowed_html = array(
	'a' => array(
		'href'  => true,
		'title' => true,
	),
	'br'     => array(),
	'em'     => array(),
	'strong' => array()
);

$text = wp_kses( $string, $allowed_html );

echo $text;

#2. Leave the tags that are valid when commenting

$text = "<div>1111</div><strong>222</strong>";
$text = wp_kses( $text, 'default' );
echo $text;

// output
// 1111<strong>222</strong>

#3. What tags are in global $allowedtags

Array(
	[a] => Array(
		[href] => 1
		[title] => 1
	)

	[abbr] => Array(
		[title] => 1
	)

	[acronym] => Array(
		[title] => 1
	)

	[b] => Array()

	[blockquote] => Array(
		[cite] => 1
	)

	[cite] => Array()

	[code] => Array()

	[del] => Array(
		[datetime] => 1
	)

	[em] => Array()

	[i] => Array()

	[q] => Array(
		[cite] => 1
	)

	[s] => Array()

	[strike] => Array()

	[strong] => Array()
)
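#4. Restrict link protocols together with tags

An added example (not from this page or from WordPress core) that combines the two parameters documented above: the $allowed_html whitelist from example #1 and a deliberately short $allowed_protocols list. It assumes WordPress is loaded (for example, inside a plugin); the helper name my_plugin_clean_html and the input string are constructed for illustration.

```php
<?php
// Added example: whitelist tags/attributes AND link protocols in one policy.
// Assumes WordPress is loaded so wp_kses(), wp_unslash() and esc_html() exist.

/**
 * Clean untrusted HTML down to a few inline tags and web links only.
 * Hypothetical helper name; the policy itself is what matters.
 */
function my_plugin_clean_html( $raw ) {
	// Same whitelist as example #1: only a[href,title], br, em, strong survive.
	$allowed_html = array(
		'a'      => array(
			'href'  => true,
			'title' => true,
		),
		'br'     => array(),
		'em'     => array(),
		'strong' => array(),
	);

	// Narrower than wp_allowed_protocols(): only web links are acceptable here.
	// javascript is not listed, so wp_kses() strips that scheme from href values.
	$allowed_protocols = array( 'http', 'https' );

	return wp_kses( $raw, $allowed_html, $allowed_protocols );
}

// Constructed untrusted input (not real form data): a javascript: link,
// an inline event handler and a <script> block, mixed with allowed markup.
$untrusted = '<a href="javascript:alert(1)" onclick="x()" title="t">link</a>'
           . '<script>alert(2)</script><strong>ok</strong><br />';

// Real input arrives slashed in $_POST; unslash it before filtering.
$string = wp_unslash( $untrusted );
$clean  = my_plugin_clean_html( $string );

// What is left: the onclick attribute is dropped (not whitelisted for <a>),
// the <script> tags are dropped (their text content stays as plain text),
// and the href loses its javascript: prefix. Show raw and cleaned side by side.
echo 'raw:   ', esc_html( $untrusted ), "\n";
echo 'clean: ', esc_html( $clean ), "\n";
```

Because kses removes tags rather than their contents, text that sat inside a disallowed <script> element still appears in the output; if that text must also go, strip it separately before calling wp_kses().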

Code of wp_kses(): wp-includes/kses.php, WP 5.1.1

<?php
function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}
	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
	$string = wp_kses_normalize_entities( $string );
	$string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
	return wp_kses_split( $string, $allowed_html, $allowed_protocols );
}
