wp_kses() WP 1.0.0

Filters content and keeps only allowable HTML tags, their attributes, and attributes values.

The function also removes some HTML entities from the string.

This function expects an unslashed string! Before passing data to it, remove the slashes (see wp_unslash()) that WordPress automatically adds to any $_POST request (as PHP's magic quotes did before PHP 5.4).

KSES is a recursive acronym that stands for "KSES Strips Evil Scripts": a subsystem in WordPress (originally written by Ulf Harnhammar) designed to check and clean text entered by a user. It lets you define a list of valid tags, styles and protocols, and removes everything from the user's text that does not match them.

1 time — 0.0003581 sec (fast) | 50000 times — 2.35 sec (fast) | PHP 7.4.25, WP 6.0.1

No Hooks.

Return

String. Filtered content containing only the allowed HTML.

Usage

wp_kses( $string, $allowed_html, $allowed_protocols );
$string(string) (required)
Content to be cleaned up.
$allowed_html(array/string) (required)

A list of allowed HTML elements in submitted content. If you specify a string value, it means a group of predefined tags:

  • post — keep the tags valid for posts (global variable $allowedposttags)
  • strip — cut out all tags. The analogue of the strip_tags() function.
  • entities — HTML entities like   (global variable $allowedentitynames)
  • user_description, pre_user_description — same as default, but with the rel attribute allowed on links <a rel="">.
  • default or any other string — the list of valid tags used to clean comment text: global variable $allowedtags.

The parameter can take a string, although the function's doc-comment declares only an array. Proof (call chain): wp_kses() → wp_kses_split() → _wp_kses_split_callback() → wp_kses_split2() → wp_kses_allowed_html()

$allowed_protocols(array)

List of allowed protocols for links in the content. By default, the following protocols are allowed, see wp_allowed_protocols():

http
https
ftp
ftps
mailto
news
irc
gopher
nntp
feed
telnet
mms
rtsp
svn
tel
fax
xmpp
webcal
urn

These are the basic protocols. Do not allow the javascript protocol for untrusted users.

Default: array()
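The following is an added example, not code from this page or from WordPress core. It assumes WordPress is loaded (so wp_unslash() and wp_kses() exist) and shows the full pattern for untrusted input: unslash first, pass a narrow allowlist, and give an explicit protocol list so that a javascript: href and event-handler attributes do not survive. The input string is constructed for the example.

```php
<?php
// Added example (not from the page or WordPress core): assumes WordPress is
// loaded, so wp_unslash() and wp_kses() are available.

// Constructed untrusted input, as it might arrive from a comment form.
$raw = '<p onclick="alert(1)">Hello <a href="javascript:alert(1)" title="x">click</a> '
     . '<a href="https://example.com" style="color:red">safe link</a> '
     . '<script>evil()</script></p>';

// Allowlist: only <p> without attributes and <a> with href and title.
// Every attribute not listed here (onclick, style, ...) is dropped.
$allowed_html = array(
	'p' => array(),
	'a' => array(
		'href'  => true,
		'title' => true,
	),
);

// Restrict protocols to an explicit subset instead of relying on the default
// list; anything else (javascript:, data:, ...) is treated as a bad protocol.
$allowed_protocols = array( 'http', 'https' );

// wp_kses() expects unslashed data; $_POST is slashed by WordPress, so a real
// form handler would call wp_unslash() on the posted value exactly like this.
$clean = wp_kses( wp_unslash( $raw ), $allowed_html, $allowed_protocols );

echo $clean;
```

The <script> element is removed as a tag, but its text content remains in the output, so wp_kses() is an HTML allowlist filter and not a general "strip all user text" tool; if the surrounding context cannot tolerate leftover text, use the strip context or strip_tags() in addition.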

Examples


#1 Clear the content using WP KSES

Let's leave only the tags 'a' (with 'href' and 'title' attributes), 'br', 'em' and 'strong'. All others will be removed:

$string = wp_unslash( $_POST['text'] );

// valid tags
$allowed_html = array(
	'a' => array(
		'href'  => true,
		'title' => true,
	),
	'br'     => array(),
	'em'     => array(),
	'strong' => array()
);

$text = wp_kses( $string, $allowed_html );

echo $text;

#2 Leave the tags that are valid when commenting

$text = "<div>1111</div><strong>222</strong>";
$text = wp_kses( $text, 'default' );
echo $text;

// output
// 1111<strong>222</strong>

#3 What tags are in global $allowedtags

Tag and the attributes allowed for it:

a:{href,title}
abbr:{title}
acronym:{title}
b
blockquote:{cite}
cite
code
del:{datetime}
em
i
q:{cite}
s
strike
strong
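The following added example (not from the page or from WordPress core; it assumes WordPress is loaded) runs one constructed input through the predefined string contexts post, default and strip, so the differences between $allowedposttags, $allowedtags and the empty list can be compared side by side. The helper name example_kses_contexts is hypothetical.

```php
<?php
// Added example (not from the page or WordPress core); assumes WordPress is loaded.
// Hypothetical helper: runs one input through the predefined tag groups so the
// effect of each string context can be compared on the same text.
function example_kses_contexts( $unslashed_text ) {
	$results = array();
	foreach ( array( 'post', 'default', 'strip' ) as $context ) {
		// A string as $allowed_html selects a predefined list via wp_kses_allowed_html().
		$results[ $context ] = wp_kses( $unslashed_text, $context );
	}
	return $results;
}

// Constructed input mixing tags from $allowedtags (strong, a, code) with tags
// that are only valid for posts (div, img) and a script block no context keeps.
$constructed = '<div class="box"><strong>bold</strong> '
             . '<a href="https://example.com" title="t" rel="nofollow">link</a> '
             . '<img src="https://example.com/a.png" alt="a"> <code>x</code></div>'
             . '<script>alert(1)</script>';

foreach ( example_kses_contexts( $constructed ) as $context => $clean ) {
	echo $context . ': ' . $clean . "\n";
}
```

With post, div and img survive; with default only the tags listed above (strong, a with href and title, code) survive and rel is dropped; with strip every tag is removed and only text remains.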

Notes

Changelog

Since 1.0.0 Introduced.

wp_kses() code WP 6.7.1

function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}

	$content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) );
	$content = wp_kses_normalize_entities( $content );
	$content = wp_kses_hook( $content, $allowed_html, $allowed_protocols );

	return wp_kses_split( $content, $allowed_html, $allowed_protocols );
}