wp_kses()
Filters content and keeps only allowed HTML tags, their attributes, and attribute values.
The function also removes some HTML entities from the string.
This function expects an unslashed string! That means that before using it you need to remove the slashes (see wp_unslash()) that WordPress automatically adds to any $_POST data (as PHP's magic quotes did before PHP 5.4).
KSES is a recursive acronym that stands for "KSES Strips Evil Scripts": a subsystem in WordPress (originally written by Ulf Harnhammar) designed to check and clean text entered by the user. It lets you set a list of valid tags, styles and protocols and, based on those parameters, removes everything from the user's text that does not match them.
No Hooks.
Return
String. Filtered content containing only the allowed HTML.
Usage
wp_kses( $string, $allowed_html, $allowed_protocols );
- $string (string) (required)
  Content to be cleaned up.
- $allowed_html (array/string) (required)
  A list of allowed HTML elements in submitted content. If you specify a string value, it means a group of predefined tags:
  - post — leave the tags valid for posts (global variable $allowedposttags)
  - strip — cut out all tags. The analogue of the strip_tags() function.
  - entities — HTML entities such as those listed in the global variable $allowedentitynames
  - user_description, pre_user_description — same as default, but with the rel attribute allowed for links (<a rel="">).
  - default, or any other string — the list of valid tags used for cleaning comment text: global variable $allowedtags.
  The parameter can take a string! Although the function's doc-comment only mentions an array. Proof: wp_kses() → wp_kses_split() → _wp_kses_split_callback() → wp_kses_split2() → wp_kses_allowed_html()
- $allowed_protocols (array)
  List of allowed protocols for links in the content. By default, the following protocols are allowed, see wp_allowed_protocols():
  http https ftp ftps mailto news irc gopher nntp feed telnet mms rtsp svn tel fax xmpp webcal urn
  These are the basic protocols. It is better not to allow the javascript protocol for untrusted users.
  Default: array()
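The following added example (not code from this reference page or from WordPress itself) ties the three parameters together: it unslashes a $_POST value, filters it with an explicit array allowlist and a protocol list narrower than wp_allowed_protocols(), and runs the same fragment through the predefined string contexts for comparison. It assumes a loaded WordPress environment (for instance run it with `wp eval-file`); the function names, the variable names and the sample input are this example's own.

```php
<?php
// Added example for the wp_kses() reference; it is not code from WordPress.
// Assumes WordPress is loaded (e.g. `wp eval-file kses-demo.php`) so that
// wp_unslash() and wp_kses() exist. Names below are this example's own.

/**
 * Sanitize a user-submitted HTML fragment the way a profile "bio" field might,
 * keeping only a small allowlist of tags/attributes and URL schemes.
 *
 * @param string $raw_post_value Value as found in $_POST (still slashed by WP).
 * @return string Filtered HTML.
 */
function kses_demo_sanitize_bio( $raw_post_value ) {
    // wp_kses() expects unslashed data, so undo WordPress's automatic slashes first.
    $unslashed = wp_unslash( $raw_post_value );

    // Allowlist: each tag maps to the attributes it may carry. Anything else
    // (other tags, other attributes such as onclick/onerror) is dropped.
    $allowed_html = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );

    // Narrower than wp_allowed_protocols(): only these schemes pass the href check.
    $allowed_protocols = array( 'http', 'https', 'mailto' );

    return wp_kses( $unslashed, $allowed_html, $allowed_protocols );
}

/**
 * Run one fragment through the predefined string contexts (see $allowed_html
 * above) so their behaviour can be compared side by side.
 *
 * @param string $html Already-unslashed HTML.
 * @return array<string,string> Context name => filtered output.
 */
function kses_demo_compare_contexts( $html ) {
    $results = array();
    foreach ( array( 'strip', 'default', 'post' ) as $context ) {
        $results[ $context ] = wp_kses( $html, $context );
    }
    return $results;
}

// Constructed sample input, written the way it arrives in $_POST: the quotes
// are backslash-escaped because WordPress slashes request data.
$constructed_post_value = 'Hi <strong>there</strong>'
    . ' <a href=\"https://example.com/\" title=\"ok\" onclick=\"alert(1)\">safe link</a>'
    . ' <a href=\"ftp://example.com/pub/\">ftp link</a>'
    . ' <script>alert(1)</script>'
    . ' <img src=\"x\" onerror=\"alert(1)\">';

echo "--- custom allowlist ---\n";
echo kses_demo_sanitize_bio( $constructed_post_value ), "\n";

echo "--- predefined contexts ---\n";
foreach ( kses_demo_compare_contexts( wp_unslash( $constructed_post_value ) ) as $context => $out ) {
    echo "[{$context}] {$out}\n";
}
```

Two things worth checking in the output. First, KSES removes disallowed tags but not the text between them: the `<script>` element disappears while the text `alert(1)` stays behind as plain text, so wp_kses() is an HTML allowlist, not a content filter. Second, the ftp link's href fails the protocol check because `ftp` is absent from the custom $allowed_protocols, while the same link passes under the string contexts, which fall back to wp_allowed_protocols().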
Examples
#1 Clear the content using WP KSES
Let's leave only the tags 'a' (with 'href' and 'title' attributes), 'br', 'em' and 'strong'. All others will be removed:
$string = wp_unslash( $_POST['text'] );

// valid tags
$allowed_html = array(
	'a' => array(
		'href'  => true,
		'title' => true,
	),
	'br'     => array(),
	'em'     => array(),
	'strong' => array(),
);

$text = wp_kses( $string, $allowed_html );
echo $text;
#2 Leave the tags that are valid when commenting
$text = "<div>1111</div><strong>222</strong>";
$text = wp_kses( $text, 'default' );
echo $text;
// output:
// 1111<strong>222</strong>
#3 What tags are in global $allowedtags
Each tag and the attributes allowed for it:
a:{href,title}
abbr:{title}
acronym:{title}
b
blockquote:{cite}
cite
code
del:{datetime}
em
i
q:{cite}
s
strike
strong
Notes
- See: wp_kses_post() for specifically filtering post content and fields.
- See: wp_allowed_protocols() for the default allowed protocols in link URLs.
Changelog
Since 1.0.0: Introduced.
Source code of wp_kses() (WP 6.7.1)
function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}

	$content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) );
	$content = wp_kses_normalize_entities( $content );
	$content = wp_kses_hook( $content, $allowed_html, $allowed_protocols );

	return wp_kses_split( $content, $allowed_html, $allowed_protocols );
}