wp_kses_allowed_html() WP 3.5.0

Returns a list of allowed HTML tags and their attributes for use in functions such as wp_kses().

The type of list of allowed tags that will be returned is determined by the specified context.

Uses global variables: $allowedposttags, $allowedtags, $allowedentitynames;

Used By: wp_kses()
1 time — 0.000061 sec (very fast) | 50000 times — 1.72 sec (fast)
Hooks from the function

Returns

Array. A list of tags and their attributes in the form of an array.

Usage

wp_kses_allowed_html( $context );
$context (string)

The context for which the obtained list of allowed tags is intended to be used. It can be:

  • post — returns the tags allowed in posts (global variable $allowedposttags). The common global attributes are also added to every tag; see _wp_add_global_attributes():

    $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
  • strip - will strip all tags. Equivalent to the PHP function strip_tags()

  • entities - HTML entities, like &nbsp; (global variable $allowedentitynames)

  • user_description - basic list of tags ($allowedtags) + tag <a rel="">.

  • data or default - list of basic allowed tags. Used when cleaning comment text (global variable $allowedtags)

Default: ''

Examples


#1 Get the default list of allowed tags

Here the list is obtained for the user with the role of Administrator.

The list may differ, depending on the role and the specified context.

// No context passed: the function falls through to the default ('data') list.
$data = wp_kses_allowed_html();

print_r( $data );

/* we get
Array
(
	[a] => Array
		(
			[href] => 1
			[title] => 1
		)

	[abbr] => Array
		(
			[title] => 1
		)

	[acronym] => Array
		(
			[title] => 1
		)

	[b] => Array()
	[blockquote] => Array
		(
			[cite] => 1
		)

	[cite] => Array()
	[code] => Array()
	[del] => Array
		(
			[datetime] => 1
		)

	[em] => Array()
	[i] => Array()
	[q] => Array
		(
			[cite] => 1
		)

	[s] => Array()
	[strike] => Array()
	[strong] => Array()
	[pre] => Array
		(
			[class] => 1
			[name] => 1
			[code] => 1
		)

	[var] => Array()
	[h3] => Array()
	[h4] => Array()
	[img] => Array
		(
			[class] => 1
			[alt] => 1
			[src] => 1
		)

	[li] => Array()
	[ol] => Array()
	[ul] => Array()

)
*/

#2 If you specify the context

// strips all html (empty array)
$data = wp_kses_allowed_html( 'strip' );
/*
Array
(
)
*/

// allows a list of HTML Entities such as &nbsp;
$data = wp_kses_allowed_html( 'entities' );
/*
Array
(
	[0] => nbsp
	[1] => iexcl
	[2] => cent
	[3] => pound
	[4] => curren
	[5] => yen
	[6] => brvbar
	[7] => sect
	[8] => uml
	[9] => copy
	[10] => ordf
	[11] => laquo
	[12] => not
	[13] => shy
	[14] => reg
	[15] => macr
	[16] => deg
	[17] => plusmn
	[18] => acute
	[19] => micro
	[20] => para
	[21] => middot
	etc. ...
)
*/
// allows most inline elements and strips all block-level elements except blockquote
$allowed_html = wp_kses_allowed_html( 'data' );

// very permissive: allows pretty much all HTML to pass - same as what's normally applied to the_content by default
$allowed_html = wp_kses_allowed_html( 'post' );

Notes

  • Global. Array. $allowedposttags
  • Global. Array. $allowedtags
  • Global. Array. $allowedentitynames

Changelog

Since 3.5.0 Introduced.
Since 5.0.1 form removed as allowable HTML tag.

wp_kses_allowed_html() code WP 6.9.1

function wp_kses_allowed_html( $context = '' ) {
	global $allowedposttags, $allowedtags, $allowedentitynames;

	if ( is_array( $context ) ) {
		// When `$context` is an array it's actually an array of allowed HTML elements and attributes.
		$html    = $context;
		$context = 'explicit';

		/**
		 * Filters the HTML tags that are allowed for a given context.
		 *
		 * HTML tags and attribute names are case-insensitive in HTML but must be
		 * added to the KSES allow list in lowercase. An item added to the allow list
		 * in upper or mixed case will not recognized as permitted by KSES.
		 *
		 * @since 3.5.0
		 *
		 * @param array[] $html    Allowed HTML tags.
		 * @param string  $context Context name.
		 */
		return apply_filters( 'wp_kses_allowed_html', $html, $context );
	}

	switch ( $context ) {
		case 'post':
			/** This filter is documented in wp-includes/kses.php */
			$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );

			// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
			if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
				$tags = $allowedposttags;

				$tags['form'] = array(
					'action'         => true,
					'accept'         => true,
					'accept-charset' => true,
					'enctype'        => true,
					'method'         => true,
					'name'           => true,
					'target'         => true,
				);

				/** This filter is documented in wp-includes/kses.php */
				$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
			}

			return $tags;

		case 'user_description':
		case 'pre_term_description':
		case 'pre_user_description':
			$tags                = $allowedtags;
			$tags['a']['rel']    = true;
			$tags['a']['target'] = true;
			/** This filter is documented in wp-includes/kses.php */
			return apply_filters( 'wp_kses_allowed_html', $tags, $context );

		case 'strip':
			/** This filter is documented in wp-includes/kses.php */
			return apply_filters( 'wp_kses_allowed_html', array(), $context );

		case 'entities':
			/** This filter is documented in wp-includes/kses.php */
			return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context );

		case 'data':
		default:
			/** This filter is documented in wp-includes/kses.php */
			return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
	}
}
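
The source above applies the wp_kses_allowed_html filter in every branch, including the 'explicit' one used when an array is passed. The following is an added example, not WordPress core code: it scopes a filter to one context and builds a narrow list for a plugin field. All acme_* names are hypothetical, and the code assumes it runs inside WordPress (for example in a plugin file).

```php
<?php
// Added example, not WordPress core code. All acme_* names are hypothetical.

/**
 * Tighten one context only. The filter fires for every context, including
 * 'explicit' (an array passed straight to wp_kses()), so check $context first.
 */
function acme_tighten_user_description( $tags, $context ) {
	$contexts = array( 'user_description', 'pre_user_description' );
	if ( ! in_array( $context, $contexts, true ) ) {
		return $tags; // Leave every other allow list untouched.
	}
	// Drop the target attribute this context adds to <a>.
	// Keys must be lowercase: KSES does not recognize 'A' or 'Target'.
	unset( $tags['a']['target'] );
	return $tags;
}
// Priority 10, two accepted arguments so the callback receives $context.
add_filter( 'wp_kses_allowed_html', 'acme_tighten_user_description', 10, 2 );

/**
 * Build a narrow allow list for a plugin field from the basic 'data' list
 * instead of hand-writing tags and attributes.
 */
function acme_note_allowed_html() {
	$base = wp_kses_allowed_html( 'data' );
	$keep = array( 'a', 'em', 'strong', 'code' );
	// Keep only the listed tags, with the attributes the base list grants them.
	return array_intersect_key( $base, array_flip( $keep ) );
}

/**
 * Sanitize a note field. Passing an array makes wp_kses_allowed_html()
 * take the 'explicit' branch, so other plugins' filters still run on it.
 */
function acme_sanitize_note( $raw ) {
	return wp_kses( $raw, acme_note_allowed_html() );
}

// Constructed sample input: an event-handler attribute and a tag outside the list.
$sample = '<strong onclick="x()">Hi</strong> <img src="a.png"> '
	. '<a href="https://example.com">ok</a>';
echo acme_sanitize_note( $sample );
```

Because the explicit array still passes through the filter, a callback that adds tags without checking $context widens lists like this one as well.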