WordPress at a glance
function is not described

wp_kses_bad_protocol() WP 1.0.0

Sanitizes a string and removed disallowed URL protocols.

This function removes all non-allowed protocols from the beginning of the string. It ignores whitespace and the case of the letters, and it does understand HTML entities. It does its work recursively, so it won't be fooled by a string like javascript:javascript:alert(57).

No Hooks.


String. Filtered content.


wp_kses_bad_protocol( $string, $allowed_protocols );
$string(string) (required)
Content to filter bad protocols from.
$allowed_protocols(string[]) (required)
Array of allowed URL protocols.


Since 1.0.0 Introduced.

Code of wp_kses_bad_protocol() WP 5.7.2

function wp_kses_bad_protocol( $string, $allowed_protocols ) {
	$string     = wp_kses_no_null( $string );
	$iterations = 0;

	do {
		$original_string = $string;
		$string          = wp_kses_bad_protocol_once( $string, $allowed_protocols );
	} while ( $original_string != $string && ++$iterations < 6 );

	if ( $original_string != $string ) {
		return '';

	return $string;