wp_kses_post()WP 2.9.0

Sanitizes the passed string (content), leaving in it only allowed post content HTML tags for the current user.

This function is a wrapper for such code:

wp_kses( $data, 'post' );

This function can be used to sanitize raw user input data passed in $_POST:

$some_array = array_map( 'wp_kses_post', $_POST['some_array'] );

This function expects unslashed string (data)! It means that before using it you need to remove all slashes, see wp_unslash(), that WP automatically adds to any global data, for example $_POST, see wp_magic_quotes().

Uses: wp_kses()
1 time — 0.000492 sec (fast) | 50000 times — 10.07 sec (slow) | PHP 7.1.5, WP 4.8

No Hooks.


String. Filtered post content with allowed HTML tags and attributes intact.


wp_kses_post( $data );
$data(string) (required)
Post content to filter.



#1 Sanitize the string

Function demonstration: clears string $str of unwanted HTML tags.

$str = $str = wp_unslash( $_POST['text'] );
$str = wp_kses_post( $str );

// now $str can be safely written to the database or displayed
var_dump( wp_kses_post( '' ) );                 // string(0) ""
var_dump( wp_kses_post( '\'foo<foo>' ) );       // string(4) "'foo"
var_dump( wp_kses_post( '\'foo <p>bar</p>' ) ); // string(15) "'foo <p>bar</p>"

#2 More examples

See examples of wp_kses().


Since 2.9.0 Introduced.

wp_kses_post() code WP 6.5.3

function wp_kses_post( $data ) {
	return wp_kses( $data, 'post' );