wp_kses() WordPress Function

The wp_kses() function is a security function that allows you to specify which HTML tags and attributes are allowed in a string. It is useful for preventing cross-site scripting (XSS) attacks.

wp_kses( string $string, array[]|string $allowed_html, string[] $allowed_protocols = array() )

Filters text content and strips out disallowed HTML.


Description

This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.

This function expects unslashed data.


Parameters

$string

(string) (Required) Text content to filter.

$allowed_html

(array[]|string) (Required) An array of allowed HTML elements and attributes, or a context name such as 'post'. See wp_kses_allowed_html() for the list of accepted context names.

$allowed_protocols

(string[]) (Optional) Array of allowed URL protocols.

Default value: array()



Return

(string) Filtered content containing only the allowed HTML.



More Information

KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.

For parameter $allowed_protocols, the default allowed protocols are http, https, ftp, mailto, news, irc, gopher, nntp, feed, and telnet. This covers all common link protocols, except for javascript, which should not be allowed for untrusted users.
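
Added example (not part of the WordPress source or of this page's original content): a strict element/attribute allowlist with a narrowed protocol list, run next to the 'post' context on the same input. It assumes WordPress is loaded (for instance via WP-CLI's `wp eval-file`); sanitize_bio_html() and the sample input are hypothetical and constructed for illustration.

```php
<?php
/**
 * Filter a user-supplied profile bio down to a small allowlist.
 * Hypothetical helper; expects unslashed data, as wp_kses() does.
 * Values read from $_POST or $_GET should go through wp_unslash() first.
 */
function sanitize_bio_html( $unslashed ) {
	// Element name => permitted attribute names.
	// Tags and attributes missing from this list are stripped;
	// text between stripped tags is kept as plain text.
	$allowed_html = array(
		'a'      => array(
			'href'  => true,
			'title' => true,
		),
		'strong' => array(),
		'em'     => array(),
		'br'     => array(),
	);

	// Narrower than the default list: web and mail links only.
	// A URL attribute using any other scheme has that scheme stripped.
	$allowed_protocols = array( 'http', 'https', 'mailto' );

	return wp_kses( $unslashed, $allowed_html, $allowed_protocols );
}

// Constructed sample input covering each filtering case.
$constructed_input =
	'<strong onclick="alert(1)">Hi</strong> '            // disallowed attribute
	. '<script>alert(2)</script> '                         // disallowed element
	. '<a href="javascript:alert(3)" title="x">one</a> ' // never-allowed scheme
	. '<a href="ftp://files.example.com/a.txt">two</a> ' // default-only scheme
	. '<a href="https://example.com/">three</a>';        // allowed in both

// Strict allowlist with the narrowed protocol list.
$strict = sanitize_bio_html( $constructed_input );

// Context name instead of an array; the empty third argument
// falls back to wp_allowed_protocols().
$post_context = wp_kses( $constructed_input, 'post' );

echo "strict: ", $strict, "\n";
echo "post:   ", $post_context, "\n";
```

Comparing the two output lines shows which links and attributes survive under each policy.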



Source

File: wp-includes/kses.php

function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}

	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
	$string = wp_kses_normalize_entities( $string );
	$string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );

	return wp_kses_split( $string, $allowed_html, $allowed_protocols );
}



Changelog

Version    Description
1.0.0      Introduced.

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by the Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.