wp_kses( string $string, array[]|string $allowed_html, string[] $allowed_protocols = array() )

Filters text content and strips out disallowed HTML.

Description Description

This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.

This function expects unslashed data.

See also See also

Top ↑

Parameters Parameters


(string) (Required) Text content to filter.


(array[]|string) (Required) An array of allowed HTML elements and attributes, or a context name such as 'post'. See wp_kses_allowed_html() for the list of accepted context names.


(string[]) (Optional) Array of allowed URL protocols.

Default value: array()

Top ↑

Return Return

(string) Filtered content containing only the allowed HTML.

Top ↑

More Information More Information

KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.

For parameter $allowed_protocols, the default allowed protocols are http, https, ftp, mailto, news, irc, gopher, nntp, feed, and telnet. This covers all common link protocols, except for javascript, which should not be allowed for untrusted users.

Top ↑

Source Source

File: wp-includes/kses.php

function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();

	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
	$string = wp_kses_normalize_entities( $string );
	$string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );

	return wp_kses_split( $string, $allowed_html, $allowed_protocols );

Top ↑

Changelog Changelog

Version Description
1.0.0 Introduced.

Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note 1 content
    Contributed by Bart Kuijper

    Many function names in WordPress are self-explanatory and if they aren’t, their documentation usually sheds some light on how they got their name. I find this makes it easier to later recall their names and uses. However, wp_kses is an exception. So for anyone else wondering:

    kses comes from the terms XSS (cross-site scripting) and access. It’s also a recursive acronym (every open-source project should have one!) for “kses strips evil scripts”.

You must log in before being able to contribute a note or feedback.