wp_kses( string $string, array[]|string $allowed_html, string[] $allowed_protocols = array() )
Filters text content and strips out disallowed HTML.
Description
This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.
This function expects unslashed data.
See also
- wp_kses_post(): for specifically filtering post content and fields.
- wp_allowed_protocols(): for the default allowed protocols in link URLs.
Parameters
- $string
  (string) (Required) Text content to filter.
- $allowed_html
  (array[]|string) (Required) An array of allowed HTML elements and attributes, or a context name such as 'post'. See wp_kses_allowed_html() for the list of accepted context names.
- $allowed_protocols
  (string[]) (Optional) Array of allowed URL protocols.
  Default value: array()
Return
(string) Filtered content containing only the allowed HTML.
More Information
KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.
For parameter $allowed_protocols, the default allowed protocols are http, https, ftp, mailto, news, irc, gopher, nntp, feed, and telnet. This covers all common link protocols, except for javascript, which should not be allowed for untrusted users.
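The following snippet is an added example and is not code from this reference page or from WordPress core. It puts the pieces described above together as a plugin-side helper: an allow list in the attribute => true form, unslashing the input as wp_kses() expects, and a protocol list narrower than the defaults listed above. It has to run inside WordPress, since wp_kses() and wp_unslash() are core functions; every name prefixed example_ is this snippet's own, and the sample HTML is constructed.

```php
<?php
// Added example: filtering an untrusted HTML fragment with wp_kses() and a
// custom allow list. Runs inside WordPress (e.g. from a plugin file), because
// wp_kses() and wp_unslash() are core functions. Names prefixed "example_"
// belong to this snippet only.

/**
 * Allow list for a comment-like field: a few inline elements plus links.
 * An attribute mapped to `true` is permitted; its value is still subject to
 * KSES's own checks (for href, the protocol list passed below). Elements
 * and attributes that are not listed are stripped.
 */
function example_comment_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
        'p'      => array(),
    );
}

/**
 * Filter user-submitted HTML. wp_kses() expects unslashed data, so request
 * values are passed through wp_unslash() first. The third argument limits
 * links to http/https; the defaults (http, https, ftp, mailto, news, irc,
 * gopher, nntp, feed, telnet) are used only when this argument is empty.
 */
function example_filter_comment_html( $raw ) {
    $unslashed = wp_unslash( $raw );
    return wp_kses(
        $unslashed,
        example_comment_allowed_html(),
        array( 'http', 'https' )
    );
}

// Constructed sample input covering what the filter removes:
//  - a <div> and a <script> element: not in the allow list, so the tags are
//    dropped (KSES removes tags, not the text between them)
//  - an inline event-handler attribute on <a>: not in the allow list
//  - an href using a protocol outside our list (mailto:), whose protocol
//    prefix KSES strips from the attribute value
//  - an ordinary https link with a title, which passes unchanged
$sample = '<div><p>Hello <strong>world</strong><script>alert(1)</script></p>'
        . '<a href="mailto:someone@example.com" onclick="x()">mail</a> '
        . '<a href="https://example.com/" title="ok">good</a></div>';

echo example_filter_comment_html( $sample );
```

The shape of the allow list matters: WordPress core uses `true` for permitted attributes, and an element mapped to an empty array is allowed with no attributes at all. Passing a context name such as 'post' instead of the array uses the core list from wp_kses_allowed_html().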
Source
File: wp-includes/kses.php
function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
    if ( empty( $allowed_protocols ) ) {
        $allowed_protocols = wp_allowed_protocols();
    }
    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
    $string = wp_kses_normalize_entities( $string );
    $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
    return wp_kses_split( $string, $allowed_html, $allowed_protocols );
}
Changelog
Version | Description
--- | ---
1.0.0 | Introduced.
User Contributed Notes
Many function names in WordPress are self-explanatory and if they aren’t, their documentation usually sheds some light on how they got their name. I find this makes it easier to later recall their names and uses. However, wp_kses is an exception. So for anyone else wondering: kses comes from the terms XSS (cross-site scripting) and access. It’s also a recursive acronym (every open-source project should have one!) for “kses strips evil scripts”.
Allowed HTML tags array
This is an example of how to format an array of allowed HTML tags and attributes.
Feedback
From what is shown in the core code, the attributes are typically set to true, rather than array(), so more like this:
array(
    'a' => array(
        'href'  => true,
        'title' => true,
    ),
    'br'     => array(),
    'em'     => array(),
    'strong' => array(),
);
— By nosilver4u —
WordPress wp_kses is an HTML filtering mechanism. If you need to escape your output in a specific (custom) way, the wp_kses function in WordPress will come in handy.
Output:
Before wp_kses: Check Kses function I am stronger and cooler every single day Click Here
After wp_kses: String using wp_kses function…. Check Kses function I am stronger and cooler every single day Click Here
It will display a resultant string as shown in the output screen. It only reflects the allowed tags strong, br, p as defined in the wp_kses function, and the anchor tag is removed. So no link for the Click Here text is formed. See wp_kses_allowed_html() and /wp-includes/kses.php to get a list of the possible default values of the allowed HTML tags.
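As an added example (not code from the reference page, from the notes above, or from WordPress core), the snippet below reproduces the effect the note describes, keeping strong, br and p while dropping the anchor, but starts from WordPress's own 'post' allow list and narrows it instead of hand-writing the array. It runs inside WordPress; wp_kses_allowed_html() and wp_kses() are core functions, the example_ names are this snippet's own, and the sample HTML is constructed.

```php
<?php
// Added example: derive an allow list from the core 'post' context and
// remove what a particular field must not carry. Runs inside WordPress;
// names prefixed "example_" belong to this snippet only.

/**
 * The 'post' context allow list with link and image elements removed, so
 * that content filtered with it cannot carry URLs at all. Starting from the
 * core list (rather than an ad-hoc array) keeps the usual formatting
 * elements, their attributes and the default protocol handling intact.
 */
function example_no_link_allowed_html() {
    $allowed = wp_kses_allowed_html( 'post' );
    unset( $allowed['a'], $allowed['img'] );
    return $allowed;
}

/**
 * wp_kses() with the narrowed list. The protocol argument is omitted, so the
 * defaults from wp_allowed_protocols() apply to any remaining URL attributes.
 * (wp_kses( $html, 'post' ) would instead use the unmodified core list.)
 */
function example_filter_no_links( $html ) {
    return wp_kses( $html, example_no_link_allowed_html() );
}

// Constructed sample: <p>, <strong> and <br> are kept; the <a> tags are
// removed while their text ("Click here") stays, so no link is formed.
$sample = '<p>I am <strong>stronger</strong> and cooler<br>every single day. '
        . '<a href="https://example.com/">Click here</a></p>';

echo example_filter_no_links( $sample );
```

Narrowing the core list is usually safer than extending it: elements you add to the 'post' list are allowed for every caller that passes that context, whereas a list you unset entries from only affects the field you apply it to.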