wp_kses( string $content, array[]|string $allowed_html, string[] $allowed_protocols = array() ): string

Filters text content and strips out disallowed HTML.

Description
- See also
Parameters
Return
More Information
Source
Related
- Uses
- Used By
Changelog
User Contributed Notes
- Feedback

Description

This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.

This function expects unslashed data.

Top ↑

Parameters

$content string Required: Text content to filter.
$allowed_html array[]|string Required: An array of allowed HTML elements and attributes, or a context name such as 'post'. See wp_kses_allowed_html() for the list of accepted context names.
$allowed_protocols string[] Optional: Array of allowed URL protocols.
Defaults to the result of wp_allowed_protocols() .

Default: array()

Top ↑

Return

string Filtered content containing only the allowed HTML.

Top ↑

More Information

KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.

For parameter $allowed_protocols, the default allowed protocols are http, https, ftp, mailto, news, irc, gopher, nntp, feed, and telnet. This covers all common link protocols, except for javascript, which should not be allowed for untrusted users.

Top ↑

Source

File: wp-includes/kses.php. View all references

function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}

	$content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) );
	$content = wp_kses_normalize_entities( $content );
	$content = wp_kses_hook( $content, $allowed_html, $allowed_protocols );

	return wp_kses_split( $content, $allowed_html, $allowed_protocols );
}

View on Trac View on GitHub

Top ↑

Uses

Uses
Uses	Description
wp_kses_no_null() wp-includes/kses.php	Removes any invalid control characters in a text string.
wp_kses_normalize_entities() wp-includes/kses.php	Converts and fixes HTML entities.
wp_kses_hook() wp-includes/kses.php	You add any KSES hooks here.
wp_kses_split() wp-includes/kses.php	Searches for HTML tags, no matter how malformed.
wp_allowed_protocols() wp-includes/functions.php	Retrieves a list of protocols to allow in HTML attributes.

Top ↑

Used By

Used By
Used By	Description
WP_Site_Health::get_test_persistent_object_cache() wp-admin/includes/class-wp-site-health.php	Tests if the site uses persistent object cache and recommends to use it if not.
Walker_Comment::filter_comment_text() wp-includes/class-walker-comment.php	Filters the comment text.
filter_block_kses_value() wp-includes/blocks.php	Filters and sanitizes a parsed block attribute value to remove non-allowable HTML.
WP_Debug_Data::debug_data() wp-admin/includes/class-wp-debug-data.php	Static function for generating site debug data when required.
WP_Site_Health::get_test_sql_server() wp-admin/includes/class-wp-site-health.php	Tests if the SQL server is up to date.
wp_privacy_generate_personal_data_export_group_html() wp-admin/includes/privacy-tools.php	Generate a single group for the personal data export report.
WP_Customize_Manager::handle_load_themes_request() wp-includes/class-wp-customize-manager.php	Loads themes into the theme browsing/installation UI.
wp_filter_oembed_result() wp-includes/embed.php	Filters the given oEmbed HTML.
Automatic_Upgrader_Skin::feedback() wp-admin/includes/class-automatic-upgrader-skin.php	Stores a message about the upgrade.
WP_Theme_Install_List_Table::install_theme_info() wp-admin/includes/class-wp-theme-install-list-table.php	Prints the info for a theme (to be used in the theme installer modal).
WP_Theme_Install_List_Table::single_row() wp-admin/includes/class-wp-theme-install-list-table.php	Prints a theme from the WordPress.org API.
wp_plugin_update_row() wp-admin/includes/update.php	Displays update information for a plugin.
install_plugin_information() wp-admin/includes/plugin-install.php	Displays plugin information in dialog box form.
_get_plugin_data_markup_translate() wp-admin/includes/plugin.php	Sanitizes plugin data, optionally adds markup, optionally translates.
WP_Plugin_Install_List_Table::display_rows() wp-admin/includes/class-wp-plugin-install-list-table.php
wp_ajax_query_themes() wp-admin/includes/ajax-actions.php	Handles getting themes from themes_api() via AJAX.
wp_kses_data() wp-includes/kses.php	Sanitize content with allowed HTML KSES rules.
wp_filter_post_kses() wp-includes/kses.php	Sanitizes content for allowed HTML tags for post content.
wp_kses_post() wp-includes/kses.php	Sanitizes content for allowed HTML tags for post content.
wp_filter_nohtml_kses() wp-includes/kses.php	Strips all HTML from a text string.
wp_filter_kses() wp-includes/kses.php	Sanitize content with allowed HTML KSES rules.
WP_Theme::sanitize_header() wp-includes/class-wp-theme.php	Sanitizes a theme header.
img_caption_shortcode() wp-includes/media.php	Builds the Caption shortcode output.
wp_sidebar_description() wp-includes/widgets.php	Retrieve description for a sidebar.

Show 19 more used by Hide more used by

Top ↑

Changelog

Changelog
Version	Description
1.0.0	Introduced.

Top ↑

User Contributed Notes

Skip to note 1 content

You must log in to vote on the helpfulness of this noteVote results for this note: 23You must log in to vote on the helpfulness of this note

Contributed by Bart Kuijper — 4 years ago

Many function names in WordPress are self-explanatory and if they aren’t, their documentation usually sheds some light on how they got their name. I find this makes it easier to later recall their names and uses. However, wp_kses is an exception. So for anyone else wondering:

kses comes from the terms XSS (cross-site scripting) and access. It’s also a recursive acronym (every open-source project should have one!) for “kses strips evil scripts”.

Log in to add feedback
Skip to note 2 content

You must log in to vote on the helpfulness of this noteVote results for this note: 14You must log in to vote on the helpfulness of this note

Contributed by Codex — 8 years ago
Allowed HTML tags array
This is an example of how to format an array of allowed HTML tags and attributes.
```
array(
    'a' => array(
        'href' => array(),
        'title' => array()
    ),
    'br' => array(),
    'em' => array(),
    'strong' => array(),
);
```
Top ↑
Feedback
- From what is shown in the core code, the attributes are typically set to true, rather than array(), so more like this: array( 'a' => array( 'href' => true, 'title' => true, ), 'br' => array(), 'em' => array(), 'strong' => array(), ); — By nosilver4u — 2 years ago
Log in to add feedback
Skip to note 3 content

You must log in to vote on the helpfulness of this noteVote results for this note: 6You must log in to vote on the helpfulness of this note

Contributed by Abdul Hadi — 3 years ago
WordPress wp_kses is an HTML filtering mechanism. If you need to escape your output in a specific (custom) way, wp_kses function in WordPress will come handy.
```
<?php
$str = 'Check Kses function I am <strong>stronger</strong> and cooler every single day <a href="#" rel="nofollow ugc">Click Here</a>';
echo $str;
$arr = array( 'br' => array(), 'p' => array(), 'strong' => array() );
echo 'String using wp_kses function....' . wp_kses( $str, $arr );
?>
```
Output:
Before wp_kses: Check Kses function I am stronger and cooler every single day Click Here
After wp_kses: String using wp_kses function…. Check Kses function I am stronger and cooler every single day Click Here

It will display a resultant string as shown in the output screen. It only reflects the allowed tags strong, br, p as defined in wp_kses function and anchor tag is removed. So, no link for click Here text is formed.
Log in to add feedback
Skip to note 4 content

You must log in to vote on the helpfulness of this noteVote results for this note: 2You must log in to vote on the helpfulness of this note

Contributed by J.D. Grimes — 9 years ago

See wp_kses_allowed_html() and /wp-includes/kses.php to get a list of the possible default values of the allowed HTML tags.

Log in to add feedback

Contributed by TomS Caprice — 2 years ago

// Allowed img tag and support svg base64 data like:  <img src="data:image/svg+xml;base64,__base64_code__" />
function wpdocs_allowed_html() {
	return array(
		'img' => array(
			'title' => array(),
			'src'	=> array(),
			'alt'	=> array(),
		)
	);
}

function wpdocs_allowed_protocols() {
	return array(
		'data' 	=> array(),
		'http'	=> array(),
		'https' => array(),
	);
}

function wpdocs_output_img() {
	$html = '';
	ob_start();
	?>

	<img src="data:image/svg+xml;base64,Your_base64_code" title="img_title" alt="alt_info" />

	<?php 
	$html = ob_get_contents();
	ob_end_clean();
	return $html;
}

$allowed_html      = wpdocs_allowed_html();
$allowed_protocols = wpdocs_allowed_protocols();
$wpdocs_img        = wpdocs_output_img();

echo wp_kses( $wpdocs_img, $allowed_html, $allowed_protocols )

Skip to note 6 content

You must log in to vote on the helpfulness of this noteVote results for this note: 1You must log in to vote on the helpfulness of this note

Contributed by Rene Hermenau — 10 months ago
If you want to keep certain style properties you have to use another filter.
Unortunately wp_kses will check the style properties against a list of allowed properties and it will still strip the style attribute if none of the styles are safe.

E.g. Use this filter if you want to keep the `display` property within a `style`:
a
```
add_filter( 'safe_style_css', function( $styles ) {
    $styles[] = 'display';
    return $styles;
} );
```
Check kses.php for default:
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/kses.php
Log in to add feedback

Contributed by Mahdi Yazdani — 11 months ago

Sanitize SVG markup for front-end display using wp_kses, and a list of allowed HTML elements and attributes specific to a SVG tag.

/**
* Sanitize SVG markup for front-end display.
*
* @param  string $svg SVG markup to sanitize.
* @return string 	  Sanitized markup.
*/
function prefix_sanitize_svg( $svg = '' ) {
	$allowed_html = [
		'svg'  => [
			'xmlns'       => [],
			'fill'        => [],
			'viewbox'     => [],
			'role'        => [],
			'aria-hidden' => [],
			'focusable'   => [],
			'height'      => [],
			'width'       => [],
		],
		'path' => [
			'd'    => [],
			'fill' => [],
		],
	];

	return wp_kses( $svg, $allowed_html );
}

Skip to note 8 content

You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note

Contributed by jeffersonreal — 3 weeks ago
If you are using wp_kses to escape SVG, be warned `wp_kses()` will strip camelcased attributes in your args. Make sure your args are converted to lowercase for their uppercase equivalents. For example:
```
$args = array(
	'svg'            => array(
		'viewbox'             => true, // viewBox
		'preserveaspectratio' => true, // preserveAspectRatio
	),
	'lineargradient' => array(             // linearGradient
		'gradientunits'     => true,   // gradientUnits
		'gradienttransform' => true,   // gradientTransform
		'spreadmethod'      => true,   // spreadMethod
	),
);
```
Log in to add feedback

You must log in before being able to contribute a note or feedback.

Developer Resources

wp_kses( string $content, array[]|string $allowed_html, string[] $allowed_protocols = array() ): string

Contents

Description

See also

Parameters

Return

More Information

Source

Changelog

User Contributed Notes

Feedback