wp_kses( string $string, array[]|string $allowed_html, string[] $allowed_protocols = array() )

Filters text content and strips out disallowed HTML.

Contents

Description Description

This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.

This function expects unslashed data.

Top ↑

See also See also

Top ↑

Parameters Parameters

$string

(string) (Required) Text content to filter.

$allowed_html

(array[]|string) (Required) An array of allowed HTML elements and attributes, or a context name such as 'post'. See wp_kses_allowed_html() for the list of accepted context names.

$allowed_protocols

(string[]) (Optional) Array of allowed URL protocols.

Default value: array()

Top ↑

Return Return

(string) Filtered content containing only the allowed HTML.

Top ↑

More Information More Information

KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.

For parameter $allowed_protocols, the default allowed protocols are http, https, ftp, mailto, news, irc, gopher, nntp, feed, and telnet. This covers all common link protocols, except for javascript, which should not be allowed for untrusted users.

Top ↑

Source Source

File: wp-includes/kses.php 

function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}

	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
	$string = wp_kses_normalize_entities( $string );
	$string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );

	return wp_kses_split( $string, $allowed_html, $allowed_protocols );
}

Expand full source code Collapse full source code View on Trac View on GitHub

Top ↑

Top ↑

Used By Used By

Used By
Used By Description
wp-includes/class-walker-comment.php: Walker_Comment::filter_comment_text()

Filters the comment text.
wp-includes/blocks.php: filter_block_kses_value()

Filters and sanitizes a parsed block attribute value to remove non-allowable HTML.
wp-admin/includes/class-wp-debug-data.php: WP_Debug_Data::debug_data()

Static function for generating site debug data when required.
wp-admin/includes/class-wp-site-health.php: WP_Site_Health::get_test_sql_server()

Test if the SQL server is up to date.
wp-admin/includes/privacy-tools.php: wp_privacy_generate_personal_data_export_group_html()

Generate a single group for the personal data export report.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::handle_load_themes_request()

Load themes into the theme browsing/installation UI.
wp-includes/embed.php: wp_filter_oembed_result()

Filters the given oEmbed HTML.
wp-admin/includes/class-automatic-upgrader-skin.php: Automatic_Upgrader_Skin::feedback()

Stores a message about the upgrade.
wp-admin/includes/class-wp-theme-install-list-table.php: WP_Theme_Install_List_Table::install_theme_info()

Prints the info for a theme (to be used in the theme installer modal).
wp-admin/includes/class-wp-theme-install-list-table.php: WP_Theme_Install_List_Table::single_row()

Prints a theme from the WordPress.org API.
wp-admin/includes/update.php: wp_plugin_update_row()

Displays update information for a plugin.
wp-admin/includes/plugin-install.php: install_plugin_information()

Display plugin information in dialog box form.
wp-admin/includes/plugin.php: _get_plugin_data_markup_translate()

Sanitizes plugin data, optionally adds markup, optionally translates.
wp-admin/includes/class-wp-plugin-install-list-table.php: WP_Plugin_Install_List_Table::display_rows()
wp-admin/includes/ajax-actions.php: wp_ajax_query_themes()

Ajax handler for getting themes from themes_api().
wp-includes/kses.php: wp_kses_data()

Sanitize content with allowed HTML KSES rules.
wp-includes/kses.php: wp_filter_post_kses()

Sanitizes content for allowed HTML tags for post content.
wp-includes/kses.php: wp_kses_post()

Sanitizes content for allowed HTML tags for post content.
wp-includes/kses.php: wp_filter_nohtml_kses()

Strips all HTML from a text string.
wp-includes/kses.php: wp_filter_kses()

Sanitize content with allowed HTML KSES rules.
wp-includes/class-wp-theme.php: WP_Theme::sanitize_header()

Sanitize a theme header.
wp-includes/media.php: img_caption_shortcode()

Builds the Caption shortcode output.
wp-includes/widgets.php: wp_sidebar_description()

Retrieve description for a sidebar.
Show 18 more used by Hide more used by

Top ↑

Changelog Changelog

Changelog
Version Description
1.0.0 Introduced.

Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note 1 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 20You must log in to vote on the helpfulness of this note
    Contributed by Bart Kuijper

    Many function names in WordPress are self-explanatory and if they aren’t, their documentation usually sheds some light on how they got their name. I find this makes it easier to later recall their names and uses. However, wp_kses is an exception. So for anyone else wondering:

    kses comes from the terms XSS (cross-site scripting) and access. It’s also a recursive acronym (every open-source project should have one!) for “kses strips evil scripts”.

  2. Skip to note 2 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 12You must log in to vote on the helpfulness of this note
    Contributed by Codex

    Allowed HTML tags array
    This is an example of how to format an array of allowed HTML tags and attributes.

    array(
    'a' => array(
        'href' => array(),
        'title' => array()
    ),
    'br' => array(),
    'em' => array(),
    'strong' => array(),
);
  3. Skip to note 3 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 4You must log in to vote on the helpfulness of this note
    Contributed by Abdul Hadi

    WordPress wp_kses is an HTML filtering mechanism. If you need to escape your output in a specific (custom) way, wp_kses function in WordPress will come handy.

    <?php
$str = 'Check Kses function I am <strong>stronger</strong> and cooler every single day <a href="#" rel="nofollow ugc">Click Here</a>';
echo $str;
$arr = array( 'br' => array(), 'p' => array(), 'strong' => array() );
echo 'String using wp_kses function....' . wp_kses( $str, $arr );
?>

    Output:
    Before wp_kses: Check Kses function I am stronger and cooler every single day Click Here
    After wp_kses: String using wp_kses function…. Check Kses function I am stronger and cooler every single day Click Here

    It will display a resultant string as shown in the output screen. It only reflects the allowed tags strong, br, p as defined in wp_kses function and anchor tag is removed. So, no link for click Here text is formed.

  5. Skip to note 5 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 1You must log in to vote on the helpfulness of this note
    Contributed by Tom Sneddon 
    // Allowed img tag and support svg base64 data like:  <img src="data:image/svg+xml;base64,__base64_code__" />
function wpdocs_allowed_html() {
	return array(
		'img' => array(
			'title' => array(),
			'src'	=> array(),
			'alt'	=> array(),
		)
	);
}

function wpdocs_allowed_protocols() {
	return array(
		'data' 	=> array(),
		'http'	=> array(),
		'https' => array(),
	);
}

function wpdocs_output_img() {
	$html = '';
	ob_start();
	?>

	<img src="data:image/svg+xml;base64,Your_base64_code" title="img_title" alt="alt_info" />

	<?php 
	$html = ob_get_contents();
	ob_end_clean();
	return $html;
}

$allowed_html      = wpdocs_allowed_html();
$allowed_protocols = wpdocs_allowed_protocols();
$wpdocs_img        = wpdocs_output_img();

echo wp_kses( $wpdocs_img, $allowed_html, $allowed_protocols )

    Expand full source codeCollapse full source code

You must log in before being able to contribute a note or feedback.