wp_kses_bad_protocol( string $string, string[] $allowed_protocols ): string

Sanitizes a string and removed disallowed URL protocols.


Description

This function removes all non-allowed protocols from the beginning of the string. It ignores whitespace and the case of the letters, and it does understand HTML entities. It does its work recursively, so it won’t be fooled by a string like javascript:javascript:alert(57).


Top ↑

Parameters

$string string Required
Content to filter bad protocols from.
$allowed_protocols string[] Required
Array of allowed URL protocols.

Top ↑

Return

string Filtered content.


Top ↑

Source

File: wp-includes/kses.php. View all references

function wp_kses_bad_protocol( $string, $allowed_protocols ) {
	$string     = wp_kses_no_null( $string );
	$iterations = 0;

	do {
		$original_string = $string;
		$string          = wp_kses_bad_protocol_once( $string, $allowed_protocols );
	} while ( $original_string != $string && ++$iterations < 6 );

	if ( $original_string != $string ) {
		return '';
	}

	return $string;
}


Top ↑

Changelog

Changelog
Version Description
1.0.0 Introduced.

Top ↑

User Contributed Notes

You must log in before being able to contribute a note or feedback.