WordPress.org
Get WordPress
WordPress.org

WordPress Developer Resources

wp_kses_bad_protocol()

wp_kses_bad_protocol( string $content, string[] $allowed_protocols ): string

In this article

Back to top

Sanitizes a string and removed disallowed URL protocols.

Description

This function removes all non-allowed protocols from the beginning of the string. It ignores whitespace and the case of the letters, and it does understand HTML entities. It does its work recursively, so it won’t be fooled by a string like javascript:javascript:alert(57).

Parameters

$contentstringrequired
Content to filter bad protocols from.
$allowed_protocolsstring[]required
Array of allowed URL protocols.

Return

string Filtered content.

Source

function wp_kses_bad_protocol( $content, $allowed_protocols ) {
	$content = wp_kses_no_null( $content );

	// Short-circuit if the string starts with `https://` or `http://`. Most common cases.
	if (
		( str_starts_with( $content, 'https://' ) && in_array( 'https', $allowed_protocols, true ) ) ||
		( str_starts_with( $content, 'http://' ) && in_array( 'http', $allowed_protocols, true ) )
	) {
		return $content;
	}

	$iterations = 0;

	do {
		$original_content = $content;
		$content          = wp_kses_bad_protocol_once( $content, $allowed_protocols );
	} while ( $original_content !== $content && ++$iterations < 6 );

	if ( $original_content !== $content ) {
		return '';
	}

	return $content;
}

View all references View on Trac View on GitHub

UsesDescription
wp_kses_no_null()wp-includes/kses.php

Removes any invalid control characters in a text string.

wp_kses_bad_protocol_once()wp-includes/kses.php

Sanitizes content from bad protocols and other characters.

Used byDescription
wp_kses_one_attr()wp-includes/kses.php

Filters one HTML attribute and ensures its value is allowed.

esc_url()wp-includes/formatting.php

Checks and cleans a URL.

safecss_filter_attr()wp-includes/kses.php

Filters an inline style attribute and removes disallowed rules.

wp_kses_hair()wp-includes/kses.php

Builds an attribute list from string containing attributes.

WP_Http::request()wp-includes/class-wp-http.php

Send an HTTP request to a URI.

wp_http_validate_url()wp-includes/http.php

Validates a URL for safe use in the HTTP API.

Show 1 moreShow less

Changelog

VersionDescription
1.0.0Introduced.

User Contributed Notes

You must log in before being able to contribute a note or feedback.