wp_kses_bad_protocol( string $content, string[] $allowed_protocols ): string
Sanitizes a string and removes disallowed URL protocols.
Description
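This function removes all non-allowed protocols from the beginning of the string. It ignores whitespace and the case of the letters, and it does understand HTML entities. It does its work recursively, so it won't be fooled by a string like `javascript:javascript:alert(57)`. As the source below shows, the single-pass filter is repeated until the string stops changing, and an empty string is returned if it is still changing after six passes.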
Parameters
- $content (string, Required): Content to filter bad protocols from.
- $allowed_protocols (string[], Required): Array of allowed URL protocols.
Return
string Filtered content.
Source
File: wp-includes/kses.php
```php
function wp_kses_bad_protocol( $content, $allowed_protocols ) {
	$content = wp_kses_no_null( $content );

	// Short-circuit if the string starts with `https://` or `http://`. Most common cases.
	if (
		( str_starts_with( $content, 'https://' ) && in_array( 'https', $allowed_protocols, true ) ) ||
		( str_starts_with( $content, 'http://' ) && in_array( 'http', $allowed_protocols, true ) )
	) {
		return $content;
	}

	$iterations = 0;

	do {
		$original_content = $content;
		$content          = wp_kses_bad_protocol_once( $content, $allowed_protocols );
	} while ( $original_content !== $content && ++$iterations < 6 );

	if ( $original_content !== $content ) {
		return '';
	}

	return $content;
}
```
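
The loop in the source above, as an added example that is not WordPress code: it shows what a single pass leaves behind and when the six-pass cap makes the function return an empty string. `demo_strip_once()` and `demo_bad_protocol()` are hypothetical names; the first is a simplified stand-in for `wp_kses_bad_protocol_once()` (whose body is not shown on this page), and all inputs are constructed.

```php
<?php
// Added example, not WordPress code. demo_strip_once() is a hypothetical,
// simplified stand-in for wp_kses_bad_protocol_once(): it judges only a
// leading "scheme:" prefix, which is enough to exercise the loop.
function demo_strip_once( string $content, array $allowed ): string {
	$parts = explode( ':', $content, 2 );
	if ( ! isset( $parts[1] ) ) {
		return $content; // No colon, so nothing to judge.
	}
	// Normalise the candidate scheme: decode entities, drop whitespace, lowercase.
	$scheme = html_entity_decode( $parts[0] );
	$scheme = strtolower( preg_replace( '/\s+/', '', $scheme ) );
	if ( in_array( $scheme, $allowed, true ) ) {
		return $scheme . ':' . $parts[1]; // Allowed: keep it in normalised form.
	}
	return ltrim( $parts[1] ); // Disallowed: drop the prefix, keep the rest.
}

// Same loop as wp_kses_bad_protocol() above, using the stand-in pass.
function demo_bad_protocol( string $content, array $allowed ): string {
	$iterations = 0;
	do {
		$original = $content;
		$content  = demo_strip_once( $content, $allowed );
	} while ( $original !== $content && ++$iterations < 6 );
	// Still changing after six passes: return nothing rather than a partial result.
	return ( $original !== $content ) ? '' : $content;
}

$allowed = array( 'http', 'https', 'mailto' );
$cases   = array( // Constructed inputs.
	'javascript:javascript:alert(57)',
	'JAVA&#83;CRIPT :alert(57)',
	'mailto:admin@example.com',
	str_repeat( 'javascript:', 5 ) . 'alert(57)',
	str_repeat( 'javascript:', 6 ) . 'alert(57)',
);
foreach ( $cases as $case ) {
	printf(
		"input=%s\n  one pass: %s\n  looped:   %s\n",
		var_export( $case, true ),
		var_export( demo_strip_once( $case, $allowed ), true ),
		var_export( demo_bad_protocol( $case, $allowed ), true )
	);
}
```

With these inputs, one pass over the doubled prefix still returns `javascript:alert(57)`, five nested prefixes converge to `alert(57)`, and six nested prefixes return an empty string.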
Changelog
Version | Description |
---|---|
1.0.0 | Introduced. |