wp_kses( string $content, array[]|string $allowed_html, string[] $allowed_protocols = array() ): string

Filters text content and strips out disallowed HTML.

Description

This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.

This function expects unslashed data. WordPress adds slashes to $_POST, $_GET and similar superglobals, so run wp_unslash() on values taken from them before passing them to wp_kses().

Parameters

$content (string, required)
    Text content to filter.
$allowed_html (array[]|string, required)
    An array of allowed HTML elements and attributes, or a context name such as 'post'. See wp_kses_allowed_html() for the list of accepted context names.
$allowed_protocols (string[], optional)
    Array of allowed URL protocols. Defaults to the result of wp_allowed_protocols().
    Default: array()

Return

string Filtered content containing only the allowed HTML.

More Information

KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.

For the parameter $allowed_protocols, the default list comes from wp_allowed_protocols() and includes http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed and telnet, plus, in current versions, further schemes such as tel, sms, xmpp and webcal; the list can be changed with the kses_allowed_protocols filter. It deliberately omits javascript (and data), which must not be allowed for untrusted users. The parameter is a plain list of scheme names without the trailing colon, for example array( 'http', 'https' ), not an associative array. When an attribute value uses a scheme that is not on the list, wp_kses_bad_protocol() strips the scheme and keeps the rest of the value, so javascript:alert(1) becomes alert(1) rather than being removed outright.
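The following is an added example, not code from the original page or from WordPress core, showing the two forms $allowed_html can take (an explicit element/attribute array and a context name) together with an explicit $allowed_protocols list and the wp_kses_allowed_html filter for extending a named context. It assumes it runs inside a loaded WordPress installation; the wpdocs_-prefixed function names and the $untrusted sample string are made up for the demonstration.

```php
<?php
/**
 * Added example (not part of the original page or of WordPress core).
 * Assumes WordPress is loaded; function names with the wpdocs_ prefix and
 * the sample input are assumptions made up for this demonstration.
 */

// Explicit allow-list: element names as keys, attribute names as sub-keys.
// Anything not listed here (script, iframe, style, on* handlers, ...) is removed.
function wpdocs_comment_allowed_html() {
	return array(
		'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
		'em'     => array(),
		'strong' => array(),
		'code'   => array(),
		'br'     => array(),
	);
}

// Sanitize with the explicit list and a deliberately short protocol list.
// $allowed_protocols is a plain list of scheme names (no colons, no keys).
// wp_kses() expects unslashed data: if $untrusted came from $_POST, pass
// wp_unslash( $_POST['field'] ) rather than the raw superglobal value.
function wpdocs_sanitize_comment_html( $untrusted ) {
	$allowed_protocols = array( 'http', 'https', 'mailto' );
	return wp_kses( $untrusted, wpdocs_comment_allowed_html(), $allowed_protocols );
}

// The same call using a context name: 'post' resolves to the list returned
// by wp_kses_allowed_html( 'post' ), which is what wp_kses_post() uses.
function wpdocs_sanitize_post_html( $untrusted ) {
	return wp_kses( $untrusted, 'post' );
}

// Extending a named context instead of writing a full list: the filter
// receives the element array and the context name. Here <a> may carry a
// data-track attribute in the 'post' context only.
add_filter(
	'wp_kses_allowed_html',
	function ( $allowed, $context ) {
		if ( 'post' === $context ) {
			$allowed['a']['data-track'] = true;
		}
		return $allowed;
	},
	10,
	2
);

// Constructed sample input containing the things an attacker would try.
$untrusted = '<p onmouseover="alert(1)">Hi <strong>there</strong></p>'
	. '<script>alert(1)</script>'
	. '<a href="javascript:alert(1)" onclick="alert(1)">link</a>'
	. '<a href="https://example.com/" rel="nofollow">ok</a>';

echo wpdocs_sanitize_comment_html( $untrusted );
echo "\n";
echo wpdocs_sanitize_post_html( $untrusted );
```

With the comment list, the <p> element is not allowed, so its tags are removed while its text is kept; the <script> tags are removed but the text between them stays, because KSES strips tags and attributes, not text; both event-handler attributes are dropped; and wp_kses_bad_protocol() strips the javascript: scheme from the first href, leaving the harmless remainder. The second <a> survives intact because https is on the protocol list and rel is allowed.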

Source

function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}

	$content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) );
	$content = wp_kses_normalize_entities( $content );
	$content = wp_kses_hook( $content, $allowed_html, $allowed_protocols );

	return wp_kses_split( $content, $allowed_html, $allowed_protocols );
}

Changelog

Version    Description
1.0.0      Introduced.

User Contributed Notes

  1.

    Many function names in WordPress are self-explanatory and if they aren’t, their documentation usually sheds some light on how they got their name. I find this makes it easier to later recall their names and uses. However, wp_kses is an exception. So for anyone else wondering:

    kses comes from the terms XSS (cross-site scripting) and access. It’s also a recursive acronym (every open-source project should have one!) for “kses strips evil scripts”.

  2.

    Allowed HTML tags array
    This is an example of how to format an array of allowed HTML tags and attributes.

    array(
        'a' => array(
            'href' => array(),
            'title' => array()
        ),
        'br' => array(),
        'em' => array(),
        'strong' => array(),
    );
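Beyond the empty arrays shown in the note above, the per-attribute array in $allowed_html can carry value checks (maxlen, minlen, minval, maxval) that wp_kses() enforces through wp_kses_check_attr_val(); an attribute that fails any of its checks is dropped from the element. The block below is an added example, not code from the note's author or from WordPress core; it assumes a loaded WordPress installation, and the wpdocs_-prefixed names and the sample input are made up for the demonstration.

```php
<?php
/**
 * Added example (not part of the original note or of WordPress core).
 * Assumes WordPress is loaded; the wpdocs_ function names and the sample
 * input are assumptions made up for this demonstration.
 */
function wpdocs_image_allowed_html() {
	return array(
		'img' => array(
			// Empty array: the attribute is allowed with any value
			// (the URL in src is still subject to the protocol check).
			'alt'    => array(),
			'src'    => array(),
			// maxlen: byte length of the value must not exceed the limit,
			// otherwise the attribute is removed.
			'title'  => array( 'maxlen' => 80 ),
			// minval / maxval: the value must be an integer within the range;
			// a non-numeric value fails the check and the attribute is removed.
			'width'  => array( 'minval' => 1, 'maxval' => 1200 ),
			'height' => array( 'minval' => 1, 'maxval' => 1200 ),
		),
		'input' => array(
			'type' => array(),
			// minlen and maxlen can be combined on one attribute.
			'name' => array( 'minlen' => 1, 'maxlen' => 32 ),
		),
	);
}

function wpdocs_sanitize_image_html( $untrusted ) {
	return wp_kses( $untrusted, wpdocs_image_allowed_html(), array( 'http', 'https' ) );
}

// Constructed input: width out of range, non-numeric height, an event
// handler that is not in the list at all, and an over-long title.
$untrusted = '<img src="https://example.com/a.png" alt="a" width="5000" height="abc"'
	. ' title="' . str_repeat( 'x', 200 ) . '" onerror="alert(1)">'
	. '<input type="text" name="q">';

echo wpdocs_sanitize_image_html( $untrusted );
```

In this input the width, height and title attributes each fail their check and are removed, onerror is removed because it is not listed, and src and alt survive; the <input> element keeps both of its attributes. Using such ranges is a cheap way to reject attribute values that are syntactically valid but abusive, such as oversized dimensions, without writing a custom filter.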
  3.

    WordPress's wp_kses is an HTML filtering mechanism. If you need to escape your output in a specific (custom) way, the wp_kses function in WordPress will come in handy.

    <?php
    $str = 'Check Kses function I am <strong>stronger</strong> and cooler every single day <a href="#" rel="nofollow ugc">Click Here</a>';
    echo $str;
    $arr = array( 'br' => array(), 'p' => array(), 'strong' => array() );
    echo 'String using wp_kses function....' . wp_kses( $str, $arr );
    ?>

    Output:
    Before wp_kses: Check Kses function I am stronger and cooler every single day Click Here
    After wp_kses: String using wp_kses function…. Check Kses function I am stronger and cooler every single day Click Here

    It will display a resultant string as shown in the output above. It only keeps the allowed tags strong, br and p as defined in the wp_kses call, and the anchor tag is removed. So no link is formed for the "Click Here" text.

  4.
    // Allow an img tag whose src may be an SVG data URI, like:
    // <img src="data:image/svg+xml;base64,__base64_code__" />
    function wpdocs_allowed_html() {
    	return array(
    		'img' => array(
    			'title' => array(),
    			'src'   => array(),
    			'alt'   => array(),
    		),
    	);
    }

    // $allowed_protocols must be a plain list of scheme names (string[]),
    // not an associative array: wp_kses compares each list entry with
    // strtolower(), which fails on an array value.
    function wpdocs_allowed_protocols() {
    	return array( 'data', 'http', 'https' );
    }

    // Build the markup via output buffering and return it as a string.
    function wpdocs_output_img() {
    	$html = '';
    	ob_start();
    	?>

    	<img src="_base64_code" title="img_title" alt="alt_info" />

    	<?php
    	$html = ob_get_contents();
    	ob_end_clean();
    	return $html;
    }

    $allowed_html      = wpdocs_allowed_html();
    $allowed_protocols = wpdocs_allowed_protocols();
    $wpdocs_img        = wpdocs_output_img();

    echo wp_kses( $wpdocs_img, $allowed_html, $allowed_protocols );
  5.

    If you want to keep certain style properties you have to use another filter.
    Unfortunately wp_kses will check the style properties against a list of allowed properties, and it will still strip the style attribute if none of the styles are safe.

    E.g. use this filter if you want to keep the `display` property within a `style`:

    add_filter( 'safe_style_css', function( $styles ) {
        $styles[] = 'display';
        return $styles;
    } );

    Check kses.php for the defaults:
    https://core.trac.wordpress.org/browser/trunk/src/wp-includes/kses.php

  6.

    If you are using wp_kses to escape SVG, be warned that `wp_kses()` will strip camel-cased attributes from your args. Make sure your args use the lowercase form of their camel-cased equivalents. For example:

    $args = array(
    	'svg'            => array(
    		'viewbox'             => true, // viewBox
    		'preserveaspectratio' => true, // preserveAspectRatio
    	),
    	'lineargradient' => array(             // linearGradient
    		'gradientunits'     => true,   // gradientUnits
    		'gradienttransform' => true,   // gradientTransform
    		'spreadmethod'      => true,   // spreadMethod
    	),
    );
  7.

    Sanitize SVG markup for front-end display using wp_kses and a list of allowed HTML elements and attributes specific to an SVG tag.

    /**
     * Sanitize SVG markup for front-end display.
     *
     * @param  string $svg SVG markup to sanitize.
     * @return string      Sanitized markup.
     */
    function prefix_sanitize_svg( $svg = '' ) {
    	$allowed_html = [
    		'svg'  => [
    			'xmlns'       => [],
    			'fill'        => [],
    			'viewbox'     => [],
    			'role'        => [],
    			'aria-hidden' => [],
    			'focusable'   => [],
    			'height'      => [],
    			'width'       => [],
    		],
    		'path' => [
    			'd'    => [],
    			'fill' => [],
    		],
    	];
    
    	return wp_kses( $svg, $allowed_html );
    }
