Filters text content and strips out disallowed HTML.

Description

This function makes sure that only the allowed HTML element names, attribute names, attribute values, and HTML entities will occur in the given text string.

This function expects unslashed data.

See also

• wp_kses_post(): for specifically filtering post content and fields.
• wp_allowed_protocols(): for the default allowed protocols in link URLs.

Parameters

$contentstringrequired

Text content to filter.

$allowed_htmlarray[]|stringrequired

An array of allowed HTML elements and attributes, or a context name such as 'post'. See wp_kses_allowed_html() for the list of accepted context names.

$allowed_protocolsstring[]optional

Array of allowed URL protocols.
Defaults to the result of wp_allowed_protocols() .

Default:array()

Return

More Information

KSES is a recursive acronym which stands for “KSES Strips Evil Scripts”.

For parameter $allowed_protocols, the default allowed protocols are http, https, ftp, mailto, news, irc, gopher, nntp, feed, and telnet. This covers all common link protocols, except for javascript, which should not be allowed for untrusted users.

Source

function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) {
	if ( empty( $allowed_protocols ) ) {
		$allowed_protocols = wp_allowed_protocols();
	}

	$content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) );
	$content = wp_kses_normalize_entities( $content );
	$content = wp_kses_hook( $content, $allowed_html, $allowed_protocols );

	return wp_kses_split( $content, $allowed_html, $allowed_protocols );
}

View all references View on Trac View on GitHub

Changelog