_wp_kses_decode_entities_chr
_wp_kses_decode_entities_chr_hexdec
_wp_kses_split_callback
safecss_filter_attr
valid_unicode
wp_filter_kses
wp_filter_nohtml_kses
wp_filter_post_kses
wp_kses
wp_kses_array_lc
wp_kses_attr
wp_kses_bad_protocol
wp_kses_bad_protocol_once
wp_kses_bad_protocol_once2
wp_kses_check_attr_val
wp_kses_data
wp_kses_decode_entities
wp_kses_hair
wp_kses_hook
wp_kses_html_error
wp_kses_js_entities
wp_kses_named_entities
wp_kses_no_null
wp_kses_normalize_entities
wp_kses_normalize_entities2
wp_kses_normalize_entities3
wp_kses_post
wp_kses_split
wp_kses_split2
wp_kses_stripslashes
wp_kses_version
BP_CUSTOM_TAGS
_wp_kses_decode_entities_chr(array $match) : string
_wp_kses_decode_entities_chr_hexdec(array $match) : string
_wp_kses_split_callback($match)
safecss_filter_attr($css, $deprecated = '')
valid_unicode(integer $i) : boolean
| package | External |
|---|---|

$i (integer): Unicode value
Returns (boolean): true if the value was a valid Unicode number

wp_filter_kses(string $data) : string
| package | External |
|---|---|
| since | 1.0.0 |
| uses |

$data (string): Content to filter, expected to be escaped with slashes
Returns (string): Filtered content

wp_filter_nohtml_kses(string $data) : string
| package | External |
|---|---|
| since | 2.1.0 |

$data (string): Content to strip all HTML from
Returns (string): Filtered content without any HTML

wp_filter_post_kses(string $data) : string
Post content refers to the page contents of the 'post' type and not $_POST data from forms.
| package | External |
|---|---|
| since | 2.0.0 |
| uses |

$data (string): Post content to filter, expected to be escaped with slashes
Returns (string): Filtered post content with allowed HTML tags and attributes intact.

wp_kses(string $string, array $allowed_html, array $allowed_protocols = array()) : string
This function makes sure that only the allowed HTML element names, attribute names and attribute values plus only sane HTML entities will occur in $string. You have to remove any slashes from PHP's magic quotes before you call this function.
The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This covers all common link protocols, except for 'javascript' which should not be allowed for untrusted users.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): Content to filter through kses
$allowed_html (array): List of allowed HTML elements
$allowed_protocols (array): Optional. Allowed protocol in links.
Returns (string): Filtered content with only allowed HTML elements

wp_kses_array_lc(array $inarray) : array
| package | External |
|---|---|
| since | 1.0.0 |

$inarray (array): Unfiltered array
Returns (array): Fixed array with all lowercase keys

wp_kses_attr(string $element, string $attr, array $allowed_html, array $allowed_protocols) : string
If some are allowed it calls wp_kses_hair() to split them further, and then it builds up new HTML code from the data that kses_hair() returns. It also removes "<" and ">" characters, if there are any left. One more thing it does is to check if the tag has a closing XHTML slash, and if it does, it puts one in the returned code as well.
| package | External |
|---|---|
| since | 1.0.0 |

$element (string): HTML element/tag
$attr (string): HTML attributes from HTML element to closing HTML element tag
$allowed_html (array): Allowed HTML elements
$allowed_protocols (array): Allowed protocols to keep
Returns (string): Sanitized HTML element

wp_kses_bad_protocol(string $string, array $allowed_protocols) : string
This function removes all non-allowed protocols from the beginning of $string. It ignores whitespace and the case of the letters, and it does understand HTML entities. It does its work in a while loop, so it won't be fooled by a string like "javascript:javascript:alert(57)".
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): Content to filter bad protocols from
$allowed_protocols (array): Allowed protocols to keep
Returns (string): Filtered content

wp_kses_bad_protocol_once(string $string, string $allowed_protocols) : string
This function searches for URL protocols at the beginning of $string, while handling whitespace and HTML entities.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): Content to check for bad protocols
$allowed_protocols (string): Allowed protocols
Returns (string): Sanitized content

wp_kses_bad_protocol_once2(string $string, string $allowed_protocols) : string
This function processes URL protocols, checks to see if they're in the white-list or not, and returns different data depending on the answer.
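
The loop described for wp_kses_bad_protocol(), combined with the whitespace and entity handling of wp_kses_bad_protocol_once() and the allow-list check of wp_kses_bad_protocol_once2(), shown as an added example that is not WordPress's own code. It is a simplified stand-alone re-implementation; every `demo_*` function, the shortened allow-list and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not WordPress's kses.php; every demo_* name is hypothetical.

// Decode numeric entities in the ASCII range only (&#106; / &#x6A;); leave the rest.
function demo_decode_numeric_entities(string $s): string {
    $s = preg_replace_callback('/&#0*([0-9]{1,3});/',
        fn($m) => ((int) $m[1] < 128) ? chr((int) $m[1]) : $m[0], $s);
    return preg_replace_callback('/&#[Xx]0*([0-9A-Fa-f]{1,2});/',
        fn($m) => (hexdec($m[1]) < 128) ? chr(hexdec($m[1])) : $m[0], $s);
}

// Single pass: drop ONE leading scheme if it is not on the allow-list.
function demo_strip_scheme_once(string $s, array $allowed): string {
    // Split on a literal colon or its numeric-entity spellings.
    $parts = preg_split('/:|&#0*58;|&#[Xx]0*3[Aa];/', $s, 2);
    if (count($parts) < 2) {
        return $s;                       // no scheme separator at all
    }
    // Normalise the candidate: decode entities, drop whitespace/control bytes, lowercase.
    $scheme = strtolower(preg_replace('/[\x00-\x20]+/', '',
        demo_decode_numeric_entities($parts[0])));
    if (!preg_match('/^[a-z][a-z0-9+.\-]*$/', $scheme) || in_array($scheme, $allowed, true)) {
        return $s;                       // not a scheme, or an allowed one
    }
    return $parts[1];                    // disallowed scheme removed
}

// Repeat until the string stops changing, so a nested prefix cannot survive.
function demo_strip_bad_schemes(string $s, array $allowed): string {
    do {
        $before = $s;
        $s = demo_strip_scheme_once($s, $allowed);
    } while ($s !== $before);
    return $s;
}

$allowed = ['http', 'https', 'mailto'];  // subset of the defaults listed above
$samples = [                             // constructed inputs
    'javascript:javascript:alert(57)',   // the string quoted in the description
    " JaVa\tScRiPt:alert(57)",
    'jav&#x61;script&#58;alert(57)',
    'https://example.com/a:b',
];
foreach ($samples as $in) {
    printf("%-36s once=%-24s loop=%s\n", json_encode($in, JSON_UNESCAPED_SLASHES),
        json_encode(demo_strip_scheme_once($in, $allowed), JSON_UNESCAPED_SLASHES),
        json_encode(demo_strip_bad_schemes($in, $allowed), JSON_UNESCAPED_SLASHES));
}
```

For the first sample the single pass still returns a value that begins with a disallowed scheme, while the looped version does not; the allowed `https` URL passes through both unchanged.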
| package | External |
|---|---|
| access | private |
| since | 1.0.0 |

$string (string): URI scheme to check against the whitelist
$allowed_protocols (string): Allowed protocols
Returns (string): Sanitized content

wp_kses_check_attr_val(string $value, string $vless, string $checkname, mixed $checkvalue) : boolean
The currently implemented checks are "maxlen", "minlen", "maxval", "minval" and "valueless" with even more checks to come soon.
| package | External |
|---|---|
| since | 1.0.0 |

$value (string): Attribute value
$vless (string): Whether the value is valueless. Use 'y' or 'n'
$checkname (string): What $checkvalue is checking for.
$checkvalue (mixed): What constraint the value should pass
Returns (boolean): Whether check passes

wp_kses_data(string $data) : string
| package | External |
|---|---|
| since | 2.9.0 |
| uses |

$data (string): Content to filter, expected to not be escaped
Returns (string): Filtered content

wp_kses_decode_entities(string $string) : string
This function decodes numeric HTML entities (`&#65;` and `&#x41;`). It doesn't do anything with other entities like `&auml;`, but we don't need them in the URL protocol whitelisting system anyway.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): Content to change entities
Returns (string): Content after decoded entities

wp_kses_hair(string $attr, array $allowed_protocols) : array
This function does a lot of work. It parses an attribute list into an array with attribute data, and tries to do the right thing even if it gets weird input. It will add quotes around attribute values that don't have any quotes or apostrophes around them, to make it easier to produce HTML code that will conform to W3C's HTML specification. It will also remove bad URL protocols from attribute values. It also reduces duplicate attributes by using the attribute defined first (foo='bar' foo='baz' will result in foo='bar').
| package | External |
|---|---|
| since | 1.0.0 |

$attr (string): Attribute list from HTML element to closing HTML element tag
$allowed_protocols (array): Allowed protocols to keep
Returns (array): List of attributes after parsing

wp_kses_hook(string $string, array $allowed_html, array $allowed_protocols) : string
There is currently only one kses WordPress hook and it is called here. All parameters are passed to the hooks and expected to receive a string.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): Content to filter through kses
$allowed_html (array): List of allowed HTML elements
$allowed_protocols (array): Allowed protocol in links
Returns (string): Filtered content through 'pre_kses' hook

wp_kses_html_error(string $string) : string
The general plan is to remove everything to and including some whitespace, but it deals with quotes and apostrophes as well.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string)
Returns (string)

wp_kses_js_entities(string $string) : string
wp_kses_named_entities(array $matches) : string
This function only accepts valid named entity references, which are finite, case-sensitive, and highly scrutinized by HTML and XML validators.
| package | External |
|---|---|
| since | 3.0.0 |

$matches (array): preg_replace_callback() matches array
Returns (string): Correctly encoded entity

wp_kses_no_null(string $string) : string
wp_kses_normalize_entities(string $string) : string
This function normalizes HTML entities. It will convert "AT&T" to the correct "AT&amp;amp;T", "&amp;#00058;" to "&amp;#58;", "&amp;#XYZZY;" to "&amp;amp;#XYZZY;" and so on.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): Content to normalize entities
Returns (string): Content with normalized entities

wp_kses_normalize_entities2(array $matches) : string
This function helps wp_kses_normalize_entities() to only accept 16 bit values and nothing more for `&#number;` entities.
| package | External |
|---|---|
| access | private |
| since | 1.0.0 |

$matches (array): preg_replace_callback() matches array
Returns (string): Correctly encoded entity

wp_kses_normalize_entities3(array $matches) : string
This function helps wp_kses_normalize_entities() to only accept valid Unicode numeric entities in hex form.
| package | External |
|---|---|
| access | private |

$matches (array): preg_replace_callback() matches array
Returns (string): Correctly encoded entity

wp_kses_post(string $data) : string
Post content refers to the page contents of the 'post' type and not $_POST data from forms.
| package | External |
|---|---|
| since | 2.9.0 |
| uses |

$data (string): Post content to filter
Returns (string): Filtered post content with allowed HTML tags and attributes intact.

wp_kses_split(string $string, array $allowed_html, array $allowed_protocols) : string
It also matches stray ">" characters.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): Content to filter
$allowed_html (array): Allowed HTML elements
$allowed_protocols (array): Allowed protocols to keep
Returns (string): Content with fixed HTML tags

wp_kses_split2(string $string, array $allowed_html, array $allowed_protocols) : string
This function does a lot of work. It rejects some very malformed things like `<:::>`. It returns an empty string if the element isn't allowed (look ma, no strip_tags()!). Otherwise it splits the tag into an element and an attribute list. After the tag is split into an element and an attribute list, it is run through another filter which will remove illegal attributes and once that is completed, will be returned.

| package | External |
|---|---|
| access | private |
| since | 1.0.0 |
| uses |

$string (string): Content to filter
$allowed_html (array): Allowed HTML elements
$allowed_protocols (array): Allowed protocols to keep
Returns (string): Fixed HTML element

wp_kses_stripslashes(string $string) : string
This function changes the character sequence \" to just ". It leaves all other slashes alone. It's really weird, but the quoting from preg_replace(//e) seems to require this.
| package | External |
|---|---|
| since | 1.0.0 |

$string (string): String to strip slashes
Returns (string): Fixed strings with quoted slashes

wp_kses_version() : string