* @var string[] $allowedxmlentitynames Array of KSES allowed XML entitity names.
$allowedxmlnamedentities = array(
$allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
$allowedtags = wp_kses_array_lc( $allowedtags );
$allowedposttags = wp_kses_array_lc( $allowedposttags );
* Filters text content and strips out disallowed HTML.
* This function makes sure that only the allowed HTML element names, attribute
* names, attribute values, and HTML entities will occur in the given text string.
* This function expects unslashed data.
* @see wp_kses_post() for specifically filtering post content and fields.
* @see wp_allowed_protocols() for the default allowed protocols in link URLs.
* @param string $string Text content to filter.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Array of allowed URL protocols.
* @return string Filtered content containing only the allowed HTML.
function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
if ( empty( $allowed_protocols ) ) {
$allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
$string = wp_kses_normalize_entities( $string );
$string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
return wp_kses_split( $string, $allowed_html, $allowed_protocols );
* Filters one HTML attribute and ensures its value is allowed.
* This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
* @param string $string The 'whole' attribute, including name and value.
* @param string $element The HTML element name to which the attribute belongs.
* @return string Filtered attribute.
function wp_kses_one_attr( $string, $element ) {
$uris = wp_kses_uri_attributes();
$allowed_html = wp_kses_allowed_html( 'post' );
$allowed_protocols = wp_allowed_protocols();
$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
// Preserve leading and trailing whitespace.
preg_match( '/^\s*/', $string, $matches );
preg_match( '/\s*$/', $string, $matches );
$string = substr( $string, strlen( $lead ) );
$string = substr( $string, strlen( $lead ), -strlen( $trail ) );
// Parse attribute name and value from input.
$split = preg_split( '/\s*=\s*/', $string, 2 );
if ( count( $split ) == 2 ) {
// Remove quotes surrounding $value.
// Also guarantee correct quoting in $string for this one attribute.
if ( '"' === $quote || "'" === $quote ) {
if ( substr( $value, -1 ) != $quote ) {
$value = substr( $value, 1, -1 );
// Sanitize quotes, angle braces, and entities.
$value = esc_attr( $value );
if ( in_array( strtolower( $name ), $uris, true ) ) {
$value = wp_kses_bad_protocol( $value, $allowed_protocols );
$string = "$name=$quote$value$quote";
// Sanitize attribute by name.
wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
return $lead . $string . $trail;
* Returns an array of allowed HTML tags and attributes for a given context.
* @since 5.0.1 `form` removed as allowable HTML tag.
* @global array $allowedposttags
* @global array $allowedtags
* @global array $allowedentitynames
* @param string|array $context The context for which to retrieve tags. Allowed values are 'post',
* 'strip', 'data', 'entities', or the name of a field filter such as
* 'pre_user_description'.
* @return array Array of allowed HTML tags and their allowed attributes.
function wp_kses_allowed_html( $context = '' ) {
global $allowedposttags, $allowedtags, $allowedentitynames;
if ( is_array( $context ) ) {
* Filters the HTML that is allowed for a given context.
* @param array[]|string $context Context to judge allowed tags by.
* @param string $context_type Context name.
return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' );
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
$tags = $allowedposttags;
'accept-charset' => true,
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
case 'pre_user_description':
$tags['a']['rel'] = true;
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $tags, $context );
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', array(), $context );
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context );
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
* You add any KSES hooks here.
* There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here.
* All parameters are passed to the hooks and expected to receive a string.
* @param string $string Content to filter through KSES.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Array of allowed URL protocols.
* @return string Filtered content through {@see 'pre_kses'} hook.
function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) {
* Filters content to be run through KSES.
* @param string $string Content to filter through KSES.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Array of allowed URL protocols.
return apply_filters( 'pre_kses', $string, $allowed_html, $allowed_protocols );
* Returns the version number of KSES.
* @return string KSES version number.
function wp_kses_version() {
* Searches for HTML tags, no matter how malformed.
* It also matches stray `>` characters.
* @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'.
* @global string[] $pass_allowed_protocols Array of allowed URL protocols.
* @param string $string Content to filter.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Array of allowed URL protocols.
* @return string Content with fixed HTML tags
function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
global $pass_allowed_html, $pass_allowed_protocols;
$pass_allowed_html = $allowed_html;
$pass_allowed_protocols = $allowed_protocols;
return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
* Returns an array of HTML attribute names whose value contains a URL.
* This function returns a list of all HTML attributes that must contain
* a URL according to the HTML specification.
* This list includes URI attributes both allowed and disallowed by KSES.
* @link https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes
* @return string[] HTML attribute names whose value contains a URL.
function wp_kses_uri_attributes() {
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
