wp_kses

The timeline below shows how the WordPress function wp_kses has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.2

/**
 * Strips disallowed HTML from a piece of text.
 *
 * After filtering, the only HTML element names, attribute names, attribute
 * values, and HTML entities left in the string are the allowed ones.
 *
 * The input must already be unslashed.
 *
 * `$allowed_html` and the resolved protocol list are handed unchanged to
 * wp_kses_hook() and wp_kses_split(), so the result is only as strict as the
 * allowlist the caller supplies.
 *
 * @see wp_kses_post() for specifically filtering post content and fields.
 * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 *
 * @since 1.0.0
 *
 * @param string         $content           Text content to filter.
 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names.
 * @param string[]       $allowed_protocols Optional. Array of allowed URL protocols. Any empty value,
 *                                          including an empty array, selects the result of
 *                                          wp_allowed_protocols().
 * @return string Filtered content containing only the allowed HTML.
 */
function wp_kses($content, $allowed_html, $allowed_protocols = array())
{
    // empty() cannot tell "omitted" from "array()": an empty list does not
    // mean "allow no protocols", it means "use the defaults".
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // The stages run in a fixed order and each consumes the previous result.
    // 'slash_zero' => 'keep' is forwarded to wp_kses_no_null(), which is not
    // part of this listing (in core the option leaves backslash-zero
    // sequences in place instead of stripping them).
    $without_nulls = wp_kses_no_null($content, array('slash_zero' => 'keep'));
    $normalized    = wp_kses_normalize_entities($without_nulls);

    // Whatever wp_kses_hook() returns is still passed through wp_kses_split()
    // below, with the same allowlist and protocol list.
    $hooked = wp_kses_hook($normalized, $allowed_html, $protocols);

    return wp_kses_split($hooked, $allowed_html, $protocols);
}

WordPress Version: 6.1

/**
 * Strips disallowed HTML from a piece of text.
 *
 * After filtering, the only HTML element names, attribute names, attribute
 * values, and HTML entities left in the string are the allowed ones.
 *
 * The input must already be unslashed.
 *
 * `$allowed_html` is not inspected here; it is forwarded as given to
 * wp_kses_hook() and wp_kses_split(), so the caller's allowlist decides how
 * strict the result is.
 *
 * @see wp_kses_post() for specifically filtering post content and fields.
 * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 *
 * @since 1.0.0
 *
 * @param string         $string            Text content to filter.
 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names.
 * @param string[]       $allowed_protocols Optional. Array of allowed URL protocols. Any empty value,
 *                                          including an empty array, selects the result of
 *                                          wp_allowed_protocols().
 * @return string Filtered content containing only the allowed HTML.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    // An empty protocol list is treated the same as an omitted one: the
    // defaults apply, so array() cannot be used to forbid every protocol.
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // Fixed stage order: null handling, then entity normalization, then the
    // hook, then the split. Each stage receives the previous stage's output.
    $without_nulls = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $normalized    = wp_kses_normalize_entities($without_nulls);
    $hooked        = wp_kses_hook($normalized, $allowed_html, $protocols);

    // The hook's output is not returned directly; it goes through the split.
    return wp_kses_split($hooked, $allowed_html, $protocols);
}

WordPress Version: 5.5

/**
 * Strips disallowed HTML from a piece of text.
 *
 * After filtering, the only HTML element names, attribute names, attribute
 * values, and HTML entities left in the string are the allowed ones.
 *
 * The input must already be unslashed.
 *
 * @see wp_kses_post() for specifically filtering post content and fields.
 * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 *
 * @since 1.0.0
 *
 * @param string         $string            Text content to filter.
 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
 *                                          for the list of accepted context names. Forwarded as given
 *                                          to wp_kses_hook() and wp_kses_split().
 * @param string[]       $allowed_protocols Array of allowed URL protocols. Any empty value, including
 *                                          the default empty array, selects the result of
 *                                          wp_allowed_protocols().
 * @return string Filtered content containing only the allowed HTML.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    // The parameter defaults to array(), and empty() maps that (and any other
    // empty value) to the default protocol list rather than to "none".
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // Each stage feeds the next; the order is the same as in the original
    // statement sequence and must not be rearranged.
    $without_nulls = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $normalized    = wp_kses_normalize_entities($without_nulls);
    $hooked        = wp_kses_hook($normalized, $allowed_html, $protocols);

    return wp_kses_split($hooked, $allowed_html, $protocols);
}

WordPress Version: 5.1

/**
 * Strips disallowed HTML from a piece of text.
 *
 * After filtering, the only HTML element names, attribute names, attribute
 * values, and HTML entities left in the string are the allowed ones.
 *
 * The input must already be unslashed.
 *
 * @see wp_kses_post() for specifically filtering post content and fields.
 * @see wp_allowed_protocols() for the default allowed protocols in link URLs.
 *
 * @since 1.0.0
 *
 * @param string         $string            Text content to filter.
 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes, or a
 *                                          context name such as 'post'. Forwarded as given to
 *                                          wp_kses_hook() and wp_kses_split().
 * @param string[]       $allowed_protocols Array of allowed URL protocols. Any empty value, including
 *                                          the default empty array, selects the result of
 *                                          wp_allowed_protocols().
 * @return string Filtered content containing only the allowed HTML.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    // Falling back on empty() means a caller cannot pass array() to block
    // all protocols; the default list is used in that case.
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // Stages in their original order; every stage works on the previous
    // stage's return value.
    $without_nulls = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $normalized    = wp_kses_normalize_entities($without_nulls);
    $hooked        = wp_kses_hook($normalized, $allowed_html, $protocols);

    return wp_kses_split($hooked, $allowed_html, $protocols);
}

WordPress Version: 4.7

/**
 * Filters content so that only allowable HTML elements remain.
 *
 * After filtering, $string contains only the allowed HTML element names,
 * attribute names and attribute values, plus only sane HTML entities. Any
 * slashes added by PHP's magic quotes have to be removed before this
 * function is called.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This
 * covers all common link protocols, except for 'javascript' which should not
 * be allowed for untrusted users. The list actually applied is whatever
 * wp_allowed_protocols() returns at call time.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses
 * @param array  $allowed_html      List of allowed HTML elements. Forwarded as given to
 *                                  wp_kses_hook() and wp_kses_split().
 * @param array  $allowed_protocols Optional. Allowed protocol in links. Any empty value,
 *                                  including an empty array, selects the defaults.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    // empty() treats array() like an omitted argument, so an empty list
    // yields the default protocols, not "no protocols".
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // This listing has no wp_kses_js_entities() pass; the 4.3 listing on
    // this page still runs one between these two stages.
    $without_nulls = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $normalized    = wp_kses_normalize_entities($without_nulls);

    // WordPress changed the order of these calls and added arguments to
    // wp_kses_hook(). The hook's result is still passed through the split.
    $hooked = wp_kses_hook($normalized, $allowed_html, $protocols);

    return wp_kses_split($hooked, $allowed_html, $protocols);
}

WordPress Version: 4.3

/**
 * Filters content so that only allowable HTML elements remain.
 *
 * After filtering, $string contains only the allowed HTML element names,
 * attribute names and attribute values, plus only sane HTML entities. Any
 * slashes added by PHP's magic quotes have to be removed before this
 * function is called.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This
 * covers all common link protocols, except for 'javascript' which should not
 * be allowed for untrusted users. The list actually applied is whatever
 * wp_allowed_protocols() returns at call time.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses
 * @param array  $allowed_html      List of allowed HTML elements. Forwarded as given to
 *                                  wp_kses_hook() and wp_kses_split().
 * @param array  $allowed_protocols Optional. Allowed protocol in links. Any empty value,
 *                                  including an empty array, selects the defaults.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    // empty() treats array() like an omitted argument, so an empty list
    // yields the default protocols, not "no protocols".
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // Three preparation passes, in this order: null handling (with
    // 'slash_zero' => 'keep' forwarded to the helper), then
    // wp_kses_js_entities(), then entity normalization.
    $without_nulls     = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $after_js_entities = wp_kses_js_entities($without_nulls);
    $normalized        = wp_kses_normalize_entities($after_js_entities);

    // WordPress changed the order of these calls and added arguments to
    // wp_kses_hook(). The hook's result is still passed through the split.
    $hooked = wp_kses_hook($normalized, $allowed_html, $protocols);

    return wp_kses_split($hooked, $allowed_html, $protocols);
}

WordPress Version: 3.7

/**
 * Filters content so that only allowable HTML elements remain.
 *
 * After filtering, $string contains only the allowed HTML element names,
 * attribute names and attribute values, plus only sane HTML entities. Any
 * slashes added by PHP's magic quotes have to be removed before this
 * function is called.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This
 * covers all common link protocols, except for 'javascript' which should not
 * be allowed for untrusted users. The list actually applied is whatever
 * wp_allowed_protocols() returns at call time.
 *
 * @since 1.0.0
 *
 * @param string $string Content to filter through kses
 * @param array $allowed_html List of allowed HTML elements. Forwarded as given to
 *                            wp_kses_hook() and wp_kses_split().
 * @param array $allowed_protocols Optional. Allowed protocol in links. Any empty value,
 *                                 including an empty array, selects the defaults.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    // empty() treats array() like an omitted argument, so an empty list
    // yields the default protocols, not "no protocols".
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // No options are passed to wp_kses_no_null() in this version, so the
    // helper's own defaults apply. The JS-entity pass and entity
    // normalization follow, in that order.
    $without_nulls     = wp_kses_no_null($string);
    $after_js_entities = wp_kses_js_entities($without_nulls);
    $normalized        = wp_kses_normalize_entities($after_js_entities);

    // WordPress changed the order of these calls and added arguments to
    // wp_kses_hook(). The hook's result is still passed through the split.
    $hooked = wp_kses_hook($normalized, $allowed_html, $protocols);

    return wp_kses_split($hooked, $allowed_html, $protocols);
}