wp_kses_bad_protocol

The timeline below shows how the WordPress function wp_kses_bad_protocol has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.4

/**
 * Sanitizes a string and removes disallowed URL protocols.
 *
 * This function removes all non-allowed protocols from the beginning of the
 * string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It applies the single-pass filter repeatedly (at
 * most six passes), so it won't be fooled by a string like
 * `javascript:javascript:alert(57)`.
 *
 * If the sixth pass still modifies the string, an empty string is returned
 * instead of a partially filtered value.
 *
 * @since 1.0.0
 *
 * @param string   $content           Content to filter bad protocols from.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
 * @return string Filtered content, or an empty string if the content did not
 *                stop changing within six passes.
 */
function wp_kses_bad_protocol($content, $allowed_protocols)
{
    // wp_kses_no_null() is defined elsewhere; presumably it strips NUL bytes before the protocol check (confirm against its definition).
    $content = wp_kses_no_null($content);
    // Short-circuit if the string starts with `https://` or `http://`. Most common cases.
    // Each prefix is accepted only when the matching scheme is in $allowed_protocols (strict in_array).
    // str_starts_with() is case-sensitive, so any other spelling of the scheme goes through the filtering loop below.
    if (str_starts_with($content, 'https://') && in_array('https', $allowed_protocols, true) || str_starts_with($content, 'http://') && in_array('http', $allowed_protocols, true)) {
        return $content;
    }
    $iterations = 0;
    // Re-run the single-pass filter until a pass leaves the string unchanged or six passes have run.
    do {
        $original_content = $content;
        $content = wp_kses_bad_protocol_once($content, $allowed_protocols);
    } while ($original_content !== $content && ++$iterations < 6);
    // The last pass still changed the string: fail closed and return nothing rather than content that may still carry a disallowed protocol.
    if ($original_content !== $content) {
        return '';
    }
    return $content;
}

WordPress Version: 6.2

/**
 * Sanitizes a string and removes disallowed URL protocols.
 *
 * This function removes all non-allowed protocols from the beginning of the
 * string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It applies the single-pass filter repeatedly (at
 * most six passes), so it won't be fooled by a string like
 * `javascript:javascript:alert(57)`.
 *
 * If the sixth pass still modifies the string, an empty string is returned
 * instead of a partially filtered value.
 *
 * @since 1.0.0
 *
 * @param string   $content           Content to filter bad protocols from.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
 * @return string Filtered content, or an empty string if the content did not
 *                stop changing within six passes.
 */
function wp_kses_bad_protocol($content, $allowed_protocols)
{
    // wp_kses_no_null() is defined elsewhere; presumably it strips NUL bytes before the protocol check (confirm against its definition).
    $content = wp_kses_no_null($content);
    // Short-circuit if the string starts with `https://` or `http://`. Most common cases.
    // Each prefix is accepted only when the matching scheme is in $allowed_protocols (strict in_array).
    // str_starts_with() is case-sensitive, so any other spelling of the scheme goes through the filtering loop below.
    if (str_starts_with($content, 'https://') && in_array('https', $allowed_protocols, true) || str_starts_with($content, 'http://') && in_array('http', $allowed_protocols, true)) {
        return $content;
    }
    $iterations = 0;
    // Re-run the single-pass filter until a pass leaves the string unchanged or six passes have run.
    // NOTE(review): `!=` is a loose comparison. PHP compares two numeric strings by value, so textually
    // different strings can be treated as "unchanged" here; a strict `!==` would compare the text itself.
    do {
        $original_content = $content;
        $content = wp_kses_bad_protocol_once($content, $allowed_protocols);
    } while ($original_content != $content && ++$iterations < 6);
    // The last pass still changed the string: fail closed and return nothing rather than content that may still carry a disallowed protocol.
    if ($original_content != $content) {
        return '';
    }
    return $content;
}

WordPress Version: 5.1

/**
 * Sanitizes a string and removes disallowed URL protocols.
 *
 * This function removes all non-allowed protocols from the beginning of the
 * string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It applies the single-pass filter repeatedly (at
 * most six passes), so it won't be fooled by a string like
 * `javascript:javascript:alert(57)`.
 *
 * If the sixth pass still modifies the string, an empty string is returned
 * instead of a partially filtered value.
 *
 * @since 1.0.0
 *
 * @param string   $string            Content to filter bad protocols from.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
 * @return string Filtered content, or an empty string if the content did not
 *                stop changing within six passes.
 */
function wp_kses_bad_protocol($string, $allowed_protocols)
{
    // wp_kses_no_null() is defined elsewhere; presumably it strips NUL bytes before the protocol check (confirm against its definition).
    $string = wp_kses_no_null($string);
    $iterations = 0;
    // Re-run the single-pass filter until a pass leaves the string unchanged or six passes have run.
    // NOTE(review): `!=` is a loose comparison. PHP compares two numeric strings by value, so textually
    // different strings can be treated as "unchanged" here; a strict `!==` would compare the text itself.
    do {
        $original_string = $string;
        $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
    } while ($original_string != $string && ++$iterations < 6);
    // The last pass still changed the string: fail closed and return nothing rather than content that may still carry a disallowed protocol.
    if ($original_string != $string) {
        return '';
    }
    return $string;
}

WordPress Version: 4.3

/**
 * Sanitize string from bad protocols.
 *
 * This function removes all non-allowed protocols from the beginning of
 * $string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It does its work in a loop (at most six passes of
 * the single-pass filter), so it won't be fooled by a string like
 * "javascript:javascript:alert(57)".
 *
 * If the sixth pass still modifies the string, an empty string is returned
 * instead of a partially filtered value.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter bad protocols from
 * @param array  $allowed_protocols Allowed protocols to keep
 * @return string Filtered content, or an empty string if the content did not
 *                stop changing within six passes
 */
function wp_kses_bad_protocol($string, $allowed_protocols)
{
    // wp_kses_no_null() is defined elsewhere; presumably it strips NUL bytes before the protocol check (confirm against its definition).
    $string = wp_kses_no_null($string);
    $iterations = 0;
    // Re-run the single-pass filter until a pass leaves the string unchanged or six passes have run.
    // NOTE(review): `!=` is a loose comparison. PHP compares two numeric strings by value, so textually
    // different strings can be treated as "unchanged" here; a strict `!==` would compare the text itself.
    do {
        $original_string = $string;
        $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
    } while ($original_string != $string && ++$iterations < 6);
    // The last pass still changed the string: fail closed and return nothing rather than content that may still carry a disallowed protocol.
    if ($original_string != $string) {
        return '';
    }
    return $string;
}

WordPress Version: 3.7

/**
 * Sanitize string from bad protocols.
 *
 * This function removes all non-allowed protocols from the beginning of
 * $string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It does its work in a loop (at most six passes of
 * the single-pass filter), so it won't be fooled by a string like
 * "javascript:javascript:alert(57)".
 *
 * If the sixth pass still modifies the string, an empty string is returned
 * instead of a partially filtered value.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter bad protocols from
 * @param array  $allowed_protocols Allowed protocols to keep
 * @return string Filtered content, or an empty string if the content did not
 *                stop changing within six passes
 */
function wp_kses_bad_protocol($string, $allowed_protocols)
{
    // wp_kses_no_null() is defined elsewhere; presumably it strips NUL bytes before the protocol check (confirm against its definition).
    $string = wp_kses_no_null($string);
    $iterations = 0;
    // Re-run the single-pass filter until a pass leaves the string unchanged or six passes have run.
    // NOTE(review): `!=` is a loose comparison. PHP compares two numeric strings by value, so textually
    // different strings can be treated as "unchanged" here; a strict `!==` would compare the text itself.
    do {
        $original_string = $string;
        $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
    } while ($original_string != $string && ++$iterations < 6);
    // The last pass still changed the string: fail closed and return nothing rather than content that may still carry a disallowed protocol.
    if ($original_string != $string) {
        return '';
    }
    return $string;
}