WP-Mix

A fresh mix of code snippets and tutorials

kses tricks

In WordPress, “kses strips evil scripts”. Here is a list of kses tricks for ninjas only.

Filtering kses

Here is the syntax for filtering kses:

$filtered = wp_kses($unfiltered, $allowed_html, $allowed_protocols);

For $allowed_html, specify an array of the HTML tags and attributes that should be allowed, like so:

$allowed_html = array(
	'a' => array(
		'href' => array(),
		'title' => array(),
	),
	'br' => array(),
	'em' => array(),
	'strong' => array(),
);

And the default $allowed_protocols include everything but javascript, so you can limit further by specifying only those protocols that you want to allow:

// wp_kses() expects the protocols as a flat list of scheme names
$allowed_protocols = array(
	'http',
	'https',
	'ftp',
	'mailto'
);

That’s the basic idea with wp_kses(), and there are a bunch of similar template tags worth mentioning.

Template tags

Here is a list of template tags involving similar functionality.

wp_kses($unfiltered, $allowed_html, $allowed_protocols);
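wp_kses_post($unfiltered);        // one argument; filters against the 'post' allowlist ($allowedposttags)
wp_kses_data($unfiltered);        // one argument; filters against the default allowlist ($allowedtags)
wp_filter_kses($unfiltered);      // like wp_kses_data(), but expects slashed data
wp_filter_post_kses($unfiltered); // like wp_kses_post(), but expects slashed data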

Note that $allowedposttags is a global variable that may be used to simplify HTML filtering.

Example using wp_kses_post to filter plugin input

Here is a practical example of filtering plugin input with kses:

// sanitize and validate input
function wpmix_validate_options($input) {

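	// wp_kses_post() filters against this global, so changes made here
	// also apply to any later 'post' kses filtering in the same request
	global $allowedposttags;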
	$allowed_atts = array('align'=>array(), 'class'=>array(), 'id'=>array(), 'dir'=>array(), 'lang'=>array(), 'style'=>array(), 'xml:lang'=>array(), 'src'=>array(), 'alt'=>array());

	$allowedposttags['strong'] = $allowed_atts;
	$allowedposttags['small'] = $allowed_atts;
	$allowedposttags['span'] = $allowed_atts;
	$allowedposttags['abbr'] = $allowed_atts;
	$allowedposttags['code'] = $allowed_atts;
	$allowedposttags['div'] = $allowed_atts;
	$allowedposttags['img'] = $allowed_atts;
	$allowedposttags['h1'] = $allowed_atts;
	$allowedposttags['h2'] = $allowed_atts;
	$allowedposttags['h3'] = $allowed_atts;
	$allowedposttags['h4'] = $allowed_atts;
	$allowedposttags['h5'] = $allowed_atts;
	$allowedposttags['ol'] = $allowed_atts;
	$allowedposttags['ul'] = $allowed_atts;
	$allowedposttags['li'] = $allowed_atts;
	$allowedposttags['em'] = $allowed_atts;
	$allowedposttags['p'] = $allowed_atts;
	// note: this replaces the default entry for <a>; href is kept only if it is added to $allowed_atts
	$allowedposttags['a'] = $allowed_atts;

	// wp_kses_post() takes a single argument and reads the modified global
	$input['wpmix_success'] = wp_kses_post($input['wpmix_success']);
	$input['wpmix_error'] = wp_kses_post($input['wpmix_error']);
	$input['wpmix_retry'] = wp_kses_post($input['wpmix_retry']);

	return $input;
}

As you can see, here we are adding some HTML tags and attributes to the global variable and then using that to custom-filter our plugin input. This method may be customized by adding/removing HTML tags and attributes, using an alternate/similar kses template tag, and of course filtering more input variables.
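
A variation that leaves the global untouched, added here as an example (not code from the original post): it builds a local allowlist from wp_kses_allowed_html('post'), merges extra attributes so existing ones such as href survive, and passes a restricted protocol list to wp_kses(). It assumes WordPress is loaded; the wpmix_example_* function names, the tag and attribute lists, and the sample input are constructed for illustration.

```php
<?php
// Added example; assumes WordPress is loaded. wpmix_example_* names are hypothetical.

function wpmix_example_sanitize_message( $raw ) {
	// Returns a copy of the 'post' allowlist; the global $allowedposttags is not modified.
	$allowed_html = wp_kses_allowed_html( 'post' );

	// Extra attributes to allow on selected tags (constructed list).
	$extra_atts = array( 'class' => array(), 'id' => array(), 'dir' => array(), 'lang' => array() );

	foreach ( array( 'a', 'p', 'span', 'div', 'strong', 'em', 'code' ) as $tag ) {
		$existing = ( isset( $allowed_html[ $tag ] ) && is_array( $allowed_html[ $tag ] ) )
			? $allowed_html[ $tag ]
			: array();
		// Merge rather than overwrite, so entries such as 'href' on <a> are kept;
		// definitions already present in the allowlist take precedence.
		$allowed_html[ $tag ] = array_merge( $extra_atts, $existing );
	}

	// Protocols are a flat list of scheme names.
	$allowed_protocols = array( 'http', 'https', 'mailto' );

	return wp_kses( (string) $raw, $allowed_html, $allowed_protocols );
}

// Settings callback using the option keys from the example above.
function wpmix_example_validate_options( $input ) {
	foreach ( array( 'wpmix_success', 'wpmix_error', 'wpmix_retry' ) as $key ) {
		$input[ $key ] = isset( $input[ $key ] )
			? wpmix_example_sanitize_message( $input[ $key ] )
			: '';
	}
	return $input;
}

// Constructed sample input for trying the filter, e.g. from a WP-CLI shell.
// The onclick attribute and the <script> tag are not on the allowlist.
function wpmix_example_demo() {
	$sample = '<p class="note" onclick="x()">Saved. <a href="https://example.com/">Home</a><script>x()</script></p>';
	return wpmix_example_sanitize_message( $sample );
}
```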
