WordPress wp_kses

Readers frequently ask how to escape data before using it in HTML. If the same question bothers you, you are in the right place: you can filter your data with WordPress wp_kses.

If you are a WordPress developer who writes HTML/CSS/JS, you should be alert about website security, as it is one of the important aspects of protecting your website from hackers, spammers, etc. You need to prevent them from injecting malicious code into your database. You must have heard about data escaping: it secures your data prior to rendering it for an end user and prevents cross-site scripting (XSS). WordPress provides built-in functions that do this automatically, but if you need to escape your output in a specific way, the wp_kses function will come in handy. It gives you control over what is allowed and what is not.

What is a wp_kses Function in WordPress?

WordPress wp_kses is an HTML filtering mechanism. It stands for "KSES Strips Evil Scripts". It allows only safe content and strips the rest of the tags. The default safe tags are kept in the WP global variable $allowedtags. wp_kses ensures that only the specified HTML element names, attribute names and attribute values, plus sane HTML entities, exist in the output. Note that KSES expects unslashed input: remove the slashes PHP quoting adds before you call it.

Its signature looks like this:

wp_kses( string $custom_content, array $allowed_HTML, array $allowed_protocols = array() )

It takes three arguments, as follows:

1. $custom_content – The first argument is the source string: the content to filter. You may get this string from a user or from the database; pass it here to have it processed.

2. $allowed_HTML – An array of allowed HTML tags and attributes, so wp_kses takes the list of allowed HTML elements as its second argument. An example allowed_html array looks like this:

$allowed_html = array(
    'a'      => array(
        'href'  => array(),
        'title' => array(),
    ),
    'br'     => array(),
    'em'     => array(),
    'strong' => array(),
);

The variable contains an array of tags. Each tag holds an array of its allowed attributes. A tag with no allowed attributes gets an empty array.

3. $allowed_protocols – This optional argument passes the allowed URL protocols. You can, for example, accept HTTP, HTTPS and FTP and ignore Telnet, JavaScript, etc.

The function returns the filtered content, containing the allowed HTML elements only.
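The following is an added example, not code from the original post, putting the three arguments together to filter a user-supplied profile text. The function name, the sample input and the choice of allowed tags and protocols are constructed for this demonstration.

```php
<?php
// Added example (not from the original post): filtering user-supplied text
// with an explicit allow-list of tags, attributes and URL protocols.
// render_user_bio() and the sample input below are constructed for the demo.

function render_user_bio( $raw_bio ) {
    // Allowed tags, each mapped to the attributes it may carry.
    $allowed_html = array(
        'a'      => array(
            'href'  => array(),
            'title' => array(),
        ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
    );

    // Allowed URL schemes for attribute values such as href.
    // Any other scheme (javascript:, data:, ...) is removed from the value.
    $allowed_protocols = array( 'http', 'https', 'mailto' );

    return wp_kses( $raw_bio, $allowed_html, $allowed_protocols );
}

// Constructed sample: a tag that is not in the list (<u>), an attribute that
// is not in the list (style) and a link whose scheme is not allowed.
$bio = 'Hi, I am <strong>Alex</strong> and <u>I write plugins</u>.'
     . ' <a href="https://example.com/" style="color:red" title="Home">my site</a>'
     . ' <a href="javascript:alert(1)">not a link</a><br>Bye.';

echo render_user_bio( $bio );
```

With this allow-list the strong, a and br tags survive while the u tag is dropped (its text is kept). On the first link the style attribute disappears because only href and title are listed for a, and on the second link the javascript: scheme is stripped from the href value because it is not among the allowed protocols, so what remains cannot execute anything.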

What is the purpose of wp_kses?

WordPress wp_kses is usually pronounced "wp-kisses". It is used to sanitize data and filter out malicious input. It is a custom solution that lets you decide what to accept and what to reject.

The wp_kses function lets you identify and define what you need and strips all the rest. It gives you a starting point for debugging if anything goes wrong, and it serves as a checkpoint to validate input and escape output.

Variations of WordPress wp_kses Function

It is tedious to specify every allowed tag and attribute, so WordPress provides variations that let you use wp_kses with pre-set allowed tags and protocols. They are mainly used for validating posts and comments so that only whitelisted content is printed. These two functions are as follows:

  • wp_kses_post()

This function sanitizes input with the HTML elements allowed for post content. The post content here refers to the content of the 'post' type, not the $_POST data of forms.

<?php echo wp_kses_post( $data ); ?>

It takes the post content as an argument and returns the filtered content with only the allowed elements.

  • wp_kses_allowed_html()

This function shows the HTML elements allowed for the current context. It uses the wp_kses_allowed_html hook, which provides an easy way to change the allowed HTML.

<?php $allowed_tags = wp_kses_allowed_html( $context ); ?>

It takes the context for which to retrieve tags. The allowed values are post, strip, data, entities or the name of a field filter. It returns the list of allowed HTML tags for the given context as a multidimensional array with the tag name as the key and an array of allowed attributes as the value.
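The following is an added example, not code from the original post, showing the two functions together: the wp_kses_allowed_html filter extends the 'post' context, wp_kses_allowed_html() reads the result back, and wp_kses_post() applies it. The callback name, the iframe entry and the sample content are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): extending the allow-list that
// wp_kses_post() uses via the wp_kses_allowed_html filter, then inspecting
// it with wp_kses_allowed_html(). demo_extend_post_allowed_html() and the
// iframe entry are constructed for this demo.

add_filter( 'wp_kses_allowed_html', 'demo_extend_post_allowed_html', 10, 2 );

function demo_extend_post_allowed_html( $allowed, $context ) {
    // Only touch the 'post' context; other contexts keep their defaults.
    if ( 'post' !== $context ) {
        return $allowed;
    }

    // Allow a minimal iframe with src, width and height only. Event handler
    // attributes such as onload stay disallowed because they are not listed.
    $allowed['iframe'] = array(
        'src'    => array(),
        'width'  => array(),
        'height' => array(),
    );

    return $allowed;
}

// Fetch the effective allow-list for post content (filter already applied).
$post_allowed = wp_kses_allowed_html( 'post' );

// Each key is a tag name, each value the array of its allowed attributes.
foreach ( $post_allowed as $tag => $attributes ) {
    printf(
        "%s: %s\n",
        esc_html( $tag ),
        esc_html( implode( ', ', array_keys( $attributes ) ) )
    );
}

// Constructed sample post content run through wp_kses_post().
$content = '<p>Watch this:</p>'
         . '<iframe src="https://example.com/embed" width="560" height="315" onload="x()"></iframe>';

echo wp_kses_post( $content );
```

Because the filter is applied for every caller of wp_kses_post(), widening the 'post' allow-list widens what all post content may contain, so keep additions as narrow as the one above: the iframe survives with its three listed attributes, and the onload attribute is removed.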

How to use wp_kses?

By now you are familiar with the WordPress wp_kses function, but the main question is how it works. To clarify, here is an example. Suppose you display a simple string that uses several HTML tags such as 'strong', 'title', 'br', 'p' and anchor tags.

<?php
$str = '<title>Check Kses function</title> I am <strong>stronger</strong> and cooler every single day <a href="#">Click Here</a>.<p>I am stronger and cooler every single day.I am stronger and cooler every single day.I am stronger and cooler every single day.I am stronger and cooler every single day.I am stronger and cooler every single day</p>';
echo $str;

When you display it using echo, it gives the result shown in the first paragraph of the output screen below.

Now display the same string using the wp_kses function, allowing only the 'strong', 'p' and 'br' tags.

$arr = array( 'br' => array(), 'p' => array(), 'strong' => array() );
echo '<br>String using wp_kses function....<br>' . wp_kses( $str, $arr );
?>

It displays the resulting string as shown in the second paragraph of the output screen. Only the allowed tags strong, br and p defined for wp_kses survive; the anchor tag is removed, so no link is formed for the "Click Here" text. Similarly, no title is set, because the 'title' tag is not allowed either.

[Output screen of the wp_kses function example]

Wp_kses vs strip_tags

The PHP strip_tags function removes HTML and PHP tags from a string. It takes two arguments: first the string to be filtered, and second a string of allowed tags.

string strip_tags ( string $str [, string $allowable_tags ] )

It returns the string after the required stripping. It also clears the content of 'script' and 'style' tags. Here wp_kses has a clear advantage: it strips the tags but does not remove the content of the given tags.

Secondly, PHP's strip_tags can break the result completely. For example, a less-than symbol is the opening character of a potential HTML tag; if what follows it is not passed in the second parameter of strip_tags(), that part of the text will not be rendered, whereas WordPress wp_kses() renders the HTML effectively.
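The following is an added example, not code from the original post, running one piece of markup through both functions to make the difference in attribute handling visible. The helper name and the sample input are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): the same markup run through
// PHP's strip_tags() and through wp_kses(). compare_filters() and the
// sample input are constructed for this demo.

function compare_filters( $html ) {
    // strip_tags keeps an allowed tag together with ALL of its attributes,
    // event handlers included; it has no notion of allowed attributes.
    $via_strip_tags = strip_tags( $html, '<a><strong>' );

    // wp_kses keeps only the listed attributes and checks the href scheme
    // against the allowed protocols.
    $allowed_html = array(
        'a'      => array( 'href' => array() ),
        'strong' => array(),
    );
    $via_kses = wp_kses( $html, $allowed_html, array( 'http', 'https' ) );

    return array(
        'strip_tags' => $via_strip_tags,
        'wp_kses'    => $via_kses,
    );
}

// Constructed sample: an allowed tag carrying an event handler attribute.
$sample = '<strong>Hello</strong> <a href="https://example.com/" onclick="track()">site</a>';

foreach ( compare_filters( $sample ) as $name => $result ) {
    // Escape for display so the filtered markup is shown literally.
    echo esc_html( $name ) . ': ' . esc_html( $result ) . "<br>\n";
}
```

Both functions keep the strong and a tags, but strip_tags() returns the anchor with its onclick attribute intact, because its second parameter only names tags, while wp_kses() drops onclick since only href is listed for a. That attribute-level control is what makes wp_kses the safer filter for markup that reaches a browser.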

Final Words

The WordPress wp_kses function is more secure than PHP's strip_tags. wp_kses survives JavaScript attacks where strip_tags breaks. wp_kses helps prevent JavaScript attacks by denying them: JavaScript is not an allowed protocol in wp_kses by default, and hopefully you will not include it either. So it outputs the JavaScript as harmless plain text rather than executing a JavaScript alert. wp_kses is therefore the smarter choice to validate and sanitize data efficiently.