Wordpress - Typical wp_kses $allowed

I would disagree with the solution posted by @JaredCobb, wp_kses() is much more flexible than the method he presented. It can strip out unwanted attributes from tags without destroying the tags themselves. For example, if the user put in <strong class='foo'>, wp_kses() would return <strong> if you did not allow class, whereas strip_tags() would remove the <strong> completely.

@redconservatory: The attributes you'll want to use are as follows:

$args = array(
    //formatting
    'strong' => array(),
    'em'     => array(),
    'b'      => array(),
    'i'      => array(),

    //links
    'a'     => array(
        'href' => array()
    )
);

This will allow bold and italics with no attributes, as well as anchor tags with an href attribute...and nothing else. It uses the whitelisting principle, which @jaredcobb rightly noted is the better way to go here.


I would start out with the same $allowedtags array that WordPress uses for their comments. You can find their array in the [wordpress directory]/wp-includes/kses.php file. These seem like sensible defaults to me, and a good starting point. Here is their array...

$allowedtags = array(
    'a' => array(
        'href' => true,
        'title' => true,
    ),
    'abbr' => array(
        'title' => true,
    ),
    'acronym' => array(
        'title' => true,
    ),
    'b' => array(),
    'blockquote' => array(
        'cite' => true,
    ),
    'cite' => array(),
    'code' => array(),
    'del' => array(
        'datetime' => true,
    ),
    'em' => array(),
    'i' => array(),
    'q' => array(
        'cite' => true,
    ),
    'strike' => array(),
    'strong' => array(),
);

I would NOT use PHP's strip_tags as a replacement for wp_kses.

You should never use strip_tags to filter an unknown user's content!

I have created a quick video explaining Why WordPress’ wp_kses() is better than PHP’s strip_tags() for security.


I've only used wp_kses when I've specifically needed to allow / filter attributes of HTML tags (for example, I want them to be allowed to have an <image> tag with a src="" attribute, but I don't want them to be able to put href="" or style="" or anything else on the image tag). In that case, wp_kses comes in handy because (as you can see in the example you created) you can filter down very specifically. I've rarely used wp_kses though because I just find that a couple of native PHP functions (below) do the trick and are easier to understand when I look at the code several months later.

If you want to completely remove HTML tags (except maybe allow a few) then I always use strip_tags. You can pass in a string of allowed tags (like <p> <br> <strong>) or whatever other harmless tags you like. This allows the user to be able to have some control over formatting, if that's applicable for your use case. I like strip_tags because it takes a whitelist approach to sanitizing your data. (Meaning that everything gets stripped except what you explicitly whitelist).

If your goal is to allow them to put any HTML into the content, but you just want to show their text as they entered it (like code examples) then use htmlspecialchars. This will convert HTML characters into their encoded counterparts so you can safely output it to the page.

You might come across code using str_replace which "looks" for bad tags like or or whatever. I really don't recommend that approach because it takes a blacklist approach to sanitizing data and you've got to constantly make sure your blacklist is up to date.

I guess to sum up, it depends on what your metaboxes are used for. If you're protecting against input from users (who might be malicious) I'd recommend strip_tags and just allow some of the harmless tags. If you have a good business case to really micromanage the tags and specific attributes of the user's content, use wp_kses.
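As an added example (not code from any of the answers above), the wp_kses() whitelist from the first answer applied in a metabox save handler, with strip_tags() run on the same input for comparison, which is the difference the answers discuss. It assumes WordPress is loaded (wp_kses() and the hooks are WordPress functions); the field, nonce and meta key names are hypothetical.

```php
<?php
// Added example, not code from the original answers. Assumes it runs inside
// WordPress (wp_kses() and the metabox hooks are WordPress functions); the
// field name, nonce name and meta key are hypothetical.

// The whitelist from the first answer: tag => array of allowed attributes.
// An empty array means the tag is allowed but every attribute on it is dropped.
function my_allowed_html() {
    return array(
        'strong' => array(),
        'em'     => array(),
        'b'      => array(),
        'i'      => array(),
        'a'      => array( 'href' => array() ),
    );
}

// Constructed sample input (not real user data) to compare both approaches.
$input = "<strong class='foo'>bold</strong> "
       . "<a href=\"https://example.com/\" title=\"t\">link</a> <span>plain</span>";

// wp_kses(): whitelisted tags survive, attributes not in the whitelist are
// removed (class on <strong>, title on <a>), tags not in the whitelist are
// removed but their text is kept (<span>). The optional third argument
// defaults to wp_allowed_protocols(), so an href whose scheme is outside that
// list is dropped as well.
$clean = wp_kses( $input, my_allowed_html() );

// strip_tags() with the same two tags allowed: PHP does not touch attributes on
// allowed tags, so class='foo' and title="t" pass through unchanged.
$looser = strip_tags( $input, '<strong><a>' );

// Typical metabox save handler using the whitelist: nonce and capability
// checks first, then wp_kses() on the unslashed POST value before storing it.
function my_save_html_field( $post_id ) {
    if ( ! isset( $_POST['my_html_nonce'], $_POST['my_html_field'] )
        || ! wp_verify_nonce( $_POST['my_html_nonce'], 'my_html_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw   = wp_unslash( $_POST['my_html_field'] );
    $value = wp_kses( $raw, my_allowed_html() );
    update_post_meta( $post_id, '_my_html_field', $value );
}
add_action( 'save_post', 'my_save_html_field' );
```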
