wp_kses_bad_protocol( string $string, string[] $allowed_protocols )

Sanitizes a string and removed disallowed URL protocols.

Description

This function removes all non-allowed protocols from the beginning of the string. It ignores whitespace and the case of the letters, and it does understand HTML entities. It does its work recursively, so it won’t be fooled by a string like javascript:javascript:alert(57).

Parameters

$string: (string) (Required) Content to filter bad protocols from.
$allowed_protocols: (string[]) (Required) Array of allowed URL protocols.

Return

(string) Filtered content.

Source

File: wp-includes/kses.php

function wp_kses_bad_protocol( $string, $allowed_protocols ) {
	$string     = wp_kses_no_null( $string );
	$iterations = 0;

	do {
		$original_string = $string;
		$string          = wp_kses_bad_protocol_once( $string, $allowed_protocols );
	} while ( $original_string != $string && ++$iterations < 6 );

	if ( $original_string != $string ) {
		return '';
	}

	return $string;
}

Uses

Uses	Description
wp-includes/kses.php: wp_kses_no_null()	Removes any invalid control characters in a text string.
wp-includes/kses.php: wp_kses_bad_protocol_once()	Sanitizes content from bad protocols and other characters.

Used By

Used By	Description
wp-includes/kses.php: wp_kses_one_attr()	Filters one HTML attribute and ensures its value is allowed.
wp-includes/formatting.php: esc_url()	Checks and cleans a URL.
wp-includes/kses.php: safecss_filter_attr()	Filters an inline style attribute and removes disallowed rules.
wp-includes/kses.php: wp_kses_hair()	Builds an attribute list from string containing attributes.
wp-includes/class-http.php: WP_Http::request()	Send an HTTP request to a URI.
wp-includes/http.php: wp_http_validate_url()	Validate a URL for safe use in the HTTP API.

Changelog

Version	Description
1.0.0	Introduced.

© 2003–2021 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/wp_kses_bad_protocol