The wp_kses_post() function in WordPress allows through the HTML elements that are specified in the $allowedposttags global variable. This array defines a list of HTML elements and attributes that are deemed safe for use in post content. The exact elements and attributes allowed can vary depending on the version of WordPress and any modifications made by plugins or themes.

Typical elements allowed by $allowedposttags include common formatting and structural tags such as:

  • Headings: <h1>, <h2>, <h3>, <h4>, <h5>, <h6>
  • Paragraphs: <p>
  • Breaks: <br>
  • Lists: <ul>, <ol>, <li>
  • Text formatting: <strong>, <em>, <b>, <i>, <del>, <s>, <ins>
  • Links: <a> (with attributes like href, title, and rel)
  • Images: <img> (with attributes like src, alt, width, height, and class)
  • Quotes: <blockquote>, <q>, <cite>
  • Code: <code>, <pre>
  • Tables: <table>, <tr>, <td>, <th>, <thead>, <tbody>, <tfoot>, <caption>
  • Spans and divs: <span>, <div> (with certain attributes)
  • Others: <iframe>, <embed>, <object>, <param>, <video>, <audio>, <source>, <track>, <canvas>, <svg>, <path>, and more.

Each tag in the $allowedposttags array is paired with an array of allowed attributes for that tag. For example, the <a> tag typically allows attributes such as href, title, and rel, but may not allow JavaScript event handler attributes such as onclick, to prevent potential XSS attacks.

It’s important to note that the list of allowed tags and attributes can be customized by site administrators, themes, or plugins, so the actual elements allowed on a specific WordPress installation might differ from the default. Developers can modify the $allowedposttags array using filters and hooks provided by WordPress to tailor the content filtering to their specific needs.

If you want to be more selective about what tags are allowed, look at the wp_kses() function.
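
The two approaches above (filtering the post allowlist, and passing your own list to wp_kses()) are shown here as an added example, not code from WordPress core or from the original page. It assumes the file runs inside a loaded WordPress, for instance through WP-CLI's wp eval-file; the myplugin_* names and the sample markup are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code). Assumes WordPress is loaded;
 * the myplugin_* function names are hypothetical.
 */

// Tighten the 'post' context used by wp_kses_post(): drop embedding tags
// if they are present on this installation, and pin the <a> attributes.
function myplugin_restrict_post_tags( $tags, $context ) {
    if ( 'post' !== $context ) {
        return $tags; // leave every other context untouched
    }
    foreach ( array( 'iframe', 'embed', 'object' ) as $tag ) {
        unset( $tags[ $tag ] );
    }
    $tags['a'] = array( 'href' => true, 'title' => true, 'rel' => true );
    return $tags;
}
add_filter( 'wp_kses_allowed_html', 'myplugin_restrict_post_tags', 10, 2 );

// For a field that needs far less than post content, pass an explicit
// allowlist to wp_kses() instead of relying on the post defaults.
function myplugin_sanitize_note( $html ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'code'   => array(),
    );
    // Third argument limits the URL schemes accepted in attributes like href.
    return wp_kses( $html, $allowed, array( 'http', 'https' ) );
}

// Constructed sample input with an event handler and an embedded frame.
$sample = '<p onclick="x()">Hi <a href="https://example.org" onclick="y()">link</a>'
        . '<iframe src="https://example.org"></iframe></p>';

// Post context after the filter: onclick and <iframe> are not on the list.
echo wp_kses_post( $sample ), "\n";
// Explicit allowlist: <p> is not listed either, so only its text is kept.
echo myplugin_sanitize_note( $sample ), "\n";

// Audit which <a> attributes this installation allows in post content.
print_r( wp_kses_allowed_html( 'post' )['a'] );
```

Dumping wp_kses_allowed_html( 'post' ) on a live site is also a quick way to see whether a plugin or theme has widened the allowlist beyond what you expect.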