wp_kses_attr( string $element, string $attr, array $allowed_html, array $allowed_protocols )
Removes all attributes, if none are allowed for this element.
Description
If some are allowed it calls wp_kses_hair() to split them further, and then it builds up new HTML code from the data that kses_hair() returns. It also removes "<" and ">" characters, if there are any left. One more thing it does is to check if the tag has a closing XHTML slash, and if it does, it puts one in the returned code as well.
Parameters
- $element
-
(Required) HTML element/tag
- $attr
-
(Required) HTML attributes from HTML element to closing HTML element tag
- $allowed_html
-
(Required) Allowed HTML elements
- $allowed_protocols
-
(Required) Allowed protocols to keep
Return
(string) Sanitized HTML element
Source
File: wp-includes/kses.php
function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) {
if ( ! is_array( $allowed_html ) )
$allowed_html = wp_kses_allowed_html( $allowed_html );
// Is there a closing XHTML slash at the end of the attributes?
$xhtml_slash = '';
if (preg_match('%\s*/\s*$%', $attr))
$xhtml_slash = ' /';
// Are any attributes allowed at all for this element?
$element_low = strtolower( $element );
if ( empty( $allowed_html[ $element_low ] ) || true === $allowed_html[ $element_low ] ) {
return "<$element$xhtml_slash>";
}
// Split it
$attrarr = wp_kses_hair($attr, $allowed_protocols);
// Go through $attrarr, and save the allowed attributes for this element
// in $attr2
$attr2 = '';
foreach ( $attrarr as $arreach ) {
if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) {
$attr2 .= ' '.$arreach['whole'];
}
}
// Remove any "<" or ">" characters
$attr2 = preg_replace('/[<>]/', '', $attr2);
return "<$element$attr2$xhtml_slash>";
}
Changelog
Version | Description |
---|---|
WP-1.0.0 | Introduced. |