wp_kses_bad_protocol( string $string, array $allowed_protocols )

Sanitize string from bad protocols.

Description

This function removes all non-allowed protocols from the beginning of $string. It ignores whitespace and the case of the letters, and it does understand HTML entities. It does its work in a while loop, so it won’t be fooled by a string like "javascript:javascript:alert(57)".

Parameters

$string

(string) (Required) Content to filter bad protocols from

$allowed_protocols

(array) (Required) Allowed protocols to keep

Return

(string) Filtered content

Source

File: wp-includes/kses.php 

function wp_kses_bad_protocol($string, $allowed_protocols) {
	$string = wp_kses_no_null($string);
	$iterations = 0;

	do {
		$original_string = $string;
		$string = wp_kses_bad_protocol_once($string, $allowed_protocols);
	} while ( $original_string != $string && ++$iterations < 6 );

	if ( $original_string != $string )
		return '';

	return $string;
}

Expand Source Code View on GitHub

Related

Uses

Uses
Uses Description
wp-includes/kses.php: wp_kses_bad_protocol_once()

Sanitizes content from bad protocols and other characters.
wp-includes/kses.php: wp_kses_no_null()

Removes any invalid control characters in $string.

Used By

Used By
Used By Description
wp-includes/class-http.php: WP_Http::request()

Send an HTTP request to a URI.
wp-includes/http.php: wp_http_validate_url()

Validate a URL for safe use in the HTTP API.
wp-includes/kses.php: wp_kses_hair()

Builds an attribute list from string containing attributes.
wp-includes/kses.php: wp_kses_one_attr()

Filters one attribute only and ensures its value is allowed.
wp-includes/formatting.php: esc_url()

Checks and cleans a URL.

Changelog

Changelog
Version Description
WP-1.0.0 Introduced.