public static string sanitize( string $string, array $allowed_html = array(), array $allowed_protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet') )
Filters content and keeps only allowable HTML elements.
This function makes sure that only the allowed HTML element names, attribute
names and attribute values plus only sane HTML entities will occur in $string.
You have to remove any slashes from PHP's magic quotes before you call this
function (magic quotes were removed in PHP 5.4, so this only matters on legacy installs).
The default allowed protocols are 'http', 'https', 'ftp', 'ftps', 'mailto', 'news',
'irc', 'gopher', 'nntp', 'feed' and 'telnet'. This covers all common link
protocols. The list is an allow-list: any scheme not on it, 'javascript' included,
is stripped from attribute values, and 'javascript' must never be added to it
for content coming from untrusted users.
Parameters
- $string
string $string Content to filter through kses
- $allowed_html
array $allowed_html List of allowed HTML elements
- $allowed_protocols
array $allowed_protocols Optional. Allowed protocol in links.
Returns
string Filtered content with only allowed HTML elements
Since
1.0.0

public static string no_null( string $string )
Removes any NULL characters in $string.
Parameters
- $string
string $string Content to filter
Returns
string Content with NULL characters removed
Since
1.0.0

public static string js_entities( string $string )
Removes the HTML JavaScript entities (the &{...}; form) found in early versions of
Netscape 4.
Parameters
- $string
string $string Content to filter
Returns
string Content with JavaScript entities removed
Since
1.0.0

protected static string normalize_entities( string $string )
Converts and fixes HTML entities.
This function normalizes HTML entities. It will convert "AT&T" to the
correct "AT&amp;T", "&#00058;" to "&#58;", "&#XYZZY;" to "&amp;#XYZZY;" and so on.
Parameters
- $string
string $string Content to normalize entities
Returns
string Content with normalized entities
Since
1.0.0

protected static string normalize_entities_callback1( array $matches )
Callback for normalize_entities() regular expression.
This function helps normalize_entities() to only accept 16 bit values and
nothing more for &#number; entities.
Parameters
- $matches
array $matches preg_replace_callback() matches array
Returns
string Correctly encoded entity
Since
1.0.0

protected static string normalize_entities_callback2( array $matches )
Callback for normalize_entities() regular expression.
This function helps normalize_entities() to only accept valid Unicode numeric
entities in hex form.
Parameters
- $matches
array $matches preg_replace_callback() matches array
Returns
string Correctly encoded entity

public static string html_error( string $string )
Handles parsing errors in hair().
The general plan is to remove everything up to and including some whitespace,
but it deals with quotes and apostrophes as well.
Parameters
- $string
string $string Content to filter
Returns
string Content with the unparseable prefix removed
Since
1.0.0

public static array array_lc_keys( array $inarray )
Goes through an array and changes the keys to all lower case.
Parameters
- $inarray
array $inarray Unfiltered array
Returns
array Fixed array with all lowercase keys
Since
1.0.0

public static boolean isUnicodeValid( integer $i )
Helper function to determine if a Unicode value is valid.
Parameters
- $i
integer $i Unicode value
Returns
boolean true if the value was a valid Unicode number
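The entries for normalize_entities(), its two callbacks and isUnicodeValid() describe one pipeline. The following stand-alone PHP reimplementation, added here as an illustration and not the library's own code, shows that pipeline end to end: stray ampersands are escaped, well-formed named entities are kept, decimal entities are accepted only when they name a 16-bit code point that passes the validity test, hex entities only when they pass the validity test, and everything else is left visibly escaped. Function names are hypothetical; the validity test follows the XML Char production.

```php
<?php
// Illustrative stand-alone reimplementation (not the library's code) of the
// entity normalisation described for normalize_entities(), its two callbacks
// and isUnicodeValid(). Function names are hypothetical.

// The XML "Char" production: code points a numeric entity may legitimately name.
function is_unicode_valid(int $i): bool
{
    return $i === 0x9 || $i === 0xA || $i === 0xD
        || ($i >= 0x20 && $i <= 0xD7FF)
        || ($i >= 0xE000 && $i <= 0xFFFD)
        || ($i >= 0x10000 && $i <= 0x10FFFF);
}

function normalize_entities(string $s): string
{
    // 1. Treat every "&" as a literal first ...
    $s = str_replace('&', '&amp;', $s);

    // 2. ... then restore well-formed named entities (&lt; &auml; &amp; ...).
    $s = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]{0,19});/', '&$1;', $s);

    // 3. Decimal entities: accepted only for 16-bit values that are valid Unicode
    //    (the documented rule for normalize_entities_callback1()); leading zeros
    //    are dropped so "&#00058;" becomes "&#58;".
    $s = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', function ($m) {
        $i = (int) $m[1];
        return ($i <= 0xFFFF && is_unicode_valid($i)) ? "&#$i;" : '&amp;#' . $m[1] . ';';
    }, $s);

    // 4. Hex entities: accepted only for valid Unicode (normalize_entities_callback2()).
    $s = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', function ($m) {
        $i = (int) hexdec($m[1]);
        return is_unicode_valid($i) ? '&#x' . dechex($i) . ';' : '&amp;#x' . $m[1] . ';';
    }, $s);

    return $s;
}

// Constructed samples covering each branch above.
$samples = [
    'AT&T',               // stray ampersand
    'a &lt; b &amp; c',   // already-correct named entities must survive
    '&#00058;',           // decimal with leading zeros
    '&#x41;',             // hex
    '&#XYZZY;',           // looks like an entity, is not one
    '&#65536;',           // valid Unicode but outside the 16-bit range
    '&#x110000;',         // beyond U+10FFFF
    '&#0;',               // NUL is never a valid entity
];
foreach ($samples as $in) {
    printf("%-18s => %s\n", $in, normalize_entities($in));
}
```

The point of escaping rather than deleting a rejected entity is that the text stays readable and nothing is silently swallowed; a browser then shows "&#XYZZY;" literally instead of trying to interpret it.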

public static split( mixed $string, mixed $allowed_html, mixed $allowed_protocols )
Searches $string for HTML tags, however malformed, and passes each one to split_callback()
together with $allowed_html and $allowed_protocols.

protected static string split_callback( string $matches )
Callback for split() (wp_kses_split) for fixing malformed HTML tags.
This function does a lot of work. It rejects some very malformed things like
<:::>. It returns an empty string, if the element isn't allowed (look ma,
no strip_tags()!). Otherwise it splits the tag into an element and an attribute
list.
After the tag is split into an element and an attribute list, it is run
through another filter which will remove illegal attributes and once that is
completed, will be returned.
Parameters
- $matches
string $matches Content to filter
Returns
string Fixed HTML element
Since
1.0.0

public static string attr( string $element, string $attr, array $allowed_html, array $allowed_protocols )
Removes all attributes, if none are allowed for this element.
If some are allowed it calls hair() to split them further, and then it builds
up new HTML code from the data that hair() returns. It also removes "<"
and ">" characters, if there are any left. One more thing it does is to check
if the tag has a closing XHTML slash, and if it does, it puts one in the
returned code as well.
Parameters
- $element
string $element HTML element/tag
- $attr
string $attr HTML attributes from HTML element to closing HTML element tag
- $allowed_html
array $allowed_html Allowed HTML elements
- $allowed_protocols
array $allowed_protocols Allowed protocols to keep
Returns
string Sanitized HTML element
Since
1.0.0

public static boolean check_attr_val( string $value, string $vless, string $checkname, mixed $checkvalue )
Performs different checks for attribute values.
The currently implemented checks are "maxlen", "minlen", "maxval", "minval"
and "valueless", with even more checks to come soon.
Parameters
- $value
string $value Attribute value
- $vless
string $vless Whether the value is valueless or not. Use 'y' or 'n'
- $checkname
string $checkname What $checkvalue is checking for.
- $checkvalue
mixed $checkvalue What constraint the value should pass
Returns
boolean Whether check passes (true) or not (false)
Since
1.0.0
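The five checks named above are easiest to understand from a working reimplementation. The following PHP is an added illustration, not the library's code: a stand-alone check_attr_val() with the usual semantics of each check name, a small driver that runs every rule configured for an attribute, and a constructed rule table for an <img> element (the table shape is hypothetical; only the check names come from the page).

```php
<?php
// Illustrative stand-alone reimplementation (not the library's code) of the
// "maxlen", "minlen", "maxval", "minval" and "valueless" checks documented
// for check_attr_val(). The rule-table shape below is an assumption.

function check_attr_val(string $value, string $vless, string $checkname, $checkvalue): bool
{
    switch (strtolower($checkname)) {
        case 'maxlen':      // value may not be longer than N bytes
            return strlen($value) <= (int) $checkvalue;
        case 'minlen':      // value may not be shorter than N bytes
            return strlen($value) >= (int) $checkvalue;
        case 'maxval':      // value must be a bare non-negative integer <= N
            return preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value) === 1
                && (int) $value <= (int) $checkvalue;
        case 'minval':      // value must be a bare non-negative integer >= N
            return preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value) === 1
                && (int) $value >= (int) $checkvalue;
        case 'valueless':   // 'y': attribute must carry no value, 'n': must carry one
            return strtolower((string) $checkvalue) === $vless;
        default:            // an unknown check name rejects rather than silently passes
            return false;
    }
}

// An attribute survives only if every rule configured for it passes.
function attr_passes(string $value, string $vless, array $rules): bool
{
    foreach ($rules as $checkname => $checkvalue) {
        if (!check_attr_val($value, $vless, $checkname, $checkvalue)) {
            return false;
        }
    }
    return true;
}

// Hypothetical rule table for <img> (constructed for this example).
$imgRules = [
    'src'   => ['maxlen' => 2048],
    'width' => ['minval' => 1, 'maxval' => 2000],
    'ismap' => ['valueless' => 'y'],
];

// Constructed test cases: [attribute, value, vless].
$cases = [
    ['width', '800',                 'n'],
    ['width', '99999',               'n'],   // exceeds maxval
    ['width', '10px',                'n'],   // not a bare integer
    ['ismap', '',                    'y'],
    ['ismap', 'yes',                 'n'],   // must be valueless
    ['src',   str_repeat('a', 3000), 'n'],   // exceeds maxlen
];
foreach ($cases as [$name, $value, $vless]) {
    printf("%-6s %-6s %s\n", $name, var_export(attr_passes($value, $vless, $imgRules[$name]), true),
        substr($value, 0, 20));
}
```

Note that "maxval" and "minval" first require the value to be a plain integer; a value such as "10px" fails the check regardless of the bound, which is the safer default for numeric attributes.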

public static array hair( string $attr, array $allowed_protocols )
Builds an attribute list from string containing attributes.
This function does a lot of work. It parses an attribute list into an array
with attribute data, and tries to do the right thing even if it gets weird
input. It will add quotes around attribute values that don't have any quotes or
apostrophes around them, to make it easier to produce HTML code that will
conform to W3C's HTML specification. It will also remove bad URL protocols from
attribute values. It also reduces duplicate attributes by using the attribute
defined first (foo='bar' foo='baz' will result in foo='bar').
Parameters
- $attr
string $attr Attribute list from HTML element to closing HTML element tag
- $allowed_protocols
array $allowed_protocols Allowed protocols to keep
Returns
array List of attributes after parsing
Since
1.0.0

public static string bad_protocol( string $string, array $allowed_protocols )
Sanitize string from bad protocols.
This function removes all non-allowed protocols from the beginning of
$string. It ignores whitespace and the case of the letters, and it does
understand HTML entities. It does its work in a while loop, so it won't be
fooled by a string like "javascript:javascript:alert(57)".
Parameters
- $string
string $string Content to filter bad protocols from
- $allowed_protocols
array $allowed_protocols Allowed protocols to keep
Returns
string Filtered content
Since
1.0.0
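The descriptions of hair() above and of bad_protocol() here, together with bad_protocol_once2() and decode_entities() below, describe how an attribute value ends up with its scheme checked. The following PHP is an added illustration, not the library's own code: a stand-alone protocol stripper that decodes numeric entities, ignores whitespace, control characters and case in the scheme, and loops until the string is stable, plus a small attribute parser that applies hair()'s documented rules (first duplicate wins, every value goes through the protocol filter, unquoted values get quotes when rebuilt). Function names are hypothetical; it assumes PHP 7.4+ with the mbstring extension.

```php
<?php
// Illustrative stand-alone reimplementation (not the library's code) of the
// behaviour documented for hair(), bad_protocol(), bad_protocol_once2() and
// decode_entities(). Function names are hypothetical; requires PHP 7.4+ with
// the mbstring extension.

const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'ftps', 'mailto', 'news',
                           'irc', 'gopher', 'nntp', 'feed', 'telnet'];

// Decode only numeric entities (&#106; and &#x6A;), like decode_entities();
// named entities are irrelevant for protocol matching.
function decode_numeric_entities(string $s): string
{
    $s = preg_replace_callback('/&#0*([0-9]{1,7});/',
        fn($m) => mb_chr((int) $m[1], 'UTF-8') ?: '', $s);
    return preg_replace_callback('/&#[Xx]0*([0-9A-Fa-f]{1,6});/',
        fn($m) => mb_chr((int) hexdec($m[1]), 'UTF-8') ?: '', $s);
}

// Strip one leading "scheme:" when the scheme is not on the allow-list.
// The scheme may contain whitespace, control characters or numeric entities,
// the colon itself may be entity-encoded, and case is ignored.
function bad_protocol_once(string $s, array $allowed): string
{
    $s  = str_replace("\0", '', $s);                       // what no_null() does
    $re = '/^((?:[\x00-\x20A-Za-z0-9+.-]|&#[0-9A-Fa-fXx]+;)+)(?::|&#0*58;|&#[Xx]0*3[Aa];)/';
    if (!preg_match($re, $s, $m)) {
        return $s;                                         // no scheme prefix at all
    }
    $scheme = decode_numeric_entities($m[1]);
    $scheme = strtolower(preg_replace('/[\x00-\x20]/', '', $scheme));
    if (in_array($scheme, $allowed, true)) {
        return $s;
    }
    return substr($s, strlen($m[0]));                      // drop "scheme:" for re-checking
}

// Loop until nothing changes, so "javascript:javascript:alert(57)" does not
// leave a second scheme behind once the first has been removed.
function bad_protocol(string $s, array $allowed = ALLOWED_PROTOCOLS): string
{
    do {
        $before = $s;
        $s = bad_protocol_once($s, $allowed);
    } while ($s !== $before);
    return $s;
}

// Parse an attribute string into name => ['value', 'vless'] with hair()'s
// documented rules: the first of duplicate attributes wins, every value goes
// through the protocol filter, and attributes without a value are flagged.
function parse_attrs(string $attr, array $allowed = ALLOWED_PROTOCOLS): array
{
    $out = [];
    $re  = '/\s*([A-Za-z][A-Za-z0-9_:.-]*)\s*(?:=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+)))?/';
    preg_match_all($re, $attr, $all, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
    foreach ($all as $m) {
        $name = strtolower($m[1]);
        if (isset($out[$name])) {
            continue;                                      // foo='bar' foo='baz' -> foo='bar'
        }
        $value = $m[2] ?? $m[3] ?? $m[4] ?? null;
        $out[$name] = $value === null
            ? ['value' => '', 'vless' => 'y']
            : ['value' => bad_protocol($value, $allowed), 'vless' => 'n'];
    }
    return $out;
}

// Rebuild the list with every value double-quoted, as attr() does afterwards.
function build_attrs(array $attrs): string
{
    $parts = [];
    foreach ($attrs as $name => $a) {
        $parts[] = $a['vless'] === 'y'
            ? $name
            : $name . '="' . str_replace('"', '&quot;', $a['value']) . '"';
    }
    return implode(' ', $parts);
}

// Constructed sample inputs: stacked, mixed-case, tab-split and entity-encoded schemes.
foreach (['javascript:javascript:alert(57)', 'JaVa' . "\t" . 'ScRiPt:alert(1)',
          '&#106;avascript:alert(1)', 'https://example.com/', 'data:text/html,x'] as $url) {
    printf("%-40s -> %s\n", addcslashes($url, "\0..\x1f"), bad_protocol($url));
}
$attr = 'href=javascript:alert(1) HREF="https://example.com/" title=\'x\' title="y"'
      . ' onclick=&#106;ava&#x09;script&#58;evil() disabled src=" https://example.com/a.png"';
echo build_attrs(parse_attrs($attr)), "\n";
```

parse_attrs() deliberately does not consult $allowed_html; deciding whether an attribute such as onclick is allowed on an element at all is attr()'s job, which runs after the attribute list has been parsed. The protocol filter only makes sure that whatever value survives cannot smuggle in a scheme that is not on the list.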

protected static string bad_protocol_once2( mixed $matches )
Callback for bad_protocol_once() regular expression.
This function processes URL protocols, checks to see if they're in the
white-list or not, and returns different data depending on the answer.
Parameters
- $matches
mixed $matches string or preg_replace_callback() matches array to check for bad
protocols
Returns
string Sanitized content
Since
1.0.0

protected static string stripslashes( string $string )
Strips slashes from in front of quotes.
This function changes the character sequence \" to just ". It leaves all
other slashes alone. It's really weird, but the quoting from preg_replace(//e)
seems to require this. (The /e modifier was deprecated in PHP 5.5 and removed
in PHP 7.0, so this helper only matters on older PHP versions.)
Parameters
- $string
string $string String to strip slashes
Returns
string Fixed strings with quoted slashes
Since
1.0.0

protected static string decode_entities( string $string )
Convert all entities to their character counterparts.
This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't do anything
with other entities like &auml;, but we don't need them in the URL protocol
whitelisting system anyway.
Parameters
- $string
string $string Content to change entities
Returns
string Content after decoded entities
Since
1.0.0

protected static string decode_entities_chr( array $match )
Regex callback for decode_entities() (wp_kses_decode_entities), decimal &#NNN; entities.
Parameters
- $match
array $match preg match
Returns
string

protected static string decode_entities_chr_hexdec( array $match )
Regex callback for decode_entities() (wp_kses_decode_entities), hexadecimal &#xNN; entities.
Parameters
- $match
array $match preg match
Returns
string