: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
* @var string[] $allowedxmlentitynames Array of KSES allowed XML entity names.
$allowedxmlentitynames = array(
$allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
$required_kses_globals = array(
$missing_kses_globals = array();
foreach ( $required_kses_globals as $global_name ) {
if ( ! isset( $GLOBALS[ $global_name ] ) || ! is_array( $GLOBALS[ $global_name ] ) ) {
$missing_kses_globals[] = '<code>$' . $global_name . '</code>';
if ( $missing_kses_globals ) {
/* translators: 1: CUSTOM_TAGS, 2: Global variable names. */
__( 'When using the %1$s constant, make sure to set these globals to an array: %2$s.' ),
'<code>CUSTOM_TAGS</code>',
implode( ', ', $missing_kses_globals )
$allowedtags = wp_kses_array_lc( $allowedtags );
$allowedposttags = wp_kses_array_lc( $allowedposttags );
* Filters text content and strips out disallowed HTML.
* This function makes sure that only the allowed HTML element names, attribute
* names, attribute values, and HTML entities will occur in the given text string.
* This function expects unslashed data.
* @see wp_kses_post() for specifically filtering post content and fields.
* @see wp_allowed_protocols() for the default allowed protocols in link URLs.
* @param string $content Text content to filter.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Optional. Array of allowed URL protocols.
* Defaults to the result of wp_allowed_protocols().
* @return string Filtered content containing only the allowed HTML.
function wp_kses( $content, $allowed_html, $allowed_protocols = array() ) {
if ( empty( $allowed_protocols ) ) {
$allowed_protocols = wp_allowed_protocols();
$content = wp_kses_no_null( $content, array( 'slash_zero' => 'keep' ) );
$content = wp_kses_normalize_entities( $content );
$content = wp_kses_hook( $content, $allowed_html, $allowed_protocols );
return wp_kses_split( $content, $allowed_html, $allowed_protocols );
* Filters one HTML attribute and ensures its value is allowed.
* This function can escape data in some situations where `wp_kses()` must strip the whole attribute.
* @param string $attr The 'whole' attribute, including name and value.
* @param string $element The HTML element name to which the attribute belongs.
* @return string Filtered attribute.
function wp_kses_one_attr( $attr, $element ) {
$uris = wp_kses_uri_attributes();
$allowed_html = wp_kses_allowed_html( 'post' );
$allowed_protocols = wp_allowed_protocols();
$attr = wp_kses_no_null( $attr, array( 'slash_zero' => 'keep' ) );
// Preserve leading and trailing whitespace.
preg_match( '/^\s*/', $attr, $matches );
preg_match( '/\s*$/', $attr, $matches );
$attr = substr( $attr, strlen( $lead ) );
$attr = substr( $attr, strlen( $lead ), -strlen( $trail ) );
// Parse attribute name and value from input.
$split = preg_split( '/\s*=\s*/', $attr, 2 );
if ( count( $split ) === 2 ) {
* Remove quotes surrounding $value.
* Also guarantee correct quoting in $attr for this one attribute.
if ( '"' === $quote || "'" === $quote ) {
if ( ! str_ends_with( $value, $quote ) ) {
$value = substr( $value, 1, -1 );
// Sanitize quotes, angle braces, and entities.
$value = esc_attr( $value );
if ( in_array( strtolower( $name ), $uris, true ) ) {
$value = wp_kses_bad_protocol( $value, $allowed_protocols );
$attr = "$name=$quote$value$quote";
// Sanitize attribute by name.
wp_kses_attr_check( $name, $value, $attr, $vless, $element, $allowed_html );
return $lead . $attr . $trail;
* Returns an array of allowed HTML tags and attributes for a given context.
* @since 5.0.1 `form` removed as allowable HTML tag.
* @global array $allowedposttags
* @global array $allowedtags
* @global array $allowedentitynames
* @param string|array $context The context for which to retrieve tags. Allowed values are 'post',
* 'strip', 'data', 'entities', or the name of a field filter such as
* 'pre_user_description', or an array of allowed HTML elements and attributes.
* @return array Array of allowed HTML tags and their allowed attributes.
function wp_kses_allowed_html( $context = '' ) {
global $allowedposttags, $allowedtags, $allowedentitynames;
if ( is_array( $context ) ) {
// When `$context` is an array it's actually an array of allowed HTML elements and attributes.
* Filters the HTML tags that are allowed for a given context.
* HTML tags and attribute names are case-insensitive in HTML but must be
* added to the KSES allow list in lowercase. An item added to the allow list
* in upper or mixed case will not recognized as permitted by KSES.
* @param array[] $html Allowed HTML tags.
* @param string $context Context name.
return apply_filters( 'wp_kses_allowed_html', $html, $context );
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
$tags = $allowedposttags;
'accept-charset' => true,
/** This filter is documented in wp-includes/kses.php */
$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
case 'pre_user_description':
$tags['a']['rel'] = true;
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $tags, $context );
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', array(), $context );
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context );
/** This filter is documented in wp-includes/kses.php */
return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context );
* You add any KSES hooks here.
* There is currently only one KSES WordPress hook, {@see 'pre_kses'}, and it is called here.
* All parameters are passed to the hooks and expected to receive a string.
* @param string $content Content to filter through KSES.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Array of allowed URL protocols.
* @return string Filtered content through {@see 'pre_kses'} hook.
function wp_kses_hook( $content, $allowed_html, $allowed_protocols ) {
* Filters content to be run through KSES.
* @param string $content Content to filter through KSES.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Array of allowed URL protocols.
return apply_filters( 'pre_kses', $content, $allowed_html, $allowed_protocols );
* Returns the version number of KSES.
* @return string KSES version number.
function wp_kses_version() {
* Searches for HTML tags, no matter how malformed.
* It also matches stray `>` characters.
* @since 6.6.0 Recognize additional forms of invalid HTML which convert into comments.
* @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'.
* @global string[] $pass_allowed_protocols Array of allowed URL protocols.
* @param string $content Content to filter.
* @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
* or a context name such as 'post'. See wp_kses_allowed_html()
* for the list of accepted context names.
* @param string[] $allowed_protocols Array of allowed URL protocols.
* @return string Content with fixed HTML tags
function wp_kses_split( $content, $allowed_html, $allowed_protocols ) {
global $pass_allowed_html, $pass_allowed_protocols;
$pass_allowed_html = $allowed_html;
$pass_allowed_protocols = $allowed_protocols;
$token_pattern = <<<REGEX
( # Detect comments of various flavors before attempting to find tags.
(<!--.*?(-->|$)) # - Normative HTML comments.
</[^a-zA-Z][^>]*> # - Closing tags with invalid tag names.
<![^>]*> # - Invalid markup declaration nodes. Not all invalid nodes
# are matched so as to avoid breaking legacy behaviors.
(<[^>]*(>|$)|>) # Tag-like spans of text.
return preg_replace_callback( $token_pattern, '_wp_kses_split_callback', $content );
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
