Function and usage of filter_block_kses_value() in wordpress

Question

Answers ( 1 )

    0
    2024-01-06T09:46:31+00:00

    The filter_block_kses_value() function in WordPress is designed to filter and sanitize parsed block attribute values. This ensures that any HTML contained within these values adheres to a specific set of rules, enhancing security by preventing malicious code from being executed. Here's a detailed breakdown of the function and its usage:

    Function Prototype:

    filter_block_kses_value( string[]|string $value, array[]|string $allowed_html, string[] $allowed_protocols = array() ): string[]|string
    

    Function Purpose:

    • Primary Goal: To filter and sanitize attribute values of blocks in WordPress.
    • Security Aspect: Removes non-allowable or potentially harmful HTML, safeguarding the site against malicious content.

    Parameters:

    1. $value (string[]|string, required):

      • Description: The attribute value that needs to be filtered and sanitized.
      • Type: Can be either a string or an array of strings, depending on the attribute value structure.
    2. $allowed_html (array[]|string, required):

      • Description: Specifies which HTML elements and attributes are allowed.
      • Type: Can be an array detailing the allowed HTML elements and attributes, or a context name (like 'post').
      • Note: The function wp_kses_allowed_html() provides a list of accepted context names and their corresponding allowed HTML elements and attributes.
    3. $allowed_protocols (string[], optional):

      • Description: Lists the URL protocols that are permitted within attribute values.
      • Type: An array of allowed URL protocols.
      • Default Value: If not specified, defaults to the result of the wp_allowed_protocols() function, which provides a standard set of allowed protocols.

    Return Value:

    • Type: string[]|string
    • Description: The function returns the filtered and sanitized version of the $value parameter. This return value will be of the same type as the $value input (either a string or an array of strings).

    Sample Usage:

    // Sample attribute value containing HTML
    $attribute_value = "<a href='https://example.com'>Click here</a>";
    
    // Define allowed HTML elements and attributes
    $allowed_html = array(
        'a' => array(
            'href' => array(),
            'title' => array()
        )
    );
    
    // Optionally, define allowed URL protocols
    $allowed_protocols = array('https', 'mailto');
    
    // Sanitize and filter the attribute value
    $sanitized_value = filter_block_kses_value($attribute_value, $allowed_html, $allowed_protocols);
    
    // Output the sanitized value
    echo $sanitized_value;
    

    In this example, $attribute_value is sanitized to ensure that it only contains 'a' tags with 'href' and 'title' attributes, adhering to the specified allowed HTML elements and protocols. The filter_block_kses_value() function is particularly useful in scenarios where user input or dynamic content is involved, as it helps maintain a secure and controlled environment.
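The sample above passes a single string. As an added example (not part of the answer above), the following plugin snippet applies the function to a whole block's attribute array from the render_block_data filter, which is where its recursion over nested arrays matters; the block name 'myplugin/callout', the callback name and the attribute layout are assumed for illustration.

```php
<?php
// Added example: sanitize every string inside a custom block's attributes
// before the block renders. The block name and callback name are assumed;
// the 'post' kses context, render_block_data, current_user_can() and
// wp_allowed_protocols() are real WordPress APIs.
add_filter( 'render_block_data', 'myplugin_sanitize_callout_attrs', 10, 2 );

function myplugin_sanitize_callout_attrs( $parsed_block, $source_block ) {
    if ( 'myplugin/callout' !== $parsed_block['blockName'] ) {
        return $parsed_block;
    }

    // Mirror core's own policy in filter_block_content(): users who hold
    // unfiltered_html are trusted, everyone else is held to the 'post'
    // allow-list (see wp_kses_allowed_html()).
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $parsed_block;
    }

    $allowed_html = wp_kses_allowed_html( 'post' );

    // A constructed attrs array might look like:
    //   array(
    //       'title' => '<strong>Note</strong>',
    //       'links' => array( array( 'url' => 'https://example.com', 'label' => '...' ) ),
    //       'level' => 2,
    //   )
    // filter_block_kses_value() walks the nested 'links' array, runs wp_kses()
    // on every string (array keys included) and leaves non-string scalars such
    // as 'level' untouched, so the returned array keeps the same shape.
    $parsed_block['attrs'] = filter_block_kses_value(
        $parsed_block['attrs'],
        $allowed_html,
        wp_allowed_protocols()
    );

    return $parsed_block;
}
```

Because this runs at render time it only affects output; content saved by users without unfiltered_html is already passed through the same kses rules by core on save.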
