The WP source shows that wp_filter_kses and wp_filter_post_kses are passed data that's "expected to be escaped with slashes." On the other hand, wp_kses_data is passed data that's "expected to not be escaped" and wp_kses_post has code that looks like wp_kses_data.
How safe is it to pass unknown (in terms of escaped with slashes) data to these functions? Can the first set be preferred over the second, or is preferring the second set safer? Or is this a case where you absolutely need to know the condition of your data in terms of slashing?
–update–
I'm now figuring that if you don't know whether the data is escaped you could use wp_kses_data( stripslashes_deep( $data ) ); and run the return through addslashes() if you need it escaped in the end.
From the codex:
The first set is then preferred. More of a question of, “is stripping slashes more secure than not?” They both use the same allowed HTML. Well yeah it depends, in absolute cases, but I would assume that it is more secure to than not to.
Basic usage of kses:
All of the WordPress kses functions then just do
SO: the post variations use a different set of tags; those allowed for use by non-admins.
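The normalising wrapper sketched in the update, written out as an added example (not code from the question or from WordPress). It assumes WordPress is loaded so that wp_kses_data(), stripslashes_deep() and wp_slash() are available; the function name and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the question or from WordPress core. Assumes WordPress
// is loaded so wp_kses_data(), stripslashes_deep() and wp_slash() exist.

/**
 * Sanitise $data with the wp_kses_data allowed-tag set when you do not know
 * whether $data arrived slashed. Returns unslashed output unless $want_slashed
 * is true, in which case the result is re-slashed for code that expects it.
 */
function example_kses_unknown_slashing( $data, $want_slashed = false ) {
    // Strip first so slashed and unslashed input reach kses in the same form.
    $clean = wp_kses_data( stripslashes_deep( $data ) );
    return $want_slashed ? wp_slash( $clean ) : $clean;
}

// Constructed inputs: the same value in unslashed and slashed form.
$unslashed = "O'Reilly <script>alert(1)</script> <b>bold</b>";
$slashed   = addslashes( $unslashed );

// Both forms sanitise to the same output (the <script> tag is removed, <b> kept).
var_dump( example_kses_unknown_slashing( $slashed ) === example_kses_unknown_slashing( $unslashed ) );

// Caveat: stripslashes_deep() is not a no-op on unslashed data that contains a
// literal backslash; the backslash in 'C:\temp' is removed. Only knowing the
// slashing state of your data avoids that loss.
var_dump( stripslashes_deep( 'C:\\temp' ) );
```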