Which KSES should be used and when?

The WP source shows that wp_filter_kses and wp_filter_post_kses are passed data that’s “expected to be escaped with slashes.”

On the other hand, wp_kses_data is passed data that’s “expected to not be escaped” and wp_kses_post has code that looks like wp_kses_data.


How safe is it to pass unknown (in terms of escaped with slashes) data to these functions?

Can the first set be preferred over the second or is preferring the second set safer?

Or is this a case where you absolutely need to know the condition of your data in terms of slashed?

–update–

I’m now figuring that if you don’t know whether the data is escaped you could use wp_kses_data( stripslashes_deep( $data ) ); and run the return through addslashes() if you need it escaped in the end.


1 comment

  1. From the codex:

    wp_filter_kses should generally be
    preferred over wp_kses_data because
    wp_magic_quotes escapes $_GET, $_POST,
    $_COOKIE, $_SERVER, and $_REQUEST
    fairly early in the hook system,
    shortly after ‘plugins_loaded’ but
    earlier than ‘init’ or ‘wp_loaded’.

    The first set is then preferred. More of a question of, “is stripping slashes more secure than not?” They both use the same allowed HTML. Well yeah, it depends in absolute cases, but I would assume that it is more secure to strip than not to.

    Basic usage of kses:

    $filtered = wp_kses($unfiltered, $allowed_html, $allowed_protocols);
    

    All of the WordPress kses functions then just do

    $filtered = wp_kses($unfiltered, $allowedtags);
    

    SO:

    $filtered = wp_kses_data($unfiltered);   // expects unslashed input, returns it unslashed
    $filtered = wp_filter_kses($unfiltered); // does the same, but will also slash escape the data

    The post variations use a different set of tags; those allowed for use by non-admins.
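As an added illustration of the slash contract discussed in the question’s update and in the comment above (this is not code from the question, the comment, or WordPress core), the following self-contained PHP script models the two families side by side. demo_sanitize() stands in for wp_kses() using a plain strip_tags() allow-list so the script runs without WordPress (it is not a substitute for the real filter), demo_map_deep() stands in for WordPress’s stripslashes_deep(), and every demo_* name is this example’s own.

```php
<?php
// Constructed example: models wp_kses_data() vs wp_filter_kses() slash handling.
// demo_sanitize() is a placeholder for wp_kses(); it only keeps a few inline tags.

function demo_sanitize(string $html): string
{
    // Placeholder for wp_kses(): keep <b>, <em>, <a>; drop every other tag.
    return strip_tags($html, '<b><em><a>');
}

// Mirrors wp_kses_data(): input is expected to be UNslashed, output is unslashed.
function demo_kses_data(string $unslashed): string
{
    return demo_sanitize($unslashed);
}

// Mirrors wp_filter_kses(): input is expected to be slashed; the slashes are
// removed before filtering and added back afterwards.
function demo_filter_kses(string $slashed): string
{
    return addslashes(demo_sanitize(stripslashes($slashed)));
}

// Stand-in for stripslashes_deep()-style recursion: apply $fn to every leaf.
function demo_map_deep($value, callable $fn)
{
    return is_array($value)
        ? array_map(fn($v) => demo_map_deep($v, $fn), $value)
        : $fn((string) $value);
}

// The asker's fallback for data of unknown slashing: normalise to unslashed,
// filter, then re-slash only if the caller needs slashed output.
function demo_kses_unknown($data, bool $want_slashed = false)
{
    $clean = demo_map_deep(demo_map_deep($data, 'stripslashes'), 'demo_sanitize');
    return $want_slashed ? demo_map_deep($clean, 'addslashes') : $clean;
}

// --- constructed sample inputs ---------------------------------------------
$raw     = "Tom's <b>bold</b> <script>alert(1)</script> text";
$slashed = addslashes($raw); // what wp_magic_quotes() does to $_POST and friends

// Matching the function to the data's state gives the expected results.
echo "kses_data(raw):       ", demo_kses_data($raw), "\n";
//   Tom's <b>bold</b> alert(1) text
echo "filter_kses(slashed): ", demo_filter_kses($slashed), "\n";
//   Tom\'s <b>bold</b> alert(1) text

// Mismatch 1: slashed data through the unslashed API leaks a stray backslash
// into the stored/rendered value.
echo "kses_data(slashed):   ", demo_kses_data($slashed), "\n";
//   Tom\'s <b>bold</b> alert(1) text

// Mismatch 2: unslashed data that legitimately contains backslashes loses them
// when it goes through the slashed API (stripslashes runs first).
$path = 'C:\\temp\\file.txt';
echo "filter_kses(path):    ", demo_filter_kses($path), "\n";
//   C:tempfile.txt

// The "strip first, re-slash if needed" fallback handles slashed input well...
echo "unknown(slashed,1):   ", demo_kses_unknown($slashed, true), "\n";
//   Tom\'s <b>bold</b> alert(1) text
// ...but is only lossless when the input really was slashed: genuine
// backslashes in unslashed input are still destroyed.
echo "unknown(path):        ", demo_kses_unknown($path), "\n";
//   C:tempfile.txt
```

The last two lines are the check to keep in mind before adopting the stripslashes-first fallback: it resolves the ambiguity the question raises, but only by assuming every backslash it sees is an escape, so it is safe for request data that wp_magic_quotes has already slashed and lossy for data that was never slashed in the first place.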