wp_kses ignore allowed and allow everything

wp_kses (Codex) removes unallowed tags, but it doesn’t remove their content. So, if you have a “{something}”, wp_kses only removes the tags, not the content, returning “{something}”. Thus, this is intended behaviour and your issue doesn’t seem to be a bug.

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. Should nonce be sanitized?
  7. esc_url removes white space. Can I change that to using ‘-‘?
  8. WP Coding standards – escaping the inescapable?
  9. What is the difference between strip_tags and wp_filter_nohtml_kses?
  10. Sanitatizing when using the posts_where hook
  11. Escape hexadecimals/rgba values
  12. Must I serialize/sanitize/escape array data before using set_transient?
  13. Echo JavaScript Safely
  14. Sanitize array callback for the WordPress Settings API
  15. How to escape $_GET and check if isset?
  16. What’s a safe / good way to output HTML safely within WordPress templates?
  17. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  18. Sanitizing output that contains quotes?
  19. WP_Customize_Manager: How to get control ID
  20. How to use wp_filter_oembed_result?
  21. Sanitization html output itself
  22. Post text sanitization after publishing/editing – changes are not saved
  23. wp_set_object_terms() without accents
  24. Escaping data from database (users table) is necessary?
  25. Properly sanitize an input field “Name “
  26. Does it make sense to sanitize the output of an SVG file?
  27. Sanitize a custom date meta field
  28. What is the proper way to sanitize $_POST and $_GET vars?
  29. Why is sanitize_text_field() selectively trimming data?
  30. what is a good method to sanitize the whole $_POST array in php?
  31. Is sanitize_title enough to generate post slugs?
  32. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  33. wordpress sanitize array?
  34. Data sanitization: Best Practices with code examples
  35. Typical wp_kses $allowed
  36. How safe / sanitized is wp_insert_posts()?
  37. Should HTML output be passed through esc_html() AND wp_kses()?
  38. When to use esc_html and when to use sanitize_text_field?
  39. How to safely sanitize a textarea which takes full HTML input
  40. How to get SimplePie fetch_feed without stripping iframe code?
  41. Sanitize and data validation with apply_filters() function
  42. Why is wp_kses not keeping style attributes as expected?
  43. Custom page with variables in url. Nice url with add_rewrite_rule
  44. Sanitize content from wp_editor
  45. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  46. What’s the difference between esc_* functions?
  47. What to use instead of wp_kses() in user output
  48. is_email() VS sanitize_email()
  49. Sanitizing integer input for update_post_meta
  50. Sanitize User Entered CSS
  51. Which KSES should be used and when?
  52. Is sanitize_text_field() is enough to save to DB?
  53. Settings API – sanitizing urls, email addresses and text
  54. What is the difference between esc_html and wp_filter_nohtml_kses?
  55. How to escape custom css?
  56. Escaping quotes from shortcode attributes
  57. Sanitation needed for WP_Query or get_posts calls?
  58. Escaping WP_Query tax_query when term has special character(s)
  59. wp_kses vs wp_strip_all_tags
  60. How to allow HTML tags into WP Bakery (formerly Visual Composer) `textfield` parameter
  61. Can I create customizer setting that can handle plugin shortcode?
  62. Escaping SVG with KSES
  63. how to escape wp_oembed_get for phpcs
  64. How to sanitize select box values in post meta?
  65. Does WordPress sanitize arguments to WP_Query?
  66. wp_kses_post only removes tags, but not their content
  67. WP doesn’t show Array Custom Fields?
  68. Make shortcode work with nested double quotes
  69. Do Cookies Need to be Sanatized Before Being Saved?
  70. Allowing more elements in comments via functions.php
  71. Shortcode putting html such as
  72. How to properly sanitize strings without $wpdb->prepare?
  73. Default WordPress settings API data sanitization
  74. How do I sanitize a javascript text?
  75. How to allow data:image attribute in src tag during post insert?
  76. WP Editor strips input placeholder attribute
  77. Importing JSON feed should the content be sanitized?
  78. how to sanitize checkbox input?
  79. Sanitizing post content for use in an email
  80. Should I sanitize custom post meta if it is going to be escaped later?
  81. Is there an equivalent of the PHP function sanitize_key in Gutenberg?
  82. How to display data from custom table in wordpress database?
  83. Remove tinyMCE from admin and replace with textarea
  84. How to get input_attrs in the sanitize function?
  85. wp_sanitize_redirect strips out @ signs (even from parameters) — why?
  86. Change allowed HTML tags for comments
  87. wp_kses() strips data attributes even if it’s in the allowed list
  88. What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?
  89. array_map() for sanitizing $_POST
  90. Sanitizing `wp_editor();` Values for Database, Edit, and Display
  91. Correct processing of `$_POST`, following WordPress Coding Standards
  92. How does WordPress store data?
  93. I’m confused about URL sanitization in meta boxes
  94. Sanitizing search data for use with WP_Query
  95. why is esc_html() returning nothing given a string containing a high-bit character?
  96. Sanitizing comments or escaping comment_text()
  97. Remove all table widths from editor content
  98. How to sanitize post meta field value?
  99. Remove tags from the kses filter
  100. Accepting certain HTML tags in WP List Table column data
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)