wp_kses ignore allowed and allow everything

wp_kses (Codex) removes unallowed tags, but it doesn’t remove their content. So, if you have a “{something}”, wp_kses only removes the tags, not the content, returning “{something}”. Thus, this is intended behaviour and your issue doesn’t seem to be a bug.

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. Should nonce be sanitized?
  7. esc_url removes white space. Can I change that to using ‘-‘?
  8. WP Coding standards – escaping the inescapable?
  9. What is the difference between strip_tags and wp_filter_nohtml_kses?
  10. Sanitatizing when using the posts_where hook
  11. Escape hexadecimals/rgba values
  12. Must I serialize/sanitize/escape array data before using set_transient?
  13. Echo JavaScript Safely
  14. Sanitize array callback for the WordPress Settings API
  15. How to escape $_GET and check if isset?
  16. What’s a safe / good way to output HTML safely within WordPress templates?
  17. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  18. Sanitizing output that contains quotes?
  19. WP_Customize_Manager: How to get control ID
  20. How to use wp_filter_oembed_result?
  21. Sanitization html output itself
  22. Post text sanitization after publishing/editing – changes are not saved
  23. wp_set_object_terms() without accents
  24. Escaping data from database (users table) is necessary?
  25. Properly sanitize an input field “Name “
  26. Is sanitize_title enough to generate post slugs?
  27. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  28. wordpress sanitize array?
  29. Should HTML output be passed through esc_html() AND wp_kses()?
  30. When to use esc_html and when to use sanitize_text_field?
  31. How to get SimplePie fetch_feed without stripping iframe code?
  32. Sanitize and data validation with apply_filters() function
  33. Why is wp_kses not keeping style attributes as expected?
  34. Sanitize content from wp_editor
  35. Sanitize User Entered CSS
  36. Which KSES should be used and when?
  37. Settings API – sanitizing urls, email addresses and text
  38. how to escape wp_oembed_get for phpcs
  39. Does WordPress sanitize arguments to WP_Query?
  40. WP doesn’t show Array Custom Fields?
  41. How to properly sanitize strings without $wpdb->prepare?
  42. How to allow data:image attribute in src tag during post insert?
  43. how to sanitize checkbox input?
  44. Sanitizing post content for use in an email
  45. How to get input_attrs in the sanitize function?
  46. wp_kses() strips data attributes even if it’s in the allowed list
  47. What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?
  48. Sanitizing `wp_editor();` Values for Database, Edit, and Display
  49. Sanitizing search data for use with WP_Query
  50. How to sanitize post meta field value?
  51. where to apply “apply filters” and other Sanitization Functions
  52. How to save html and text in the database?
  53. Data Validation: Always escape late / escape HTML Code
  54. Multiple register settings, with same option name – issue
  55. How to allow internal links using wp_kses filtration
  56. Filter string like a slug
  57. Sanitize textarea instead of input
  58. vs WordPress Security
  59. Cannot get ‘sanitize_callback’ to work for rest parameters
  60. How to sanitize user input?
  61. wpdb get_results() and prepare when to use prepare?
  62. HTML Entities displaying improperly as malformed escaped code
  63. Allow iframes from specific sites?
  64. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  65. Data sanitization for user registration and user login
  66. Copy content stored in meta to post content
  67. remove_accents does not seem to work (when used inside sanitize_file_name filter)
  68. Why wp_kses() not working for rel, target of link in WordPress
  69. What is the safe way to print tracking code / pixel code before tag or tag
  70. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  71. What’s the proper way to sanitize checkbox value sent to the database
  72. How to escape html generate by a loop
  73. Does meta-data need to be sanitized?
  74. Inline style HTML attribute is being stripped from all elements of a post
  75. Can A Post Meta Field Store multiple values that are not in an array?
  76. esc_attr on get_post_meta [closed]
  77. Using esc_url_raw with protocols properly
  78. Output Sanitation
  79. Broken kses.php function “wp_kses_named_entities” crashes WordPress
  80. Function sanitize_title() does not appear to be working
  81. Sanitaizing Select Optin For Custom Post Type Metabox in WP
  82. How to handle complex data with Settings API
  83. Toggle Shortcode Sanitize Title
  84. settings api and the data passed in the parameter
  85. HTML Img with data:image src gets sanitized in admin?
  86. Sanitizing URL in a WordPress plugin
  87. how to sanitize customizer checkbox control
  88. do I need to sanitize a shortcode’s function input?
  89. WordPress post_content gets deleted in cron after wp_update_post
  90. Form Sanitization and Validation
  91. Data not displaying in text field
  92. Proper Way to Sanitize Meta Input
  93. Sanitize html, where to sanitize
  94. Save selectlist value (taxonomy) in wp:wp_set_object_terms
  95. Add Protocol to Custom Menus
  96. Notice: Undefined index: in options-framework.php
  97. How to use esc_attr__() function properly to translate a variable that contains string?
  98. oneOf two possible objects in WP REST API?
  99. How to return responsive images from a sanitize_callback?
  100. how to sanitizing $_POST with the correct way?