wp_kses (Codex) removes unallowed tags, but it doesn’t remove their content. So, if you have a “{something}”, wp_kses only removes the tags, not the content, returning “{something}”. Thus, this is intended behaviour and your issue doesn’t seem to be a bug.
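The behaviour described in the answer, as an added example that is not part of the original post: it compares plain wp_kses() output with a variant that first drops chosen elements together with their content. It assumes WordPress is loaded (for instance via `wp eval-file`); the sample markup, the allowed-tag list and the helper name demo_drop_then_kses() are constructed for illustration.

```php
<?php
// Added example. Requires a loaded WordPress environment, e.g.:
//   wp eval-file kses-demo.php
// Sample input, allowed list and helper name are constructed for this demo.

$allowed = array(
	'a'      => array( 'href' => true ),
	'strong' => array(),
);

$input = '<p>Hello <strong>world</strong></p><script>alert(1)</script>';

/**
 * Remove the listed elements *with* their content, then run wp_kses().
 *
 * The regex pass is cosmetic only: it keeps leftover text such as script
 * source out of the result. wp_kses() is still the sanitizer, so markup
 * the regex misses (an unclosed tag, for instance) still loses its tags.
 */
function demo_drop_then_kses( $html, array $drop, array $allowed ) {
	foreach ( $drop as $tag ) {
		$quoted  = preg_quote( $tag, '@' );
		$pattern = '@<' . $quoted . '\b[^>]*>.*?</' . $quoted . '\s*>@si';
		$result  = preg_replace( $pattern, '', $html );
		if ( null !== $result ) { // preg_replace() returns null on error.
			$html = $result;
		}
	}
	return wp_kses( $html, $allowed );
}

// 1. Plain wp_kses(): disallowed tags are stripped, their inner text stays
//    behind as ordinary text.
$kses_only = wp_kses( $input, $allowed );

// 2. Drop <script> and <style> elements including content, then filter.
$dropped = demo_drop_then_kses( $input, array( 'script', 'style' ), $allowed );

// 3. wp_strip_all_tags(): removes script/style content and every tag, so it
//    only fits fields where no markup at all should survive.
$no_tags = wp_strip_all_tags( $input );

printf( "wp_kses only      : %s\n", $kses_only );
printf( "drop then wp_kses : %s\n", $dropped );
printf( "wp_strip_all_tags : %s\n", $no_tags );
```

The printed values are raw strings for terminal inspection; anything echoed into a page still needs the escaping function that matches its output context.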