wp_kses ignore allowed and allow everything

wp_kses (Codex) removes unallowed tags, but it doesn’t remove their content. So, if you have a “{something}”, wp_kses only removes the tags, not the content, returning “{something}”. Thus, this is intended behaviour and your issue doesn’t seem to be a bug.

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. Should nonce be sanitized?
  7. esc_url removes white space. Can I change that to using ‘-‘?
  8. WP Coding standards – escaping the inescapable?
  9. What is the difference between strip_tags and wp_filter_nohtml_kses?
  10. Sanitatizing when using the posts_where hook
  11. Escape hexadecimals/rgba values
  12. Must I serialize/sanitize/escape array data before using set_transient?
  13. Echo JavaScript Safely
  14. Sanitize array callback for the WordPress Settings API
  15. How to escape $_GET and check if isset?
  16. What’s a safe / good way to output HTML safely within WordPress templates?
  17. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  18. Sanitizing output that contains quotes?
  19. WP_Customize_Manager: How to get control ID
  20. How to use wp_filter_oembed_result?
  21. Sanitization html output itself
  22. Post text sanitization after publishing/editing – changes are not saved
  23. wp_set_object_terms() without accents
  24. Escaping data from database (users table) is necessary?
  25. Properly sanitize an input field “Name “
  26. Does it make sense to sanitize the output of an SVG file?
  27. What is the proper way to sanitize $_POST and $_GET vars?
  28. Why is sanitize_text_field() selectively trimming data?
  29. How safe / sanitized is wp_insert_posts()?
  30. How to get SimplePie fetch_feed without stripping iframe code?
  31. What’s the difference between esc_* functions?
  32. Sanitizing integer input for update_post_meta
  33. Is sanitize_text_field() is enough to save to DB?
  34. Escaping quotes from shortcode attributes
  35. how to escape wp_oembed_get for phpcs
  36. How to sanitize select box values in post meta?
  37. wp_kses_post only removes tags, but not their content
  38. Do Cookies Need to be Sanatized Before Being Saved?
  39. How to allow data:image attribute in src tag during post insert?
  40. WP Editor strips input placeholder attribute
  41. Change allowed HTML tags for comments
  42. I’m confused about URL sanitization in meta boxes
  43. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  44. How to save html and text in the database?
  45. How to allow internal links using wp_kses filtration
  46. Is default functions like update_post_meta safe to use user inputs?
  47. Who is responsible for data sanitization in WordPress development?
  48. Proper use of internationalization
  49. How to sanitize my cookie name
  50. Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?
  51. MITM risk of not sanitizing?
  52. Which escape function to use when escaping an email or plain text?
  53. WordPress Settings API – Sanitize Integer
  54. CSS from textarea in options page to frontend what to do
  55. How to get rid of shortcodes in post content once and for all
  56. Make WordPress process admin group comments using $allowedtags
  57. How can I remove the kses filters when saving a specific post type ? (it breaks my JSON)
  58. Is it possible to run wp_kses on all posts?
  59. Why is WordPress Breaking Custom Elements with Hyphens Into Element and Attribute?
  60. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  61. How to use sanitize_callback?
  62. Unable to sanitize in customizer and escape in theme without removing ability for user to use “< br >” to insert a line break
  63. Are all hooks/functions tied to Kses meant for sanitization?
  64. sanitize_text_field and apostrophe problem
  65. Getting error to display radio button value in General Settings page
  66. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  67. How to allow &nbsp with wp_kses()?
  68. What’s the proper way to sanitize checkbox value sent to the database
  69. How to escape html generate by a loop
  70. Inline style HTML attribute is being stripped from all elements of a post
  71. Can A Post Meta Field Store multiple values that are not in an array?
  72. esc_attr on get_post_meta [closed]
  73. Using esc_url_raw with protocols properly
  74. Trouble creating custom sanitization function for user list dropdown
  75. Output Sanitation
  76. How to allow certain PHP functions when using sanitize_callback in the word press customizer
  77. Display the line breaks in user bio without using html
  78. Sanitize $_GET variable when comparing
  79. How can I apply custom sanitization to new usernames?
  80. How do I sanitize the str_replace function in javascript variables
  81. Sanitizing textarea for wp_insert_post with TinyMCE enabled or disabled
  82. Safely store code(html/js..) into database
  83. Sanitaizing Select Optin For Custom Post Type Metabox in WP
  84. How to handle complex data with Settings API
  85. settings api and the data passed in the parameter
  86. HTML Img with data:image src gets sanitized in admin?
  87. Sanitizing URL in a WordPress plugin
  88. Where is the HTML-handler part in the wpdb class?
  89. WordPress post_content gets deleted in cron after wp_update_post
  90. Form Sanitization and Validation
  91. Can we validate data from jquery
  92. Sanitize html, where to sanitize
  93. Any ideas how to allow CSS input to perfectly work in the text area with wp_kses?
  94. Custom-Metaboxes-and-Fields text_url field prepending http://
  95. Data validation for inline javascript
  96. oneOf two possible objects in WP REST API?
  97. How to return responsive images from a sanitize_callback?
  98. Multisite, but wp_kses_allowed_html only for one subsite?
  99. how to sanitizing $_POST with the correct way?
  100. sanitize meta input