You may have heard about the wp_kses or encountered it in during writing a code or reading someone's code. Or maybe in reading the WP core.

As it has a weird name, the first question comes to our mind is what it does and where to use it. Let's discuss the use of this functions in briefly

What is "kses"?

Here “kses” stands for “KSES Strips Evil Scripts.” It is a function that is used to filter or only allow the HTML element, attribute names and values that are allowed by you. It is a way to sanitize a string, but not probably the most efficient way. WordPress has its own way to manage Input (Saving into DB) and output (Displaying to the user) of the data. Using this function makes your code more robust and secure. 

<?php
     wp_kses( $str, $allowed_html, $allowed_protocols = array() );
?>

The above function accepts three arguments,

1. $str is a required string field type in which the data need to be filtered or processed before input or output in WordPress
2. $allowed_html is an array type and a required field in which we can define HTML elements and attributes that are allowed to pass.
3. $allowed_protocol() is an array type which is optional field. In this, we can specify the allowed protocols. Defaults are 'http', 'https', 'ftp' etc.

Where to use this function ??

Before using this function you have to be clear about what you output or input is going to accept or reject. Once you are clear you can strip out the unnecessary things from your input or output. There are some other variations of this function such as

wp_kses_post 

wp_kses_allowed_html 

You can read more about the sanitization and other functions here.

In the end, it is a way to write a code robustly and increasing security in your code. Whenever we write or create a plugin we should make sure we sanitize the output/input. Here are some helper functions for sanitizing output or before the data is being echoed.