[wp-trac] [WordPress Trac] #63881: KSES: Deprecate wp_kses_stripslashes

WordPress Trac noreply at wordpress.org
Tue Aug 26 17:12:25 UTC 2025


#63881: KSES: Deprecate wp_kses_stripslashes
-------------------------+--------------------------------------
 Reporter:  jonsurrell   |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  General      |    Version:
 Severity:  normal       |   Keywords:  2nd-opinion dev-feedback
  Focuses:               |
-------------------------+--------------------------------------
 [https://developer.wordpress.org/reference/functions/wp_kses_stripslashes/
 wp_kses_stripslashes()] does not appear to have a purpose in modern PHP.
 Documentation suggests that it was required to support the `e` ''eval''
 regular expression flag:

 > This function changes the character sequence `\"` to just `"`. It leaves
 all other slashes alone. The quoting from `preg_replace(//e)` requires
 this.

 [https://core.trac.wordpress.org/ticket/19877#comment:1 Some historical
 context] from @duck_ supports this (bold mine):

 > wp_kses_stripslashes is a legacy function that had to be used to deal
 with addslashes() run when using preg_replace() and the eval modifier. The
 double quotes remained slashed because the backreference in the PHP string
 to be evaluated was in single quotes, so a custom slash removal function
 was used to remove slashes from in front of double quotes.
 >
 > I would prefer to actually remove the call as it's no longer necessary.
 If you're passing slashed data to kses it should be stripped first --
 which is why we do stripslashes in wp_filter_kses(). **Unfortunately
 removing the call would cause breakage for those passing in slashed data
 containing double quoted attributes as this happens to work at the
 moment.**

 There is a potential problem mentioned that should be better understood
 before proceeding.

 -----

 [https://www.php.net/manual/en/migration70.changed-functions.php The flag
 was removed in PHP 7], so the `e` flag is not supported by any PHP version
 that WordPress supports. `wp_kses_stripslashes()` is likely obsolete.

 There was work to remove the `e` flag usage 16-17 years ago:

 - [10339]
 - [12198]

 Related tickets:

 - #19877
 - #56118

 The function may be doing more harm than good at this point. See
 [https://github.com/WordPress/gutenberg/issues/6619 Gutenberg 6619] and
 [https://github.com/WordPress/gutenberg/issues/16508 Gutenberg 16508].

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63881>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
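
The behaviour and the compatibility concern discussed in the ticket above, as an added example that is not part of the ticket or of WordPress core. `demo_kses_stripslashes()` is a hypothetical stand-in written from the documented behaviour quoted in the ticket, and both sample inputs are constructed.

```php
<?php
// Added example, not WordPress core code. demo_kses_stripslashes() is a
// hypothetical stand-in written from the behaviour documented in the ticket:
// it turns \" into " and leaves every other backslash alone.
function demo_kses_stripslashes( string $content ): string {
	return preg_replace( '%\\\\"%', '"', $content );
}

// Constructed sample 1: markup that a caller slashed before passing it on.
$markup  = '<a title="Bob\'s page" href="/about">About</a>';
$slashed = addslashes( $markup );

// Constructed sample 2: unslashed JSON whose \" escapes are real data.
$json = json_encode( array( 'caption' => 'say "hi"' ) );

// Each case pairs the input with the value the caller actually meant.
$cases = array(
	'slashed markup' => array( $slashed, $markup ),
	'unslashed JSON' => array( $json, $json ),
);

foreach ( $cases as $label => list( $input, $expected ) ) {
	$results = array(
		'no unslashing'          => $input,
		'demo_kses_stripslashes' => demo_kses_stripslashes( $input ),
		'stripslashes'           => stripslashes( $input ),
	);
	echo "== $label ==\n";
	foreach ( $results as $how => $output ) {
		$state = ( $output === $expected ) ? 'intact' : 'altered';
		printf( "%-24s %-8s %s\n", $how, $state, $output );
	}
}

// Check whether the JSON sample still parses after the partial unslashing.
$parsed = json_decode( demo_kses_stripslashes( $json ) );
printf( "JSON parses after demo_kses_stripslashes: %s\n", null === $parsed ? 'no' : 'yes' );
```

Only the slashed markup depends on the partial unslashing, and even there the `\'` survives; input that was never slashed loses backslashes that were part of its data.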

