Zack Tollman, ladies and gentlemen, is one of my favorite people in the world. Let's preface with that. He does not blog often, but when he blogs, it is fantastic. Go ahead and read everything he's ever written if you're a hardcore WordPress developer.
But fear not, this post is not just limited to hardcore WordPress developers. Indeed, Zack does a deep dive into the performance of wp_kses, a function that prevents nasty stuff from being put into various content areas in WordPress. You should absolutely read it, because it's amazing.
Let's start with his conclusion (though wp_kses is not why you must read this post):
In my opinion, a blanket policy that dictates that wp_kses should not be used on the frontend is largely misguided. There are situations in which use of the function would not present a meaningful performance impact. Notably, small pieces of content (e.g., titles, excerpts) with a short list of allowed HTML tags appears to perform well within the bounds of reason. It also seems that running the wp_kses functions against larger content is not out of the question. I would not qualify it as performant, but I certainly am not seeing levels of performance that suggest it should always not be used.
So, it's not always bad. Now, let's discuss a couple of additional things this deep-dive brings out:
1) Holy smokes, HHVM is crazy fast.
Look at this chart from Zack's post:
Don't know what HHVM is? Here's the best technical but human readable explanation I could find. But really, it's impossible to explain HHVM without lots of nerdery. Here's another super technical attempt with good internal reference links, from the official website. In short, HHVM was made by Facebook to make PHP-style code more performant, by processing it with a super custom “just in time” (aka: as needed) compiler. HHVM makes PHP-style code fast. See above chart.
Some hosts are actively exploring HHVM, or even enabling it. Compatibility isn't perfect yet, though within a year I anticipate many managed WordPress hosts will switch to HHVM, at least for some plans. Again, the above chart explains why. It's crazy fast.
2) Let me explore my data mines.
Zack must have done hours of research, all to figure out why an assumption is commonly made about a single function. And it turns out, that assumption didn't need to be as absolute as it was.
wp_kses can be used carefully on the front-end.
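What "carefully" looks like in practice is the case Zack's benchmark found cheap: a small piece of content run through wp_kses with a deliberately short allow-list. The snippet below is an added example, not code from Zack's post or from WordPress core; it assumes WordPress is loaded (for instance inside a theme template), and the helper name, the allow-list and the sample input are my own choices.

```php
<?php
// Added example: sanitise a small piece of content (an excerpt) at output time
// with a short allow-list. Assumes WordPress is loaded so wp_kses() exists.

// Hypothetical helper name; the allow-list below is our own choice.
function example_safe_excerpt_html( $excerpt ) {
    // Only inline formatting and plain links survive. Everything else
    // (script/style elements, event-handler attributes, unknown tags) is
    // stripped by wp_kses. A short list like this is the cheap case.
    $allowed_tags = array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'em'     => array(),
        'strong' => array(),
        'code'   => array(),
    );

    // Restricting the URL protocols as well keeps javascript: and data:
    // schemes out of href attributes.
    $allowed_protocols = array( 'http', 'https', 'mailto' );

    return wp_kses( $excerpt, $allowed_tags, $allowed_protocols );
}

// Constructed untrusted input for illustration (not real site content).
$untrusted = '<strong onmouseover="alert(1)">Bold</strong> '
           . '<script>alert(1)</script> '
           . '<a href="javascript:alert(1)">link</a>';

// Sanitise on output rather than trusting whatever markup is stored.
echo example_safe_excerpt_html( $untrusted );
// <strong> is kept but its onmouseover attribute is dropped, the <script>
// tags are removed (only their text remains), and the javascript: scheme
// is stripped from the href.

// For full post bodies, the same function with WordPress's much larger
// 'post' context allow-list is what wp_kses_post() wraps; that is the
// "larger content" case Zack measured as slower but still usable.
```

The design point is that cost scales with both the size of the input and the size of the allow-list, so keeping the list to the handful of tags a title or excerpt actually needs is what makes front-end use reasonable.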
But here's the funny thing. There are only a handful of people with enough breadth and depth of knowledge in the WordPress space to recall the type of stuff Zack researched without hours of study. And even they could end up on some pretty deep dives.
WordPress is a large application. There be dragons in some of the bowels of the WordPress codebase. Sometimes even the brightest minds don't know why a decision was made years ago without a lot of study.
So, it's good to question our common assumptions. We can't all be Sherlock Holmes and explore our data mines in our brains (That's a fun show, btw. I hear they're books too).
So, thanks to Zack for this deep dive. I learned a ton from it, and I think you will too.