WP_Customize_Widgets::sanitize_widget_instance( array $value, string $id_base = null ): array|void

Sanitizes a widget instance.

Description

Unserializes the JS instance for storing in the options. It is important that this filter is applied to an instance only once.

Parameters

$value (array, required)
Widget instance to sanitize.
$id_base (string, optional)
Base of the ID of the widget being sanitized.

Default: null

Return

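array|void Sanitized widget instance. Nothing is returned when the value is missing a required field, is not valid base64, fails the instance hash check, or cannot be unserialized.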

Source

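/**
 * Sanitizes a widget instance.
 *
 * Unserializes the JS instance for storing in the options. This must only be
 * applied to an instance once.
 *
 * A value is accepted on one of three paths: an empty array is passed through,
 * a `raw_instance` is returned for widgets that expose their instance over REST,
 * and otherwise the base64-encoded serialized instance is decoded only after its
 * hash key has been verified.
 *
 * @since 3.9.0
 * @since 5.8.0 Added the `$id_base` parameter.
 *
 * @global WP_Widget_Factory $wp_widget_factory
 *
 * @param array  $value   Widget instance to sanitize.
 * @param string $id_base Optional. Base of the ID of the widget being sanitized. Default null.
 * @return array|void Sanitized widget instance. Nothing is returned when the value is rejected.
 */
public function sanitize_widget_instance( $value, $id_base = null ) {
	global $wp_widget_factory;

	// An empty instance carries nothing to validate.
	if ( array() === $value ) {
		return $value;
	}

	if ( isset( $value['raw_instance'] ) && $id_base && wp_use_widgets_block_editor() ) {
		$widget_object = $wp_widget_factory->get_widget_object( $id_base );
		if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
			if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
				/*
				 * The content of the 'block' widget is not filtered on the fly while editing.
				 * Filter the content here to prevent vulnerabilities.
				 *
				 * NOTE(review): assumes raw_instance['content'] is present for 'block'
				 * widgets; it is read without an isset() check. Confirm against callers.
				 */
				$value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
			}

			/*
			 * This path returns the raw instance without the hash check used below.
			 * The only filtering applied here is the 'block' content filter above.
			 */
			return $value['raw_instance'];
		}
	}

	// All three markers must be present and non-empty before anything is decoded.
	if (
		empty( $value['is_widget_customizer_js_value'] ) ||
		empty( $value['instance_hash_key'] ) ||
		empty( $value['encoded_serialized_instance'] )
	) {
		return;
	}

	/*
	 * Both fields are taken from $value as given, so they may be arrays or other
	 * non-string types. base64_decode() and hash_equals() throw a TypeError for such
	 * arguments on PHP 8, so reject them here like any other malformed value.
	 */
	if ( ! is_string( $value['instance_hash_key'] ) || ! is_string( $value['encoded_serialized_instance'] ) ) {
		return;
	}

	// Strict mode: any character outside the base64 alphabet fails the decode.
	$decoded = base64_decode( $value['encoded_serialized_instance'], true );
	if ( false === $decoded ) {
		return;
	}

	// Constant-time comparison of the expected hash key against the supplied one.
	if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {
		return;
	}

	/*
	 * unserialize() can instantiate objects, so it must only ever see payloads that
	 * passed the hash check above; do not reorder these steps.
	 *
	 * NOTE(review): that check is only as strong as get_instance_hash_key(), which is
	 * defined outside this listing. Confirm it is keyed with a server-side secret.
	 */
	$instance = unserialize( $decoded );
	if ( false === $instance ) {
		return;
	}

	return $instance;
}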

Changelog

Version | Description
5.8.0 | Added the $id_base parameter.
3.9.0 | Introduced.
