WordPress.org
Get WordPress
WordPress.org

WordPress Developer Resources

WP_Theme::sanitize_header()

WP_Theme::sanitize_header( string $header, string $value ): string|array

In this article

Back to top

This function’s access is marked private. This means it is not intended for use by plugin or theme developers, only in other core functions. It is listed here for completeness.

Sanitizes a theme header.

Parameters

$headerstringrequired
Theme header. Accepts 'Name', 'Description', 'Author', 'Version', 'ThemeURI', 'AuthorURI', 'Status', 'Tags', 'RequiresWP', 'RequiresPHP', 'UpdateURI'.
$valuestringrequired
Value to sanitize.

Return

string|array An array for Tags header, string otherwise.

Source

private function sanitize_header( $header, $value ) {
	switch ( $header ) {
		case 'Status':
			if ( ! $value ) {
				$value = 'publish';
				break;
			}
			// Fall through otherwise.
		case 'Name':
			static $header_tags = array(
				'abbr'    => array( 'title' => true ),
				'acronym' => array( 'title' => true ),
				'code'    => true,
				'em'      => true,
				'strong'  => true,
			);

			$value = wp_kses( $value, $header_tags );
			break;
		case 'Author':
			// There shouldn't be anchor tags in Author, but some themes like to be challenging.
		case 'Description':
			static $header_tags_with_a = array(
				'a'       => array(
					'href'  => true,
					'title' => true,
				),
				'abbr'    => array( 'title' => true ),
				'acronym' => array( 'title' => true ),
				'code'    => true,
				'em'      => true,
				'strong'  => true,
			);

			$value = wp_kses( $value, $header_tags_with_a );
			break;
		case 'ThemeURI':
		case 'AuthorURI':
			$value = sanitize_url( $value );
			break;
		case 'Tags':
			$value = array_filter( array_map( 'trim', explode( ',', strip_tags( $value ) ) ) );
			break;
		case 'Version':
		case 'RequiresWP':
		case 'RequiresPHP':
		case 'UpdateURI':
			$value = strip_tags( $value );
			break;
	}

	return $value;
}

View all references View on Trac View on GitHub

UsesDescription
sanitize_url()wp-includes/formatting.php

Sanitizes a URL for database or redirect usage.

wp_kses()wp-includes/kses.php

Filters text content and strips out disallowed HTML.

Used byDescription
WP_Theme::get()wp-includes/class-wp-theme.php

Gets a raw, unformatted theme header.

Changelog

VersionDescription
6.1.0Added support for Update URI header.
5.4.0Added support for Requires at least and Requires PHP headers.
3.4.0Introduced.

User Contributed Notes

You must log in before being able to contribute a note or feedback.