sanitize_html_class() – Function | Developer.WordPress.org

Sanitizes an HTML classname to ensure it only contains valid characters.

Description

Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty string then it will return the alternative value supplied.

Parameters

$classnamestringrequired: The classname to be sanitized.
$fallbackstringoptional: The value to return if the sanitization ends up as an empty string.

Default:''

Return

string The sanitized value.

Source

function sanitize_html_class( $classname, $fallback = '' ) {
	// Strip out any percent-encoded characters.
	$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );

	// Limit to A-Z, a-z, 0-9, '_', '-'.
	$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );

	if ( '' === $sanitized && $fallback ) {
		return sanitize_html_class( $fallback );
	}
	/**
	 * Filters a sanitized HTML class string.
	 *
	 * @since 2.8.0
	 *
	 * @param string $sanitized The sanitized HTML class.
	 * @param string $classname HTML class before sanitization.
	 * @param string $fallback  The fallback string.
	 */
	return apply_filters( 'sanitize_html_class', $sanitized, $classname, $fallback );
}

View all references View on Trac View on GitHub

Changelog

Version	Description
2.8.0	Introduced.

User Contributed Notes

Skip to note 5 content

elnico 6 years ago

You must log in to vote on the helpfulness of this noteVote results for this note: 5You must log in to vote on the helpfulness of this note

Class names must not start with numbers and this function does not take this into acount.
https://www.w3.org/TR/CSS21/syndata.html#characters
This function may return a string starting with digits which by W3 definition are not valid class names.

Log in to add feedback

lieutenantdan 8 years ago

Created this function to help escape multiple HTML classes, you can give it an array of classes or a string of them separated by a delimiter:

if( ! function_exists("sanitize_html_classes") ){
    function sanitize_html_classes($classes, $sep = " "){
        $return = "";

        if(!is_array($classes)) {
            $classes = explode($sep, $classes);
        }

        if(!empty($classes)){
            foreach($classes as $class){
                $return .= sanitize_html_class($class) . " ";
            }
        }

        return $return;
    }
}

Codex 9 years ago

Basic Example

<?php
// If you want to explicitly style a post, you can use the sanitized version of the post title as a class
$post_class = sanitize_html_class( $post->post_title );
echo '<div class="' . $post_class . '">';
?>

Mahdi Yazdani 5 years ago

Sanitize multiple HTML classes in one pass.

Accepts either an array of $classes, or a space-separated string of class names and runs them to sanitize using the sanitize_html_class function.

/**
 * Sanitize multiple HTML classes in one pass.
 *
 * @param    array  $classes           Classes to be sanitized.
 * @param    string $return_format     The return format, 'input', 'string', or 'array'.
 * @return   array|string
 */
function prefix_sanitize_html_classes( $classes, $return_format = 'input' ) {
	if ( 'input' === $return_format ) {
		$return_format = is_array( $classes ) ? 'array' : 'string';
	}

	$classes           = is_array( $classes ) ? $classes : explode( ' ', $classes );
	$sanitized_classes = array_map( 'sanitize_html_class', $classes );

	if ( 'array' === $return_format ) {
		return $sanitized_classes;
	} else {
		return implode( ' ', $sanitized_classes );
	}
}

sanitize_html_class( string $classname, string $fallback = '' ): string

In this article