sanitize_text_field( string $str ): string

Sanitizes a string from user input or from the database.

Contents

Description

  • Checks for invalid UTF-8,
  • Converts single < characters to entities
  • Strips all tags
  • Removes line breaks, tabs, and extra whitespace
  • Strips percent-encoded characters

Top ↑

See also

Top ↑

Parameters

$str string Required
String to sanitize.

Top ↑

Return

string Sanitized string.

Top ↑

More Information

Basic Usage

<?php sanitize_text_field( $str ) ?>

Top ↑

Source

File: wp-includes/formatting.php. View all references 

function sanitize_text_field( $str ) {
	$filtered = _sanitize_text_fields( $str, false );

	/**
	 * Filters a sanitized text field string.
	 *
	 * @since 2.9.0
	 *
	 * @param string $filtered The sanitized string.
	 * @param string $str      The string prior to being sanitized.
	 */
	return apply_filters( 'sanitize_text_field', $filtered, $str );
}

View on Trac View on GitHub

Top ↑

Hooks

Top ↑

Top ↑

Uses

Uses
Uses Description
_sanitize_text_fields() wp-includes/formatting.php

Internal helper function to sanitize a string from user input or from the database.
apply_filters() wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.

Top ↑

Used By

Used By
Used By Description
wp_get_theme_preview_path() wp-includes/theme-previews.php

Filters the blog option to return the path for the previewed theme.
wp_attach_theme_preview_middleware() wp-includes/theme-previews.php

Adds a middleware to apiFetch to set the theme for the preview.
WP_REST_Pattern_Directory_Controller::prepare_item_for_response() wp-includes/rest-api/endpoints/class-wp-rest-pattern-directory-controller.php

Prepare a raw block pattern before it gets output in a REST API response.
WP_REST_Site_Health_Controller::get_directory_sizes() wp-includes/rest-api/endpoints/class-wp-rest-site-health-controller.php

Gets the current directory sizes for this install.
WP_Application_Passwords::create_new_application_password() wp-includes/class-wp-application-passwords.php

Creates a new application password.
WP_Application_Passwords::update_application_password() wp-includes/class-wp-application-passwords.php

Updates an application password.
WP_REST_Plugins_Controller::sanitize_plugin_param() wp-includes/rest-api/endpoints/class-wp-rest-plugins-controller.php

Sanitizes the “plugin” parameter to be a proper plugin file with “.php” appended.
WP_Sitemaps::render_sitemaps() wp-includes/sitemaps/class-wp-sitemaps.php

Renders sitemap templates based on rewrite rules.
wp_ajax_toggle_auto_updates() wp-admin/includes/ajax-actions.php

Handles enabling or disable plugin and theme auto-updates via AJAX.
WP_Debug_Data::debug_data() wp-admin/includes/class-wp-debug-data.php

Static function for generating site debug data when required.
wp_ajax_health_check_get_sizes() wp-admin/includes/ajax-actions.php

Handles site health check to get directories and database sizes via AJAX.
WP_Privacy_Requests_Table::get_views() wp-admin/includes/class-wp-privacy-requests-table.php

Gets an associative array ( id => link ) with the list of views available on this table.
WP_Privacy_Requests_Table::prepare_items() wp-admin/includes/class-wp-privacy-requests-table.php

Prepares items to output.
_wp_personal_data_handle_actions() wp-admin/includes/privacy-tools.php

Handle list table actions.
WP_Customize_Manager::handle_load_themes_request() wp-includes/class-wp-customize-manager.php

Loads themes into the theme browsing/installation UI.
WP_Widget_Custom_HTML::update() wp-includes/widgets/class-wp-widget-custom-html.php

Handles updating settings for the current Custom HTML widget instance.
rest_sanitize_value_from_schema() wp-includes/rest-api.php

Sanitize a value based on a schema.
WP_REST_Attachments_Controller::create_item() wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

Creates a single attachment.
wp_ajax_delete_plugin() wp-admin/includes/ajax-actions.php

Handles deleting a plugin via AJAX.
WP_Customize_Nav_Menu_Setting::sanitize() wp-includes/customize/class-wp-customize-nav-menu-setting.php

Sanitize an input.
WP_Customize_Nav_Menu_Item_Setting::sanitize() wp-includes/customize/class-wp-customize-nav-menu-item-setting.php

Sanitize an input.
WP_Customize_Nav_Menus::ajax_search_available_items() wp-includes/class-wp-customize-nav-menus.php

Ajax handler for searching available menu items.
wp_ajax_update_plugin() wp-admin/includes/ajax-actions.php

Handles updating a plugin via AJAX.
validate_another_blog_signup() wp-signup.php

Validates a new site sign-up for an existing user.
validate_blog_signup() wp-signup.php

Validates new site signup.
edit_user() wp-admin/includes/user.php

Edit user settings based on contents of $_POST
media_handle_upload() wp-admin/includes/media.php

Saves a file submitted from a POST request and create an attachment post for it.
edit_post() wp-admin/includes/post.php

Updates an existing post with values provided in $_POST.
wp_ajax_save_attachment() wp-admin/includes/ajax-actions.php

Handles updating attachment attributes via AJAX.
WP_Customize_Manager::save() wp-includes/class-wp-customize-manager.php

Handles customize_save WP Ajax request to save/update a changeset.
WP_Nav_Menu_Widget::update() wp-includes/widgets/class-wp-nav-menu-widget.php

Handles updating settings for the current Navigation Menu widget instance.
WP_Widget_Recent_Comments::update() wp-includes/widgets/class-wp-widget-recent-comments.php

Handles updating settings for the current Recent Comments widget instance.
WP_Widget_Tag_Cloud::update() wp-includes/widgets/class-wp-widget-tag-cloud.php

Handles updating settings for the current Tag Cloud widget instance.
WP_Widget_Recent_Posts::update() wp-includes/widgets/class-wp-widget-recent-posts.php

Handles updating the settings for the current Recent Posts widget instance.
WP_Widget_Categories::update() wp-includes/widgets/class-wp-widget-categories.php

Handles updating settings for the current Categories widget instance.
WP_Widget_Text::update() wp-includes/widgets/class-wp-widget-text.php

Handles updating settings for the current Text widget instance.
WP_Widget_Calendar::update() wp-includes/widgets/class-wp-widget-calendar.php

Handles updating settings for the current Calendar widget instance.
WP_Widget_Meta::update() wp-includes/widgets/class-wp-widget-meta.php

Handles updating settings for the current Meta widget instance.
WP_Widget_Archives::update() wp-includes/widgets/class-wp-widget-archives.php

Handles updating settings for the current Archives widget instance.
WP_Widget_Search::update() wp-includes/widgets/class-wp-widget-search.php

Handles updating settings for the current Search widget instance.
WP_Widget_Pages::update() wp-includes/widgets/class-wp-widget-pages.php

Handles updating settings for the current Pages widget instance.
register_new_user() wp-includes/user.php

Handles registering a new user.
wp_page_menu() wp-includes/post-template.php

Displays or retrieves a list of pages with an optional home link.
Show 38 more used by Hide more used by

Top ↑

Changelog

Changelog
Version Description
2.9.0 Introduced.

Top ↑

User Contributed Notes

  3. Skip to note 3 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 2You must log in to vote on the helpfulness of this note
    Contributed by 凱寧

    Check whether the string is a valid UTF-8 character, and remove all HTML tags.

    $str = "<h2>Title</h2>";
sanitize_text_field( $str ); // it will return "title" without any HTML tags!
  4. Skip to note 4 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note
    Contributed by Douglas "BearlyDoug" Hazard

    I ran across an issue with one of my plugins, as it was going through the initial security review, where I had an array that wasn’t passing a security check. The sanitize_text_field() function only works on a string, not an array’d item.

    I located this nice little tidbit of code to sanitize an array, properly.

    /***
 * To ensure arrays are properly sanitized to WordPress Codex standards,
 * they encourage usage of sanitize_text_field(). That only works with a single
 * variable (string). This function allows for a full blown array to get sanitized
 * properly, while sanitizing each individual value in a key -> value pair.
 *
 * Source: https://wordpress.stackexchange.com/questions/24736/wordpress-sanitize-array
 * Author: Broshi, answered Feb 5 '17 at 9:14
 */
function wporg_recursive_sanitize_text_field( $array ) {
	foreach ( $array as $key => &$value ) {
		if ( is_array( $value ) ) {
			$value = wporg_recursive_sanitize_text_field( $value );
		} else {
			$value = sanitize_text_field( $value );
		}
	}
	return $array;
}

    IMHO, this needs to become a core feature of WordPress’ sanitation functions. Lior Broshi is the gentleman that came up with this creative solution (I have obtained his permission to share this).

You must log in before being able to contribute a note or feedback.