WordPress.org
Get WordPress
WordPress.org

WordPress Developer Resources

sanitize_text_field()

sanitize_text_field( string $str ): string

In this article

Back to top

Sanitizes a string from user input or from the database.

Description

  • Checks for invalid UTF-8,
  • Converts single < characters to entities
  • Strips all tags
  • Removes line breaks, tabs, and extra whitespace
  • Strips percent-encoded characters

See also

Parameters

$strstringrequired
String to sanitize.

Return

string Sanitized string.

More Information

Basic Usage

<?php sanitize_text_field( $str ) ?>

Source

function sanitize_text_field( $str ) {
	$filtered = _sanitize_text_fields( $str, false );

	/**
	 * Filters a sanitized text field string.
	 *
	 * @since 2.9.0
	 *
	 * @param string $filtered The sanitized string.
	 * @param string $str      The string prior to being sanitized.
	 */
	return apply_filters( 'sanitize_text_field', $filtered, $str );
}

View all references View on Trac View on GitHub

Hooks

apply_filters( ‘sanitize_text_field’, string $filtered, string $str )

Filters a sanitized text field string.

UsesDescription
_sanitize_text_fields()wp-includes/formatting.php

Internal helper function to sanitize a string from user input or from the database.

apply_filters()wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.

Used byDescription
WP_Font_Utils::sanitize_font_family()wp-includes/fonts/class-wp-font-utils.php

Sanitizes and formats font family names.

WP_Font_Utils::get_font_face_slug()wp-includes/fonts/class-wp-font-utils.php

Generates a slug from font face properties, e.g. open sans;normal;400;100%;U+0-10FFFF

WP_Font_Collection::get_sanitization_schema()wp-includes/fonts/class-wp-font-collection.php

Retrieves the font collection sanitization schema.

WP_REST_Templates_Controller::get_wp_templates_author_text_field()wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php

Returns a human readable text for the author of the template.

wp_get_theme_preview_path()wp-includes/theme-previews.php

Filters the blog option to return the path for the previewed theme.

wp_attach_theme_preview_middleware()wp-includes/theme-previews.php

Adds a middleware to apiFetch to set the theme for the preview.

WP_REST_Pattern_Directory_Controller::prepare_item_for_response()wp-includes/rest-api/endpoints/class-wp-rest-pattern-directory-controller.php

Prepare a raw block pattern before it gets output in a REST API response.

WP_REST_Site_Health_Controller::get_directory_sizes()wp-includes/rest-api/endpoints/class-wp-rest-site-health-controller.php

Gets the current directory sizes for this install.

WP_Application_Passwords::create_new_application_password()wp-includes/class-wp-application-passwords.php

Creates a new application password.

WP_Application_Passwords::update_application_password()wp-includes/class-wp-application-passwords.php

Updates an application password.

WP_REST_Plugins_Controller::sanitize_plugin_param()wp-includes/rest-api/endpoints/class-wp-rest-plugins-controller.php

Sanitizes the “plugin” parameter to be a proper plugin file with “.php” appended.

WP_Sitemaps::render_sitemaps()wp-includes/sitemaps/class-wp-sitemaps.php

Renders sitemap templates based on rewrite rules.

wp_ajax_toggle_auto_updates()wp-admin/includes/ajax-actions.php

Handles enabling or disable plugin and theme auto-updates via AJAX.

wp_ajax_health_check_get_sizes()wp-admin/includes/ajax-actions.php

Handles site health check to get directories and database sizes via AJAX.

WP_Privacy_Requests_Table::get_views()wp-admin/includes/class-wp-privacy-requests-table.php

Gets an associative array ( id => link ) with the list of views available on this table.

WP_Privacy_Requests_Table::prepare_items()wp-admin/includes/class-wp-privacy-requests-table.php

Prepares items to output.

_wp_personal_data_handle_actions()wp-admin/includes/privacy-tools.php

Handle list table actions.

WP_Customize_Manager::handle_load_themes_request()wp-includes/class-wp-customize-manager.php

Loads themes into the theme browsing/installation UI.

WP_Widget_Custom_HTML::update()wp-includes/widgets/class-wp-widget-custom-html.php

Handles updating settings for the current Custom HTML widget instance.

rest_sanitize_value_from_schema()wp-includes/rest-api.php

Sanitize a value based on a schema.

WP_REST_Attachments_Controller::create_item()wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

Creates a single attachment.

wp_ajax_delete_plugin()wp-admin/includes/ajax-actions.php

Handles deleting a plugin via AJAX.

WP_Customize_Nav_Menu_Setting::sanitize()wp-includes/customize/class-wp-customize-nav-menu-setting.php

Sanitize an input.

WP_Customize_Nav_Menu_Item_Setting::sanitize()wp-includes/customize/class-wp-customize-nav-menu-item-setting.php

Sanitize an input.

WP_Customize_Nav_Menus::ajax_search_available_items()wp-includes/class-wp-customize-nav-menus.php

Ajax handler for searching available menu items.

wp_ajax_update_plugin()wp-admin/includes/ajax-actions.php

Handles updating a plugin via AJAX.

validate_another_blog_signup()wp-signup.php

Validates a new site sign-up for an existing user.

validate_blog_signup()wp-signup.php

Validates new site signup.

WP_Plugins_List_Table::prepare_items()wp-admin/includes/class-wp-plugins-list-table.php
WP_Links_List_Table::prepare_items()wp-admin/includes/class-wp-links-list-table.php
WP_MS_Themes_List_Table::prepare_items()wp-admin/includes/class-wp-ms-themes-list-table.php
WP_Theme_Install_List_Table::prepare_items()wp-admin/includes/class-wp-theme-install-list-table.php
edit_user()wp-admin/includes/user.php

Edit user settings based on contents of $_POST

WP_Plugin_Install_List_Table::prepare_items()wp-admin/includes/class-wp-plugin-install-list-table.php
media_handle_upload()wp-admin/includes/media.php

Saves a file submitted from a POST request and create an attachment post for it.

edit_post()wp-admin/includes/post.php

Updates an existing post with values provided in $_POST.

wp_ajax_save_attachment()wp-admin/includes/ajax-actions.php

Handles updating attachment attributes via AJAX.

WP_Customize_Manager::save()wp-includes/class-wp-customize-manager.php

Handles customize_save WP Ajax request to save/update a changeset.

WP_Nav_Menu_Widget::update()wp-includes/widgets/class-wp-nav-menu-widget.php

Handles updating settings for the current Navigation Menu widget instance.

WP_Widget_Tag_Cloud::update()wp-includes/widgets/class-wp-widget-tag-cloud.php

Handles updating settings for the current Tag Cloud widget instance.

WP_Widget_Recent_Comments::update()wp-includes/widgets/class-wp-widget-recent-comments.php

Handles updating settings for the current Recent Comments widget instance.

WP_Widget_Recent_Posts::update()wp-includes/widgets/class-wp-widget-recent-posts.php

Handles updating the settings for the current Recent Posts widget instance.

WP_Widget_Categories::update()wp-includes/widgets/class-wp-widget-categories.php

Handles updating settings for the current Categories widget instance.

WP_Widget_Calendar::update()wp-includes/widgets/class-wp-widget-calendar.php

Handles updating settings for the current Calendar widget instance.

WP_Widget_Text::update()wp-includes/widgets/class-wp-widget-text.php

Handles updating settings for the current Text widget instance.

WP_Widget_Archives::update()wp-includes/widgets/class-wp-widget-archives.php

Handles updating settings for the current Archives widget instance.

WP_Widget_Meta::update()wp-includes/widgets/class-wp-widget-meta.php

Handles updating settings for the current Meta widget instance.

WP_Widget_Search::update()wp-includes/widgets/class-wp-widget-search.php

Handles updating settings for the current Search widget instance.

WP_Widget_Pages::update()wp-includes/widgets/class-wp-widget-pages.php

Handles updating settings for the current Pages widget instance.

register_new_user()wp-includes/user.php

Handles registering a new user.

wp_page_menu()wp-includes/post-template.php

Displays or retrieves a list of pages with an optional home link.

Show 46 moreShow less

Changelog

VersionDescription
2.9.0Introduced.

User Contributed Notes

  3. Skip to note 7 content
    凱寧
    You must log in to vote on the helpfulness of this noteVote results for this note: 3You must log in to vote on the helpfulness of this note

    Check whether the string is a valid UTF-8 character, and remove all HTML tags.

    $str = "<h2>Title</h2>";
sanitize_text_field( $str ); // it will return "title" without any HTML tags!
  4. Skip to note 8 content
    Douglas “BearlyDoug” Hazard
    You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note

    I ran across an issue with one of my plugins, as it was going through the initial security review, where I had an array that wasn’t passing a security check. The sanitize_text_field() function only works on a string, not an array’d item.

    I located this nice little tidbit of code to sanitize an array, properly.

    /***
 * To ensure arrays are properly sanitized to WordPress Codex standards,
 * they encourage usage of sanitize_text_field(). That only works with a single
 * variable (string). This function allows for a full blown array to get sanitized
 * properly, while sanitizing each individual value in a key -> value pair.
 *
 * Source: https://wordpress.stackexchange.com/questions/24736/wordpress-sanitize-array
 * Author: Broshi, answered Feb 5 '17 at 9:14
 */
function wporg_recursive_sanitize_text_field( $array ) {
	foreach ( $array as $key => &$value ) {
		if ( is_array( $value ) ) {
			$value = wporg_recursive_sanitize_text_field( $value );
		} else {
			$value = sanitize_text_field( $value );
		}
	}
	return $array;
}

    IMHO, this needs to become a core feature of WordPress’ sanitation functions. Lior Broshi is the gentleman that came up with this creative solution (I have obtained his permission to share this).

You must log in before being able to contribute a note or feedback.