Sanitizes a string from user input or from the database.
Description
- Checks for invalid UTF-8,
- Converts single < characters to entities,
- Strips all tags,
- Removes line breaks, tabs, and extra whitespace,
- Strips percent-encoded characters.
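As an added illustration of the steps listed above (this test is not part of the reference page or of WordPress core), a WP_UnitTestCase data provider that pins down each documented behaviour on constructed inputs; it assumes the WordPress PHPUnit test environment is loaded.

```php
<?php
// Added example, not code from the reference page or from WordPress core.
// Assumes the WordPress PHPUnit test environment (WP_UnitTestCase) is loaded.
class Tests_Sanitize_Text_Field_Contract extends WP_UnitTestCase {

	/**
	 * @dataProvider data_sanitize_text_field
	 */
	public function test_sanitize_text_field( $input, $expected ) {
		$this->assertSame( $expected, sanitize_text_field( $input ) );
	}

	public function data_sanitize_text_field() {
		return array(
			// Tags are stripped; script/style blocks lose their body too.
			'strips tags'           => array( 'Hello <b>World</b>', 'Hello World' ),
			'drops script body'     => array( '<script>alert(1)</script>Title', 'Title' ),
			// A "<" that never closes is encoded rather than dropped.
			'encodes lone lt'       => array( 'a < b', 'a &lt; b' ),
			// Newlines, tabs and repeated spaces collapse to one space; ends are trimmed.
			'collapses whitespace'  => array( "  one\n\ttwo   three  ", 'one two three' ),
			// Percent-encoded octets are removed, so an encoded tag cannot
			// reappear if the value is urldecode()d later.
			'strips percent octets' => array( '%3Cscript%3E', 'script' ),
			// A bare "%" not followed by two hex digits is ordinary text.
			'keeps bare percent'    => array( '100% done', '100% done' ),
		);
	}
}
```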
Parameters
$str
string, required - String to sanitize.
Return
string Sanitized string.
More Information
Basic Usage
<?php sanitize_text_field( $str ) ?>
Source
function sanitize_text_field( $str ) {
	$filtered = _sanitize_text_fields( $str, false );

	/**
	 * Filters a sanitized text field string.
	 *
	 * @since 2.9.0
	 *
	 * @param string $filtered The sanitized string.
	 * @param string $str      The string prior to being sanitized.
	 */
	return apply_filters( 'sanitize_text_field', $filtered, $str );
}
Hooks
- apply_filters( 'sanitize_text_field', string $filtered, string $str ) Filters a sanitized text field string.
Related
Uses | File | Description |
---|---|---|
_sanitize_text_fields() | wp-includes/formatting.php | Internal helper function to sanitize a string from user input or from the database. |
apply_filters() | wp-includes/plugin.php | Calls the callback functions that have been added to a filter hook. |
Used by | File | Description |
---|---|---|
WP_Font_Utils::sanitize_font_family() | wp-includes/fonts/class-wp-font-utils.php | Sanitizes and formats font family names. |
WP_Font_Utils::get_font_face_slug() | wp-includes/fonts/class-wp-font-utils.php | Generates a slug from font face properties, e.g. |
WP_Font_Collection::get_sanitization_schema() | wp-includes/fonts/class-wp-font-collection.php | Retrieves the font collection sanitization schema. |
WP_REST_Templates_Controller::get_wp_templates_author_text_field() | wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php | Returns a human readable text for the author of the template. |
wp_get_theme_preview_path() | wp-includes/theme-previews.php | Filters the blog option to return the path for the previewed theme. |
wp_attach_theme_preview_middleware() | wp-includes/theme-previews.php | Adds a middleware to |
WP_REST_Pattern_Directory_Controller::prepare_item_for_response() | wp-includes/rest-api/endpoints/class-wp-rest-pattern-directory-controller.php | Prepare a raw block pattern before it gets output in a REST API response. |
WP_REST_Site_Health_Controller::get_directory_sizes() | wp-includes/rest-api/endpoints/class-wp-rest-site-health-controller.php | Gets the current directory sizes for this install. |
WP_Application_Passwords::create_new_application_password() | wp-includes/class-wp-application-passwords.php | Creates a new application password. |
WP_Application_Passwords::update_application_password() | wp-includes/class-wp-application-passwords.php | Updates an application password. |
WP_REST_Plugins_Controller::sanitize_plugin_param() | wp-includes/rest-api/endpoints/class-wp-rest-plugins-controller.php | Sanitizes the "plugin" parameter to be a proper plugin file with ".php" appended. |
WP_Sitemaps::render_sitemaps() | wp-includes/sitemaps/class-wp-sitemaps.php | Renders sitemap templates based on rewrite rules. |
wp_ajax_toggle_auto_updates() | wp-admin/includes/ajax-actions.php | Handles enabling or disabling plugin and theme auto-updates via AJAX. |
WP_Debug_Data::debug_data() | wp-admin/includes/class-wp-debug-data.php | Static function for generating site debug data when required. |
wp_ajax_health_check_get_sizes() | wp-admin/includes/ajax-actions.php | Handles site health check to get directories and database sizes via AJAX. |
WP_Privacy_Requests_Table::get_views() | wp-admin/includes/class-wp-privacy-requests-table.php | Gets an associative array ( id => link ) with the list of views available on this table. |
WP_Privacy_Requests_Table::prepare_items() | wp-admin/includes/class-wp-privacy-requests-table.php | Prepares items to output. |
_wp_personal_data_handle_actions() | wp-admin/includes/privacy-tools.php | Handle list table actions. |
WP_Customize_Manager::handle_load_themes_request() | wp-includes/class-wp-customize-manager.php | Loads themes into the theme browsing/installation UI. |
WP_Widget_Custom_HTML::update() | wp-includes/widgets/class-wp-widget-custom-html.php | Handles updating settings for the current Custom HTML widget instance. |
rest_sanitize_value_from_schema() | wp-includes/rest-api.php | Sanitize a value based on a schema. |
WP_REST_Attachments_Controller::create_item() | wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php | Creates a single attachment. |
wp_ajax_delete_plugin() | wp-admin/includes/ajax-actions.php | Handles deleting a plugin via AJAX. |
WP_Customize_Nav_Menu_Setting::sanitize() | wp-includes/customize/class-wp-customize-nav-menu-setting.php | Sanitize an input. |
WP_Customize_Nav_Menu_Item_Setting::sanitize() | wp-includes/customize/class-wp-customize-nav-menu-item-setting.php | Sanitize an input. |
WP_Customize_Nav_Menus::ajax_search_available_items() | wp-includes/class-wp-customize-nav-menus.php | Ajax handler for searching available menu items. |
wp_ajax_update_plugin() | wp-admin/includes/ajax-actions.php | Handles updating a plugin via AJAX. |
validate_another_blog_signup() | wp-signup.php | Validates a new site sign-up for an existing user. |
validate_blog_signup() | wp-signup.php | Validates new site signup. |
WP_Plugins_List_Table::prepare_items() | wp-admin/includes/class-wp-plugins-list-table.php | |
WP_Links_List_Table::prepare_items() | wp-admin/includes/class-wp-links-list-table.php | |
WP_MS_Themes_List_Table::prepare_items() | wp-admin/includes/class-wp-ms-themes-list-table.php | |
WP_Theme_Install_List_Table::prepare_items() | wp-admin/includes/class-wp-theme-install-list-table.php | |
edit_user() | wp-admin/includes/user.php | Edit user settings based on contents of $_POST |
WP_Plugin_Install_List_Table::prepare_items() | wp-admin/includes/class-wp-plugin-install-list-table.php | |
media_handle_upload() | wp-admin/includes/media.php | Saves a file submitted from a POST request and creates an attachment post for it. |
edit_post() | wp-admin/includes/post.php | Updates an existing post with values provided in |
wp_ajax_save_attachment() | wp-admin/includes/ajax-actions.php | Handles updating attachment attributes via AJAX. |
WP_Customize_Manager::save() | wp-includes/class-wp-customize-manager.php | Handles customize_save WP Ajax request to save/update a changeset. |
WP_Nav_Menu_Widget::update() | wp-includes/widgets/class-wp-nav-menu-widget.php | Handles updating settings for the current Navigation Menu widget instance. |
WP_Widget_Recent_Comments::update() | wp-includes/widgets/class-wp-widget-recent-comments.php | Handles updating settings for the current Recent Comments widget instance. |
WP_Widget_Tag_Cloud::update() | wp-includes/widgets/class-wp-widget-tag-cloud.php | Handles updating settings for the current Tag Cloud widget instance. |
WP_Widget_Recent_Posts::update() | wp-includes/widgets/class-wp-widget-recent-posts.php | Handles updating the settings for the current Recent Posts widget instance. |
WP_Widget_Categories::update() | wp-includes/widgets/class-wp-widget-categories.php | Handles updating settings for the current Categories widget instance. |
WP_Widget_Text::update() | wp-includes/widgets/class-wp-widget-text.php | Handles updating settings for the current Text widget instance. |
WP_Widget_Calendar::update() | wp-includes/widgets/class-wp-widget-calendar.php | Handles updating settings for the current Calendar widget instance. |
WP_Widget_Meta::update() | wp-includes/widgets/class-wp-widget-meta.php | Handles updating settings for the current Meta widget instance. |
WP_Widget_Archives::update() | wp-includes/widgets/class-wp-widget-archives.php | Handles updating settings for the current Archives widget instance. |
WP_Widget_Search::update() | wp-includes/widgets/class-wp-widget-search.php | Handles updating settings for the current Search widget instance. |
WP_Widget_Pages::update() | wp-includes/widgets/class-wp-widget-pages.php | Handles updating settings for the current Pages widget instance. |
register_new_user() | wp-includes/user.php | Handles registering a new user. |
wp_page_menu() | wp-includes/post-template.php | Displays or retrieves a list of pages with an optional home link. |
Changelog
Version | Description |
---|---|
2.9.0 | Introduced. |
This function is not for protecting against SQL injection, so please don’t use it in your database queries. In most cases using https://developer.wordpress.org/reference/classes/wpdb/prepare/ with placeholders is best for database queries.
Sanitize an array
Check whether the string is a valid UTF-8 character, and remove all HTML tags.
I ran across an issue with one of my plugins, as it was going through the initial security review, where I had an array that wasn’t passing a security check. The sanitize_text_field() function only works on a string, not an array’d item.
I located this nice little tidbit of code to sanitize an array, properly.
IMHO, this needs to become a core feature of WordPress’ sanitation functions. Lior Broshi is the gentleman that came up with this creative solution (I have obtained his permission to share this).
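Building on the two notes above (the SQL-injection caveat and the request for an array-aware sanitizer), an added example that is neither WordPress core code nor the note author's snippet: a recursive wrapper around sanitize_text_field() and a form handler that still routes the sanitized value through $wpdb->prepare(). It assumes WordPress is loaded; the "myplugin_*" names, nonce action, option and table are hypothetical.

```php
<?php
// Added example, not from the reference page or the note's author. Assumes
// WordPress is loaded; "myplugin_*" names and the table are hypothetical.

/**
 * Apply sanitize_text_field() to a scalar, or recursively to a nested array,
 * since the core function only handles a single string. Keys are sanitized
 * too, as they are just as attacker-controlled as the values.
 */
function myplugin_sanitize_text_field_recursive( $value ) {
	if ( is_array( $value ) ) {
		$clean = array();
		foreach ( $value as $key => $item ) {
			$clean[ sanitize_text_field( (string) $key ) ] = myplugin_sanitize_text_field_recursive( $item );
		}
		return $clean;
	}
	return sanitize_text_field( (string) $value );
}

/**
 * Form handler: capability and nonce checks, sanitize, then a prepared query.
 */
function myplugin_handle_tags_form() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	check_admin_referer( 'myplugin_save_tags' );

	$raw  = isset( $_POST['myplugin_tags'] ) ? wp_unslash( $_POST['myplugin_tags'] ) : array();
	$tags = myplugin_sanitize_text_field_recursive( $raw );

	// Sanitized text is fine to store as an option as-is.
	update_option( 'myplugin_tags', $tags );

	// It is not SQL-safe by itself: quoting is $wpdb->prepare()'s job.
	global $wpdb;
	foreach ( array_filter( $tags, 'is_string' ) as $tag ) {
		$wpdb->query(
			$wpdb->prepare(
				"INSERT INTO {$wpdb->prefix}myplugin_tags (name) VALUES (%s)",
				$tag
			)
		);
	}
}
add_action( 'admin_post_myplugin_save_tags', 'myplugin_handle_tags_form' );
```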