sanitize_text_field( string $str )

Sanitizes a string from user input or from the database.


Description Description

  • Checks for invalid UTF-8,
  • Converts single < characters to entities
  • Strips all tags
  • Removes line breaks, tabs, and extra whitespace
  • Strips octets

See also See also


Top ↑

Parameters Parameters

$str

(string) (Required) String to sanitize.


Top ↑

Return Return

(string) Sanitized string.


Top ↑

More Information More Information

Basic Usage

<?php sanitize_text_field( $str ) ?>

Top ↑

Source Source

File: wp-includes/formatting.php

function sanitize_text_field( $str ) {
	$filtered = _sanitize_text_fields( $str, false );

	/**
	 * Filters a sanitized text field string.
	 *
	 * @since 2.9.0
	 *
	 * @param string $filtered The sanitized string.
	 * @param string $str      The string prior to being sanitized.
	 */
	return apply_filters( 'sanitize_text_field', $filtered, $str );
}


Top ↑

Changelog Changelog

Changelog
Version Description
2.9.0 Introduced.

Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note 2 content

    I ran across an issue with one of my plugins, as it was going through the initial security review, where I had an array that wasn’t passing a security check. The sanitize_text_field() function only works on a string, not an array’d item.

    I located this nice little tidbit of code to sanitize an array, properly.

    /***
     * To ensure arrays are properly sanitized to WordPress Codex standards,
     * they encourage usage of sanitize_text_field(). That only works with a single
     * variable (string). This function allows for a full blown array to get sanitized
     * properly, while sanitizing each individual value in a key -> value pair.
     *
     * Source: https://wordpress.stackexchange.com/questions/24736/wordpress-sanitize-array
     * Author: Broshi, answered Feb 5 '17 at 9:14
     */
    function wporg_recursive_sanitize_text_field( $array ) {
    	foreach ( $array as $key => &$value ) {
    		if ( is_array( $value ) ) {
    			$value = wporg_recursive_sanitize_text_field( $value );
    		} else {
    			$value = sanitize_text_field( $value );
    		}
    	}
    	return $array;
    }

    IMHO, this needs to become a core feature of WordPress’ sanitation functions. Lior Broshi is the gentleman that came up with this creative solution (I have obtained his permission to share this).

You must log in before being able to contribute a note or feedback.