WordPress.org
Get WordPress
WordPress.org

WordPress Developer Resources

_sanitize_text_fields()

_sanitize_text_fields( string $str, bool $keep_newlines = false ): string

In this article

Back to top

This function’s access is marked private. This means it is not intended for use by plugin or theme developers, only in other core functions. It is listed here for completeness.

Internal helper function to sanitize a string from user input or from the database.

Parameters

$strstringrequired
String to sanitize.
$keep_newlinesbooloptional
Whether to keep newlines. Default: false.

Default:false

Return

string Sanitized string.

Source

function _sanitize_text_fields( $str, $keep_newlines = false ) {
	if ( is_object( $str ) || is_array( $str ) ) {
		return '';
	}

	$str = (string) $str;

	$filtered = wp_check_invalid_utf8( $str );

	if ( str_contains( $filtered, '<' ) ) {
		$filtered = wp_pre_kses_less_than( $filtered );
		// This will strip extra whitespace for us.
		$filtered = wp_strip_all_tags( $filtered, false );

		/*
		 * Use HTML entities in a special case to make sure that
		 * later newline stripping stages cannot lead to a functional tag.
		 */
		$filtered = str_replace( "<\n", "&lt;\n", $filtered );
	}

	if ( ! $keep_newlines ) {
		$filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
	}
	$filtered = trim( $filtered );

	// Remove percent-encoded characters.
	$found = false;
	while ( preg_match( '/%[a-f0-9]{2}/i', $filtered, $match ) ) {
		$filtered = str_replace( $match[0], '', $filtered );
		$found    = true;
	}

	if ( $found ) {
		// Strip out the whitespace that may now exist after removing percent-encoded characters.
		$filtered = trim( preg_replace( '/ +/', ' ', $filtered ) );
	}

	return $filtered;
}

View all references View on Trac View on GitHub

UsesDescription
wp_strip_all_tags()wp-includes/formatting.php

Properly strips all HTML tags including script and style

wp_pre_kses_less_than()wp-includes/formatting.php

Converts lone less than signs.

wp_check_invalid_utf8()wp-includes/formatting.php

Checks for invalid UTF8 in a string.

Used byDescription
sanitize_textarea_field()wp-includes/formatting.php

Sanitizes a multiline string from user input or from the database.

sanitize_text_field()wp-includes/formatting.php

Sanitizes a string from user input or from the database.

Changelog

VersionDescription
4.7.0Introduced.

User Contributed Notes

You must log in before being able to contribute a note or feedback.