Inbuilt Sanitization Functions in WordPress

WordPress core has a number of inbuilt functions that can be used as sanitizers, that is, to clean up user input before it is stored or used.

These functions are super handy in situations where you want to skip writing code for a custom sanitizing function.

Also, in custom theme settings where you need to use a sanitize_callback, you can simply use the name of the function in place of a custom function name and get your work done.

Below is a list of such functions that you will commonly use in a theme –

absint( mixed $maybeint ): This function returns a non-negative integer from the given input (the absolute value of the input cast to an integer).

esc_url_raw( string $url, string[] $protocols = null ): The function checks the given URL against a list of allowed protocols. The default protocols in the $protocols array are 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'irc6', 'ircs', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'sms', 'svn', 'tel', 'fax', 'xmpp', 'webcal', and 'urn', which covers most common protocols.

sanitize_email( string $email ): It takes an $email string as input and returns a valid email by stripping out all the characters that are not allowed in an email.

sanitize_file_name( string $filename ): It takes a $filename string as input and strips out special characters from the name. It also trims period, dash and underscore from the beginning and the end of filename.

sanitize_hex_color( string $color ): It takes a $color string, sanitizes it and returns a hex color with the preceding # symbol.

sanitize_hex_color_no_hash( string $color ): This function takes a $color string and returns a valid color hex value without the # sign.

sanitize_html_class( string $class, string $fallback = '' ): Takes a $class string and strips it down to the characters A-Z, a-z, 0-9, _ and -. It returns the $fallback string if $class is empty after being stripped.

sanitize_key( string $key ): Takes a string as input, sanitizes the string and removes all special characters except lowercase alphanumeric characters, dashes, and underscores. Returns the stripped string.

sanitize_mime_type( string $mime_type ): Takes a $mime_type string as input. Sanitizes the mime type and returns the correct type.

sanitize_option( string $option, string $value ): This function takes a $value string and sanitizes it against the $option. There are some 51 options in WordPress that this function evaluates the value for.

sanitize_sql_orderby( string $orderby ): Takes a $orderby string and checks that it is a valid order by clause. Returns the order by string if valid, else returns false.

sanitize_text_field( string $str ): The function takes a string, checks for invalid UTF-8, converts single < characters to entities, removes the line breaks, tabs and extra whitespace and strips tags and octets. Returns the sanitized string.

sanitize_title( string $title, string $fallback_title = '', string $context = 'save' ): Takes a string as input and converts it to a slug, primarily for use in a URL. If the title is empty then the fallback title will be used ( if given ). The $context parameter denotes the operation for which the string is sanitized. When the value of $context is set to 'save', accented characters ( if any ) are removed from the string.

sanitize_title_for_query( string $title ): It takes a $title string and sanitizes it with the query context.

sanitize_title_with_dashes( string $title, string $raw_title = '', string $context = 'display' ): This function takes a string ( $title ) as input and replaces whitespace and some other characters with dashes. It limits the output string to alphanumeric characters, underscore (_) and dash (-).

sanitize_user( string $username, bool $strict = false ): It takes a $username string and strips out unsafe characters. The second parameter, $strict, if set to true, restricts the returned string to alphanumeric characters, _, space, ., -, and @.

wp_filter_post_kses( string $data ): It takes post content as $data. The content should be escaped with slashes for this function. Returns content with allowed HTML tags and attributes.

wp_kses( string $string, array[]|string $allowed_html, string[] $allowed_protocols = array() ): This function takes an input string ( $string ). Sanitizes the string based on allowed html ( $allowed_html – which is an array of HTML tags ). There is also an option to pass an array of allowed protocols ( $allowed_protocols ).

wp_kses_data( string $data ): This function takes a data string ( $data ) and returns it with only the HTML permitted by the KSES rules for the current context; all other tags are removed.

wp_rel_nofollow( string $text ): This function takes a string ( $text ), adds a rel=nofollow attribute to all <a> elements in the string and returns the same.
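As an added example (not code from the original page), here is how the functions above plug into theme settings as sanitize_callback values, including a small wrapper that gives sanitize_hex_color() a fallback; the mytheme_ function and setting names are assumed for illustration.

```php
<?php
// Added example: wiring built-in sanitizers into Customizer settings.
// The 'mytheme_' names are assumed for illustration only.
function mytheme_customize_register( WP_Customize_Manager $wp_customize ) {
    // Numeric setting: absint() turns "-5" into 5 and "abc" into 0,
    // so the stored value is always a non-negative integer.
    $wp_customize->add_setting( 'mytheme_posts_per_row', array(
        'default'           => 3,
        'sanitize_callback' => 'absint',
    ) );

    // Colour setting: sanitize_hex_color() returns "#rrggbb" or nothing,
    // so a wrapper supplies a fallback instead of saving an empty value.
    $wp_customize->add_setting( 'mytheme_accent_color', array(
        'default'           => '#0073aa',
        'sanitize_callback' => 'mytheme_sanitize_accent_color',
    ) );

    // URL setting: esc_url_raw() returns an empty string for any URL whose
    // scheme is not in the allowed-protocol list.
    $wp_customize->add_setting( 'mytheme_footer_link', array(
        'default'           => '',
        'sanitize_callback' => 'esc_url_raw',
    ) );

    // Free-text setting: sanitize_text_field() strips tags, line breaks
    // and stray octets before the value reaches the database.
    $wp_customize->add_setting( 'mytheme_footer_text', array(
        'default'           => '',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// Built-in sanitizer plus a fallback. WordPress passes the raw value and the
// WP_Customize_Setting object to the callback, so the setting's own default
// can be reused when the submitted colour is invalid.
function mytheme_sanitize_accent_color( $color, $setting ) {
    $clean = sanitize_hex_color( $color );
    return ( null === $clean || '' === $clean ) ? $setting->default : $clean;
}
```

esc_url_raw() is the right choice here because the value is being stored; when the same URL is later printed into a template, escape it again with esc_url() for output.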