WordPress sanitize and escape data

For input:

wp_filter_nohtml_kses();
wp_filter_kses();
wp_kses();

// validate html: keep only the allow-listed tags and attributes, strip everything else
$content = "<em>Visit</em> <a title='click link' href='http://wp.tutsplus.com'>google</a> to <strong>search</strong>";
echo wp_kses( $content, array(
    'strong' => array(),
    'a'      => array( 'href' => array() )  // allowed attributes are array keys, not values
) );
// prints the HTML "Visit <a href='http://wp.tutsplus.com'>google</a> to <strong>search</strong>"
// (<em> and the title attribute are removed because they are not in the allow-list)

For output:

esc_attr(); // escape for HTML attributes, checks for invalid UTF-8
esc_html(); // escape for data within HTML, checks for invalid UTF-8
esc_js(); // escape single quotes, htmlspecialchars " < > &, fixes line endings (for use inside a JS string literal)
esc_textarea(); // escapes data for use in a textarea
esc_url(); // strips invalid characters from a URL and makes it safe to output

echo zeroise(70,4); // prints 0070
sanitize_text_field(); // strips tags, checks for invalid UTF-8, removes line breaks, tabs and extra white space
intval(); // integer value
absint( $maybeint ); // http://codex.wordpress.org/Function_Reference/absint - synonym of abs( intval( $foo ) )
wp_filter_post_kses(); // sanitize for allowed HTML tags and attributes
sanitize_title(); // strips PHP and HTML tags and reduces the string to a URL-safe slug
sanitize_key(); // lowercase alphanumeric characters, dashes and underscores

// validate email
$email = is_email('someone@e^ample.com'); // $email is set to false.  
$email = is_email('someone@example.com'); // $email is set to 'someone@example.com'


// balance tags
// Content with missing closing </strong> tag
$content = "<em>Click</em> <a href='http://wp.tutsplus.com'>here</a> to visit <strong> wptuts+";
echo balanceTags( $content, true );
// Prints the HTML "<em>Click</em> <a href='http://wp.tutsplus.com'>here</a> to visit <strong> wptuts+</strong>"


// anti-spam bot email
$email = "joebloggs@example.com";
$email = sanitize_email( $email );
// second argument 1 = hex-encode for the mailto: href; without it the visible text is entity-encoded
echo '<a href="mailto:' . antispambot( $email, 1 ) . '" title="Click to e-mail me">' . antispambot( $email ) . '</a>';

// Query Strings
add_query_arg();
remove_query_arg();
// If we are at www.example.com/wp-admin/edit.php?post_type=book
$query_params = array( 'page' => 'my-page' );
$url = add_query_arg( $query_params );
// Would set $url to be: www.example.com/wp-admin/edit.php?post_type=book&page=my-page

// Without a URL argument both functions operate on the current request URL;
// $order is assumed to hold the sort direction ('asc' or 'desc') set earlier
$link_visits_sorting = remove_query_arg( 'orderby' );
$link_visits_sorting = add_query_arg( 'orderby', 'visits', $link_visits_sorting );
$link_visits_sorting = remove_query_arg( 'order', $link_visits_sorting );
$link_visits_sorting = add_query_arg( 'order', $order, $link_visits_sorting );
  • sanitize_file_name( $filename ) – sanitizes (or validates) the file-name by removing characters that are illegal in filenames on certain operating systems or that would require escaping at the command line. Replaces spaces with dashes and consecutive dashes with a single dash and removes periods, dashes and underscores from the beginning and end of the filename.
  • wp_unique_filename( $dir, $filename ) – returns a unique (for directory $dir), sanitized filename (it uses sanitize_file_name).

Example:
<h1 class="entry-title"><a href="<?php the_permalink(); ?>" title="<?php echo esc_attr( sprintf( __( 'Permalink to %s', 'themename' ), the_title_attribute( 'echo=0' ) ) ); ?>" rel="bookmark"><?php the_title(); ?></a></h1>

<a href="<?php echo esc_url( $url ); ?>" title="<?php echo esc_attr( $title ); ?>">
<?php echo esc_html( $text ); ?>
</a>
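Putting the two halves together: an added example (not code from the original page) of a small profile handler that sanitizes each submitted field with the matching function on input and escapes each value for the context it is printed into on output. The field names, the option name 'myplugin_profile' and the $_POST source are assumptions; it expects WordPress to be loaded.

```php
<?php
// Added example: sanitize on the way in, escape on the way out.
// Assumes WordPress is loaded; field names and the option name are made up.

// Allow-list for the free-text "bio" field: only these tags/attributes survive wp_kses().
function myplugin_bio_allowed_html() {
    return array(
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );
}

// INPUT: each untrusted field gets the sanitizer that matches its type.
function myplugin_sanitize_profile( array $raw ) {
    $email = is_email( $raw['email'] ?? '' );  // false when invalid, the address when valid
    return array(
        'name'    => sanitize_text_field( $raw['name'] ?? '' ),
        'slug'    => sanitize_title( $raw['name'] ?? '' ),
        'email'   => $email ? sanitize_email( $email ) : '',
        'website' => esc_url_raw( $raw['website'] ?? '' ),  // esc_url_raw() for storage, esc_url() for display
        'age'     => absint( $raw['age'] ?? 0 ),
        'bio'     => wp_kses( $raw['bio'] ?? '', myplugin_bio_allowed_html() ),
    );
}

// POST handler: only the sanitized copy is ever stored.
function myplugin_save_profile() {
    update_option( 'myplugin_profile', myplugin_sanitize_profile( wp_unslash( $_POST ) ) );
}

// OUTPUT: every value is escaped for the exact context it lands in.
function myplugin_render_profile() {
    $defaults = array( 'name' => '', 'slug' => '', 'email' => '', 'website' => '', 'age' => 0, 'bio' => '' );
    $p = wp_parse_args( get_option( 'myplugin_profile', array() ), $defaults );
    ?>
    <div id="profile-<?php echo esc_attr( $p['slug'] ); ?>">
        <h2><?php echo esc_html( $p['name'] ); ?> (<?php echo (int) $p['age']; ?>)</h2>
        <a href="<?php echo esc_url( $p['website'] ); ?>" title="<?php echo esc_attr( $p['name'] ); ?>">
            <?php echo esc_html( $p['website'] ); ?>
        </a>
        <?php if ( $p['email'] ) : ?>
            <a href="mailto:<?php echo antispambot( $p['email'], 1 ); ?>"><?php echo antispambot( $p['email'] ); ?></a>
        <?php endif; ?>
        <?php // bio was allow-listed on input; re-running wp_kses() on output also covers stale stored data ?>
        <div class="bio"><?php echo wp_kses( $p['bio'], myplugin_bio_allowed_html() ); ?></div>
    </div>
    <?php
}
```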
