WordPress sanitize and escape data

For input (sanitizing untrusted data before it is stored or processed):

wp_filter_nohtml_kses(); // strips all HTML tags
wp_filter_kses(); // keeps only the tags and attributes in WordPress's default allowed list (expects slashed data, as passed through filters)
wp_kses(); // keeps only the tags and attributes you pass in; URI attributes (href, src) are also checked against the allowed protocols, so javascript: and data: links are dropped



// validate html

$content = "<em>Visit</em> <a title='click link' href='http://wp.tutsplus.com'>google</a> to <strong>search</strong>";

echo wp_kses( $content, array(
    'strong' => array(),
    'a'      => array( 'href' => array() ), // allowed attributes are the keys, not the values
) );

// prints the HTML "Visit <a href='http://wp.tutsplus.com'>google</a> to <strong>search</strong>":
// <em> is not in the allowed list, so the tag is dropped but its text is kept, and the
// title attribute on <a> is dropped because only href was allowed for that element

For output (escaping at the point where the data lands in HTML, JavaScript or a URL, for that exact context):

esc_attr(); // escape for HTML attribute values, checks for invalid UTF-8
esc_html(); // escape for text content within HTML, checks for invalid UTF-8
esc_js(); // escape for a string inside single-quoted inline JavaScript: escapes single quotes, encodes " < > & as entities, fixes line endings
esc_textarea(); // escapes data for use inside a <textarea>
esc_url(); // removes invalid characters, returns '' for URLs with a disallowed protocol (javascript:, data:), encodes & for HTML display; use esc_url_raw() when storing a URL rather than displaying it



echo zeroise(70,4); // prints 0070


sanitize_text_field(); // strips tags, checks for invalid UTF-8, removes line breaks, tabs and extra white space
intval(); // integer value (plain PHP)
absint( $maybeint ); // http://codex.wordpress.org/Function_Reference/absint - synonym of abs( intval( $foo ) ); use for IDs and counts
wp_filter_post_kses(); // sanitize against the HTML tags and attributes allowed in post content (expects slashed data, as passed through filters)
sanitize_title(); // makes a slug: strips PHP and HTML tags, removes accents, lowercases, replaces whitespace with dashes
sanitize_key(); // lowercase alphanumeric characters, dashes and underscores only (option names, array keys, orderby values)
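The two halves of the list above belong together: sanitize each field on the way in, store it, then escape it again on the way out for the context it lands in. The following round trip for a hypothetical plugin settings page is an added example, not code from the original page or from WordPress itself; the option name `myplugin_settings`, the field names and the `myplugin_` function names are assumptions, and the wiring (menu registration, hooking the save handler to a request) is omitted. It uses PHP 7's `??` operator.

```php
<?php
// Added example (not from the original page). Option name, field names and the
// myplugin_ prefix are assumptions for illustration.

function myplugin_save_settings() {
    // Only privileged users, and only with a valid nonce, may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' ); // dies on failure

    // WordPress adds slashes to $_POST; remove them before sanitizing.
    $raw = wp_unslash( $_POST );

    // sanitize_email() strips illegal characters; is_email() decides whether what is left is valid.
    $contact = sanitize_email( $raw['contact'] ?? '' );

    $clean = array(
        // plain text: tags, invalid UTF-8, line breaks and extra whitespace removed
        'title'    => sanitize_text_field( $raw['title'] ?? '' ),
        // rich text: only the tags and attributes allowed in post content survive
        'blurb'    => wp_kses_post( $raw['blurb'] ?? '' ),
        // number: coerce to a non-negative integer, never keep the string
        'per_page' => absint( $raw['per_page'] ?? 10 ),
        'contact'  => is_email( $contact ) ? $contact : '',
        // URL for storage: esc_url_raw() rejects javascript:/data: and does not HTML-encode
        'link'     => esc_url_raw( $raw['link'] ?? '' ),
    );

    update_option( 'myplugin_settings', $clean );
}

function myplugin_render_settings() {
    $opts = get_option( 'myplugin_settings', array() );
    // Escape late, at output, with the function that matches each context.
    ?>
    <form method="post">
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
        <input type="text" name="title" value="<?php echo esc_attr( $opts['title'] ?? '' ); ?>">
        <textarea name="blurb"><?php echo esc_textarea( $opts['blurb'] ?? '' ); ?></textarea>
        <input type="number" name="per_page" value="<?php echo absint( $opts['per_page'] ?? 10 ); ?>">
        <input type="email" name="contact" value="<?php echo esc_attr( $opts['contact'] ?? '' ); ?>">
        <input type="url" name="link" value="<?php echo esc_url( $opts['link'] ?? '' ); ?>">
        <p>
            Preview: <?php echo wp_kses_post( $opts['blurb'] ?? '' ); ?>
            <a href="<?php echo esc_url( $opts['link'] ?? '' ); ?>"><?php echo esc_html( $opts['title'] ?? '' ); ?></a>
        </p>
    </form>
    <?php
}
```

The stored blurb is already filtered HTML, so it is rendered through `wp_kses_post()` rather than `esc_html()` (which would show the tags as text) and placed in the textarea through `esc_textarea()`; every other value goes through the escaper for the attribute, text or URL slot it fills.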



// validate email

$email = is_email('someone@e^ample.com'); // $email is set to false.  

$email = is_email('someone@example.com'); // $email is set to 'someone@example.com'





// balance tags

// Content with missing closing </strong> tag
$content = "<em>Click</em> <a href='http://wp.tutsplus.com'>here</a> to visit <strong> wptuts+";

echo balanceTags( $content, true ); // true forces balancing regardless of the use_balanceTags option

// Prints the HTML "<em>Click</em> <a href='http://wp.tutsplus.com'>here</a> to visit <strong> wptuts+</strong>"





// anti-spam bot email

$email = "joebloggs@example.com";
$email = sanitize_email( $email );

// antispambot() obfuscates the address with HTML entities; the second argument (1)
// switches to the hex encoding suitable for a mailto: href. This hides the address
// from simple scrapers only, it is not an escaping function.
echo '<a href="mailto:' . antispambot( $email, 1 ) . '" title="Click to e-mail me">' . antispambot( $email ) . '</a>';

  



// Query Strings

add_query_arg(); // adds or replaces query parameters on a URL
remove_query_arg(); // removes query parameters from a URL

// Both default to the current request URL ($_SERVER['REQUEST_URI']) when no URL is
// given, and neither escapes its result, so always wrap the returned URL in esc_url()
// before echoing it into a page.

// If we are at www.example.com/wp-admin/edit.php?post_type=book
$query_params = array( 'page' => 'my-page' );
$url = add_query_arg( $query_params );
// Would set $url to be: www.example.com/wp-admin/edit.php?post_type=book&page=my-page

$order = 'desc'; // sort direction, e.g. from a validated request parameter

$link_visits_sorting = remove_query_arg( 'orderby' );
$link_visits_sorting = add_query_arg( 'orderby', 'visits', $link_visits_sorting );
$link_visits_sorting = remove_query_arg( 'order', $link_visits_sorting );
$link_visits_sorting = add_query_arg( 'order', $order, $link_visits_sorting );
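The sort-link sequence above, written as a reusable function that allow-lists the column, reads the current sort state safely from the request, builds on an explicit base URL and escapes the result. This is an added example, not code from the original page or from WordPress; the column names, the `myplugin_` function name and the `edit.php?post_type=book` base URL are assumptions.

```php
<?php
// Added example (not from the original page). Column list, function name and the
// base URL in the usage line are assumptions for illustration.

function myplugin_sort_link( $column, $base_url ) {
    // Allow-list the column so a caller passing request data cannot inject
    // arbitrary orderby values into the link (or into a later query).
    $allowed = array( 'visits', 'title', 'date' );
    if ( ! in_array( $column, $allowed, true ) ) {
        $column = 'visits';
    }

    // Current sort state from the request: unslash, then reduce to a safe key.
    // sanitize_key() lowercases, so normalise the direction afterwards.
    $current_by  = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : '';
    $current_dir = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'ASC';

    // Clicking the active column again toggles the direction.
    $dir = ( $current_by === $column && 'ASC' === $current_dir ) ? 'DESC' : 'ASC';

    // Drop the stale sort (and paging) parameters, then add the new ones. Passing
    // $base_url explicitly avoids building on the attacker-influenced REQUEST_URI.
    $url = remove_query_arg( array( 'orderby', 'order', 'paged' ), $base_url );
    $url = add_query_arg( array( 'orderby' => $column, 'order' => $dir ), $url );

    // add_query_arg() does not escape its output; esc_url() does. Never echo it raw.
    return '<a href="' . esc_url( $url ) . '">' . esc_html( ucfirst( $column ) ) . '</a>';
}

// Usage, inside an admin page callback (base URL is an assumption):
echo myplugin_sort_link( 'visits', admin_url( 'edit.php?post_type=book' ) );
```

The same allow-listed `$column` and `$dir` values are what should reach any `orderby`/`order` clause later on; a value that was never in the list never gets near a query.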

  • sanitize_file_name( $filename ) – sanitizes the file name by removing characters that are illegal in filenames on certain operating systems or that would require escaping at the command line (including path separators). Replaces spaces with dashes and consecutive dashes with a single dash and removes periods, dashes and underscores from the beginning and end of the filename. It does not check the file type.
  • wp_unique_filename( $dir, $filename ) – returns a unique (for directory $dir), sanitized filename (it uses sanitize_file_name), appending -1, -2, ... while the name is already taken.
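Storing an upload with these two functions, plus the type check that neither of them performs. This is an added example, not code from the original page or from WordPress; the form field name `report`, the allowed-type list and the `myplugin_` function name are assumptions. For real uploads `wp_handle_upload()` does all of this and more; the point here is what each step in the list above contributes.

```php
<?php
// Added example (not from the original page). Field name, allowed types and the
// function name are assumptions for illustration.

function myplugin_store_upload( $field = 'report' ) {
    if ( empty( $_FILES[ $field ] ) || UPLOAD_ERR_OK !== $_FILES[ $field ]['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }

    // Client-supplied name: strip path separators and shell-unfriendly characters.
    // ($_FILES is not slash-escaped by WordPress, so no wp_unslash() here.)
    $name = sanitize_file_name( $_FILES[ $field ]['name'] );

    // sanitize_file_name() does not check type: allow-list extension/MIME pairs ourselves.
    // wp_check_filetype() matches on extension only; content inspection is a separate step.
    $allowed = array( 'pdf' => 'application/pdf', 'csv' => 'text/csv' );
    $type    = wp_check_filetype( $name, $allowed );
    if ( empty( $type['ext'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }

    $upload = wp_upload_dir();
    if ( ! empty( $upload['error'] ) ) {
        return new WP_Error( 'no_dir', $upload['error'] );
    }

    // Never clobber an existing file: wp_unique_filename() appends -1, -2, ... until
    // the name is unused in $upload['path'] (and runs sanitize_file_name() again).
    $name = wp_unique_filename( $upload['path'], $name );
    $dest = trailingslashit( $upload['path'] ) . $name;

    if ( ! move_uploaded_file( $_FILES[ $field ]['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'Could not store the file.' );
    }

    return $dest;
}
```

The order matters: sanitize the name first, then decide whether the (sanitized) extension is acceptable, and only then compute the unique destination and move the temporary file.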

Example:

<h1 class="entry-title"><a href="<?php the_permalink(); ?>" title="<?php echo esc_attr( sprintf( __( 'Permalink to %s', 'themename' ), the_title_attribute( 'echo=0' ) ) ); ?>" rel="bookmark"><?php the_title(); ?></a></h1>

<!-- each value is escaped for the slot it fills: URL, attribute value, text content -->
<a href="<?php echo esc_url( $url ); ?>" title="<?php echo esc_attr( $title ); ?>">
<?php echo esc_html( $text ); ?>
</a>
