_sanitize_text_fields()
Internal helper function to sanitize a string from user input or from the database.
Internal function — this function is designed to be used by the kernel itself. It is not recommended to use this function in your code.
No Hooks.
Return
String. Sanitized string.
Usage
_sanitize_text_fields( $str, $keep_newlines );
- $str(string) (required)
- String to sanitize.
- $keep_newlines(true|false)
- Whether to keep newlines.
Default: false
Changelog
| Since 4.7.0 | Introduced. |
_sanitize_text_fields() sanitize text fields code WP 6.8
function _sanitize_text_fields( $str, $keep_newlines = false ) {
if ( is_object( $str ) || is_array( $str ) ) {
return '';
}
$str = (string) $str;
$filtered = wp_check_invalid_utf8( $str );
if ( str_contains( $filtered, '<' ) ) {
$filtered = wp_pre_kses_less_than( $filtered );
// This will strip extra whitespace for us.
$filtered = wp_strip_all_tags( $filtered, false );
/*
* Use HTML entities in a special case to make sure that
* later newline stripping stages cannot lead to a functional tag.
*/
$filtered = str_replace( "<\n", "<\n", $filtered );
}
if ( ! $keep_newlines ) {
$filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
}
$filtered = trim( $filtered );
// Remove percent-encoded characters.
$found = false;
while ( preg_match( '/%[a-f0-9]{2}/i', $filtered, $match ) ) {
$filtered = str_replace( $match[0], '', $filtered );
$found = true;
}
if ( $found ) {
// Strip out the whitespace that may now exist after removing percent-encoded characters.
$filtered = trim( preg_replace( '/ +/', ' ', $filtered ) );
}
return $filtered;
}