Possible context values are: 'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display' when calling filters.
Clean up the field value before using it in an HTML tag attribute. Will remove tags and other stuff so that the value can be used in the attribute and it will not cause any errors:
function sanitize_post_field( $field, $value, $post_id, $context = 'display' ) {
$int_fields = array( 'ID', 'post_parent', 'menu_order' );
if ( in_array( $field, $int_fields, true ) ) {
$value = (int) $value;
}
// Fields which contain arrays of integers.
$array_int_fields = array( 'ancestors' );
if ( in_array( $field, $array_int_fields, true ) ) {
$value = array_map( 'absint', $value );
return $value;
}
if ( 'raw' === $context ) {
return $value;
}
$prefixed = false;
if ( str_contains( $field, 'post_' ) ) {
$prefixed = true;
$field_no_prefix = str_replace( 'post_', '', $field );
}
if ( 'edit' === $context ) {
$format_to_edit = array( 'post_content', 'post_excerpt', 'post_title', 'post_password' );
if ( $prefixed ) {
/**
* Filters the value of a specific post field to edit.
*
* The dynamic portion of the hook name, `$field`, refers to the post
* field name. Possible filter names include:
*
* - `edit_post_author`
* - `edit_post_date`
* - `edit_post_date_gmt`
* - `edit_post_content`
* - `edit_post_title`
* - `edit_post_excerpt`
* - `edit_post_status`
* - `edit_post_password`
* - `edit_post_name`
* - `edit_post_modified`
* - `edit_post_modified_gmt`
* - `edit_post_content_filtered`
* - `edit_post_parent`
* - `edit_post_type`
* - `edit_post_mime_type`
*
* @since 2.3.0
*
* @param mixed $value Value of the post field.
* @param int $post_id Post ID.
*/
$value = apply_filters( "edit_{$field}", $value, $post_id );
/**
* Filters the value of a specific post field to edit.
*
* Only applied to post fields with a name which is prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field_no_prefix`, refers to the
* post field name minus the `post_` prefix. Possible filter names include:
*
* - `author_edit_pre`
* - `date_edit_pre`
* - `date_gmt_edit_pre`
* - `content_edit_pre`
* - `title_edit_pre`
* - `excerpt_edit_pre`
* - `status_edit_pre`
* - `password_edit_pre`
* - `name_edit_pre`
* - `modified_edit_pre`
* - `modified_gmt_edit_pre`
* - `content_filtered_edit_pre`
* - `parent_edit_pre`
* - `type_edit_pre`
* - `mime_type_edit_pre`
*
* @since 2.3.0
*
* @param mixed $value Value of the post field.
* @param int $post_id Post ID.
*/
$value = apply_filters( "{$field_no_prefix}_edit_pre", $value, $post_id );
} else {
/**
* Filters the value of a specific post field to edit.
*
* Only applied to post fields not prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field`, refers to the
* post field name. Possible filter names include:
*
* - `edit_post_ID`
* - `edit_post_ping_status`
* - `edit_post_pinged`
* - `edit_post_to_ping`
* - `edit_post_comment_count`
* - `edit_post_comment_status`
* - `edit_post_guid`
* - `edit_post_menu_order`
*
* @since 2.3.0
*
* @param mixed $value Value of the post field.
* @param int $post_id Post ID.
*/
$value = apply_filters( "edit_post_{$field}", $value, $post_id );
}
if ( in_array( $field, $format_to_edit, true ) ) {
if ( 'post_content' === $field ) {
$value = format_to_edit( $value, user_can_richedit() );
} else {
$value = format_to_edit( $value );
}
} else {
$value = esc_attr( $value );
}
} elseif ( 'db' === $context ) {
if ( $prefixed ) {
/**
* Filters the value of a specific post field before saving.
*
* Only applied to post fields with a name which is prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field`, refers to the post
* field name. Possible filter names include:
*
* - `pre_post_author`
* - `pre_post_date`
* - `pre_post_date_gmt`
* - `pre_post_content`
* - `pre_post_title`
* - `pre_post_excerpt`
* - `pre_post_status`
* - `pre_post_password`
* - `pre_post_name`
* - `pre_post_modified`
* - `pre_post_modified_gmt`
* - `pre_post_content_filtered`
* - `pre_post_parent`
* - `pre_post_type`
* - `pre_post_mime_type`
*
* @since 2.3.0
*
* @param mixed $value Value of the post field.
*/
$value = apply_filters( "pre_{$field}", $value );
/**
* Filters the value of a specific field before saving.
*
* Only applied to post fields with a name which is prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field_no_prefix`, refers to the
* post field name minus the `post_` prefix. Possible filter names include:
*
* - `author_save_pre`
* - `date_save_pre`
* - `date_gmt_save_pre`
* - `content_save_pre`
* - `title_save_pre`
* - `excerpt_save_pre`
* - `status_save_pre`
* - `password_save_pre`
* - `name_save_pre`
* - `modified_save_pre`
* - `modified_gmt_save_pre`
* - `content_filtered_save_pre`
* - `parent_save_pre`
* - `type_save_pre`
* - `mime_type_save_pre`
*
* @since 2.3.0
*
* @param mixed $value Value of the post field.
*/
$value = apply_filters( "{$field_no_prefix}_save_pre", $value );
} else {
/**
* Filters the value of a specific field before saving.
*
* Only applied to post fields with a name which is prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field_no_prefix`, refers to the
* post field name minus the `post_` prefix. Possible filter names include:
*
* - `pre_post_ID`
* - `pre_post_comment_status`
* - `pre_post_ping_status`
* - `pre_post_to_ping`
* - `pre_post_pinged`
* - `pre_post_guid`
* - `pre_post_menu_order`
* - `pre_post_comment_count`
*
* @since 2.3.0
*
* @param mixed $value Value of the post field.
*/
$value = apply_filters( "pre_post_{$field}", $value );
/**
* Filters the value of a specific post field before saving.
*
* Only applied to post fields with a name which is *not* prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field`, refers to the post
* field name. Possible filter names include:
*
* - `ID_pre`
* - `comment_status_pre`
* - `ping_status_pre`
* - `to_ping_pre`
* - `pinged_pre`
* - `guid_pre`
* - `menu_order_pre`
* - `comment_count_pre`
*
* @since 2.3.0
*
* @param mixed $value Value of the post field.
*/
$value = apply_filters( "{$field}_pre", $value );
}
} else {
// Use display filters by default.
if ( $prefixed ) {
/**
* Filters the value of a specific post field for display.
*
* Only applied to post fields with a name which is prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field`, refers to the post
* field name. Possible filter names include:
*
* - `post_author`
* - `post_date`
* - `post_date_gmt`
* - `post_content`
* - `post_title`
* - `post_excerpt`
* - `post_status`
* - `post_password`
* - `post_name`
* - `post_modified`
* - `post_modified_gmt`
* - `post_content_filtered`
* - `post_parent`
* - `post_type`
* - `post_mime_type`
*
* @since 2.3.0
*
* @param mixed $value Value of the prefixed post field.
* @param int $post_id Post ID.
* @param string $context Context for how to sanitize the field.
* Accepts 'raw', 'edit', 'db', 'display',
* 'attribute', or 'js'. Default 'display'.
*/
$value = apply_filters( "{$field}", $value, $post_id, $context );
} else {
/**
* Filters the value of a specific post field for display.
*
* Only applied to post fields name which is *not* prefixed with `post_`.
*
* The dynamic portion of the hook name, `$field`, refers to the post
* field name. Possible filter names include:
*
* - `post_ID`
* - `post_comment_status`
* - `post_ping_status`
* - `post_to_ping`
* - `post_pinged`
* - `post_guid`
* - `post_menu_order`
* - `post_comment_count`
*
* @since 2.3.0
*
* @param mixed $value Value of the unprefixed post field.
* @param int $post_id Post ID
* @param string $context Context for how to sanitize the field.
* Accepts 'raw', 'edit', 'db', 'display',
* 'attribute', or 'js'. Default 'display'.
*/
$value = apply_filters( "post_{$field}", $value, $post_id, $context );
}
if ( 'attribute' === $context ) {
$value = esc_attr( $value );
} elseif ( 'js' === $context ) {
$value = esc_js( $value );
}
}
// Restore the type for integer fields after esc_attr().
if ( in_array( $field, $int_fields, true ) ) {
$value = (int) $value;
}
return $value;
}