Automattic\WooCommerce\Utilities
NumberUtil::sanitize_cost_in_current_locale
Sanitize a cost value based on the current locale decimal and thousand separators.
Method of the class: NumberUtil{}
No Hooks.
Returns
String. The sanitized value.
Usage
$result = NumberUtil::sanitize_cost_in_current_locale( $value ): string;
- $value(string) (required)
- The value to sanitize.
NumberUtil::sanitize_cost_in_current_locale() NumberUtil::sanitize cost in current locale code WC 10.9.1
public static function sanitize_cost_in_current_locale( $value ): string {
$value = is_null( $value ) ? '' : $value;
$value = wp_kses_post( trim( wp_unslash( $value ) ) );
$currency_symbol_encoded = get_woocommerce_currency_symbol();
$currency_symbol_variations = array( $currency_symbol_encoded, wp_kses_normalize_entities( $currency_symbol_encoded ), html_entity_decode( $currency_symbol_encoded, ENT_COMPAT ) );
$value = str_replace( $currency_symbol_variations, '', $value );
// Count the number of decimal points.
$decimal_point_count = substr_count( $value, '.' );
// If it's a standard decimal number (single decimal point and is_numeric), accept it directly. This could be in the case where the frontend has de-localised the value.
// We check for the decimal point count in addition to using is_numeric.
// This is because is_numeric is much looser and accepts non-base10 numbers as well as 'e' to demarcate exponents.
if ( 1 === $decimal_point_count && is_numeric( $value ) ) {
return $value;
}
// Otherwise, attempt to delocalise according to localisation rules.
$allowed_characters_regex = sprintf(
'/^[0-9\%s\%s]*$/',
wc_get_price_thousand_separator(),
wc_get_price_decimal_separator()
);
if ( 1 !== preg_match( $allowed_characters_regex, $value ) ) {
throw new \InvalidArgumentException(
esc_html(
sprintf(
/* translators: %1$s: Invalid value that was input by the user, %2$s: thousand separator, %3$s: decimal separator */
__( '%1$s is not a valid numeric value. Allowed characters are numbers, the thousand (%2$s), and decimal (%3$s) separators.', 'woocommerce' ),
$value,
wc_get_price_thousand_separator(),
wc_get_price_decimal_separator()
)
)
);
}
// Validate decimal and thousand separator positions.
$decimal_separator = wc_get_price_decimal_separator();
$thousand_separator = wc_get_price_thousand_separator();
if (
// Check that there is only 1 decimal separator.
substr_count( $value, $decimal_separator ) > 1 ||
(
// Check that decimal separator appears after thousand separator if both exist.
false !== strpos( $value, $thousand_separator ) &&
false !== strpos( $value, $decimal_separator ) &&
strpos( $value, $decimal_separator ) <= strpos( $value, $thousand_separator )
)
) {
throw new \InvalidArgumentException(
esc_html(
sprintf(
/* translators: %s: Invalid value that was input by the user */
__( '%s is not a valid numeric value: there should be one decimal separator and it has to be after the thousands separator.', 'woocommerce' ),
$value
)
)
);
}
/**
* For context, as of 2025.
* The full set of thousands separators is PERIOD, COMMA, SPACE, APOSTROPHE.
* And the full set of decimal separators is PERIOD, COMMA.
* There are no locales that use the same thousands and decimal separators.
*/
$value = str_replace( wc_get_price_thousand_separator(), '', $value );
$value = str_replace( wc_get_price_decimal_separator(), '.', $value );
if ( $value && ! is_numeric( $value ) ) {
/* translators: %s: Invalid value that was input by the user */
throw new \InvalidArgumentException(
esc_html(
sprintf(
/* translators: %s: Invalid value that was input by the user */
__( '%s is not a valid numeric value.', 'woocommerce' ),
$value
)
)
);
}
return $value;
}