sanitize_option
Sanitises various option values based on the nature of the option.
Description
This is basically a switch statement which will pass $value through a number of functions depending on the $option.
Returns (string)
Sanitized value.
Parameters (2)
- 0. $option (string)
- The name of the option.
- 1. $value (string)
- The unsanitised value.
Usage
Defined (1)
The function is defined in the following location(s).
- /wp-includes/formatting.php
- function sanitize_option( $option, $value ) {
- global $wpdb;
- $original_value = $value;
- $error = '';
- switch ( $option ) {
- case 'admin_email' :
- case 'new_admin_email' :
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- $value = sanitize_email( $value );
- if ( ! is_email( $value ) ) {
- $error = __( 'The email address entered did not appear to be a valid email address. Please enter a valid email address.' );
- }
- }
- break;
- case 'thumbnail_size_w':
- case 'thumbnail_size_h':
- case 'medium_size_w':
- case 'medium_size_h':
- case 'medium_large_size_w':
- case 'medium_large_size_h':
- case 'large_size_w':
- case 'large_size_h':
- case 'mailserver_port':
- case 'comment_max_links':
- case 'page_on_front':
- case 'page_for_posts':
- case 'rss_excerpt_length':
- case 'default_category':
- case 'default_email_category':
- case 'default_link_category':
- case 'close_comments_days_old':
- case 'comments_per_page':
- case 'thread_comments_depth':
- case 'users_can_register':
- case 'start_of_week':
- case 'site_icon':
- $value = absint( $value );
- break;
- case 'posts_per_page':
- case 'posts_per_rss':
- $value = (int) $value;
- if ( empty($value) )
- $value = 1;
- if ( $value < -1 )
- $value = abs($value);
- break;
- case 'default_ping_status':
- case 'default_comment_status':
- // Options that if not there have 0 value but need to be something like "closed"
- if ( $value == '0' || $value == '')
- $value = 'closed';
- break;
- case 'blogdescription':
- case 'blogname':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( $value !== $original_value ) {
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', wp_encode_emoji( $original_value ) );
- }
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- $value = esc_html( $value );
- }
- break;
- case 'blog_charset':
- $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
- break;
- case 'blog_public':
- // This is the value if the settings checkbox is not checked on POST. Don't rely on this.
- if ( null === $value )
- $value = 1;
- else
- $value = intval( $value );
- break;
- case 'date_format':
- case 'time_format':
- case 'mailserver_url':
- case 'mailserver_login':
- case 'mailserver_pass':
- case 'upload_path':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- $value = strip_tags( $value );
- $value = wp_kses_data( $value );
- }
- break;
- case 'ping_sites':
- $value = explode( "\n", $value );
- $value = array_filter( array_map( 'trim', $value ) );
- $value = array_filter( array_map( 'esc_url_raw', $value ) );
- $value = implode( "\n", $value );
- break;
- case 'gmt_offset':
- $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
- break;
- case 'siteurl':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
- $value = esc_url_raw( $value );
- } else {
- $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' );
- }
- }
- break;
- case 'home':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- if ( preg_match( '#http(s?)://(.+)#i', $value ) ) {
- $value = esc_url_raw( $value );
- } else {
- $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' );
- }
- }
- break;
- case 'WPLANG':
- $allowed = get_available_languages();
- if ( ! is_multisite() && defined( 'WPLANG' ) && '' !== WPLANG && 'en_US' !== WPLANG ) {
- $allowed[] = WPLANG;
- }
- if ( ! in_array( $value, $allowed ) && ! empty( $value ) ) {
- $value = get_option( $option );
- }
- break;
- case 'illegal_names':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- if ( ! is_array( $value ) )
- $value = explode( ' ', $value );
- $value = array_values( array_filter( array_map( 'trim', $value ) ) );
- if ( ! $value )
- $value = '';
- }
- break;
- case 'limited_email_domains':
- case 'banned_email_domains':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- if ( ! is_array( $value ) )
- $value = explode( "\n", $value );
- $domains = array_values( array_filter( array_map( 'trim', $value ) ) );
- $value = array();
- foreach ( $domains as $domain ) {
- if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) ) {
- $value[] = $domain;
- }
- }
- if ( ! $value )
- $value = '';
- }
- break;
- case 'timezone_string':
- $allowed_zones = timezone_identifiers_list();
- if ( ! in_array( $value, $allowed_zones ) && ! empty( $value ) ) {
- $error = __( 'The timezone you have entered is not valid. Please select a valid timezone.' );
- }
- break;
- case 'permalink_structure':
- case 'category_base':
- case 'tag_base':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- $value = esc_url_raw( $value );
- $value = str_replace( 'http://', '', $value );
- }
- if ( 'permalink_structure' === $option && '' !== $value && ! preg_match( '/%[^\/%]+%/', $value ) ) {
- $error = sprintf(
- /** translators: %s: Codex URL */
- __( 'A structure tag is required when using custom permalinks. <a href="%s">Learn more</a>' ),
- __( 'https://codex.wordpress.org/Using_Permalinks#Choosing_your_permalink_structure' )
- );
- }
- break;
- case 'default_role' :
- $value = 'subscriber';
- break;
- case 'moderation_keys':
- case 'blacklist_keys':
- $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value );
- if ( is_wp_error( $value ) ) {
- $error = $value->get_error_message();
- } else {
- $value = explode( "\n", $value );
- $value = array_filter( array_map( 'trim', $value ) );
- $value = array_unique( $value );
- $value = implode( "\n", $value );
- }
- break;
- }
- if ( ! empty( $error ) ) {
- $value = get_option( $option );
- if ( function_exists( 'add_settings_error' ) ) {
- add_settings_error( $option, "invalid_{$option}", $error );
- }
- }
- /**
- * Filters an option value following sanitization.
- *
- * @since 2.3.0
- * @since 4.3.0 Added the `$original_value` parameter.
- *
- * @param string $value The sanitized option value.
- * @param string $option The option name.
- * @param string $original_value The original value passed to the function.
- */
- return apply_filters( "sanitize_option_{$option}", $value, $option, $original_value );
- }
