sanitize_option

Sanitises various option values based on the nature of the option.

Description

(string) sanitize_option( (string) $option, (string) $value ); 

This is basically a switch statement which will pass $value through a number of functions depending on the $option.

Returns (string)

Sanitized value.

Parameters (2)

0. $option (string)
The name of the option.
1. $value (string)
The unsanitised value.

Usage

  1. if ( !function_exists( 'sanitize_option' ) ) { 
  2. require_once ABSPATH . WPINC . '/formatting.php'; 
  3.  
  4. // The name of the option. 
  5. $option = ''; 
  6.  
  7. // The unsanitised value. 
  8. $value = ''; 
  9.  
  10. // NOTICE! Understand what this does before running. 
  11. $result = sanitize_option($option, $value); 
  12.  

Defined (1)

The function is defined in the following location(s).

/wp-includes/formatting.php  
  1. function sanitize_option( $option, $value ) { 
  2. global $wpdb; 
  3.  
  4. $original_value = $value; 
  5. $error = ''; 
  6.  
  7. switch ( $option ) { 
  8. case 'admin_email' : 
  9. case 'new_admin_email' : 
  10. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  11. if ( is_wp_error( $value ) ) { 
  12. $error = $value->get_error_message(); 
  13. } else { 
  14. $value = sanitize_email( $value ); 
  15. if ( ! is_email( $value ) ) { 
  16. $error = __( 'The email address entered did not appear to be a valid email address. Please enter a valid email address.' ); 
  17. break; 
  18.  
  19. case 'thumbnail_size_w': 
  20. case 'thumbnail_size_h': 
  21. case 'medium_size_w': 
  22. case 'medium_size_h': 
  23. case 'medium_large_size_w': 
  24. case 'medium_large_size_h': 
  25. case 'large_size_w': 
  26. case 'large_size_h': 
  27. case 'mailserver_port': 
  28. case 'comment_max_links': 
  29. case 'page_on_front': 
  30. case 'page_for_posts': 
  31. case 'rss_excerpt_length': 
  32. case 'default_category': 
  33. case 'default_email_category': 
  34. case 'default_link_category': 
  35. case 'close_comments_days_old': 
  36. case 'comments_per_page': 
  37. case 'thread_comments_depth': 
  38. case 'users_can_register': 
  39. case 'start_of_week': 
  40. case 'site_icon': 
  41. $value = absint( $value ); 
  42. break; 
  43.  
  44. case 'posts_per_page': 
  45. case 'posts_per_rss': 
  46. $value = (int) $value; 
  47. if ( empty($value) ) 
  48. $value = 1; 
  49. if ( $value < -1 ) 
  50. $value = abs($value); 
  51. break; 
  52.  
  53. case 'default_ping_status': 
  54. case 'default_comment_status': 
  55. // Options that if not there have 0 value but need to be something like "closed" 
  56. if ( $value == '0' || $value == '') 
  57. $value = 'closed'; 
  58. break; 
  59.  
  60. case 'blogdescription': 
  61. case 'blogname': 
  62. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  63. if ( $value !== $original_value ) { 
  64. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', wp_encode_emoji( $original_value ) ); 
  65.  
  66. if ( is_wp_error( $value ) ) { 
  67. $error = $value->get_error_message(); 
  68. } else { 
  69. $value = esc_html( $value ); 
  70. break; 
  71.  
  72. case 'blog_charset': 
  73. $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes 
  74. break; 
  75.  
  76. case 'blog_public': 
  77. // This is the value if the settings checkbox is not checked on POST. Don't rely on this. 
  78. if ( null === $value ) 
  79. $value = 1; 
  80. else 
  81. $value = intval( $value ); 
  82. break; 
  83.  
  84. case 'date_format': 
  85. case 'time_format': 
  86. case 'mailserver_url': 
  87. case 'mailserver_login': 
  88. case 'mailserver_pass': 
  89. case 'upload_path': 
  90. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  91. if ( is_wp_error( $value ) ) { 
  92. $error = $value->get_error_message(); 
  93. } else { 
  94. $value = strip_tags( $value ); 
  95. $value = wp_kses_data( $value ); 
  96. break; 
  97.  
  98. case 'ping_sites': 
  99. $value = explode( "\n", $value ); 
  100. $value = array_filter( array_map( 'trim', $value ) ); 
  101. $value = array_filter( array_map( 'esc_url_raw', $value ) ); 
  102. $value = implode( "\n", $value ); 
  103. break; 
  104.  
  105. case 'gmt_offset': 
  106. $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes 
  107. break; 
  108.  
  109. case 'siteurl': 
  110. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  111. if ( is_wp_error( $value ) ) { 
  112. $error = $value->get_error_message(); 
  113. } else { 
  114. if ( preg_match( '#http(s?)://(.+)#i', $value ) ) { 
  115. $value = esc_url_raw( $value ); 
  116. } else { 
  117. $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' ); 
  118. break; 
  119.  
  120. case 'home': 
  121. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  122. if ( is_wp_error( $value ) ) { 
  123. $error = $value->get_error_message(); 
  124. } else { 
  125. if ( preg_match( '#http(s?)://(.+)#i', $value ) ) { 
  126. $value = esc_url_raw( $value ); 
  127. } else { 
  128. $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' ); 
  129. break; 
  130.  
  131. case 'WPLANG': 
  132. $allowed = get_available_languages(); 
  133. if ( ! is_multisite() && defined( 'WPLANG' ) && '' !== WPLANG && 'en_US' !== WPLANG ) { 
  134. $allowed[] = WPLANG; 
  135. if ( ! in_array( $value, $allowed ) && ! empty( $value ) ) { 
  136. $value = get_option( $option ); 
  137. break; 
  138.  
  139. case 'illegal_names': 
  140. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  141. if ( is_wp_error( $value ) ) { 
  142. $error = $value->get_error_message(); 
  143. } else { 
  144. if ( ! is_array( $value ) ) 
  145. $value = explode( ' ', $value ); 
  146.  
  147. $value = array_values( array_filter( array_map( 'trim', $value ) ) ); 
  148.  
  149. if ( ! $value ) 
  150. $value = ''; 
  151. break; 
  152.  
  153. case 'limited_email_domains': 
  154. case 'banned_email_domains': 
  155. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  156. if ( is_wp_error( $value ) ) { 
  157. $error = $value->get_error_message(); 
  158. } else { 
  159. if ( ! is_array( $value ) ) 
  160. $value = explode( "\n", $value ); 
  161.  
  162. $domains = array_values( array_filter( array_map( 'trim', $value ) ) ); 
  163. $value = array(); 
  164.  
  165. foreach ( $domains as $domain ) { 
  166. if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) ) { 
  167. $value[] = $domain; 
  168. if ( ! $value ) 
  169. $value = ''; 
  170. break; 
  171.  
  172. case 'timezone_string': 
  173. $allowed_zones = timezone_identifiers_list(); 
  174. if ( ! in_array( $value, $allowed_zones ) && ! empty( $value ) ) { 
  175. $error = __( 'The timezone you have entered is not valid. Please select a valid timezone.' ); 
  176. break; 
  177.  
  178. case 'permalink_structure': 
  179. case 'category_base': 
  180. case 'tag_base': 
  181. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  182. if ( is_wp_error( $value ) ) { 
  183. $error = $value->get_error_message(); 
  184. } else { 
  185. $value = esc_url_raw( $value ); 
  186. $value = str_replace( 'http://', '', $value ); 
  187.  
  188. if ( 'permalink_structure' === $option && '' !== $value && ! preg_match( '/%[^\/%]+%/', $value ) ) { 
  189. $error = sprintf( 
  190. /** translators: %s: Codex URL */ 
  191. __( 'A structure tag is required when using custom permalinks. <a href="%s">Learn more</a>' ),  
  192. __( 'https://codex.wordpress.org/Using_Permalinks#Choosing_your_permalink_structure' ) 
  193. ); 
  194. break; 
  195.  
  196. case 'default_role' : 
  197. if ( ! get_role( $value ) && get_role( 'subscriber' ) ) 
  198. $value = 'subscriber'; 
  199. break; 
  200.  
  201. case 'moderation_keys': 
  202. case 'blacklist_keys': 
  203. $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 
  204. if ( is_wp_error( $value ) ) { 
  205. $error = $value->get_error_message(); 
  206. } else { 
  207. $value = explode( "\n", $value ); 
  208. $value = array_filter( array_map( 'trim', $value ) ); 
  209. $value = array_unique( $value ); 
  210. $value = implode( "\n", $value ); 
  211. break; 
  212.  
  213. if ( ! empty( $error ) ) { 
  214. $value = get_option( $option ); 
  215. if ( function_exists( 'add_settings_error' ) ) { 
  216. add_settings_error( $option, "invalid_{$option}", $error ); 
  217.  
  218. /** 
  219. * Filters an option value following sanitization. 
  220. * @since 2.3.0 
  221. * @since 4.3.0 Added the `$original_value` parameter. 
  222. * @param string $value The sanitized option value. 
  223. * @param string $option The option name. 
  224. * @param string $original_value The original value passed to the function. 
  225. */ 
  226. return apply_filters( "sanitize_option_{$option}", $value, $option, $original_value );