Escaping or Sanitizing General Rules

Arrays

Instead of detecting arrays by hand and then calling array_map() (the older pattern noted below), use map_deep( $arrayOrScalarVar, '<method>' ). map_deep() walks nested arrays and objects and applies the callback to every scalar leaf, and passes a plain scalar straight to the callback, so one call covers both cases.

For example:

$cleanVar = map_deep( $_REQUEST['id'], 'sanitize_key' );

For wp_kses_post() use wp_kses_post_deep(). See below for more info.

If a value is known to be a flat array, array_map( '<method>', $arrayVar ) also works.

For example: array_map( 'sanitize_key', (array) $_REQUEST['id'] ). Keep the (array) cast: array_map() on a scalar fails (a warning and null in PHP 7, a TypeError in PHP 8).

Unslash Warnings

The WordPress Coding Standards sniff warns when a superglobal value is sanitized without wp_unslash(). Heed it: WordPress adds slashes to $_GET, $_POST, $_COOKIE and $_REQUEST in wp_magic_quotes(), and none of the sanitize_*() functions strip them, so a value such as O'Reilly is stored as O\'Reilly unless wp_unslash() runs first. The order is wp_unslash() first, then the sanitizer, e.g. sanitize_text_field( wp_unslash( $_POST['name'] ) ).
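The two points above (map_deep() over scalar-or-array input, and unslashing before sanitizing) in one working snippet. This is an added example, not SLP or WordPress core code; it assumes it runs inside a loaded WordPress so wp_unslash(), map_deep(), sanitize_key() and sanitize_text_field() exist, and the function name slp_example_sanitize_ids is hypothetical.

```php
<?php
/**
 * Sanitize a request value that may be a scalar or a (nested) array of IDs.
 *
 * WordPress adds slashes to $_GET/$_POST/$_REQUEST in wp_magic_quotes(), so
 * the value is unslashed first; map_deep() then runs sanitize_key() on every
 * scalar leaf, or directly on the value when it is already a scalar.
 *
 * @param mixed $raw Raw superglobal value, e.g. $_REQUEST['id'].
 * @return mixed Same shape as $raw, every leaf sanitized.
 */
function slp_example_sanitize_ids( $raw ) {
	return map_deep( wp_unslash( $raw ), 'sanitize_key' );
}

// Constructed inputs standing in for $_REQUEST['id']: one scalar, one nested array.
// sanitize_key() lowercases and drops everything outside [a-z0-9_-].
$scalar = slp_example_sanitize_ids( 'Store-42' );
$nested = slp_example_sanitize_ids( array( 'A 1', array( "o'b", 'X_2' ) ) );
var_dump( $scalar, $nested );

// A free-text field shows why unslashing matters: WordPress delivers the
// submitted value O'Reilly as O\'Reilly, and sanitize_text_field() keeps the
// backslash, so only the unslashed variant stores the name the user typed.
$name_raw = "O\\'Reilly"; // constructed: the slashed form WordPress hands to the handler
var_dump( sanitize_text_field( $name_raw ) );
var_dump( sanitize_text_field( wp_unslash( $name_raw ) ) );
```

Sanitizing first and unslashing afterwards also works for sanitizers that never see a backslash as meaningful, but the unslash-then-sanitize order is the one the coding standards sniff recognises, so it keeps the warning away too.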

Securing Input (sanitizing)

sanitize_email()

Strips out all characters that are not allowable in an email.

sanitize_file_name()

sanitize_hex_color()

sanitize_hex_color_no_hash()

sanitize_html_class()

sanitize_key()

Lowercases the string, then strips every character that is not a lowercase letter, digit, dash or underscore. Use it for option names, array keys and slugs, never for values that must keep spaces, case or punctuation.

sanitize_meta()

This function applies filters that can be hooked to perform specific sanitization for the particular metadata type and key. It does not sanitize anything on its own: custom filters must be hooked in to do the work. The filter hook tag has the form "sanitize_{$meta_type}_meta_{$meta_key}" (registering meta with register_meta() and a 'sanitize_callback' adds exactly such a filter). update_post_meta(), add_post_meta() and their user/term/comment counterparts call sanitize_meta() internally.
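A filter hooked the way sanitize_meta() expects, as an added example rather than SLP code. The meta key slp_store_phone, the function name and the phone-number rule are hypothetical; it assumes WordPress is loaded so add_filter() and sanitize_meta() exist.

```php
<?php
/**
 * Sanitizer for the (hypothetical) post meta key "slp_store_phone".
 *
 * sanitize_meta( 'slp_store_phone', $value, 'post' ) applies the filter
 * "sanitize_post_meta_slp_store_phone" with three arguments, so this is what
 * runs whenever update_post_meta() / add_post_meta() store that key.
 *
 * @param mixed  $meta_value  Value being sanitized.
 * @param string $meta_key    Meta key, here 'slp_store_phone'.
 * @param string $object_type Object type, here 'post'.
 * @return string Cleaned phone number.
 */
function slp_example_sanitize_phone( $meta_value, $meta_key, $object_type ) {
	// Keep digits, '+', whitespace, dashes and parentheses; drop everything
	// else (letters, tags, quotes). Cap the length so nothing absurd is stored.
	$clean = preg_replace( '/[^0-9+()\s-]/', '', (string) $meta_value );
	return substr( trim( $clean ), 0, 32 );
}
add_filter( 'sanitize_post_meta_slp_store_phone', 'slp_example_sanitize_phone', 10, 3 );

// Constructed input with markup and letters mixed into the number.
// The same cleaning happens implicitly inside update_post_meta().
$clean = sanitize_meta( 'slp_store_phone', '<b>555</b>-0100 x12', 'post' );
var_dump( $clean );
```

Because sanitize_meta() is a pass-through without a hooked filter, a meta key that has no filter (and was not registered with a sanitize_callback) is stored exactly as received, so the caller must sanitize before update_post_meta() in that case.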

sanitize_mime_type()

sanitize_option()

Only sanitizes specific options known to WordPress (primarily for internal use).
After the value has been handled by the functions in the switch statement, it will be passed through a sanitize_option_$option filter.

sanitize_sql_orderby()

💙 sanitize_text_field()

From the WordPress docs…

  • Checks for invalid UTF-8,
  • Converts single < characters to entities
  • Strips all tags
  • Removes line breaks, tabs, and extra whitespace
  • Strips percent-encoded octets (%xx sequences)

Strips All Tags…

That means this CANNOT be used for anything that must retain HTML elements; tags are removed, not encoded. Use wp_kses_post() where markup has to survive.

The Code

/**
 * Sanitizes a string from user input or from the database.
 *
 * - Checks for invalid UTF-8,
 * - Converts single `<` characters to entities
 * - Strips all tags
 * - Removes line breaks, tabs, and extra whitespace
 * - Strips octets
 *
 * @param string $str String to sanitize.
 * @return string Sanitized string.
 */
function sanitize_text_field( $str ) {
	$filtered = _sanitize_text_fields( $str, false );

	/**
	 * Filters a sanitized text field string.
	 *
	 * @since 2.9.0
	 *
	 * @param string $filtered The sanitized string.
	 * @param string $str      The string prior to being sanitized.
	 */
	return apply_filters( 'sanitize_text_field', $filtered, $str );
}

💙 sanitize_textarea_field()

Like sanitize_text_field, but keeps newlines.

sanitize_title()

sanitize_title_for_query()

sanitize_title_with_dashes()

sanitize_user()

sanitize_url()

Interchangeable with esc_url_raw() (one is an alias of the other, which one depends on the WordPress version). See esc_url_raw() below.

wp_kses()

💙 wp_kses_post()

Calls wp_kses() with the ‘post’ context that automatically allows all HTML that is permitted in post content.

ℹ️ Processing an array or object? Use wp_kses_post_deep().

SLP Modifications

SLP hooks the allowed-HTML filter (wp_kses_allowed_html) so that additional tags and attributes, such as those Vue templates need, pass through wp_kses_post() instead of being stripped.

Converts & to &amp;

wp_kses() passes its input through wp_kses_normalize_entities(), which rewrites every & that does not already start a valid entity to &amp;.

That makes the wp_kses functions unsuitable for sanitizing query strings or other non-HTML values: a parameter separator & comes out as &amp;. Use sanitize_text_field() for plain strings and esc_url_raw() for URLs instead.
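Both behaviours above, the allow-list extension and the & normalisation, in one added example. This is not SLP's own filter code: the attribute names are a plausible Vue subset chosen for illustration, the function name is hypothetical, and it assumes WordPress is loaded so add_filter(), wp_kses_post() and sanitize_text_field() exist.

```php
<?php
/**
 * Extend the 'post' allow-list with a few Vue-style attributes on <div>.
 *
 * wp_kses_allowed_html() applies this filter with the allow-list array and the
 * context string; only the 'post' context (what wp_kses_post() uses) is changed.
 *
 * @param array  $allowed Allowed tags => attributes, attribute name => true.
 * @param string $context Context name or custom allow-list.
 * @return array
 */
function slp_example_allow_vue_markup( $allowed, $context ) {
	if ( 'post' !== $context || ! isset( $allowed['div'] ) ) {
		return $allowed;
	}
	// Attribute names must start with a letter or underscore for kses to parse
	// them, so the v-bind: long form is used rather than the ":zoom" shorthand.
	$allowed['div']['v-if']        = true;
	$allowed['div']['v-for']       = true;
	$allowed['div']['v-bind:zoom'] = true;
	return $allowed;
}
add_filter( 'wp_kses_allowed_html', 'slp_example_allow_vue_markup', 10, 2 );

// Constructed markup: allowed Vue attributes, a forbidden event handler and a
// <script> tag. kses keeps v-if / v-bind:zoom, drops onclick, and removes the
// <script> tags while leaving their text content in place.
$html = '<div v-if="ready" v-bind:zoom="12" onclick="x()">Map<script>1</script></div>';
echo wp_kses_post( $html ), "\n";

// The same function applied to a query string rewrites the separator.
$query = 'id=1&sort=name';
echo wp_kses_post( $query ), "\n";        // & becomes &amp;
echo sanitize_text_field( $query ), "\n"; // & is left alone
```

The second echo emits id=1&amp;sort=name, the third id=1&sort=name, which is the whole reason the wp_kses family should stay out of the query-parameter path. Note also that kses removes disallowed tags but not their content, so "1" survives the <script> removal; that is harmless as text but worth knowing when the output is inspected.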

The Code

function wp_kses_post( $data ) {
	return wp_kses( $data, 'post' );
}

💙 wp_kses_post_deep()

Navigates through an array, object, or scalar, and sanitizes content for allowed HTML tags for post content.


function wp_kses_post_deep( $data ) {
    return map_deep( $data, 'wp_kses_post' );
}

Securing Output (escaping)

esc_attr()
Use on any value printed inside an HTML attribute other than URLs in href/src (those take esc_url()). It encodes <, >, &, " and ' so the value cannot break out of the quoted attribute.

esc_html()
Use whenever an HTML element encloses a section of data being displayed. It does NOT render HTML: tags in the value are encoded and shown as literal text, so use wp_kses_post() where markup must survive.

esc_js()
Use for a string placed inside a single-quoted JavaScript string literal in inline JS, such as an onclick attribute; it escapes quotes, encodes HTML special characters and fixes line endings. For handing data to scripts use wp_json_encode() (or wp_localize_script() / wp_add_inline_script()) instead.

esc_textarea() – Use this to encode text for use inside a textarea element.

esc_url()

Use on all URLs, including those in the src and href attributes of an HTML element.

Encodes & as &#038; (and ' as &#039;), so the result is for HTML output only.

esc_url_raw()

Use when storing a URL in the database or in other cases where non-encoded URLs are needed.

Does NOT entity-encode &, so the URL is left in a form suitable for storage, HTTP requests and redirects.

esc_xml() – Use to escape XML block.
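One output routine that uses the escaping functions above by context, as an added example (not SLP or WordPress core code). It assumes WordPress is loaded; the function name slp_example_render_store, the store array shape and the track() JavaScript function are hypothetical.

```php
<?php
/**
 * Render one store card, picking the escaper by where each value lands.
 *
 * @param array $store Keys: id, name, css_class, url, description.
 * @return string HTML.
 */
function slp_example_render_store( array $store ) {
	$url  = esc_url( $store['url'] );              // href: & becomes &#038;, bad schemes dropped
	$name = esc_html( $store['name'] );             // element text: <, >, & encoded
	$cls  = esc_attr( $store['css_class'] );        // attribute value: quotes encoded, no breakout
	$desc = wp_kses_post( $store['description'] );  // markup allowed, but only the post allow-list
	$js   = esc_js( $store['name'] );               // inside a single-quoted JS literal in onclick
	$data = wp_json_encode( array( 'id' => (int) $store['id'], 'name' => $store['name'] ) );

	return sprintf(
		'<div class="store %1$s" data-store=\'%2$s\'>' .
		'<a href="%3$s" onclick="track(\'%4$s\')">%5$s</a>' .
		'<div class="desc">%6$s</div></div>',
		$cls,
		esc_attr( $data ), // JSON is attribute content here, so it still gets esc_attr()
		$url,
		$js,
		$name,
		$desc
	);
}

// Constructed, deliberately hostile input: attribute breakout, script, entity-bait.
$store = array(
	'id'          => 7,
	'name'        => "Bob's <Shop> & Co",
	'css_class'   => 'featured" onmouseover="alert(1)',
	'url'         => 'https://example.com/store?id=7&ref=map',
	'description' => '<p>Open <b>late</b></p><script>alert(1)</script>',
);
echo slp_example_render_store( $store );
```

The escaper is chosen at the point of output, not when the value is stored: the same $store['name'] goes through esc_html(), esc_js() and (via wp_json_encode() plus esc_attr()) three different routes because it lands in three different contexts. Reading data-store back from JavaScript with JSON.parse() on the attribute value is the safer way to pass structured data than building it into inline JS by hand.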

wp_kses() – See Sanitize above for more details.

💙 wp_kses_post() – See Sanitize above for more details.

💙 wp_kses_post_deep() – See Sanitize above for more details.


wp_kses_data() – Alternative version of wp_kses() that allows only the HTML permitted in post comments.

Nonces

wp_nonce_field( $action, [ $name = '_wpnonce' ], [ $referer = true ], [ $echo = true ] )

– Add a nonce hidden input (and, by default, a referer field) to a form.

check_admin_referer( $action, [ $name = '_wpnonce' ] )

– Verify that the nonce sent in $_REQUEST[ $name ] is valid for $action and the current user, calling wp_die() on failure. Use it in admin form handlers; check_ajax_referer() is the AJAX counterpart, and wp_verify_nonce() checks without dying. A valid nonce proves intent, not permission, so the handler must still check current_user_can().
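A complete admin form and handler wired together with the two functions above, plus the unslash-then-sanitize step from the start of the page. This is an added example, not SLP code: the action name slp_example_save, the nonce field name _slp_nonce, the option slp_example_label and the capability are hypothetical, and it assumes it runs inside wp-admin so admin_url(), submit_button() and the admin_post_{action} hook are available.

```php
<?php
/**
 * Print the settings form. The nonce is tied to the action string, so a nonce
 * minted for another action (or another user) will not pass the handler.
 */
function slp_example_settings_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="slp_example_save">
		<?php wp_nonce_field( 'slp_example_save', '_slp_nonce' ); ?>
		<label>
			Store label
			<input type="text" name="store_label"
				value="<?php echo esc_attr( get_option( 'slp_example_label', '' ) ); ?>">
		</label>
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

/**
 * Handle the POST. Runs on admin_post_slp_example_save for logged-in users.
 */
function slp_example_save_handler() {
	// Dies with a "link has expired" page if the nonce is missing, stale,
	// for a different action, or minted for a different user.
	check_admin_referer( 'slp_example_save', '_slp_nonce' );

	// The nonce only proves the request came from this form; authorization
	// is a separate check.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'slp-example' ), '', array( 'response' => 403 ) );
	}

	// Unslash first (WordPress slashes $_POST), then sanitize for a plain text field.
	$label = isset( $_POST['store_label'] )
		? sanitize_text_field( wp_unslash( $_POST['store_label'] ) )
		: '';
	update_option( 'slp_example_label', $label );

	// wp_safe_redirect() refuses off-site targets, so a forged referer cannot
	// turn the handler into an open redirect.
	$back = wp_get_referer();
	wp_safe_redirect( add_query_arg( 'updated', '1', $back ? $back : admin_url() ) );
	exit;
}
add_action( 'admin_post_slp_example_save', 'slp_example_save_handler' );
```

For an AJAX endpoint the same handler shape applies with check_ajax_referer( 'slp_example_save', '_slp_nonce' ) in place of check_admin_referer() and a wp_send_json_*() call instead of the redirect.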
