Skip to content

Instantly share code, notes, and snippets.

@raazon
Forked from ControlledChaos/README.md
Created November 23, 2020 07:23
Show Gist options
  • Save raazon/6342c63da1eb225a3770648c9877d4b0 to your computer and use it in GitHub Desktop.
Save raazon/6342c63da1eb225a3770648c9877d4b0 to your computer and use it in GitHub Desktop.
Sanitization of WordPress Customizer controls

Sanitize the WordPress Customizer

WordPress Snippets

/*
* Sanitize Checkbox
*/
// Source: https://github.com/FlagshipWP/flagship-library/blob/develop/customizer/classes/customizer-base.php
/**
* Sanitize a checkbox to only allow 0 or 1
*
* @since 1.2.0
* @access public
* @param $input
* @return int
*/
public function sanitize_checkbox( $input ) {
return ( 1 === absint( $input ) ) ? 1 : 0;
}
//Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
/**
* Checkbox Sanitization Callback
*
* Sanitization callback for 'checkbox' type controls.
* This callback sanitizes $input as a Boolean value, either
* TRUE or FALSE.
*/
function theme_slug_sanitize_checkbox( $input ) {
// Boolean check
return ( ( isset( $input ) && true == $input ) ? true : false );
}
// Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
// Reference: https://make.wordpress.org/themes/2015/02/10/custom-css-boxes-in-themes/
// Reference: http://mikejolley.com/2013/08/keeping-your-shit-secure-whilst-developing-for-wordpress/
function theme_slug_sanitize_css( $input ) {
return wp_filter_nohtml_kses( $input );
}
/**
* Sanitization: css
* Control: text, textarea
*
* Sanitization callback for 'css' type textarea inputs. This
* callback sanitizes $input for valid CSS.
*
* NOTE: wp_strip_all_tags() can be passed directly as
* $wp_customize->add_setting() 'sanitize_callback'. It
* is wrapped in a callback here merely for example
* purposes.
*
* @uses wp_strip_all_tags() https://developer.wordpress.org/reference/functions/wp_strip_all_tags/
*/
function theme_slug_sanitize_css( $input ) {
return wp_strip_all_tags( $input );
}
/**
* Sanitization: html
* Control: textarea
*
* Sanitization callback for 'html' type text inputs. This
* callback sanitizes $input for HTML allowable in posts.
*
* https://codex.wordpress.org/Function_Reference/wp_kses
* https://gist.github.com/adamsilverstein/10783774
* https://github.com/devinsays/options-framework-plugin/blob/master/options-check/functions.php#L69
* http://ottopress.com/2010/wp-quickie-kses/
*
* @uses wp_filter_post_kses() https://developer.wordpress.org/reference/functions/wp_filter_post_kses/
* @uses wp_kses() https://developer.wordpress.org/reference/functions/wp_kses/
*/
function theme_slug_sanitize_html( $input ) {
global $allowedposttags;
return wp_kses( $input, $allowedposttags );
/*
$allowed = array(
'a' => array(
'href' => array(),
'title' => array(),
'target' => array(),
'class' => array()
),
'br' => array(),
'em' => array(),
'strong' => array(),
'p' => array(
'class' => array()
)
);
*/
//return wp_kses( $input, $allowed );
//return wp_post_kses( $input );
//return wp_filter_post_kses( $input );
}
//https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
//https://shellcreeper.com/how-to-sanitize-image-upload/
//https://github.com/turtlepod/fx-favicon/blob/master/includes/settings.php#L52
/**
* Sanitization: image
* Control: text, WP_Customize_Image_Control
*
* Sanitization callback for images.
*
* @uses theme_slug_validate_image()
* @uses esc_url_raw() http://codex.wordpress.org/Function_Reference/esc_url_raw
*/
function theme_slug_sanitize_image( $input, $setting ) {
return esc_url_raw( theme_slug_validate_image( $input, $setting->default ) );
}
/**
* Validation: image
* Control: text, WP_Customize_Image_Control
*
* @uses wp_check_filetype() https://developer.wordpress.org/reference/functions/wp_check_filetype/
* @uses in_array() http://php.net/manual/en/function.in-array.php
*/
function theme_slug_validate_image( $input, $default = '' ) {
// Array of valid image file types
// The array includes image mime types
// that are included in wp_get_mime_types()
$mimes = array(
'jpg|jpeg|jpe' => 'image/jpeg',
'gif' => 'image/gif',
'png' => 'image/png',
'bmp' => 'image/bmp',
'tif|tiff' => 'image/tiff',
'ico' => 'image/x-icon'
);
// Return an array with file extension
// and mime_type
$file = wp_check_filetype( $input, $mimes );
// If $input has a valid mime_type,
// return it; otherwise, return
// the default.
return ( $file['ext'] ? $input : $default );
}
// Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
/**
* Sanitization: number_range
* Control: number, tel
*
* Sanitization callback for 'number' or 'tel' type text inputs. This
* callback sanitizes $input as an absolute integer within a defined
* min-max range.
*
* @uses absint() https://developer.wordpress.org/reference/functions/absint/
* @link is_int() http://php.net/manual/en/function.is-int.php
*/
function theme_slug_sanitize_number_range( $input ) {
// Ensure input is an absolute integer
$input = absint( $input );
// Get the input attributes
// associated with the setting
$atts = $setting->manager->get_control( $setting->id )->input_attrs;
// Get min
$min = ( isset( $atts['min'] ) ? $atts['min'] : $input );
// Get max
$max = ( isset( $atts['max'] ) ? $atts['max'] : $input );
// Get Step
$step = ( isset( $atts['step'] ) ? $atts['step'] : 1 );
// If the input is within the valid range,
// return it; otherwise, return the default
return ( $min <= $input && $input <= $max && is_int( $input / $step ) ? $input : $setting->default );
}
// Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
/**
* Sanitization: select
* Control: select, radio
*
* Sanitization callback for 'select' and 'radio' type controls.
* This callback sanitizes $input as a slug, and then validates
* $input against the choices defined for the control.
*
* @uses sanitize_key() https://developer.wordpress.org/reference/functions/sanitize_key/
* @uses $wp_customize->get_control() https://developer.wordpress.org/reference/classes/wp_customize_manager/get_control/
*/
function theme_slug_sanitize_select( $input, $setting ) {
// Ensure input is a slug
$input = sanitize_key( $input );
// Get list of choices from the control
// associated with the setting
$choices = $setting->manager->get_control( $setting->id )->choices;
// If the input is a valid key, return it;
// otherwise, return the default
return ( array_key_exists( $input, $choices ) ? $input : $setting->default );
}
esc_attr
esc_textarea
// Source: https://github.com/FlagshipWP/flagship-library/blob/develop/customizer/classes/customizer-base.php
/**
* Sanitize a string to allow only tags in the allowedtags array.
*
* @since 1.2.0
* @param string $string The unsanitized string.
* @return string The sanitized string.
*/
public function sanitize_text( $string ) {
global $allowedtags;
return wp_kses( $string , $allowedtags );
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment