WordPress Sanitization & Escaping Quick Examples

What is Sanitization?

Cleaning user input so it is safe to process or store.

What is Escaping?

Making output safe at the point where it is printed or echoed.


# Sanitize: Secure Input:

sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
esc_url_raw()
wp_filter_post_kses()
wp_filter_nohtml_kses()

# Escaping: Securing Output:

esc_html()
esc_url()
esc_js()
esc_attr() 
esc_textarea()

( with Localization )
esc_html__()
esc_html_e()
esc_html_x()
esc_attr__()
esc_attr_e()
esc_attr_x()


Examples ( Sanitize: Secure Input ):

sanitize_email()

$sanitized_email = sanitize_email( '     admin@example.com!     ' );
echo $sanitized_email; // Trims whitespace and strips characters that are not valid in an address; outputs 'admin@example.com'

sanitize_file_name()

echo sanitize_file_name("_profile pic--1_.png"); //Output "profile-pic-1_.png"

sanitize_html_class()

// If you want to explicitly style a post, you can use the sanitized version of the post title as a class
$post_class = sanitize_html_class( $post->post_title );
echo $post_class;

sanitize_key()

echo sanitize_key("https://WordPress.org"); //Output "httpswordpressorg"

sanitize_meta()

$clean_value = sanitize_meta( 'birth-year', $user_input, 'user' );

sanitize_mime_type()

sanitize_mime_type( $mime_type );

sanitize_option()

sanitize_option( 'admin_email', 'admin@example.com!' );

sanitize_sql_orderby()
Ensures a string is a valid SQL ‘order by’ clause.

$attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );

sanitize_text_field()

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

sanitize_title()

echo sanitize_title("Sanitizing, in WordPress"); //Output "sanitizing-in-wordpress"

sanitize_title_for_query()

$query['name'] = sanitize_title_for_query( $query['name'] );

sanitize_title_with_dashes()

echo sanitize_title_with_dashes("I'm in LOVE with WordPress!!!1"); // this will print: im-in-love-with-wordpress1

sanitize_user()
Keeps only alphanumeric characters, _, space, ., -, and @.

$user = sanitize_user( $user );

esc_url_raw()
Use esc_url_raw() when you want to store a URL in the database or use it in a redirect; otherwise use esc_url().

$url = esc_url_raw( 'https://wordpress.org/' );

wp_filter_post_kses()
Sanitizes content, keeping only the HTML tags allowed in post content.

$content = wp_filter_post_kses( 'This tag is <p> working</p>.' );

wp_filter_nohtml_kses()
Strips all HTML from the content.

$content = wp_filter_nohtml_kses('This tag is <p> working</p>.' );
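As an added example (not code from the original post), the sanitizers above combined in one admin-post handler that cleans each submitted field before storing it. The handler name mw_save_profile_settings(), the field and meta names, and the nonce action are assumptions.

```php
<?php
// Added example, not from the original post: an admin-post handler that runs
// each submitted field through the sanitizer matching its type before storing
// it. The function name, field names, nonce action, meta keys and 'mw_'
// prefix are hypothetical.
function mw_save_profile_settings() {
    // Authorization and CSRF check first: a sanitized value may still be one nobody was allowed to submit.
    if ( ! current_user_can( 'edit_user', get_current_user_id() ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'mw_profile_save', 'mw_profile_nonce' );

    // Free text: sanitize_text_field() strips tags, invalid UTF-8 and extra whitespace.
    $display_name = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );

    // Email: sanitize_email() strips disallowed characters but does not validate.
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) { // so validate separately
        wp_die( 'Invalid email address.', 400 );
    }

    // URL that is stored rather than printed: esc_url_raw(), not esc_url().
    $website = esc_url_raw( wp_unslash( $_POST['website'] ?? '' ) );

    // A key chosen by the user: sanitize_key() keeps lowercase [a-z0-9_-] only.
    $layout = sanitize_key( $_POST['layout'] ?? 'default' );

    // Rich text: keep only the HTML tags allowed in post content.
    $bio = wp_filter_post_kses( wp_unslash( $_POST['bio'] ?? '' ) );

    // ORDER BY fragment from the request: returns false for anything but a plain "column ASC|DESC" list.
    $orderby = sanitize_sql_orderby( wp_unslash( $_POST['orderby'] ?? '' ) );
    if ( false === $orderby ) {
        $orderby = 'post_date DESC';
    }

    $user_id = get_current_user_id();
    update_user_meta( $user_id, 'mw_display_name', $display_name );
    update_user_meta( $user_id, 'mw_email', $email );
    update_user_meta( $user_id, 'mw_website', $website );
    update_user_meta( $user_id, 'mw_layout', $layout );
    update_user_meta( $user_id, 'mw_bio', $bio );
    update_user_meta( $user_id, 'mw_orderby', $orderby );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'profile.php' ) ) );
    exit;
}
add_action( 'admin_post_mw_save_profile', 'mw_save_profile_settings' );
```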

Examples ( Escaping: Securing Output ):

esc_html()

echo esc_html( '<strong>text</strong> <b>bold</b>' );

esc_url()

<img src="<?php echo esc_url( 'https://wordpress.org/logo.png' ); ?>" data-wpmedia-src="<?php echo esc_url( 'https://wordpress.org/logo.png' ); ?>" />

esc_js()

var value = '<?php echo esc_js( $value ); ?>';

esc_attr()
Encodes the <, >, &, " and ' characters.

<?php $fname = ( isset( $_POST['fname'] ) ) ? $_POST['fname'] : ''; ?>
<input type="text" name="fname" value="<?php echo esc_attr( $fname ); ?>">

esc_textarea()
Use esc_textarea() instead of esc_html() when displaying text in a textarea, because esc_textarea() can double-encode entities.

<textarea><?php echo esc_textarea( 'Content goes here.' ); ?></textarea>

( with Localization )

esc_html__()

echo esc_html__('Text to translate', 'text-domain');

esc_html_e()

esc_html_e('Text to translate', 'text-domain');

esc_html_x()

echo esc_html_x('Date translate', 'post date', 'text-domain');

esc_attr__()

echo esc_attr__('Text to translate', 'text-domain');

esc_attr_e()

esc_attr_e('Text to translate', 'text-domain');

esc_attr_x()

echo esc_attr_x('Date translate', 'post date', 'text-domain');
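As an added example (not code from the original post), the output side: a renderer that prints stored values with the escaping function for each HTML context, including the textarea case described above. mw_render_profile(), the 'mw-textdomain' text domain and the sample array are assumptions.

```php
<?php
// Added example, not from the original post: the output side of the same
// form. Each stored value is printed with the escaping function for the HTML
// context it lands in. mw_render_profile(), the 'mw-textdomain' text domain
// and the sample array are assumptions.
function mw_render_profile( array $stored ) {
    ?>
    <!-- Attribute context: esc_attr() encodes <, >, &, " and ' -->
    <label><?php esc_html_e( 'Display name', 'mw-textdomain' ); ?></label>
    <input type="text" name="display_name"
           value="<?php echo esc_attr( $stored['display_name'] ); ?>">

    <!-- Text-node context -->
    <p><?php echo esc_html( $stored['display_name'] ); ?></p>

    <!-- URL context: esc_url() also rejects unsafe schemes such as javascript: -->
    <a href="<?php echo esc_url( $stored['website'] ); ?>">
        <?php echo esc_html__( 'Website', 'mw-textdomain' ); ?>
    </a>

    <!-- HTML that was filtered with wp_filter_post_kses() on save: filter
         again on output with wp_kses_post() rather than trusting storage -->
    <div class="bio"><?php echo wp_kses_post( $stored['bio'] ); ?></div>

    <!-- Textarea context: esc_textarea() double-encodes, so an existing
         '&amp;' in the stored value is shown literally, which is what the
         user typed. esc_html() would leave it as-is and the browser would
         render it as a bare '&'. -->
    <textarea name="bio"><?php echo esc_textarea( $stored['bio'] ); ?></textarea>

    <!-- JavaScript string context: esc_js() escapes quotes and newlines and
         HTML-encodes < and >, so the value cannot close the script tag -->
    <script>
        var mwSite = '<?php echo esc_js( $stored['website'] ); ?>';
    </script>
    <?php
}

// Constructed sample data standing in for values read back with get_user_meta().
mw_render_profile( array(
    'display_name' => 'Tom "Cat" <b>O\'Neil</b>',
    'website'      => 'https://example.com/?a=1&b=2',
    'bio'          => '<p>Tom &amp; Jerry</p>',
) );
```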

Streamline your web font requests. Introducing “text=”

Google Fonts provides the text= attribute under "Optimizing your font requests (Beta)".

This helps when you use a Google Font for one specific piece of text only. In some cases, it can reduce the size of the font file by up to 90%.

Visit: https://developers.google.com/fonts/docs/getting_started?hl=en

How to Use?

Check out the example below. Here, the Google Font is applied only to the text "LOGO".

  1. Request your Google Font with the text parameter, e.g. http://fonts.googleapis.com/css?family=Special+Elite&text=LOGO

Here, text=LOGO is added, so the Google Font is loaded only for the characters in 'LOGO'.

NOTE: This request covers only the UPPER CASE letters. If you use text-transform: uppercase;, the font applies to that text too.

See the Pen Wrojpa by Mahesh Waghmare (@maheshwaghmare) on CodePen: http://codepen.io/maheshwaghmare/pen/Wrojpa/