As you may already know, with WordPress Customizer API theme developers are able to create settings for their themes which allow site owners to fine tune things like color scheme, background image and other custom options and see a preview of these changes in real time.
Since we should never trust user input, the Customizer API requires to define a callback function for each setting to validate and sanitize input. Unfortunately I often run into the problem that I don’t know or don’t remember the proper WordPress sanitization function for a particular setting. That’s why I created this tutorial.
The following code examples below will demonstrate how to define sanitization callback functions for various data types. For order’s sake, the codes also include the method to add a section and a setting in Theme Customizer.
Jump to the code with a click:
How to sanitize radio box
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //radio box sanitization function function theme_slug_sanitize_radio( $input, $setting ){ //input must be a slug: lowercase alphanumeric characters, dashes and underscores are allowed only $input = sanitize_key($input); //get the list of possible radio box options $choices = $setting->manager->get_control( $setting->id )->choices; //return input if valid or return default option return ( array_key_exists( $input, $choices ) ? $input : $setting->default ); } //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_radio', array( 'sanitize_callback' => 'theme_slug_sanitize_radio' ) ); $wp_customize->add_control( 'theme_slug_customizer_radio', array( 'label' => esc_html__( 'Your Setting with Radio Box', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'radio', 'choices' => array( 'one' => esc_html__('Choice One','theme_slug'), 'two' => esc_html__('Choice Two','theme_slug'), 'three' => esc_html__('Choice Three','theme_slug') ) ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize checkbox
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //checkbox sanitization function function theme_slug_sanitize_checkbox( $input ){ //returns true if checkbox is checked return ( isset( $input ) ? true : false ); } //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_checkbox', array( 'default' => '', 'sanitize_callback' => 'theme_slug_sanitize_checkbox' ) ); $wp_customize->add_control( 'theme_slug_customizer_checkbox', array( 'label' => esc_html__( 'Your Setting with Checkbox', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'checkbox' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize select options
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //select sanitization function function theme_slug_sanitize_select( $input, $setting ){ //input must be a slug: lowercase alphanumeric characters, dashes and underscores are allowed only $input = sanitize_key($input); //get the list of possible select options $choices = $setting->manager->get_control( $setting->id )->choices; //return input if valid or return default option return ( array_key_exists( $input, $choices ) ? $input : $setting->default ); } //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_select', array( 'sanitize_callback' => 'theme_slug_sanitize_select' ) ); $wp_customize->add_control( 'theme_slug_customizer_select', array( 'label' => esc_html__( 'Your Setting with select', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'select', 'choices' => array( '' => esc_html__('Please select','theme_slug'), 'one' => esc_html__('Choice One','theme_slug'), 'two' => esc_html__('Choice Two','theme_slug'), 'three' => esc_html__('Choice Three','theme_slug') ) ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize text input and how to sanitize textarea
If we want to allow simple text only, it’s enough to call wp_filter_nohtml_kses()
native function for sanitize_callback
directly.
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_text', array( 'sanitize_callback' => 'wp_filter_nohtml_kses' //removes all HTML from content ) ); $wp_customize->add_control( 'theme_slug_customizer_text', array( 'label' => esc_html__( 'Your Setting with text input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'text' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize email address
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_email', array( 'sanitize_callback' => 'sanitize_email' //removes all invalid characters ) ); $wp_customize->add_control( 'theme_slug_customizer_email', array( 'label' => esc_html__( 'Your Setting with email input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'email' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize URL
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_url', array( 'sanitize_callback' => 'esc_url_raw' //cleans URL from all invalid characters ) ); $wp_customize->add_control( 'theme_slug_customizer_url', array( 'label' => esc_html__( 'Your Setting with URL input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'url' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize number
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_number', array( 'sanitize_callback' => 'absint' //converts value to a non-negative integer ) ); $wp_customize->add_control( 'theme_slug_customizer_number', array( 'label' => esc_html__( 'Your Setting with number input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'number' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize drop-down pages
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_dropdown_pages', array( 'sanitize_callback' => 'absint' //input value is a page ID so it must be a positive integer ) ); $wp_customize->add_control( 'theme_slug_customizer_dropdown_pages', array( 'label' => esc_html__( 'Your Setting with dropdown_pages input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'dropdown-pages' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize file input
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //file input sanitization function function theme_slug_sanitize_file( $file, $setting ) { //allowed file types $mimes = array( 'jpg|jpeg|jpe' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png' ); //check file type from file name $file_ext = wp_check_filetype( $file, $mimes ); //if file has a valid mime type return it, otherwise return default return ( $file_ext['ext'] ? $file : $setting->default ); } //add select setting to your section $wp_customize->add_setting( 'theme_slug_customizer_file', array( 'sanitize_callback' => 'theme_slug_sanitize_file' ) ); $wp_customize->add_control( new WP_Customize_Upload_Control( $wp_customize, 'theme_slug_customizer_file', array( 'label' => __( 'Your Setting with file input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section' ) ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize CSS
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_css', array( 'sanitize_callback' => 'wp_strip_all_tags' //strip all HTML tags including script and style ) ); $wp_customize->add_control( 'theme_slug_customizer_css', array( 'label' => esc_html__( 'Your Setting with CSS input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'textarea' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize HTML color code
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_color', array( 'default' => '#000000', 'sanitize_callback' => 'sanitize_hex_color' //validates 3 or 6 digit HTML hex color code ) ); $wp_customize->add_control( new WP_Customize_Color_Control( $wp_customize, 'theme_slug_customizer_color', array( 'label' => __( 'Your Setting with color input', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section' ) ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
How to sanitize HTML code
Use wp_kses_post()
function which keeps only HTML tags which are allowed in post content as well.
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_html_code', array( 'sanitize_callback' => 'wp_kses_post' //keeps only HTML tags that are allowed in post content ) ); $wp_customize->add_control( 'theme_slug_customizer_html_code', array( 'label' => esc_html__( 'Your Setting with HTML code', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'textarea' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
Alternatively you can use wp_kses()
function where you can define the allowed HTML tags and attributes like this:
$allowed_html = array( 'a' => array( 'href' => array(), 'title' => array() ), 'br' => array(), 'em' => array(), 'strong' => array(), ); wp_kses($input, $allowed_html);
How to sanitize Javascript code
We are using base64_encode()
function to save the script in database properly and base64_decode()
function to escape the script for the textarea in Customizer. Also use base64_decode()
function on frontend to echo the script.
function theme_slug_customizer( $wp_customize ) { //your section $wp_customize->add_section( 'theme_slug_customizer_your_section', array( 'title' => esc_html__( 'Your Section', 'theme_slug' ), 'priority' => 150 ) ); //script input sanitization function function theme_slug_sanitize_js_code($input){ return base64_encode($input); } //output escape function function theme_slug_escape_js_output($input){ return esc_textarea( base64_decode($input) ); } //add setting to your section $wp_customize->add_setting( 'theme_slug_customizer_js_code', array( 'sanitize_callback' => 'theme_slug_sanitize_js_code', //encode for DB insert 'sanitize_js_callback' => 'theme_slug_escape_js_output' //ecape script for the textarea ) ); $wp_customize->add_control( 'theme_slug_customizer_js_code', array( 'label' => esc_html__( 'Your Setting with JS code', 'theme_slug' ), 'section' => 'theme_slug_customizer_your_section', 'type' => 'textarea' ) ); } add_action( 'customize_register', 'theme_slug_customizer' );
List of WordPress sanitization functions
In case I forgot something, here is a list of sanitize functions. Maybe one of them is more suitable for your project.
- absint() – converts value to positive integer, useful for numbers, IDs, etc.
- esc_url_raw() – for inserting URL in database safely
- sanitize_email() – strips out all characters that are not allowable in an email address
- sanitize_file_name() – removes special characters that are illegal in filenames on certain operating system
- sanitize_hex_color() – returns 3 or 6 digit hex color with #, or nothing
- sanitize_hex_color_no_hash() – the same as above but without a #
- sanitize_html_class() – sanitizes an HTML classname to ensure it only contains valid characters
- sanitize_key() – lowercase alphanumeric characters, dashes and underscores are allowed
- sanitize_mime_type() – useful to save mime type in DB, e.g. uploaded file’s type
- sanitize_option() – sanitizes values like update_option() and add_option() does for various option types. Here is the list of avaliable options: https://codex.wordpress.org/Function_Reference/sanitize_option#Notes
- sanitize_sql_orderby() – ensures a string is a valid SQL order by clause
- sanitize_text_field() – removes all HTML markup, as well as extra whitespace, leaves nothing but plain text
- sanitize_title() – returned value intented to be suitable for use in a URL
- sanitize_title_for_query() – used for querying the database for a value from URL
- sanitize_title_with_dashes() – same as above but it does not replace special accented characters
- sanitize_user() – sanitize username stripping out unsafe characters
- wp_filter_post_kses(), wp_kses_post() – it keeps only HTML tags which are allowed in post content as well
- wp_kses() – allows only HTML tags and attributes that you specify
- wp_kses_data() – sanitize content with allowed HTML Kses rules
- wp_rel_nofollow() – adds rel nofollow string to all HTML A elements in content
I also give you some PHP functions to fill some gaps.
- filter_var($variable, $filter) – filters a variable with a specific filter
- strlen() – gets string length, useful for ZIP codes, phone numbers
That’s it! If you find this article useful, please follow us on Facebook and Twitter!