Sanitizing Fields

When writing field code, whether with Piklist or not, you should be extra cautious about how you handle data coming into WordPress and how it is presented to the end user. Piklist makes sanitizing your data easy with the sanitize parameter.

Choose the appropriate type of sanitization for each of your fields.

email

Strips out all characters that are not allowable in an email address.

Codex reference for parameters: sanitize_email

'sanitize' => array(
  array(
    'type' => 'email'
  )
)

file_name

Removes special characters that are illegal in filenames on certain operating systems, as well as special characters that require escaping to manipulate at the command line. Replaces spaces and consecutive dashes with a single dash. Trims periods, dashes and underscores from the beginning and end of the filename.

Codex reference for parameters: sanitize_file_name

'sanitize' => array(
  array(
    'type' => 'file_name'
  )
)

html_class

Sanitizes an HTML class name to ensure it contains only valid characters.

Codex reference for parameters: sanitize_html_class

'sanitize' => array(
  array(
    'type' => 'html_class'
    ,'options' => array(
      'fallback' => 'my-default-class'
    )
  )
)

text_field

Checks for invalid UTF-8, converts single < characters to entities, strips all tags, removes line breaks, tabs and extra white space, and strips octets.

Codex reference for parameters: sanitize_text_field

'sanitize' => array(
  array(
    'type' => 'text_field'
  )
)

title

HTML and PHP tags are stripped, and (in a 'save' context) accents are removed (accented characters are replaced with non-accented equivalents). Despite the name of this function, the returned value is intended to be suitable for use in a URL, not as a human-readable title.

Codex reference for parameters: sanitize_title

'sanitize' => array(
  array(
    'type' => 'title'
    ,'options' => array(
      'fallback' => 'my-fallback-title'
    )
    ,'context' => 'save'
  )
)

user

Sanitizes a username, stripping out unsafe characters.

Codex reference for parameters: sanitize_user

'sanitize' => array(
  array(
    'type' => 'user'
    ,'options' => array(
      'strict' => true // boolean, not the string 'true'
    )
  )
)

wp_filter_kses

Sanitizes content according to the allowed HTML KSES rules.

Codex reference for parameters: wp_filter_kses

'sanitize' => array(
  array(
    'type' => 'wp_filter_kses'
  )
)

wp_kses

Makes sure that only the allowed HTML element names, attribute names and attribute values, plus only sane HTML entities, will be saved.

Codex reference for parameters: wp_kses

'sanitize' => array(
  array(
    'type' => 'wp_kses'
    ,'options' => array(
      'allowed_html' => array(
        'strong' => array()
        ,'a' => array(
          'href' => array()
          ,'title' => array()
        )
      )
      ,'allowed_protocols' => array('http')
    )
  )
)

