云策 WordPress 开发者社区

函数文档

sanitize_text_field()

查看官方原文 ↗
💡 云策文档标注

概述

sanitize_text_field() 是 WordPress 核心函数,用于对来自用户输入或数据库的字符串进行清理,确保其安全性和一致性。它通过检查无效 UTF-8、移除 HTML 标签、转换特殊字符等方式处理字符串,常用于表单数据、API 输入等场景。

关键要点

  • 清理字符串,检查无效 UTF-8 编码
  • 转换单引号等特殊字符为 HTML 实体
  • 移除所有 HTML 标签
  • 删除换行符、制表符和多余空白
  • 去除百分号编码字符
  • 仅处理字符串,不适用于数组(需使用 map_deep 或递归函数)
  • 不能防止 SQL 注入,数据库查询应使用 wpdb::prepare()
  • 通过 sanitize_text_field 过滤器可自定义清理逻辑

代码示例

// 基本用法
$unsafe_input = 'alert("XSS")hello';
$safe_input = sanitize_text_field($unsafe_input);
echo $safe_input; // 输出: hello

// 清理数组(使用 map_deep)
$form_data = array('key' => 'value');
$sanitized_array = map_deep($form_data, 'sanitize_text_field');

// 或使用 array_map
$sanitized_array = array_map('sanitize_text_field', $array);

注意事项

  • sanitize_text_field() 仅适用于字符串,处理数组需额外方法如 map_deep() 或递归函数
  • 不提供 SQL 注入防护,数据库操作应结合 wpdb::prepare()
  • 函数自 WordPress 2.9.0 引入,广泛用于核心和插件开发
  • 相关函数包括 sanitize_textarea_field()、wp_check_invalid_utf8()、wp_strip_all_tags()
📄 原文内容

Sanitizes a string from user input or from the database.

Description

  • Checks for invalid UTF-8,
  • Converts single < characters to entities
  • Strips all tags
  • Removes line breaks, tabs, and extra whitespace
  • Strips percent-encoded characters

See also

Parameters

$strstringrequired
String to sanitize.

Return

string Sanitized string.

More Information

Basic Usage

Source

function sanitize_text_field( $str ) {
	$filtered = _sanitize_text_fields( $str, false );

	/**
	 * Filters a sanitized text field string.
	 *
	 * @since 2.9.0
	 *
	 * @param string $filtered The sanitized string.
	 * @param string $str      The string prior to being sanitized.
	 */
	return apply_filters( 'sanitize_text_field', $filtered, $str );
}

View all references View on Trac View on GitHub

Hooks

apply_filters( ‘sanitize_text_field’, string $filtered, string $str )

Filters a sanitized text field string.

Uses Description
_sanitize_text_fields()wp-includes/formatting.php

Internal helper function to sanitize a string from user input or from the database.
apply_filters()wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.
Used by Description
WP_Debug_Data::get_wp_themes_inactive()wp-admin/includes/class-wp-debug-data.php

Gets the WordPress inactive themes section of the debug data.
WP_Debug_Data::get_wp_dropins()wp-admin/includes/class-wp-debug-data.php

Gets the WordPress drop-in section of the debug data.
WP_Debug_Data::get_wp_mu_plugins()wp-admin/includes/class-wp-debug-data.php

Gets the WordPress MU plugins section of the debug data.
WP_Debug_Data::get_wp_plugins_raw_data()wp-admin/includes/class-wp-debug-data.php

Gets the raw plugin data for the WordPress active and inactive sections of the debug data.
WP_Font_Utils::sanitize_font_family()wp-includes/fonts/class-wp-font-utils.php

Sanitizes and formats font family names.
WP_Font_Utils::get_font_face_slug()wp-includes/fonts/class-wp-font-utils.php

Generates a slug from font face properties, e.g. open sans;normal;400;100%;U+0-10FFFF
WP_Font_Collection::get_sanitization_schema()wp-includes/fonts/class-wp-font-collection.php

Retrieves the font collection sanitization schema.
WP_REST_Templates_Controller::get_wp_templates_author_text_field()wp-includes/rest-api/endpoints/class-wp-rest-templates-controller.php

Returns a human readable text for the author of the template.
wp_get_theme_preview_path()wp-includes/theme-previews.php

Filters the blog option to return the path for the previewed theme.
wp_attach_theme_preview_middleware()wp-includes/theme-previews.php

Adds a middleware to apiFetch to set the theme for the preview.
WP_REST_Pattern_Directory_Controller::prepare_item_for_response()wp-includes/rest-api/endpoints/class-wp-rest-pattern-directory-controller.php

Prepare a raw block pattern before it gets output in a REST API response.
WP_REST_Site_Health_Controller::get_directory_sizes()wp-includes/rest-api/endpoints/class-wp-rest-site-health-controller.php

Gets the current directory sizes for this install.
WP_Application_Passwords::create_new_application_password()wp-includes/class-wp-application-passwords.php

Creates a new application password.
WP_Application_Passwords::update_application_password()wp-includes/class-wp-application-passwords.php

Updates an application password.
WP_REST_Plugins_Controller::sanitize_plugin_param()wp-includes/rest-api/endpoints/class-wp-rest-plugins-controller.php

Sanitizes the “plugin” parameter to be a proper plugin file with “.php” appended.
WP_REST_Attachments_Controller::edit_media_item()wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

Applies edits to a media item and creates a new attachment record.
WP_Sitemaps::render_sitemaps()wp-includes/sitemaps/class-wp-sitemaps.php

Renders sitemap templates based on rewrite rules.
wp_ajax_toggle_auto_updates()wp-admin/includes/ajax-actions.php

Handles enabling or disable plugin and theme auto-updates via AJAX.
wp_ajax_health_check_get_sizes()wp-admin/includes/ajax-actions.php

Handles site health check to get directories and database sizes via AJAX.
WP_Privacy_Requests_Table::get_views()wp-admin/includes/class-wp-privacy-requests-table.php

Gets an associative array ( id => link ) with the list of views available on this table.
WP_Privacy_Requests_Table::prepare_items()wp-admin/includes/class-wp-privacy-requests-table.php

Prepares items to output.
_wp_personal_data_handle_actions()wp-admin/includes/privacy-tools.php

Handle list table actions.
WP_Customize_Manager::handle_load_themes_request()wp-includes/class-wp-customize-manager.php

Loads themes into the theme browsing/installation UI.
WP_Widget_Custom_HTML::update()wp-includes/widgets/class-wp-widget-custom-html.php

Handles updating settings for the current Custom HTML widget instance.
rest_sanitize_value_from_schema()wp-includes/rest-api.php

Sanitize a value based on a schema.
WP_REST_Attachments_Controller::create_item()wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

Creates a single attachment.
wp_ajax_delete_plugin()wp-admin/includes/ajax-actions.php

Handles deleting a plugin via AJAX.
WP_Customize_Nav_Menu_Setting::sanitize()wp-includes/customize/class-wp-customize-nav-menu-setting.php

Sanitize an input.
WP_Customize_Nav_Menus::ajax_search_available_items()wp-includes/class-wp-customize-nav-menus.php

Ajax handler for searching available menu items.
wp_ajax_update_plugin()wp-admin/includes/ajax-actions.php

Handles updating a plugin via AJAX.
validate_another_blog_signup()wp-signup.php

Validates a new site sign-up for an existing user.
validate_blog_signup()wp-signup.php

Validates new site signup.
WP_Plugins_List_Table::prepare_items()wp-admin/includes/class-wp-plugins-list-table.php
WP_Links_List_Table::prepare_items()wp-admin/includes/class-wp-links-list-table.php
WP_MS_Themes_List_Table::prepare_items()wp-admin/includes/class-wp-ms-themes-list-table.php
WP_Theme_Install_List_Table::prepare_items()wp-admin/includes/class-wp-theme-install-list-table.php
edit_user()wp-admin/includes/user.php

Edit user settings based on contents of $_POST
WP_Plugin_Install_List_Table::prepare_items()wp-admin/includes/class-wp-plugin-install-list-table.php
media_handle_upload()wp-admin/includes/media.php

Saves a file submitted from a POST request and create an attachment post for it.
edit_post()wp-admin/includes/post.php

Updates an existing post with values provided in $_POST.
wp_ajax_save_attachment()wp-admin/includes/ajax-actions.php

Handles updating attachment attributes via AJAX.
WP_Customize_Manager::save()wp-includes/class-wp-customize-manager.php

Handles customize_save WP Ajax request to save/update a changeset.
WP_Nav_Menu_Widget::update()wp-includes/widgets/class-wp-nav-menu-widget.php

Handles updating settings for the current Navigation Menu widget instance.
WP_Widget_Tag_Cloud::update()wp-includes/widgets/class-wp-widget-tag-cloud.php

Handles updating settings for the current Tag Cloud widget instance.
WP_Widget_Recent_Comments::update()wp-includes/widgets/class-wp-widget-recent-comments.php

Handles updating settings for the current Recent Comments widget instance.
WP_Widget_Recent_Posts::update()wp-includes/widgets/class-wp-widget-recent-posts.php

Handles updating the settings for the current Recent Posts widget instance.
WP_Widget_Categories::update()wp-includes/widgets/class-wp-widget-categories.php

Handles updating settings for the current Categories widget instance.
WP_Widget_Calendar::update()wp-includes/widgets/class-wp-widget-calendar.php

Handles updating settings for the current Calendar widget instance.
WP_Widget_Text::update()wp-includes/widgets/class-wp-widget-text.php

Handles updating settings for the current Text widget instance.
WP_Widget_Archives::update()wp-includes/widgets/class-wp-widget-archives.php

Handles updating settings for the current Archives widget instance.
WP_Widget_Meta::update()wp-includes/widgets/class-wp-widget-meta.php

Handles updating settings for the current Meta widget instance.
WP_Widget_Search::update()wp-includes/widgets/class-wp-widget-search.php

Handles updating settings for the current Search widget instance.
WP_Widget_Pages::update()wp-includes/widgets/class-wp-widget-pages.php

Handles updating settings for the current Pages widget instance.
register_new_user()wp-includes/user.php

Handles registering a new user.
wp_page_menu()wp-includes/post-template.php

Displays or retrieves a list of pages with an optional home link.

Show 50 moreShow less

Changelog

Version Description
2.9.0 Introduced.

User Contributed Notes

  3. Skip to note 8 content


    凱寧


    You must log in to vote on the helpfulness of this noteVote results for this note: 3You must log in to vote on the helpfulness of this note

    Check whether the string is a valid UTF-8 character, and remove all HTML tags.

    $str = "<h2>Title</h2>";
sanitize_text_field( $str ); // it will return "title" without any HTML tags!

  4. Skip to note 9 content


    Douglas “BearlyDoug” Hazard


    You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note

    I ran across an issue with one of my plugins, as it was going through the initial security review, where I had an array that wasn’t passing a security check. The sanitize_text_field() function only works on a string, not an array’d item.

    I located this nice little tidbit of code to sanitize an array, properly.

    /***
 * To ensure arrays are properly sanitized to WordPress Codex standards,
 * they encourage usage of sanitize_text_field(). That only works with a single
 * variable (string). This function allows for a full blown array to get sanitized
 * properly, while sanitizing each individual value in a key -> value pair.
 *
 * Source: <a href="https://wordpress.stackexchange.com/questions/24736/wordpress-sanitize-array" rel="nofollow ugc">https://wordpress.stackexchange.com/questions/24736/wordpress-sanitize-array</a>
 * Author: Broshi, answered Feb 5 '17 at 9:14
 */
function wporg_recursive_sanitize_text_field( $array ) {
	foreach ( $array as $key => &$value ) {
		if ( is_array( $value ) ) {
			$value = wporg_recursive_sanitize_text_field( $value );
		} else {
			$value = sanitize_text_field( $value );
		}
	}
	return $array;
}

    IMHO, this needs to become a core feature of WordPress’ sanitation functions. Lior Broshi is the gentleman that came up with this creative solution (I have obtained his permission to share this).

  5. Skip to note 10 content


    thejaydip


    You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note

    <br />
    $unsafe_input = 'alert("XSS")hello';<br />
    $safe_input = sanitize_text_field($unsafe_input);<br />
    echo $safe_input; // Output: hello<br />

    Use sanitize_text_field() when:
    (1) You’re handling free-form user input from forms, URLs, or APIs.
    (2) The value will be stored in the database, output in HTML, or used in queries.