sanitize_user_field()
Yunce Documentation Annotations
Overview
The sanitize_user_field() function sanitizes a user field according to the given context so that the data is safe for that context. It supports the contexts 'raw', 'edit', 'db', 'display', 'attribute' and 'js', and applies the corresponding filters and escaping functions.
Key Points
- The function sanitizes the user field value according to the $context parameter ('raw', 'edit', 'db', 'display', 'attribute' or 'js'); the 'display' context is used by default.
- In the 'edit' context it applies the dynamic filter edit_user_{$field} or edit_{$field}, then escapes the description field with esc_html() and every other field with esc_attr().
- In the 'db' context it applies the pre_user_{$field} or pre_{$field} filter.
- In every other context (such as 'display') it applies the user_{$field} or {$field} filter, then escapes further depending on the field type (esc_url() for 'user_url') or the context (esc_attr() for 'attribute', esc_js() for 'js').
- Integer fields (such as 'ID') are cast to int up front, and the integer type is restored after escaping.
Code Example
function sanitize_user_field( $field, $value, $user_id, $context ) {
    $int_fields = array( 'ID' );
    if ( in_array( $field, $int_fields, true ) ) {
        $value = (int) $value;
    }
    if ( 'raw' === $context ) {
        return $value;
    }
    if ( ! is_string( $value ) && ! is_numeric( $value ) ) {
        return $value;
    }
    $prefixed = str_contains( $field, 'user_' );
    if ( 'edit' === $context ) {
        if ( $prefixed ) {
            $value = apply_filters( "edit_{$field}", $value, $user_id );
        } else {
            $value = apply_filters( "edit_user_{$field}", $value, $user_id );
        }
        if ( 'description' === $field ) {
            $value = esc_html( $value );
        } else {
            $value = esc_attr( $value );
        }
    } elseif ( 'db' === $context ) {
        if ( $prefixed ) {
            $value = apply_filters( "pre_{$field}", $value );
        } else {
            $value = apply_filters( "pre_user_{$field}", $value );
        }
    } else {
        if ( $prefixed ) {
            $value = apply_filters( "{$field}", $value, $user_id, $context );
        } else {
            $value = apply_filters( "user_{$field}", $value, $user_id, $context );
        }
    }
    if ( 'user_url' === $field ) {
        $value = esc_url( $value );
    }
    if ( 'attribute' === $context ) {
        $value = esc_attr( $value );
    } elseif ( 'js' === $context ) {
        $value = esc_js( $value );
    }
    if ( in_array( $field, $int_fields, true ) ) {
        $value = (int) $value;
    }
    return $value;
}
Notes
- The function uses dynamic filters such as edit_user_{$field} and pre_user_{$field}; developers can hook these filters to customise the sanitization logic.
- In the 'attribute' and 'js' contexts the function applies esc_attr() and esc_js() respectively, so the output is safe for that context.
- For integer fields (such as 'ID') the function converts the type during sanitization so that no data is lost.
Original Content
Sanitizes user field based on context.
Description
Possible context values are: ‘raw’, ‘edit’, ‘db’, ‘display’, ‘attribute’ and ‘js’. The ‘display’ context is used by default. ‘attribute’ and ‘js’ contexts are treated like ‘display’ when calling filters.
Parameters
$field (string) (required)
    The user Object field name.
$value (mixed) (required)
    The user Object value.
$user_id (int) (required)
    User ID.
$context (string) (required)
    How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display', 'attribute' and 'js'.
Source
function sanitize_user_field( $field, $value, $user_id, $context ) {
    $int_fields = array( 'ID' );
    if ( in_array( $field, $int_fields, true ) ) {
        $value = (int) $value;
    }
    if ( 'raw' === $context ) {
        return $value;
    }
    if ( ! is_string( $value ) && ! is_numeric( $value ) ) {
        return $value;
    }
    $prefixed = str_contains( $field, 'user_' );
    if ( 'edit' === $context ) {
        if ( $prefixed ) {
            /** This filter is documented in wp-includes/post.php */
            $value = apply_filters( "edit_{$field}", $value, $user_id );
        } else {
            /**
             * Filters a user field value in the 'edit' context.
             *
             * The dynamic portion of the hook name, `$field`, refers to the prefixed user
             * field being filtered, such as 'user_login', 'user_email', 'first_name', etc.
             *
             * @since 2.9.0
             *
             * @param mixed $value   Value of the prefixed user field.
             * @param int   $user_id User ID.
             */
            $value = apply_filters( "edit_user_{$field}", $value, $user_id );
        }
        if ( 'description' === $field ) {
            $value = esc_html( $value ); // textarea_escaped?
        } else {
            $value = esc_attr( $value );
        }
    } elseif ( 'db' === $context ) {
        if ( $prefixed ) {
            /** This filter is documented in wp-includes/post.php */
            $value = apply_filters( "pre_{$field}", $value );
        } else {
            /**
             * Filters the value of a user field in the 'db' context.
             *
             * The dynamic portion of the hook name, `$field`, refers to the prefixed user
             * field being filtered, such as 'user_login', 'user_email', 'first_name', etc.
             *
             * @since 2.9.0
             *
             * @param mixed $value Value of the prefixed user field.
             */
            $value = apply_filters( "pre_user_{$field}", $value );
        }
    } else {
        // Use display filters by default.
        if ( $prefixed ) {
            /** This filter is documented in wp-includes/post.php */
            $value = apply_filters( "{$field}", $value, $user_id, $context );
        } else {
            /**
             * Filters the value of a user field in a standard context.
             *
             * The dynamic portion of the hook name, `$field`, refers to the prefixed user
             * field being filtered, such as 'user_login', 'user_email', 'first_name', etc.
             *
             * @since 2.9.0
             *
             * @param mixed  $value   The user object value to sanitize.
             * @param int    $user_id User ID.
             * @param string $context The context to filter within.
             */
            $value = apply_filters( "user_{$field}", $value, $user_id, $context );
        }
    }
    if ( 'user_url' === $field ) {
        $value = esc_url( $value );
    }
    if ( 'attribute' === $context ) {
        $value = esc_attr( $value );
    } elseif ( 'js' === $context ) {
        $value = esc_js( $value );
    }
    // Restore the type for integer fields after esc_attr().
    if ( in_array( $field, $int_fields, true ) ) {
        $value = (int) $value;
    }
    return $value;
}
Hooks
- apply_filters( "edit_user_{$field}", mixed $value, int $user_id )
  Filters a user field value in the 'edit' context.
- apply_filters( "edit_{$field}", mixed $value, int $post_id )
  Filters the value of a specific post field to edit.
- apply_filters( "pre_user_{$field}", mixed $value )
  Filters the value of a user field in the 'db' context.
- apply_filters( "pre_{$field}", mixed $value )
  Filters the value of a specific post field before saving.
- apply_filters( "user_{$field}", mixed $value, int $user_id, string $context )
  Filters the value of a user field in a standard context.
- apply_filters( "{$field}", mixed $value, int $post_id, string $context )
  Filters the value of a specific post field for display.
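The hook naming above depends on whether the field name already contains the `user_` prefix: `user_url` reaches `pre_user_url` and `user_url`, while `description` reaches `pre_user_description` and `user_description`. The following added example (not WordPress core code) hooks one filter of each kind and then runs constructed sample values through every context; it assumes a loaded WordPress install, for instance via WP-CLI, and the user ID, sample values and callbacks are constructed for the demo.

```php
<?php
// Added example, not part of WordPress core. Assumes WordPress is loaded,
// e.g. run with WP-CLI:  wp eval-file sanitize_user_field_demo.php

// 1. 'db' context for the prefixed field user_url: the hook is "pre_user_url"
//    (from "pre_{$field}"), not "pre_user_user_url". Only keep http(s) URLs
//    before the value is written to the database.
add_filter( 'pre_user_url', function ( $value ) {
    $scheme = wp_parse_url( $value, PHP_URL_SCHEME );
    return in_array( $scheme, array( 'http', 'https' ), true ) ? $value : '';
} );

// 2. Display-type contexts for the non-prefixed field description: the hook
//    is "user_description" (from "user_{$field}") and receives
//    ( $value, $user_id, $context ); 'attribute' and 'js' also arrive here.
add_filter( 'user_description', function ( $value, $user_id, $context ) {
    // Reduce the bio to plain text; the function still applies esc_attr()
    // or esc_js() afterwards for the 'attribute' and 'js' contexts.
    return wp_strip_all_tags( $value );
}, 10, 3 );

// Constructed inputs resembling untrusted profile data.
$demo_user_id = 1;
$samples      = array(
    'ID'          => '42abc',                  // non-numeric tail, cast to int
    'user_url'    => 'javascript:alert(1)',    // disallowed scheme
    'description' => '<b>bio</b> "q" <script>x</script>',
);

foreach ( array( 'raw', 'edit', 'db', 'display', 'attribute', 'js' ) as $context ) {
    foreach ( $samples as $field => $value ) {
        $out = sanitize_user_field( $field, $value, $demo_user_id, $context );
        printf( "%-9s %-12s %s\n", $context, $field, var_export( $out, true ) );
    }
}
```

Compare the `raw` rows with the others: only `raw` returns the input untouched (apart from the int cast of `ID`), which is why values fetched in that context must not be echoed into HTML or JavaScript without a further escaping step.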
Changelog
| Version | Description |
|---|---|
| 2.3.0 | Introduced. |