Timestamp:
10/26/2016 05:16:09 AM (3 years ago)
Author:
pento
Message:

General: Add a sanitize_textarea_field() function.

Like its predecessor (sanitize_text_field()), sanitize_textarea_field() is a helper function to sanitise user input. As the name suggests, this function is for sanitising input from textarea fields - it strips tags and invalid UTF-8 characters, like sanitize_text_field(), but retains newlines and extra inline whitespace.

Props ottok, nbachiyski, chriscct7, pento.
Fixes #32257.

File:
1 edited

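--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -4654,4 +4654,5 @@
  * @since 2.9.0
  *
+ * @see sanitize_textarea_field()
  * @see wp_check_invalid_utf8()
  * @see wp_strip_all_tags()
@@ -4661,4 +4662,56 @@
  */
 function sanitize_text_field( $str ) {
+    $filtered = _sanitize_text_fields( $str, false );
+
+    /**
+     * Filters a sanitized text field string.
+     *
+     * @since 2.9.0
+     *
+     * @param string $filtered The sanitized string.
+     * @param string $str      The string prior to being sanitized.
+     */
+    return apply_filters( 'sanitize_text_field', $filtered, $str );
+}
+
+/**
+ * Sanitizes a multiline string from user input or from the database.
+ *
+ * The function is like sanitize_text_field(), but preserves
+ * new lines (\n) and other whitespace, which are legitimate
+ * input in textarea elements.
+ *
+ * @see sanitize_text_field()
+ *
+ * @since 4.7.0
+ *
+ * @param string $str String to sanitize.
+ * @return string Sanitized string.
+ */
+function sanitize_textarea_field( $str ) {
+    $filtered = _sanitize_text_fields( $str, true );
+
+    /**
+     * Filters a sanitized textarea field string.
+     *
+     * @since 4.7.0
+     *
+     * @param string $filtered The sanitized string.
+     * @param string $str      The string prior to being sanitized.
+     */
+    return apply_filters( 'sanitize_textarea_field', $filtered, $str );
+}
+
+/**
+ * Internal helper function to sanitize a string from user input or from the db
+ *
+ * @since 4.7.0
+ * @access private
+ *
+ * @param string $str String to sanitize.
+ * @param bool $keep_newlines optional Whether to keep newlines. Default: false.
+ * @return string Sanitized string.
+ */
+function _sanitize_text_fields( $str, $keep_newlines = false ) {
     $filtered = wp_check_invalid_utf8( $str );
 
@@ -4666,8 +4719,15 @@
         $filtered = wp_pre_kses_less_than( $filtered );
         // This will strip extra whitespace for us.
-        $filtered = wp_strip_all_tags( $filtered, true );
-    } else {
-        $filtered = trim( preg_replace('/[\r\n\t ]+/', ' ', $filtered) );
-    }
+        $filtered = wp_strip_all_tags( $filtered, false );
+
+        // Use html entities in a special case to make sure no later
+        // newline stripping stage could lead to a functional tag
+        $filtered = str_replace("<\n", "&lt;\n", $filtered);
+    }
+
+    if ( ! $keep_newlines ) {
+        $filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
+    }
+    $filtered = trim( $filtered );
 
     $found = false;
@@ -4682,13 +4742,5 @@
     }
 
-    /**
-     * Filters a sanitized text field string.
-     *
-     * @since 2.9.0
-     *
-     * @param string $filtered The sanitized string.
-     * @param string $str      The string prior to being sanitized.
-     */
-    return apply_filters( 'sanitize_text_field', $filtered, $str );
+    return $filtered;
 }
 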
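Review bot: The defence-in-depth replacement at new line 4725 of _sanitize_text_fields() only covers a `<` immediately followed by `\n`; a `<` followed by `\r\n` (the line ending commonly submitted for textarea content) or by a lone `\r` is left untouched, so the "later newline stripping stage" the comment anticipates could still rejoin such a sequence into a tag on the keep-newlines path, where nothing else in this function normalises `\r`. Covering every line-ending form preserves the intent and is a one-line change: `$filtered = preg_replace( '/<(\r\n|\r|\n)/', '&lt;$1', $filtered );`. The `if` enclosing these lines begins before the hunk (the elided line 4718), so the `<` pre-check it presumably performs is inferred rather than visible here. The new docblock would also read consistently with the other parameter tags as `@param bool $keep_newlines Optional. Whether to keep newlines. Default false.`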