<?php
/**
* Customizer: Sanitization Callbacks
*
* This file demonstrates how to define sanitization callback functions for various data types.
*
* @package code-examples
* @copyright Copyright (c) 2015, WordPress Theme Review Team
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU General Public License, v2 (or newer)
*/
/**
* Checkbox sanitization callback example.
*
* Sanitization callback for 'checkbox' type controls. This callback sanitizes `$checked`
* as a boolean value, either TRUE or FALSE.
*
* @param bool $checked Whether the checkbox is checked.
* @return bool Whether the checkbox is checked.
*/
function freelancer_agency_sanitize_checkbox( $checked ) {
	// A loose comparison against `true` is exactly a boolean cast: '1', 'on', true
	// and any non-empty string other than '0' become true; '', '0', 0, null and
	// false become false. Spelling it as a cast makes that explicit.
	return (bool) $checked;
}
/**
* CSS sanitization callback example.
*
* - Sanitization: css
* - Control: text, textarea
*
* Sanitization callback for 'css' type textarea inputs. This callback sanitizes
* `$css` for valid CSS.
*
* NOTE: wp_strip_all_tags() can be passed directly as `$wp_customize->add_setting()`
* 'sanitize_callback'. It is wrapped in a callback here merely for example purposes.
*
* @see wp_strip_all_tags() https://developer.wordpress.org/reference/functions/wp_strip_all_tags/
*
* @param string $css CSS to sanitize.
* @return string Sanitized CSS.
*/
function freelancer_agency_sanitize_css( $css ) {
	// Remove any HTML tags from the submitted stylesheet text. This only strips
	// markup; it does not validate the CSS itself. The same function could be
	// registered directly as the setting's 'sanitize_callback'.
	$stripped = wp_strip_all_tags( $css );

	return $stripped;
}
/**
* Drop-down Pages sanitization callback example.
*
* - Sanitization: dropdown-pages
* - Control: dropdown-pages
*
* Sanitization callback for 'dropdown-pages' type controls. This callback sanitizes `$page_id`
* as an absolute integer, and then validates that `$page_id` is the ID of a published page.
*
* @see absint() https://developer.wordpress.org/reference/functions/absint/
* @see get_post_status() https://developer.wordpress.org/reference/functions/get_post_status/
*
* @param int $page_id Page ID.
* @param WP_Customize_Setting $setting Setting instance.
* @return int|string Page ID if the page is published; otherwise, the setting default.
*/
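function freelancer_agency_sanitize_dropdown_pages( $page_id, $setting ) {
	// Coerce the submitted value to a non-negative integer (non-numeric input becomes 0).
	$page_id = absint( $page_id );

	// Accept the ID only when it belongs to a *page* that is published. Checking
	// the status alone would also let through a published post, attachment or
	// other post type whose ID was submitted in place of a page ID.
	$is_published_page = ( 'page' === get_post_type( $page_id ) && 'publish' === get_post_status( $page_id ) );

	return ( $is_published_page ? $page_id : $setting->default );
}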
/**
* Email sanitization callback example.
*
* - Sanitization: email
* - Control: text
*
* Sanitization callback for 'email' type text controls. This callback sanitizes `$email`
* as a valid email address.
*
* @see sanitize_email() https://developer.wordpress.org/reference/functions/sanitize_email/
* @link sanitize_email() https://codex.wordpress.org/Function_Reference/sanitize_email
*
* @param string $email Email address to sanitize.
* @param WP_Customize_Setting $setting Setting instance.
* @return string The sanitized email if not null; otherwise, the setting default.
*/
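function freelancer_agency_sanitize_email( $email, $setting ) {
	// sanitize_email() strips characters that are not allowed in an address and
	// returns an empty string when what remains is not a valid email.
	$email = sanitize_email( $email );

	// An invalid address is signalled by '' (never by null), so that is the value
	// to test for; `null()` is not a PHP function and calling it is a fatal error.
	return ( '' !== $email ? $email : $setting->default );
}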
/**
* HEX Color sanitization callback example.
*
* - Sanitization: hex_color
* - Control: text, WP_Customize_Color_Control
*
* Note: sanitize_hex_color_no_hash() can also be used here, depending on whether
* or not the hash prefix should be stored/retrieved with the hex color value.
*
* @see sanitize_hex_color() https://developer.wordpress.org/reference/functions/sanitize_hex_color/
* @link sanitize_hex_color_no_hash() https://developer.wordpress.org/reference/functions/sanitize_hex_color_no_hash/
*
* @param string $hex_color HEX color to sanitize.
* @param WP_Customize_Setting $setting Setting instance.
* @return string The sanitized hex color if not null; otherwise, the setting default.
*/
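function freelancer_agency_sanitize_hex_color( $hex_color, $setting ) {
	// sanitize_hex_color() keeps the leading '#' (use sanitize_hex_color_no_hash()
	// to store it without one) and returns null for anything that is not a
	// 3- or 6-digit hex color.
	$hex_color = sanitize_hex_color( $hex_color );

	// null means the value was rejected; `null()` is not a PHP function, so the
	// check has to be an explicit identity comparison.
	return ( null !== $hex_color ? $hex_color : $setting->default );
}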
/**
* HTML sanitization callback example.
*
* - Sanitization: html
* - Control: text, textarea
*
* Sanitization callback for 'html' type text inputs. This callback sanitizes `$html`
* for HTML allowable in posts.
*
* NOTE: wp_filter_post_kses() can be passed directly as `$wp_customize->add_setting()`
* 'sanitize_callback'. It is wrapped in a callback here merely for example purposes.
*
* @see wp_filter_post_kses() https://developer.wordpress.org/reference/functions/wp_filter_post_kses/
*
* @param string $html HTML to sanitize.
* @return string Sanitized HTML.
*/
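function freelancer_agency_sanitize_html( $html ) {
	// Reduce the markup to the tags and attributes allowed in post content.
	//
	// wp_kses_post() is the unslashed variant of this check. wp_filter_post_kses()
	// is written for the 'content_save_pre' filter chain: it calls stripslashes()
	// before filtering and addslashes() afterwards. The Customizer hands
	// sanitize callbacks already-unslashed values, so the filter variant would
	// store stray backslashes before quotes in the theme mod.
	return wp_kses_post( $html );
}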
/**
* Image sanitization callback example.
*
* Checks the image's file extension and mime type against a whitelist. If they're allowed,
* send back the filename, otherwise, return the setting default.
*
* - Sanitization: image file extension
* - Control: text, WP_Customize_Image_Control
*
* @see wp_check_filetype() https://developer.wordpress.org/reference/functions/wp_check_filetype/
*
* @param string $image Image filename.
* @param WP_Customize_Setting $setting Setting instance.
* @return string The image filename if the extension is allowed; otherwise, the setting default.
*/
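function freelancer_agency_sanitize_image( $image, $setting ) {
	/*
	 * Allowed image types, keyed by extension pattern.
	 *
	 * Every mime type listed here is also present in wp_get_mime_types().
	 */
	$mimes = array(
		'jpg|jpeg|jpe' => 'image/jpeg',
		'gif'          => 'image/gif',
		'png'          => 'image/png',
		'bmp'          => 'image/bmp',
		'tif|tiff'     => 'image/tiff',
		'ico'          => 'image/x-icon',
	);

	// wp_check_filetype() only looks at the file name / URL: it matches the
	// extension against $mimes and returns array( 'ext' => false, 'type' => false )
	// when nothing matches. It never opens the file, so this is an extension
	// allow-list, not a check of the actual image content.
	$file = wp_check_filetype( $image, $mimes );

	// Compare against false explicitly rather than relying on truthiness.
	return ( false !== $file['ext'] ? $image : $setting->default );
}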
/**
* No-HTML sanitization callback example.
*
* - Sanitization: nohtml
* - Control: text, textarea, password
*
* Sanitization callback for 'nohtml' type text inputs. This callback sanitizes `$nohtml`
* to remove all HTML.
*
* NOTE: wp_filter_nohtml_kses() can be passed directly as `$wp_customize->add_setting()`
* 'sanitize_callback'. It is wrapped in a callback here merely for example purposes.
*
* @see wp_filter_nohtml_kses() https://developer.wordpress.org/reference/functions/wp_filter_nohtml_kses/
*
* @param string $nohtml The no-HTML content to sanitize.
* @return string Sanitized no-HTML content.
*/
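function freelancer_agency_sanitize_nohtml( $nohtml ) {
	// Run kses with the 'strip' context, which allows no tags at all.
	//
	// wp_filter_nohtml_kses() does the same filtering but is meant for the
	// '*_save_pre' filter chain: it strips slashes before and adds them back
	// after. Customizer sanitize callbacks receive unslashed input, so calling
	// the filter variant here would leave backslashes before quotes in the
	// stored value.
	return wp_kses( $nohtml, 'strip' );
}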
/**
* Number sanitization callback example.
*
* - Sanitization: number_absint
* - Control: number
*
* Sanitization callback for 'number' type text inputs. This callback sanitizes `$number`
* as an absolute integer (whole number, zero or greater).
*
* NOTE: absint() can be passed directly as `$wp_customize->add_setting()` 'sanitize_callback'.
* It is wrapped in a callback here merely for example purposes.
*
* @see absint() https://developer.wordpress.org/reference/functions/absint/
*
* @param int $number Number to sanitize.
* @param WP_Customize_Setting $setting Setting instance.
* @return int Sanitized number; otherwise, the setting default.
*/
function freelancer_agency_sanitize_number_absint( $number, $setting ) {
	// absint() yields a non-negative integer; non-numeric input collapses to 0.
	$value = absint( $number );

	// 0 is treated as "no value" and replaced by the default, so a control whose
	// legitimate value is 0 cannot store it through this callback.
	if ( 0 === $value ) {
		return $setting->default;
	}

	return $value;
}
/**
* Number Range sanitization callback example.
*
* - Sanitization: number_range
* - Control: number, tel
*
* Sanitization callback for 'number' or 'tel' type text inputs. This callback sanitizes
* `$number` as an absolute integer within a defined min-max range.
*
* @see absint() https://developer.wordpress.org/reference/functions/absint/
*
* @param int $number Number to check within the numeric range defined by the setting.
* @param WP_Customize_Setting $setting Setting instance.
* @return int|string The number, if it is zero or greater and falls within the defined range; otherwise,
* the setting default.
*/
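function freelancer_agency_sanitize_number_range( $number, $setting ) {
	// absint() yields a non-negative integer, so a range with a negative `min`
	// can never be satisfied by a negative submission through this callback.
	$number = absint( $number );

	// Read min/max/step from the control registered under the setting's ID.
	// get_control() returns null when no control shares that ID; treat that as
	// "no constraints" instead of dereferencing null.
	$control = $setting->manager->get_control( $setting->id );
	$atts    = ( null !== $control && is_array( $control->input_attrs ) ) ? $control->input_attrs : array();

	// A missing bound defaults to the number itself, so it imposes no constraint.
	$min = ( isset( $atts['min'] ) ? $atts['min'] : $number );
	$max = ( isset( $atts['max'] ) ? $atts['max'] : $number );

	// A non-numeric or non-positive step would make the division below throw
	// (DivisionByZeroError) or never succeed, so fall back to a step of 1.
	// `+ 0` turns a numeric string from the control attributes into int/float.
	$step = ( isset( $atts['step'] ) && is_numeric( $atts['step'] ) && $atts['step'] > 0 ) ? $atts['step'] + 0 : 1;

	// The value lies on the step grid when the quotient has no fractional part.
	// Comparing with floor() instead of is_int() also accepts fractional steps
	// such as 0.5, for which PHP returns a float even when the quotient is whole.
	$quotient = $number / $step;
	$on_step  = ( floor( $quotient ) === (float) $quotient );

	return ( $min <= $number && $number <= $max && $on_step ? $number : $setting->default );
}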
/**
* Select sanitization callback example.
*
* - Sanitization: select
* - Control: select, radio
*
* Sanitization callback for 'select' and 'radio' type controls. This callback sanitizes `$input`
* as a slug, and then validates `$input` against the choices defined for the control.
*
* @see sanitize_key() https://developer.wordpress.org/reference/functions/sanitize_key/
* @see $wp_customize->get_control() https://developer.wordpress.org/reference/classes/wp_customize_manager/get_control/
*
* @param string $input Slug to sanitize.
* @param WP_Customize_Setting $setting Setting instance.
* @return string Sanitized slug if it is a valid choice; otherwise, the setting default.
*/
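function freelancer_agency_sanitize_select( $input, $setting ) {
	// sanitize_key() lowercases and strips everything outside [a-z0-9_-], so a
	// control whose choice keys contain uppercase letters or other characters can
	// never match and will always fall back to the default.
	$input = sanitize_key( $input );

	// Look up the choices on the control registered under the setting's ID.
	// get_control() returns null when there is no such control, and
	// array_key_exists() throws on a non-array, so guard both cases.
	$control = $setting->manager->get_control( $setting->id );
	$choices = ( null !== $control && is_array( $control->choices ) ) ? $control->choices : array();

	return ( array_key_exists( $input, $choices ) ? $input : $setting->default );
}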
/**
* URL sanitization callback example.
*
* - Sanitization: url
* - Control: text, url
*
* Sanitization callback for 'url' type text inputs. This callback sanitizes `$url` as a valid URL.
*
* NOTE: esc_url_raw() can be passed directly as `$wp_customize->add_setting()` 'sanitize_callback'.
* It is wrapped in a callback here merely for example purposes.
*
* @see esc_url_raw() https://developer.wordpress.org/reference/functions/esc_url_raw/
*
* @param string $url URL to sanitize.
* @return string Sanitized URL.
*/
function freelancer_agency_sanitize_url( $url ) {
	// esc_url_raw() cleans the URL for storage (no HTML-entity escaping, unlike
	// esc_url()) and yields an empty string when the URL is rejected, e.g. for
	// a protocol outside the allowed list. Escape again at output time.
	$clean = esc_url_raw( $url );

	return $clean;
}