Sanitization is the next best thing after validation. It’s the practice of stripping away anything that may be dangerous in the context you’re sanitizing for. Its most important goal in 90% of cases is to prevent XSS attacks. Sanitization usually happens right after you receive the data and before you save it in the database.
There are over 20 sanitization functions built into WordPress. The full list is in the official Sanitization Documentation. I could just give you that list, but you’ll forget the first one before you get to the last one. Instead, it’s more productive to think about sanitization functions as being in one of four categories.
1. General Purpose
This is your go-to, 90% of use cases, text sanitization category. It’s for when you have some text and want it to be safe. There are only 2 functions here:
- sanitize_text_field()
- sanitize_textarea_field()
sanitize_text_field() is the most basic text sanitization function. It’s pretty ruthless. You use it for single-line text content, i.e., a text input field. Here’s what it does:
- checks for invalid UTF-8,
- converts single < characters to entities,
- strips all tags,
- removes line breaks, tabs, and extra whitespace,
- strips percent-encoded characters.
sanitize_textarea_field() does what sanitize_text_field() does except it preserves new lines (\n) and other whitespace. These are expected in textarea elements.
2. Specific Data Format
This category is for when the input has a strict, expected format. The goal isn’t just to ensure safety, but to enforce a structure. The functions in this list are:
- sanitize_email()
- sanitize_file_name()
- sanitize_hex_color()
- sanitize_html_class() – creates a valid CSS class name from a string.
- sanitize_key() – leaves only lowercase alphanumeric characters, dashes, and underscores (“String Key” becomes “stringkey”). Useful for programmatic keys, e.g., meta keys.
- sanitize_mime_type()
- sanitize_title() – sanitizes a string into a slug (“My Amazing Post” becomes “my-amazing-post”).
- sanitize_user() – sanitizes a username.
- sanitize_url()
- absint() – converts a value to a non-negative integer.
Most of these functions are self-explanatory. You use them only if you have specific requirements for the data. All of them do different things. Consult the documentation when using them.
3. HTML Content
This category is arguably the most tricky. It’s for when you want to allow users to submit some HTML, like in a comment or a rich text editor. Once again, there are only 2 functions here:
- wp_kses()
- wp_kses_post()
What the hell does “kses” mean? I asked the same question the first time I saw it. According to a user comment from the wp_kses() documentation, this name comes from XSS, which is read similarly. It’s also a recursive acronym for “kses strips evil scripts”.
wp_kses() strips out all HTML tags and attributes except the explicitly allowed ones. Here’s an example of calling this function:
```php
$allowed_tags = array(
    'a'      => array(
        'href' => array(),
    ),
    'strong' => array(),
);

wp_kses( $unsafe_content, $allowed_tags );
```

This will strip all tags except for “a” and “strong”, and it will strip all attributes on those tags except for “href” on “a” tags.
wp_kses_post() is a shorthand for calling wp_kses() with all tags and attributes allowed in the editor. WordPress itself likely uses it to sanitize the content you input in the Block Editor. It’s a good general sanitization function for when you want to allow rich text markup but want to ensure the content is secure.
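As an added example (not code from the original post), here is a hypothetical meta box save handler that picks one function from each of the first three categories for its fields; the `tm_` prefix, the nonce name, the meta keys and the field names are assumptions.

```php
<?php
// Added example, not from the original post: a hypothetical "testimonial"
// meta box whose save handler applies one sanitization function per field.
// The tm_ prefix, nonce name, meta keys and field names are assumptions.

// Allowlist for wp_kses(): only <a href="..."> and <strong> survive.
function tm_allowed_tags() {
    return array(
        'a'      => array( 'href' => array() ),
        'strong' => array(),
    );
}

// Returns the sanitized values. Kept separate from the hook so it can be
// exercised directly with a constructed $input array.
function tm_sanitize_fields( array $input ) {
    return array(
        // 1. General purpose: a single-line text field.
        'author' => sanitize_text_field( $input['author'] ?? '' ),
        // 2. Specific format: an e-mail address and a non-negative integer.
        'email'  => sanitize_email( $input['email'] ?? '' ),
        'rating' => absint( $input['rating'] ?? 0 ),
        // 3. HTML content: restricted markup. wp_kses() removes tags that are
        //    not in the allowlist (their inner text stays), drops every
        //    attribute except href on <a>, and neutralizes href values whose
        //    scheme is not in wp_allowed_protocols().
        'quote'  => wp_kses( $input['quote'] ?? '', tm_allowed_tags() ),
    );
}

function tm_save_testimonial( $post_id ) {
    // Intent and authorization checks come before any sanitization.
    if ( ! isset( $_POST['tm_nonce'] )
        || ! wp_verify_nonce( $_POST['tm_nonce'], 'tm_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // WordPress adds slashes to request data; remove them before sanitizing.
    $raw   = (array) wp_unslash( $_POST['tm'] ?? array() );
    $clean = tm_sanitize_fields( $raw );
    foreach ( $clean as $key => $value ) {
        update_post_meta( $post_id, '_tm_' . $key, $value );
    }
}
add_action( 'save_post', 'tm_save_testimonial' );
```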
4. Miscellaneous
This is the catch-all category. These are rarely used functions that I didn’t think were appropriate for the previous categories, either because they didn’t fit their requirements or because they were so niche it’d be a waste of space putting them there.
Don’t even bother trying to remember them unless you’re megamind. Maybe it’s good to read through them once in a while and think if you could use them in whatever you’re writing.
The list:
- sanitize_hex_color_no_hash()
- sanitize_meta()
- sanitize_option()
- sanitize_sql_orderby()
- sanitize_term()
- sanitize_term_field()
- sanitize_title_for_query()
- sanitize_title_with_dashes()
- and more… (search for functions starting with “sanitize_”)