Wordpress Customizer API Sanitization Examples
<?php
///////////////////////////////
// HOW TO SANITIZE RADIO BOX //
///////////////////////////////
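/**
 * Sanitizes a radio-box value posted through the Customizer.
 *
 * Registered as the `sanitize_callback` of `theme_slug_customizer_radio`.
 * The submitted value is reduced to a slug (lowercase alphanumerics, dashes
 * and underscores) and then checked against the keys of the control's
 * `choices` array; anything outside that allowlist falls back to the
 * setting's default, so an arbitrary submitted string is never stored.
 *
 * @param mixed                $input   Raw value from the Customizer request.
 * @param WP_Customize_Setting $setting The setting being sanitized.
 * @return mixed The validated choice key, or `$setting->default`.
 */
function theme_slug_sanitize_radio($input, $setting) {
    // Normalise to a slug first so the key lookup below cannot be sidestepped
    // by case differences or stray characters.
    $input = sanitize_key($input);
    // The allowlist is the control's own `choices`. If the control has not
    // been registered (get_control() yields null) or carries no array of
    // choices, there is nothing to validate against, so keep the default
    // instead of letting array_key_exists() error out.
    $control = $setting->manager->get_control($setting->id);
    $choices = ($control !== null && isset($control->choices)) ? $control->choices : null;
    if (!is_array($choices)) {
        return $setting->default;
    }
    return array_key_exists($input, $choices) ? $input : $setting->default;
}

/**
 * Registers the example section plus the radio setting and its control.
 *
 * Hooked to `customize_register`. The sanitizer is declared at file scope
 * on purpose: the original declared it *inside* this callback, which left it
 * undefined until the hook fired and would raise "Cannot redeclare" if the
 * callback ever ran twice.
 *
 * @param WP_Customize_Manager $wp_customize Customizer manager instance.
 * @return void
 */
function theme_slug_customizer($wp_customize) {
    // The section every example control in this file attaches to.
    $wp_customize->add_section(
        'theme_slug_customizer_your_section',
        [
            'title'    => esc_html__('Your Section', 'theme_slug'),
            'priority' => 150,
        ]
    );
    // Setting: value is validated by theme_slug_sanitize_radio() above.
    $wp_customize->add_setting(
        'theme_slug_customizer_radio',
        [
            'sanitize_callback' => 'theme_slug_sanitize_radio',
        ]
    );
    // Control: the `choices` keys double as the sanitizer's allowlist.
    $wp_customize->add_control(
        'theme_slug_customizer_radio',
        [
            'label'   => esc_html__('Your Setting with Radio Box', 'theme_slug'),
            'section' => 'theme_slug_customizer_your_section',
            'type'    => 'radio',
            'choices' => [
                'one'   => esc_html__('Choice One', 'theme_slug'),
                'two'   => esc_html__('Choice Two', 'theme_slug'),
                'three' => esc_html__('Choice Three', 'theme_slug'),
            ],
        ]
    );
}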
// Run theme_slug_customizer() on the `customize_register` hook.
add_action('customize_register', 'theme_slug_customizer');
//////////////////////////////
// HOW TO SANITIZE CHECKBOX //
//////////////////////////////
//checkbox sanitization function
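/**
 * Sanitizes a checkbox value posted through the Customizer.
 *
 * The previous body, `isset($input) ? true : false`, returned true for every
 * non-null value — including `false`, `0` and `''` — so an unchecked box was
 * stored as checked. A checkbox has exactly two legitimate states, so only an
 * accepted "on" token yields true and everything else yields false.
 *
 * @param mixed $input Raw value from the Customizer request.
 * @return bool True for true/1/'1'/'true'/'on'/'yes' (case-insensitive), else false.
 */
function theme_slug_sanitize_checkbox($input) {
    // FILTER_VALIDATE_BOOLEAN is strict about what counts as "on";
    // null, arrays and unrecognised strings all produce false.
    return filter_var($input, FILTER_VALIDATE_BOOLEAN);
}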
//add setting to your section
// NOTE(review): at file scope `$wp_customize` is undefined — theme_slug_customizer()
// closed above — so these calls only work when moved inside a `customize_register`
// callback that receives the manager.
// Checkbox setting: the default is the empty string, i.e. unchecked; the
// sanitizer reduces whatever is posted to a boolean.
$checkbox_setting_args = [
    'default'           => '',
    'sanitize_callback' => 'theme_slug_sanitize_checkbox',
];
$wp_customize->add_setting('theme_slug_customizer_checkbox', $checkbox_setting_args);
// Checkbox control attached to the example section.
$checkbox_control_args = [
    'label'   => esc_html__('Your Setting with Checkbox', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'checkbox',
];
$wp_customize->add_control('theme_slug_customizer_checkbox', $checkbox_control_args);
////////////////////////////////////
// HOW TO SANITIZE SELECT OPTIONS //
////////////////////////////////////
//select sanitization function
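/**
 * Sanitizes a select-box value posted through the Customizer.
 *
 * Registered as the `sanitize_callback` of `theme_slug_customizer_select`.
 * The submitted value is reduced to a slug and then must match one of the
 * keys of the control's `choices` array; anything else resets to the
 * setting's default, so only pre-registered option keys are ever stored.
 *
 * @param mixed                $input   Raw value from the Customizer request.
 * @param WP_Customize_Setting $setting The setting being sanitized.
 * @return mixed The validated choice key, or `$setting->default`.
 */
function theme_slug_sanitize_select($input, $setting) {
    // Normalise to a slug first so the key lookup cannot be sidestepped
    // by case differences or stray characters.
    $input = sanitize_key($input);
    // Allowlist comes from the control itself. Guard against a missing
    // control (get_control() returns null) or a non-array `choices`, which
    // would otherwise make array_key_exists() error out.
    $control = $setting->manager->get_control($setting->id);
    $choices = ($control !== null && isset($control->choices)) ? $control->choices : null;
    if (!is_array($choices)) {
        return $setting->default;
    }
    return array_key_exists($input, $choices) ? $input : $setting->default;
}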
//add setting to your section
// Select setting (must run inside a `customize_register` callback — see the
// note on the checkbox example above).
$wp_customize->add_setting('theme_slug_customizer_select', [
    'sanitize_callback' => 'theme_slug_sanitize_select',
]);
// Select control. The `choices` keys are what theme_slug_sanitize_select()
// accepts; note the empty key for "Please select" is itself a valid choice,
// so an empty submission passes the allowlist check rather than falling back
// to the default.
$select_choices = [
    ''      => esc_html__('Please select', 'theme_slug'),
    'one'   => esc_html__('Choice One', 'theme_slug'),
    'two'   => esc_html__('Choice Two', 'theme_slug'),
    'three' => esc_html__('Choice Three', 'theme_slug'),
];
$wp_customize->add_control('theme_slug_customizer_select', [
    'label'   => esc_html__('Your Setting with select', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'select',
    'choices' => $select_choices,
]);
/////////////////////////////////////////////////////////////
// HOW TO SANITIZE TEXT INPUT AND HOW TO SANITIZE TEXTAREA //
/////////////////////////////////////////////////////////////
//add setting to your section
// The registrations below must run inside a `customize_register` callback
// (see the note on the checkbox example above); each pairs a setting with a
// WordPress core sanitizer and a plain control in the example section.

// Text input: wp_filter_nohtml_kses strips every HTML tag from the value.
$wp_customize->add_setting('theme_slug_customizer_text', [
    'sanitize_callback' => 'wp_filter_nohtml_kses',
]);
$wp_customize->add_control('theme_slug_customizer_text', [
    'label'   => esc_html__('Your Setting with text input', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'text',
]);

// Email input: sanitize_email removes characters that are not allowed in an
// address; it is a character filter, not a proof that the address exists.
$wp_customize->add_setting('theme_slug_customizer_email', [
    'sanitize_callback' => 'sanitize_email',
]);
$wp_customize->add_control('theme_slug_customizer_email', [
    'label'   => esc_html__('Your Setting with email input', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'email',
]);

// URL input: esc_url_raw is the storage-side cleaner; still escape with
// esc_url() where the value is printed into HTML.
$wp_customize->add_setting('theme_slug_customizer_url', [
    'sanitize_callback' => 'esc_url_raw',
]);
$wp_customize->add_control('theme_slug_customizer_url', [
    'label'   => esc_html__('Your Setting with URL input', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'url',
]);

// Number input: absint forces a non-negative integer (anything non-numeric
// becomes 0).
$wp_customize->add_setting('theme_slug_customizer_number', [
    'sanitize_callback' => 'absint',
]);
$wp_customize->add_control('theme_slug_customizer_number', [
    'label'   => esc_html__('Your Setting with number input', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'number',
]);

// Page dropdown: the value is a page ID, so absint guarantees an integer;
// it does not, presumably, verify that a page with that ID exists — confirm
// at the point of use if that matters.
$wp_customize->add_setting('theme_slug_customizer_dropdown_pages', [
    'sanitize_callback' => 'absint',
]);
$wp_customize->add_control('theme_slug_customizer_dropdown_pages', [
    'label'   => esc_html__('Your Setting with dropdown_pages input', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'dropdown-pages',
]);
////////////////////////////////
// HOW TO SANITIZE FILE INPUT //
////////////////////////////////
//file input sanitization function
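/**
 * Sanitizes the value of the upload control (a file reference such as an
 * attachment URL/path).
 *
 * Only values whose file *name* carries an allowed image extension are kept;
 * everything else resets to the setting's default. wp_check_filetype() works
 * from the filename alone — it does not read the file's bytes — so this is an
 * allowlist on the stored reference, not a content inspection.
 *
 * @param mixed                $file    Raw value from the Customizer request.
 * @param WP_Customize_Setting $setting The setting being sanitized.
 * @return mixed `$file` when its extension is allowed, else `$setting->default`.
 */
function theme_slug_sanitize_file($file, $setting) {
    // Anything that is not a non-empty string cannot be a file reference, and
    // wp_check_filetype() expects a string.
    if (!is_string($file) || $file === '') {
        return $setting->default;
    }
    // Extension => MIME allowlist; a key lists pipe-separated alternatives
    // for the same MIME type.
    $mimes = [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'gif'          => 'image/gif',
        'png'          => 'image/png',
    ];
    $file_ext = wp_check_filetype($file, $mimes);
    // 'ext' is empty/false when no allowed extension matched.
    return !empty($file_ext['ext']) ? $file : $setting->default;
}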
//add select setting to your section
// File (upload) setting — must run inside a `customize_register` callback.
// theme_slug_sanitize_file() allowlists the extension of whatever reference
// the upload control submits.
$wp_customize->add_setting('theme_slug_customizer_file', [
    'sanitize_callback' => 'theme_slug_sanitize_file',
]);
// Upload controls are class-based, so the control object is built explicitly
// instead of being described by a 'type' key.
$file_control = new WP_Customize_Upload_Control(
    $wp_customize,
    'theme_slug_customizer_file',
    [
        'label'   => __('Your Setting with file input', 'theme_slug'),
        'section' => 'theme_slug_customizer_your_section',
    ]
);
$wp_customize->add_control($file_control);
/////////////////////////
// HOW TO SANITIZE CSS //
/////////////////////////
//add setting to your section
// Colour setting — must run inside a `customize_register` callback.
// sanitize_hex_color accepts a 3- or 6-digit hex code with leading '#';
// the default is black.
$wp_customize->add_setting('theme_slug_customizer_color', [
    'default'           => '#000000',
    'sanitize_callback' => 'sanitize_hex_color',
]);
// The colour picker is a class-based control.
$color_control = new WP_Customize_Color_Control(
    $wp_customize,
    'theme_slug_customizer_color',
    [
        'label'   => __('Your Setting with color input', 'theme_slug'),
        'section' => 'theme_slug_customizer_your_section',
    ]
);
$wp_customize->add_control($color_control);

// HTML setting: wp_kses_post keeps only the tags/attributes allowed in post
// content, so script and similar markup is stripped before storage.
$wp_customize->add_setting('theme_slug_customizer_html_code', [
    'sanitize_callback' => 'wp_kses_post',
]);
$wp_customize->add_control('theme_slug_customizer_html_code', [
    'label'   => esc_html__('Your Setting with HTML code', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'textarea',
]);
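/**
 * Example of a stricter HTML sanitizer than wp_kses_post(): keeps only a
 * small allowlist of inline tags and attributes and strips everything else.
 *
 * The original snippet called wp_kses() at file scope on an undefined
 * `$input` and discarded the result; wrapping it in a function makes it
 * usable as a `sanitize_callback`.
 *
 * @param mixed $input Raw value from the Customizer request.
 * @return string The filtered markup (empty string for non-scalar input).
 */
function theme_slug_sanitize_limited_html($input) {
    // Allowlist: tag => allowed attributes. An empty array means the tag is
    // permitted but may carry no attributes at all.
    $allowed_html = [
        'a'      => [
            'href'  => [],
            'title' => [],
        ],
        'br'     => [],
        'em'     => [],
        'strong' => [],
    ];
    // wp_kses() works on strings; arrays/objects have no sensible markup form.
    $markup = is_scalar($input) ? (string) $input : '';
    return wp_kses($markup, $allowed_html);
}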
/////////////////////////////////////
// HOW TO SANITIZE JAVASCRIPT CODE //
/////////////////////////////////////
//script input sanitization function
/**
 * Prepares the JS-code setting for storage.
 *
 * This is an encoding step, not a filter: base64 is fully reversible, so the
 * textarea contents are preserved byte-for-byte and come back unchanged from
 * theme_slug_escape_js_output(). Nothing is removed or validated here, so the
 * stored script is only as trustworthy as the user who saved it.
 *
 * @param string $input Raw textarea contents.
 * @return string Base64 representation of `$input`.
 */
function theme_slug_sanitize_js_code($input) {
    $encoded = base64_encode($input);
    return $encoded;
}
//output escape function
/**
 * Restores the stored (base64) JS-code value and escapes it for display
 * inside the control's textarea.
 *
 * Registered as the setting's `sanitize_js_callback`. esc_textarea() makes
 * the decoded script safe to embed as textarea text; it is not a way to
 * execute the script safely elsewhere.
 *
 * @param string $input Base64 string produced by theme_slug_sanitize_js_code().
 * @return string Decoded script, HTML-escaped for a textarea.
 */
function theme_slug_escape_js_output($input) {
    $decoded = base64_decode($input);
    return esc_textarea($decoded);
}
//add setting to your section
// JS-code setting — must run inside a `customize_register` callback.
// sanitize_callback base64-encodes the value for storage (no filtering);
// sanitize_js_callback decodes and escapes it again for the textarea.
$js_setting_args = [
    'sanitize_callback'    => 'theme_slug_sanitize_js_code',
    'sanitize_js_callback' => 'theme_slug_escape_js_output',
];
$wp_customize->add_setting('theme_slug_customizer_js_code', $js_setting_args);
$js_control_args = [
    'label'   => esc_html__('Your Setting with JS code', 'theme_slug'),
    'section' => 'theme_slug_customizer_your_section',
    'type'    => 'textarea',
];
$wp_customize->add_control('theme_slug_customizer_js_code', $js_control_args);
/////////////////////////////////////////////
//LIST OF WORDPRESS SANITIZATION FUNCTIONS //
/////////////////////////////////////////////
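// Reference list only. The original wrote these as bare calls (`absint();`
// and so on); every one of them requires at least one argument, so loading
// the file would raise ArgumentCountError on PHP 7.1+. Kept as comments.
//
// absint()                      - converts value to a non-negative integer, useful for numbers, IDs, etc.
// esc_url_raw()                 - for inserting a URL in the database safely (escape again with esc_url() on output)
// sanitize_email()              - strips out all characters that are not allowable in an email address
// sanitize_file_name()          - removes special characters that are illegal in filenames on certain operating systems
// sanitize_hex_color()          - returns a 3 or 6 digit hex color with #, or nothing
// sanitize_hex_color_no_hash()  - the same as above but without a #
// sanitize_html_class()         - sanitizes an HTML class name to ensure it only contains valid characters
// sanitize_key()                - lowercase alphanumeric characters, dashes and underscores are allowed
// sanitize_mime_type()          - useful to save a MIME type in the DB, e.g. an uploaded file's type
// sanitize_option()             - sanitizes values like update_option() and add_option() do for various option types.
//                                 List of available options: https://codex.wordpress.org/Function_Reference/sanitize_option#Notes
// sanitize_sql_orderby()        - ensures a string is a valid SQL ORDER BY clause
// sanitize_text_field()         - removes all HTML markup, as well as extra whitespace, leaving nothing but plain text
// sanitize_title()              - returned value intended to be suitable for use in a URL
// sanitize_title_for_query()    - used for querying the database for a value from a URL
// sanitize_title_with_dashes()  - same as above but it does not replace special accented characters
// sanitize_user()               - sanitizes a username, stripping out unsafe characters
// wp_filter_post_kses(), wp_kses_post() - keep only HTML tags that are allowed in post content
// wp_kses()                     - allows only the HTML tags and attributes that you specify
// wp_kses_data()                - sanitizes content with the allowed HTML kses rules
// wp_rel_nofollow()             - adds rel="nofollow" to all HTML A elements in content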