
Sanitization of WordPress Customizer controls


Sanitize the WordPress Customizer

WordPress Snippets

/*
* Sanitize Checkbox
*/

// Source: https://github.com/FlagshipWP/flagship-library/blob/develop/customizer/classes/customizer-base.php
	/**
	 * Sanitize a checkbox value to exactly 0 or 1.
	 *
	 * Only a value that absint() coerces to 1 counts as checked; every
	 * other input (empty, non-numeric, 2, ...) is stored as 0. Note that
	 * absint() takes the absolute value, so -1 also reads as checked.
	 *
	 * @since  1.2.0
	 * @access public
	 * @param  mixed $input Raw value posted by the Customizer control.
	 * @return int 1 when checked, 0 otherwise.
	 */
	public function sanitize_checkbox( $input ) {
		$is_checked = ( absint( $input ) === 1 );

		return $is_checked ? 1 : 0;
	}
	
	// Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
	
	/**
 * Checkbox Sanitization Callback 
 * 
 * Sanitization callback for 'checkbox' type controls.
 * This callback sanitizes $input as a Boolean value, either
 * TRUE or FALSE.
 */
function theme_slug_sanitize_checkbox( $input ) {
	
	// Boolean check 
	return ( ( isset( $input ) && true == $input ) ? true : false );
}

// Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
// Reference: https://make.wordpress.org/themes/2015/02/10/custom-css-boxes-in-themes/
// Reference: http://mikejolley.com/2013/08/keeping-your-shit-secure-whilst-developing-for-wordpress/

/**
 * Sanitization: css (kses variant)
 * Control: text, textarea
 *
 * Removes every HTML tag from $input by running it through kses with an
 * empty allow-list. It does not validate or restrict the CSS itself.
 *
 * NOTE(review): wp_filter_nohtml_kses() is written for the content filter
 * chain, where data arrives slashed, and (as far as I recall) re-applies
 * addslashes() to its result — confirm that is what you want for a
 * Customizer sanitize_callback; wp_strip_all_tags() has no such slashing.
 * This file also defines a second theme_slug_sanitize_css() further down;
 * only one definition can be loaded at a time.
 *
 * @uses	wp_filter_nohtml_kses()	https://developer.wordpress.org/reference/functions/wp_filter_nohtml_kses/
 * @param  string $input Raw CSS from the control.
 * @return string CSS with all HTML tags removed.
 */
function theme_slug_sanitize_css( $input ) {
	$tagless = wp_filter_nohtml_kses( $input );

	return $tagless;
}


/**
 * Sanitization: css
 * Control: text, textarea
 *
 * Sanitization callback for 'css' type textarea inputs. The callback only
 * removes HTML tags (and, via wp_strip_all_tags(), whole <script>/<style>
 * blocks); it does not parse or validate the CSS, so CSS-level constructs
 * such as @import survive. Escape the stored value for the context it is
 * printed in when outputting it.
 *
 * NOTE: wp_strip_all_tags() can be passed directly as
 * $wp_customize->add_setting() 'sanitize_callback'. It
 * is wrapped in a callback here merely for example
 * purposes.
 *
 * @uses	wp_strip_all_tags()	https://developer.wordpress.org/reference/functions/wp_strip_all_tags/
 * @param  string $input Raw CSS from the control.
 * @return string CSS with all HTML tags removed.
 */
function theme_slug_sanitize_css( $input ) {
	$tagless = wp_strip_all_tags( $input );

	return $tagless;
}
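/**
 * Sanitization: html
 * Control: textarea
 *
 * Sanitization callback for 'html' type text inputs. $input is reduced to
 * the tags and attributes WordPress allows in post content — the 'post'
 * kses context, i.e. the same allow-list wp_kses_post() uses.
 *
 * The context name is resolved through wp_kses_allowed_html(), so plugins
 * that extend the allow-list via the 'wp_kses_allowed_html' filter are
 * honoured. Reading the raw $allowedposttags global bypasses that filter
 * and was the only reason this function needed `global`.
 *
 * https://codex.wordpress.org/Function_Reference/wp_kses
 * https://gist.github.com/adamsilverstein/10783774
 * https://github.com/devinsays/options-framework-plugin/blob/master/options-check/functions.php#L69
 * http://ottopress.com/2010/wp-quickie-kses/
 *
 * @uses	wp_kses()	https://developer.wordpress.org/reference/functions/wp_kses/
 * @param  string $input Raw HTML from the control.
 * @return string HTML restricted to the 'post' allow-list.
 */
function theme_slug_sanitize_html( $input ) {
	// wp_kses() accepts a context name in place of an array and looks the
	// allow-list up with wp_kses_allowed_html(); 'post' is what
	// wp_kses_post() passes.
	return wp_kses( $input, 'post' );
}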
//https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php
//https://shellcreeper.com/how-to-sanitize-image-upload/
//https://github.com/turtlepod/fx-favicon/blob/master/includes/settings.php#L52


/**
 * Sanitization: image
 * Control: text, WP_Customize_Image_Control
 *
 * Sanitization callback for images: the URL is first validated by file
 * extension (falling back to the setting's default when it does not look
 * like an image) and then escaped for storage with esc_url_raw().
 *
 * esc_url_raw() prepares the value for the database, not for output;
 * escape again with esc_url() when printing it.
 *
 * @uses	theme_slug_validate_image()
 * @uses	esc_url_raw()				http://codex.wordpress.org/Function_Reference/esc_url_raw
 * @param  string               $input   Raw URL from the control.
 * @param  WP_Customize_Setting $setting Setting being sanitized; its
 *                                       default is used on rejection.
 * @return string Escaped image URL, or the escaped default.
 */
function theme_slug_sanitize_image( $input, $setting ) {
	$validated_url = theme_slug_validate_image( $input, $setting->default );

	return esc_url_raw( $validated_url );
}

/**
 * Validation: image
 * Control: text, WP_Customize_Image_Control
 *
 * Accepts $input when its file extension matches one of the image types
 * listed below, otherwise returns $default.
 *
 * This is an extension check on the URL string only: nothing is fetched,
 * so the check says nothing about the file's real content type, and
 * (assumption, confirm against wp_check_filetype()) a URL carrying a query
 * string or fragment after the extension may fail to match.
 *
 * @uses	wp_check_filetype()		https://developer.wordpress.org/reference/functions/wp_check_filetype/
 * @uses	in_array()				http://php.net/manual/en/function.in-array.php
 * @param  string $input   Raw URL from the control.
 * @param  string $default Value returned when $input is not an image URL.
 * @return string $input when it looks like an image, otherwise $default.
 */
function theme_slug_validate_image( $input, $default = '' ) {
	// Image types accepted here; each key is the pipe-separated extension
	// list wp_check_filetype() expects, matching wp_get_mime_types().
	$allowed_mimes = array(
		'jpg|jpeg|jpe' => 'image/jpeg',
		'gif'          => 'image/gif',
		'png'          => 'image/png',
		'bmp'          => 'image/bmp',
		'tif|tiff'     => 'image/tiff',
		'ico'          => 'image/x-icon',
	);

	// Returns array( 'ext' => ..., 'type' => ... ); 'ext' is false when
	// nothing in $allowed_mimes matches the file name's extension.
	$filetype = wp_check_filetype( $input, $allowed_mimes );

	if ( $filetype['ext'] ) {
		return $input;
	}

	return $default;
}
// Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php

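/**
 * Sanitization: number_range
 * Control: number, tel
 *
 * Sanitization callback for 'number' or 'tel' type text inputs. This
 * callback sanitizes $input as an absolute integer within the min/max/step
 * declared in the control's input_attrs, returning the setting's default
 * when the value falls outside that range.
 *
 * WordPress invokes sanitize callbacks as ( $value, $setting ); the
 * $setting parameter is required here because the control's attributes
 * are looked up through it. Rules applied:
 *  - a missing 'min' or 'max' means no bound on that side;
 *  - 'step' must be a positive integer (inputs are whole numbers after
 *    absint()), so 0, negative or fractional steps fall back to 1 instead
 *    of dividing by zero or rejecting every value;
 *  - the step check is "multiple of step", counted from 0, not from 'min'.
 *  - if no control is registered under the setting's id there is nothing
 *    to validate against, so the default is returned (fail closed).
 *
 * @uses	absint()	https://developer.wordpress.org/reference/functions/absint/
 * @param  mixed                $input   Raw value from the control.
 * @param  WP_Customize_Setting $setting Setting being sanitized.
 * @return int|mixed The sanitized integer, or $setting->default.
 */
function theme_slug_sanitize_number_range( $input, $setting ) {

	// Ensure input is an absolute integer
	$input = absint( $input );

	// Fail closed when the control cannot be found: get_control() returns
	// null if the control id differs from the setting id.
	$control = $setting->manager->get_control( $setting->id );
	if ( ! $control ) {
		return $setting->default;
	}
	$atts = (array) $control->input_attrs;

	// A bound that is not declared defaults to $input itself, which makes
	// that side of the range check pass unconditionally.
	$min = isset( $atts['min'] ) ? $atts['min'] : $input;
	$max = isset( $atts['max'] ) ? $atts['max'] : $input;

	// Only a positive integer step is meaningful for integer values.
	$step = isset( $atts['step'] ) ? absint( $atts['step'] ) : 1;
	if ( $step < 1 ) {
		$step = 1;
	}

	$in_range = ( $min <= $input && $input <= $max );
	$on_step  = ( 0 === $input % $step );

	// If the input is within the valid range and on the step grid,
	// return it; otherwise, return the default
	return ( $in_range && $on_step ) ? $input : $setting->default;
}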
// Source: https://github.com/WPTRT/code-examples/blob/master/customizer/sanitization-callbacks.php

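/**
 * Sanitization: select
 * Control: select, radio
 *
 * Sanitization callback for 'select' and 'radio' type controls.
 * This callback sanitizes $input as a slug, and then validates
 * $input against the choices defined for the control; anything not in
 * the choices list is replaced by the setting's default.
 *
 * If no control is registered under the setting's id (get_control()
 * returns null) there is no choices list to check against, so the default
 * is returned rather than letting the lookup fail.
 *
 * Choice keys must themselves be sanitize_key()-safe (lowercase a-z, 0-9,
 * '-' and '_'); a key with other characters can never be selected.
 *
 * @uses	sanitize_key()			https://developer.wordpress.org/reference/functions/sanitize_key/
 * @uses	$wp_customize->get_control()	https://developer.wordpress.org/reference/classes/wp_customize_manager/get_control/
 * @param  mixed                $input   Raw value from the control.
 * @param  WP_Customize_Setting $setting Setting being sanitized.
 * @return string|mixed The validated key, or $setting->default.
 */
function theme_slug_sanitize_select( $input, $setting ) {

	// Ensure input is a slug
	$input = sanitize_key( $input );

	// Get the control associated with the setting; fail closed when it
	// is missing or carries no choices array.
	$control = $setting->manager->get_control( $setting->id );
	if ( ! $control || ! is_array( $control->choices ) ) {
		return $setting->default;
	}

	// If the input is a valid key, return it;
	// otherwise, return the default
	return array_key_exists( $input, $control->choices ) ? $input : $setting->default;
}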
esc_attr
esc_textarea

// Source: https://github.com/FlagshipWP/flagship-library/blob/develop/customizer/classes/customizer-base.php

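/**
 * Sanitize a string to allow only the inline tags of the kses 'data'
 * context (the $allowedtags set: a, abbr, b, em, strong, ... ).
 *
 * The context name is resolved through wp_kses_allowed_html(), which is
 * where $allowedtags comes from and which also applies the
 * 'wp_kses_allowed_html' filter; reading the global directly bypassed that
 * filter and was the only reason for the `global` statement.
 *
 * @since  1.2.0
 * @param  string $string The unsanitized string.
 * @return string The sanitized string.
 */
public function sanitize_text( $string ) {
	// wp_kses() accepts a context name and looks the allow-list up itself.
	return wp_kses( $string, 'data' );
}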