get_theme_mod filter ignores sanitize_callback

Sanitization via the sanitize_callback function takes place when you save the the theme mod.

Retrieving a theme mod via get_theme_mod() (which runs the theme_mod_{$name} filter) does not use the sanitize_callback function. So, whatever you’ve set $_GET['header_layout'] to will be used regardless of whether it is valid or not.

From wp-includes\theme.php:

/**
 * Retrieve theme modification value for the current theme.
 *
 * If the modification name does not exist, then the $default will be passed
 * through {@link https://secure.php.net/sprintf sprintf()} PHP function with the first
 * string the template directory URI and the second string the stylesheet
 * directory URI.
 *
 * @since 2.1.0
 *
 * @param string      $name    Theme modification name.
 * @param bool|string $default
 * @return string
 */
function get_theme_mod( $name, $default = false ) {
    $mods = get_theme_mods();

    if ( isset( $mods[$name] ) ) {
        /**
         * Filters the theme modification, or 'theme_mod', value.
         *
         * The dynamic portion of the hook name, `$name`, refers to
         * the key name of the modification array. For example,
         * 'header_textcolor', 'header_image', and so on depending
         * on the theme options.
         *
         * @since 2.2.0
         *
         * @param string $current_mod The value of the current theme modification.
         */
        return apply_filters( "theme_mod_{$name}", $mods[$name] );
    }

    if ( is_string( $default ) )
        $default = sprintf( $default, get_template_directory_uri(), get_stylesheet_directory_uri() );

    /** This filter is documented in wp-includes/theme.php */
    return apply_filters( "theme_mod_{$name}", $default );
}

Related Posts:

  1. Use default value of wp_customizer in theme_mod output?
  2. get_theme_mod doesn’t return the theme customizer preview’s new values in after_setup_theme hook
  3. Why does get_theme_mod return blank (or default value) but get_option returns saved value?
  4. Why is remove_setting and remove_control not working?
  5. Get_theme_mod not retrieving value
  6. get_theme_mod not working
  7. get_theme_mod() only working when the customizer is open
  8. Customizer live preview not working, refreshes but nothing change
  9. adding checkbox to theme customizer
  10. get_theme_mod only returns false
  11. Fetch customizer image and output as an inline css style background image
  12. How to properly delete and rename the custom settings/section/control in theme customizer?
  13. Where is Customizer related data stored is the database?
  14. Repeater field in Customizer
  15. Adjust the Device Preview sizes used in the WP 4.5 Customizer
  16. WP Customizer – Prevent live preview
  17. How to print the value of a custom control in the Customizer?
  18. Customizer JS API dynamically add sections and controls
  19. Theme customizer – possible to disable Live Preview?
  20. Theme Customization API options on install
  21. Get current post ID of customizer preview window
  22. Add button to Customizer
  23. Customizer active callback live toggle controls
  24. Customizer Issue, Default Settings not working
  25. WP customizer + gulp + browsersync = refused to display in iframe?
  26. Rename and rearrange customizer section
  27. Theme Customizer Custom Background / Header Image
  28. Customizer not saving image settings
  29. Theme Customizer – My panel disappears
  30. Author functions don’t work in customizer’s selective refresh
  31. How to remove mixed content warnings in WP Customizer
  32. Using Theme Customizer Built-In Sections
  33. Theme Customizer changes are dissappearing when change page
  34. Customizer Selective Refresh doesn’t refresh properly with saved value
  35. WordPress Customizer sanitize_callback: How to Reset to Default on Fail
  36. WordPress code editor VS customizer “built-in CSS editor”?
  37. How do i remove the ‘WooCommerce’ section from Customizer in Twenty Sixteen Theme?
  38. Customizer options
  39. Issue with Customizer: only last field shown in section
  40. How do i add edit shortcut icon in wordpress without using selective refresh
  41. Dynamic IDs in WordPress Customizer value bindings
  42. Custom panel/section link styling in customizer
  43. Customizer chokes on my theme in 4.9, where should I be looking?
  44. Theme Customizer – Text without a setting (a comment or tag)
  45. Translations appear in the WP Customizer, but not on the website!
  46. How To Remove or Hide Appearance->Background from Admin Menu
  47. Custom switch not hiding sub-fields on Customizer’s load
  48. WordPress Customizer Selective Refresh: works only on first setting change
  49. How to use WP_Customize_Cropped_Image_Control settings in the customizer preview?
  50. WordPress Customizer: Why widgets and nav_menus are components, not panel or section?
  51. Add customiser controls directly to a panel
  52. How to use sanitize_callback?
  53. datepicker works on widgets options page, but not on customizer
  54. get_theme_mod Not Functioning Properly
  55. Get Image Width From WP_Customize_Image_Control() File Set in WP Theme Customizer
  56. My background color customizer doesnt work
  57. theme customizer issue
  58. Initials of email looks strange on WordPress Website
  59. Customizer section gone after adding second
  60. Show/hide section in theme customizer based on selection from another section
  61. Sidebar visibility in {WordPress template Hyerarchy, Newspaper Theme, TagDiv Composer}
  62. How to create a tooltip behind a customizer setting label?
  63. WordPress Customizer allow line break
  64. Amend description of menu location in customizer WordPress
  65. Hooks to watch customizer value change
  66. How to add UI buttons in customizer like twentyseventeen
  67. How to use variable from customizer.php in customizer.js
  68. How to delete old custom-css-stuff in the customizer-live-preview?
  69. Output values from Customizer isn’t working
  70. What is the id for the widgets section of the WordPress theme customizer?
  71. No option to select home page in theme customizer
  72. How to import and export settings from live customizer?
  73. WP 3.8 theme customizer error
  74. Initialize WordPress customizer variables
  75. Adding custom link with get parameter to a menu button
  76. Getting text from custom field from customizer
  77. WordPress navigation URL became hashed URL automatically
  78. Want to permanently remove pagination number page/2/ in WordPress
  79. How to make a block for header font styling at customizer via function.php?
  80. Customizer – binding jQuery created controls
  81. @font-face in Customize Control
  82. add a section in wordpress theme to upload image and process it
  83. Broken Customizer After Migration To The Skeleton Architecture
  84. Creating default object from empty value in wp_customize?
  85. Exiting Customizer alert
  86. Why is my custom WordPress Customizer section disappearing after about a second?
  87. Hide Customizer Setting on ‘ready’
  88. Manipulating customizer panels and fields?
  89. Issues Saving Long String Option
  90. Use the customiser to set the background-image of a div
  91. WordPress Customizer Not Setting Custom Settings or Controls
  92. Disable customizer control sorting within sections
  93. Using get_theme_mod with checkbox to display content
  94. WordPress Customizer Hides my Sections / Controls inside of is_admin()
  95. Default Customizer Code
  96. How to work around case sensitivity of HEX values?
  97. WP Theme Customizer – Responsive Elements
  98. Customizer sanitize_callback for input type number
  99. How to check WP Customize Control
  100. Custom logo manage by customizer and theme options