What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?

What Do They Do?

wp_filter_nohtml_kses strips all HTML from a string, that’s it. It does it via the wp_kses function and it expects slashed data, here’s its implementation:

function wp_filter_nohtml_kses( $data ) {
    return addslashes( wp_kses( stripslashes( $data ), 'strip' ) );
}

sanitize_text_field on the other hand does more than that, the doc says:

  • Checks for invalid UTF-8,
  • Converts single < characters to entities
  • Strips all tags
  • Removes line breaks, tabs, and extra whitespace
  • Strips octets

Specificially the point of sanitize_text_field is to sanitize text fields. Since you want to sanitize a text field, you should use sanitize_text_field.

So Why Does One Article Recommend wp_filter_nohtml_kses?

It doesn’t.

The author correctly recognised the variable may contain HTML, and searched for a function to do just that, and found wp_filter_nohtml_kses.

However this is neither the best function for this job, or the appropriate one. sanitize_text_field targets the actual problem, that the field needs sanitising, and does a more than strip out tags.

The author could easily have chosen wp_strip_all_tags, but should have gone for sanitize_text_field.

Which brings us to the main points:

  1. Not all guides are correct
  2. When faced with a choice between 2 functions, pick the one that literally says what you want to do, not the obscure one
  3. wp_filter_nohtml_kses would not have protected against octal characters, and other things that sanitize_text_field does, but perhaps the author was unaware of those attack vectors?
  4. Some of the things sanitize_text_field does are less about security and more about cleanliness, e.g. stripping extra whitespace

Escaping vs Sanitising

URL’s have esc_url_raw() and so on.

Not quite, esc_url_raw is an escaping function, escaping is not sanitisation! Though this is a rare exception where it can be used as a sanitising function

  • Sanitising data cleans it
  • Validating data confirms it
  • Escaping data secures it

Sanitise and validate on input, escape on output.

Another way to think of it, is like a gameshow:

  • Sanitising is the cleanup they do to get you ready for TV
  • Validation is the judge at the end of the round who checks that you did what you were asked
  • Escaping is the giant wall with the shaped hole you have to fit through or it’ll push you off the ledge

For example, consider this value: " [email protected] <b>hello!</b> "

  • we sanitize with sanitize_email, eliminating trailing spaces, etc, giving us [email protected]
  • we can validate it with validate_email to check if it is indeed an email
  • At this point we can process the input

Some time passes…

  • now we need to output the data, so we escape it
  • echo esc_url( 'mailto:'.$email );

Now we get a mailto link with an email, it will always be a link. There is no dithering about it should be a link, it can be a link, it’s supposed to be a link, etc. It is guaranteed to be a link, there is now certainty. No assumptions need to be made.

Lets say that $email was sanitised and validated, and saved, yet the sites database was mangled or modified during a hack. Now, $email contains a JS bitcoin miner! Or it did until esc_url mangled it into an email. The email isn’t usable, but it has the format of an email.

For this reason, escaping is only done on output, uses an escaping function appropriate for the exected output, not the data ( esc_attr for html attributes, esc_html for text, esc_url for URLs, and so on ). Escaping is also done at the latest possible moment, closest to output. This way escaped data can’t be modified after its been escaped, and there’s no confusion about when something was escaped that might cause double escaping.

For this reason, avoid adding HTML to a variable then echoing it at the end, or passing around complex HTML fragments in variables. You have no way to know if they’re safe or not

Related Posts:

  1. Can i use the same sanitize function on multiple theme mod textboxes?
  2. How to use sanitize_callback?
  3. Trouble creating custom sanitization function for user list dropdown
  4. how to sanitize customizer checkbox control
  5. I need to get the control choices to sanitize_callback
  6. Customizer sanitize_callback for input type number
  7. How do I implement selective refresh with a customizer setting?
  8. How to create a theme customizer ‘sub’ panel?
  9. Use default value of wp_customizer in theme_mod output?
  10. How to upload multiple images with WP_Customize_Media_Control
  11. Is there any way to add placeholder for WordPress Customizer text input fields
  12. Custom editable content for front page from Theme Customizer
  13. Can I create customizer setting that can handle plugin shortcode?
  14. Add/remove controls dynamically based on other settings in Customizer
  15. How to mix partial and full page refresh in the same section of the customizer?
  16. Add a “loading” notice when Customizer is making changes
  17. Make Theme Options Native to Theme Customizer
  18. How do I conditionally enqueue stylesheets or scripts in theme customizer settings?
  19. Internalize get_theme_mod CSS Into Stylesheet?
  20. Customiser `active_callback` not working on control with `postMessage` transport method
  21. How to get control choices from $setting object passed to sanitize_callback
  22. Can I change a control’s transport in Customizer depending on the previewed page?
  23. How to hook on customizer section expanded/active/opened event?
  24. How do I use add_control to offer a list of all pages in the customiser?
  25. Visible Edit Shortcut for WordPress menu that uses nav walker
  26. Get_theme_mod not retrieving value
  27. Set Default Page On Customizer Live Preview
  28. How to hide few theme customization options – TwentySeventeen theme
  29. Panel description in Customizer does not show up
  30. How to extend Customizer payload sent when ‘Save & Publish’ is triggered
  31. Customizer Add Section argument ‘active_callback’ => “is_front_page” not working
  32. Theme customization based on grouped pages
  33. Customizer: Update Preview instantly when typing into a number input field
  34. add_theme_support(‘custom-header’) does not add the option to customize
  35. making customizer sections sortable but items not getting sorted first time items are moved
  36. Create custom control for WordPress customizer using JavaScript
  37. Customizer Not Applying Any Change, No Error Thrown
  38. How do I add a customizer control dynamically?
  39. Need a help on sanitization
  40. Make customizer controls get custom setting type value
  41. Background Color not being set in WP Customizer
  42. How to disable cropping of the site icon?
  43. How do I update the wpColorPicker palette after initialization?
  44. Selective refresh and registering widget areas
  45. Your theme has 1 widget areas, but this particular page doesn’t display them in wordpress
  46. Customizer: Category Select Sanitize
  47. Creating Dependant Text field in Customizer with Checkbox
  48. Customizer Ajax
  49. Theme Customizier sanitize_callback not working
  50. Binding Serialized Setting to JS for Realtime Response
  51. Unset color set in Theme Customizer
  52. Add post type titles in customizer dropdown list
  53. get_theme_mod filter ignores sanitize_callback
  54. DIVI Theme customizer changes not applied on existing pages [closed]
  55. Place a message in theme customizer sidebar
  56. Setting dirty on customizer
  57. Customiser sections not being displayed with `active_callback`
  58. How to allow certain PHP functions when using sanitize_callback in the word press customizer
  59. Output foreach loop used in WordPress wp_customize
  60. Changing Customizer Select To Checbox, But Retaining Classes
  61. Customizer related question
  62. How to add custom classes to the customizer panels, sections or controls?
  63. Add Links to Customizer
  64. Kirki: generate toggles for each taxonomy term
  65. Custom Customizer setting only saving value of 0
  66. Allow multiple settings to be stored in a single option in Theme customizer
  67. How to make WordPress customizer to autoload changes?
  68. Theme customizer not working
  69. where to change text for header?
  70. Theme Customizer for only author.php (per user baisi)
  71. Customizer API – Class doesn’t exist error
  72. Get register wp_customize settings in the front end
  73. Theme Customizer performance drops when adding a lot of settings
  74. How to Add Extra Settings to Appearance/Customizer Sections homepage
  75. How would you set Theme Customizer API Previewer Preview URL of a Logged out Page or Login Screen
  76. Sanitize callback function for select controll in customizer
  77. Creating a WordPress Customizer control/field with react
  78. How to save theme customizer values as sub-array?
  79. What is the method to switch to specific page on entering theme customizer screen?
  80. How to Display Error in my WordPress customizer API?
  81. Change a customizer control based on another control’s value dynamically
  82. Unable to Auto Post In Buddy Press Activity from Elementor-Pro Form
  83. Linking to a Customizer control
  84. How to add a link to an external website in the description of a customizer control (with Kirki)?
  85. Domain redirect seems to break WP customizer
  86. Top header to edit page not present in one page
  87. Using different header images for different devices
  88. Can you make sub-panels in customizer?
  89. “Display Site Title and Tagline” checkbox without adding Header Image option
  90. WordPress Theme Customization error
  91. How can I stop widgets from re-executing every time I access the logged-in homepage?
  92. Theme customizer API get functions
  93. how to make additional color options added to default color Customizer save their value
  94. Template tags not working in the customizer preview
  95. HTML inside Customizer
  96. Disabling and enabling content using Customizer
  97. I am looking for a font used in WordPress [closed]
  98. What is the section ID (name) for “Menus” in the Customizer?
  99. Issue displaying customiser setting with get_theme_mod
  100. How to return responsive images from a sanitize_callback?
techhipbettruvabetnorabahisbahis forumuedusedueduseduedusedueduedusedusedu