In my plugin people can add placeholders that are substituted later in the workflow. A typical placeholder might look like %name%, %address% %postal_code%. However, in the database sanitize_text_field saves it as %name%, dress% %postal_code% - it strips the leading % from only one instance. I can work around it by using esc_html, but am curious about what is going on here.

Can anyone explain it?
asked Feb 15 at 22:51 by Steve, edited Feb 16 at 0:16

1 Answer

"Can anyone explain it?"
The official docs for that function say it strips percent-encoded characters:

- Checks for invalid UTF-8
- Converts single < characters to entities
- Strips all tags
- Removes line breaks, tabs, and extra whitespace
- Strips percent-encoded characters
https://developer.wordpress/reference/functions/sanitize_text_field/
It looks like it's stripped out %ad, and it has nothing to do with instances or leading/trailing; that function doesn't understand that it's a CSV etc. % probably isn't the best character to use for this.

Why just the %ad though? In this case it's the URL-encoded value for a soft hyphen, or &shy;.
See https://www.w3schools/tags//ref_urlencode.asp for a more comprehensive table.
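The mechanism described in the answer, as an added example that is not part of the thread and is written in Python rather than the plugin's PHP: the percent-encoded strip is modelled as a case-insensitive removal of every "%" followed by two hex digits, which is an assumption about how sanitize_text_field() behaves (the other documented steps are left out). The function names (strip_percent_encoded, lost_placeholders, to_brace_syntax) and the sample strings are constructed for this illustration. It goes a little beyond the question: it scans a whole template for every placeholder that would be damaged, and shows that a delimiter without % passes the strip untouched.

```python
import re
from collections import Counter

# ASSUMPTION: this models only the "strips percent-encoded characters" step of
# sanitize_text_field(), as a case-insensitive removal of every "%" followed by
# two hex digits. Tag stripping, whitespace collapsing and UTF-8 checks from the
# docs are deliberately left out.
PERCENT_ENCODED = re.compile(r'%[a-f0-9]{2}', re.IGNORECASE)

# Placeholder syntax from the question: %token% with letters/underscores inside.
PLACEHOLDER = re.compile(r'%([a-z_]+)%', re.IGNORECASE)


def strip_percent_encoded(text: str) -> str:
    """Remove every %XX sequence, the way %address% loses its leading %ad."""
    return PERCENT_ENCODED.sub('', text)


def lost_placeholders(template: str) -> list[str]:
    """Names of %token% placeholders that no longer parse after the strip.

    The whole string is sanitised, not each token in isolation, so this also
    catches a closing % that merges with the text after it (e.g. "%name%ad...").
    """
    before = PLACEHOLDER.findall(template)
    after = Counter(PLACEHOLDER.findall(strip_percent_encoded(template)))
    lost = []
    for name in before:
        if after[name] > 0:
            after[name] -= 1
        else:
            lost.append(name)
    return lost


def to_brace_syntax(template: str) -> str:
    """Rewrite %token% as {{token}}: with no % left there is nothing to strip."""
    return PLACEHOLDER.sub(r'{{\1}}', template)


# Constructed sample, mirroring the question's input.
SAMPLE = "%name%, %address% %postal_code%"

if __name__ == "__main__":
    print(strip_percent_encoded(SAMPLE))
    # Only placeholders whose first two letters are hex digits are affected.
    print(lost_placeholders("%name%, %address% %date% %fax% %email%"))
    braced = to_brace_syntax(SAMPLE)
    print(braced, strip_percent_encoded(braced) == braced)
```

The rule of thumb this makes visible: any placeholder whose name starts with two characters from 0-9/a-f (address, date, fax, cc, ...) is destroyed, and a closing % immediately followed by two such characters in ordinary text is destroyed too, which is why switching the delimiter is the cleaner fix.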
esc_html to sanitise data on its way into the database; esc_html is an escaping function, not a sanitising function. – Tom J Nowell ♦, commented Feb 15 at 23:38