sanitize_html_class( string $classname, string $fallback = '' ): string

Sanitizes an HTML classname to ensure it only contains valid characters.

Description

Strips the string down to A-Z, a-z, 0-9, _ and -. If this results in an empty string, the alternative value supplied is returned instead.

Parameters

$classname string required
The classname to be sanitized.
$fallback string optional
The value to return if the sanitization ends up as an empty string.

Default: ''

Return

string The sanitized value.

Source

function sanitize_html_class( $classname, $fallback = '' ) {
	// Strip out any percent-encoded characters.
	$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );

	// Limit to A-Z, a-z, 0-9, '_', '-'.
	$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );

	if ( '' === $sanitized && $fallback ) {
		return sanitize_html_class( $fallback );
	}
	/**
	 * Filters a sanitized HTML class string.
	 *
	 * @since 2.8.0
	 *
	 * @param string $sanitized The sanitized HTML class.
	 * @param string $classname HTML class before sanitization.
	 * @param string $fallback  The fallback string.
	 */
	return apply_filters( 'sanitize_html_class', $sanitized, $classname, $fallback );
}
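
How the function treats hostile input when a whole class attribute is built from it, as an added example that is not part of the original page or of WordPress core. example_class_attr() is a hypothetical helper, the sample strings are constructed, and the stand-in definition (used only when WordPress is not loaded) omits the sanitize_html_class filter.

```php
<?php
// Stand-in for running outside WordPress: mirrors the source above, minus the filter.
if ( ! function_exists( 'sanitize_html_class' ) ) {
	function sanitize_html_class( $classname, $fallback = '' ) {
		$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );
		$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
		if ( '' === $sanitized && $fallback ) {
			return sanitize_html_class( $fallback );
		}
		return $sanitized;
	}
}

/**
 * Hypothetical helper (not a WordPress function): builds a class attribute
 * value from untrusted input. Splitting on whitespace comes first because
 * sanitize_html_class() deletes spaces and would merge "a b" into "ab".
 */
function example_class_attr( $untrusted, $fallback = '' ) {
	$tokens = preg_split( '/\s+/', (string) $untrusted, -1, PREG_SPLIT_NO_EMPTY );
	$clean  = array();
	foreach ( $tokens as $token ) {
		$class = sanitize_html_class( $token );
		if ( '' !== $class ) {
			$clean[ $class ] = true; // Array keys drop duplicates.
		}
	}
	if ( ! $clean ) {
		// Nothing survived: the fallback goes through the same sanitizer.
		return sanitize_html_class( $fallback );
	}
	return implode( ' ', array_keys( $clean ) );
}

// Constructed inputs, not taken from the page.
$samples = array(
	'btn  btn-primary btn', // Extra whitespace and a duplicate token.
	'a"><b>',               // Quote and angle brackets inside one token.
	'%3Cb%3E bold',         // Percent-encoded characters are removed whole.
	'%%4141',               // Removing %41 leaves a new %41; the allowlist then drops "%".
	'!!! ???',              // Every token sanitizes to '', so the fallback is used.
);
foreach ( $samples as $input ) {
	printf( "%-24s => %s\n", var_export( $input, true ), var_export( example_class_attr( $input, 'no-class' ), true ) );
}
```

Inside WordPress the real function runs instead of the stand-in, so any callback attached to the sanitize_html_class filter sees and can change each sanitized token.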

Hooks

apply_filters( 'sanitize_html_class', string $sanitized, string $classname, string $fallback )

Filters a sanitized HTML class string.

Changelog

Version    Description
2.8.0      Introduced.

User Contributed Notes

  1. Created this function to help escape multiple HTML classes; you can give it an array of classes or a string of them separated by a delimiter:

    if( ! function_exists("sanitize_html_classes") ){
        function sanitize_html_classes($classes, $sep = " "){
            $return = "";
    
            if(!is_array($classes)) {
                $classes = explode($sep, $classes);
            }
    
            if(!empty($classes)){
                foreach($classes as $class){
                    $return .= sanitize_html_class($class) . " ";
                }
            }
    
            // Drop the trailing space left by the loop.
            return trim($return);
        }
    }
  2. Sanitize multiple HTML classes in one pass.

    Accepts either an array of $classes, or a space-separated string of class names, and sanitizes them using the sanitize_html_class function.

    /**
     * Sanitize multiple HTML classes in one pass.
     *
     * @param    array|string $classes        Classes to be sanitized, as an array or a space-separated string.
     * @param    string       $return_format  The return format, 'input', 'string', or 'array'.
     * @return   array|string
     */
    function prefix_sanitize_html_classes( $classes, $return_format = 'input' ) {
    	if ( 'input' === $return_format ) {
    		$return_format = is_array( $classes ) ? 'array' : 'string';
    	}
    
    	$classes           = is_array( $classes ) ? $classes : explode( ' ', $classes );
    	$sanitized_classes = array_map( 'sanitize_html_class', $classes );
    
    	if ( 'array' === $return_format ) {
    		return $sanitized_classes;
    	} else {
    		return implode( ' ', $sanitized_classes );
    	}
    }
