WordPress Version: 6.5
/**
* Sanitizes various option values based on the nature of the option.
*
* This is basically a switch statement which will pass $value through a number
* of functions depending on the $option.
*
* @since 2.0.5
*
* @global wpdb $wpdb WordPress database abstraction object.
*
* @param string $option The name of the option.
* @param mixed $value The unsanitized value.
* @return mixed Sanitized value.
*/
function sanitize_option($option, $value)
{
global $wpdb;
$original_value = $value;
$error = null;
switch ($option) {
case 'admin_email':
case 'new_admin_email':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else {
$value = sanitize_email($value);
if (!is_email($value)) {
$error = __('The email address entered did not appear to be a valid email address. Please enter a valid email address.');
}
}
break;
case 'thumbnail_size_w':
case 'thumbnail_size_h':
case 'medium_size_w':
case 'medium_size_h':
case 'medium_large_size_w':
case 'medium_large_size_h':
case 'large_size_w':
case 'large_size_h':
case 'mailserver_port':
case 'comment_max_links':
case 'page_on_front':
case 'page_for_posts':
case 'rss_excerpt_length':
case 'default_category':
case 'default_email_category':
case 'default_link_category':
case 'close_comments_days_old':
case 'comments_per_page':
case 'thread_comments_depth':
case 'users_can_register':
case 'start_of_week':
case 'site_icon':
case 'fileupload_maxk':
$value = absint($value);
break;
case 'posts_per_page':
case 'posts_per_rss':
$value = (int) $value;
if (empty($value)) {
$value = 1;
}
if ($value < -1) {
$value = abs($value);
}
break;
case 'default_ping_status':
case 'default_comment_status':
// Options that if not there have 0 value but need to be something like "closed".
if ('0' === (string) $value || '' === $value) {
$value = 'closed';
}
break;
case 'blogdescription':
case 'blogname':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if ($value !== $original_value) {
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', wp_encode_emoji($original_value));
}
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else {
$value = esc_html($value);
}
break;
case 'blog_charset':
if (is_string($value)) {
$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
// Strips slashes.
} else {
$value = '';
}
break;
case 'blog_public':
// This is the value if the settings checkbox is not checked on POST. Don't rely on this.
if (null === $value) {
$value = 1;
} else {
$value = (int) $value;
}
break;
case 'date_format':
case 'time_format':
case 'mailserver_url':
case 'mailserver_login':
case 'mailserver_pass':
case 'upload_path':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else {
$value = strip_tags($value);
$value = wp_kses_data($value);
}
break;
case 'ping_sites':
$value = explode("\n", $value);
$value = array_filter(array_map('trim', $value));
$value = array_filter(array_map('sanitize_url', $value));
$value = implode("\n", $value);
break;
case 'gmt_offset':
if (is_numeric($value)) {
$value = preg_replace('/[^0-9:.-]/', '', $value);
// Strips slashes.
} else {
$value = '';
}
break;
case 'siteurl':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else if (preg_match('#http(s?)://(.+)#i', $value)) {
$value = sanitize_url($value);
} else {
$error = __('The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.');
}
break;
case 'home':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else if (preg_match('#http(s?)://(.+)#i', $value)) {
$value = sanitize_url($value);
} else {
$error = __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.');
}
break;
case 'WPLANG':
$allowed = get_available_languages();
if (!is_multisite() && defined('WPLANG') && '' !== WPLANG && 'en_US' !== WPLANG) {
$allowed[] = WPLANG;
}
if (!in_array($value, $allowed, true) && !empty($value)) {
$value = get_option($option);
}
break;
case 'illegal_names':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else {
if (!is_array($value)) {
$value = explode(' ', $value);
}
$value = array_values(array_filter(array_map('trim', $value)));
if (!$value) {
$value = '';
}
}
break;
case 'limited_email_domains':
case 'banned_email_domains':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else {
if (!is_array($value)) {
$value = explode("\n", $value);
}
$domains = array_values(array_filter(array_map('trim', $value)));
$value = array();
foreach ($domains as $domain) {
if (!preg_match('/(--|\.\.)/', $domain) && preg_match('|^([a-zA-Z0-9-\.])+$|', $domain)) {
$value[] = $domain;
}
}
if (!$value) {
$value = '';
}
}
break;
case 'timezone_string':
$allowed_zones = timezone_identifiers_list(DateTimeZone::ALL_WITH_BC);
if (!in_array($value, $allowed_zones, true) && !empty($value)) {
$error = __('The timezone you have entered is not valid. Please select a valid timezone.');
}
break;
case 'permalink_structure':
case 'category_base':
case 'tag_base':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else {
$value = sanitize_url($value);
$value = str_replace('http://', '', $value);
}
if ('permalink_structure' === $option && null === $error && '' !== $value && !preg_match('/%[^\/%]+%/', $value)) {
$error = sprintf(
/* translators: %s: Documentation URL. */
__('A structure tag is required when using custom permalinks. <a href="%s">Learn more</a>'),
__('https://wordpress.org/documentation/article/customize-permalinks/#choosing-your-permalink-structure')
);
}
break;
case 'default_role':
if (!get_role($value) && get_role('subscriber')) {
$value = 'subscriber';
}
break;
case 'moderation_keys':
case 'disallowed_keys':
$value = $wpdb->strip_invalid_text_for_column($wpdb->options, 'option_value', $value);
if (is_wp_error($value)) {
$error = $value->get_error_message();
} else {
$value = explode("\n", $value);
$value = array_filter(array_map('trim', $value));
$value = array_unique($value);
$value = implode("\n", $value);
}
break;
}
if (null !== $error) {
if ('' === $error && is_wp_error($value)) {
/* translators: 1: Option name, 2: Error code. */
$error = sprintf(__('Could not sanitize the %1$s option. Error code: %2$s'), $option, $value->get_error_code());
}
$value = get_option($option);
if (function_exists('add_settings_error')) {
add_settings_error($option, "invalid_{$option}", $error);
}
}
/**
* Filters an option value following sanitization.
*
* @since 2.3.0
* @since 4.3.0 Added the `$original_value` parameter.
*
* @param mixed $value The sanitized option value.
* @param string $option The option name.
* @param mixed $original_value The original value passed to the function.
*/
return apply_filters("sanitize_option_{$option}", $value, $option, $original_value);
}