How To Add a Link Through Sanitized Customizer Input?

Hi everyone,

This may be super simple, but how would I allow a user to be able to add a hyperlink or a simple html tag (i.e. ) through the Customizer, whilst still making sure to sanitize the data.

For example, I have:

<?php echo esc_attr( get_theme_mod( 'theme_slug_customizer_text' ) ); ?>

Which displays the output, but due to the fact that I am escaping the attribute and have a sanitize function on the backend, the actual html tag renders out as text.

Like I said, this may be super simple but wasn’t able to find a solution, any ideas?

Thanks,

Leo

if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) {
   die('Not a valid URL');
}

and you don’t need to sanitize anymore. Or use preg_match

Thanks @sodasi_web. Not too sure that is what I was going for…

This is for the theme customizer, a user would enter their text snippet in there with an anchor link for example. WordPress does state the input needs to be sanitized, so don’t think the above is what I am looking for.

Thanks nonetheless, appreciate it.

Leo

The customizer input must be sanitized by a WP function or your own defined function.

You may take a look into this function http://codex.wordpress.org/Function_Reference/wp_kses

And in your case, I think this could help http://pastebin.com/Xv5dBYSx

If you check that a URL is a valid URL then this is the sanitization

Also check and :

esc_url( $url, (array) $protocols = null ) (since 2.8)
Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet), eliminates invalid characters, and removes dangerous characters. Replaces clean_url() which was deprecated in 3.0.
This function encodes characters as HTML entities: use it when generating an (X)HTML or XML document. Encodes ampersands (&) and single quotes (') as numeric entity references (&#038, &#039).

Thanks @sodasi_web, @phpface, what if it is not specifically a URL, but a tag?

e.g. markup would render like so:

<h1>Hello <span>World</span></h1>

So I need the span to not be filtered, would the above work?

What I sent you is going to work only if you have links; otherwise you can use the following function to eliminate some tags

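// The second argument must be an array of allowed tags (tag => allowed attributes).
wp_kses( '<h1>Hello <span>World</span></h1>', array( 'h1' => array(), 'span' => array() ) );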
https://codex.wordpress.org/Function_Reference/wp_kses
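
An added example, not part of the original thread: one way to wire the wp_kses() approach above into the Customizer setting from the question, filtering on save and again on output. It assumes the code sits in a theme's functions.php; the function names, the control label, the 'theme-slug' text domain and the choice of allowed tags are hypothetical.

```php
<?php
// Added example. The setting id 'theme_slug_customizer_text' comes from the
// thread; every function name below is hypothetical.

/** Tags and attributes the Customizer text may contain; anything else is stripped. */
function theme_slug_allowed_inline_html() {
	return array(
		'a'    => array( 'href' => true, 'title' => true ),
		'span' => array( 'class' => true ),
		'h1'   => array(),
	);
}

/** URL schemes accepted in attributes such as href. */
function theme_slug_allowed_protocols() {
	return array( 'http', 'https', 'mailto' );
}

/** sanitize_callback: runs whenever the setting is saved from the Customizer. */
function theme_slug_sanitize_inline_html( $input ) {
	// The third argument limits URL schemes, so a javascript: scheme in href is removed.
	return wp_kses( $input, theme_slug_allowed_inline_html(), theme_slug_allowed_protocols() );
}

function theme_slug_customize_register( $wp_customize ) {
	$wp_customize->add_setting( 'theme_slug_customizer_text', array(
		'default'           => '',
		'sanitize_callback' => 'theme_slug_sanitize_inline_html',
	) );
	$wp_customize->add_control( 'theme_slug_customizer_text', array(
		'label'   => __( 'Text snippet', 'theme-slug' ),
		'section' => 'title_tagline', // built-in "Site Identity" section
		'type'    => 'textarea',
	) );
}
add_action( 'customize_register', 'theme_slug_customize_register' );

/** Template tag: use in place of echo esc_attr( get_theme_mod( ... ) ). */
function theme_slug_the_customizer_text() {
	// Filter again on output so a value stored by other means is still constrained.
	echo wp_kses(
		get_theme_mod( 'theme_slug_customizer_text', '' ),
		theme_slug_allowed_inline_html(),
		theme_slug_allowed_protocols()
	);
}
```

Keeping the allowlist in one function means the save-time filter and the output filter cannot drift apart when a tag is added later.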

Thanks guys, that did the trick.

Out of curiosity, can one call a function through wp_kses()? If so, what would the syntax look like?

Thanks,

Leo