<?php
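/**
 * Sanitize a string for use as a single HTML class name.
 *
 * Percent-encoded octets (e.g. "%20", "%3C") are dropped first, then every
 * byte outside [A-Za-z0-9_-] is removed. Because quotes, whitespace, `<`,
 * `>` and `&` can never survive, the result can be placed inside a quoted
 * class attribute without further escaping. Validity as a CSS identifier
 * (e.g. not starting with a digit) is NOT enforced here.
 *
 * @param string $class    The class name to sanitize.
 * @param string $fallback Value returned when nothing survives sanitization.
 * @return string The sanitized class, or $fallback if the result is empty.
 */
function sanitize_html_class( $class, $fallback = '' ) {
	// Strip out any % encoded octets before the whitelist pass.
	$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
	// Limit to A-Z, a-z, 0-9, _ and - (only if the first pass did not fail).
	if ( $sanitized !== null ) {
		$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
	}
	// preg_replace() returns null on a PCRE error. The original loose
	// check ( '' == $sanitized ) only caught that by coercion; compare
	// strictly so the fallback is applied explicitly for both cases.
	if ( $sanitized === null || $sanitized === '' ) {
		$sanitized = $fallback;
	}
	/**
	 * Filter a sanitized HTML class string.
	 *
	 * @since 2.8.0
	 *
	 * @param string $sanitized The sanitized HTML class.
	 * @param string $class HTML class before sanitization.
	 * @param string $fallback The fallback string.
	 */
	// N/A // return apply_filters( 'sanitize_html_class', $sanitized, $class, $fallback );
	return $sanitized;
}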
$class_name = '300"; onload="/* some JavaScript */';
var_dump( '<div class="' . sanitize_html_class( $class_name ) . '"></div>' );
var_dump( '<div class="' . $class_name . '"></div>' );
- Output for 7.4.0 - 7.4.33, 8.0.1 - 8.0.30, 8.1.0 - 8.1.28, 8.2.0 - 8.2.19, 8.3.0 - 8.3.7
- string(43) "<div class="300onloadsomeJavaScript"></div>"
string(55) "<div class="300"; onload="/* some JavaScript */"></div>"