<?php
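/**
 * Reduce a string to a single, safe HTML class name.
 *
 * Two passes: percent-encoded octets (`%xx`) are dropped, then every byte
 * outside the allowlist `A-Z a-z 0-9 _ -` is dropped. Because the result is
 * built from an allowlist rather than an escape, it cannot contain `"`, `'`,
 * `<`, `>`, `=` or whitespace, so it is safe to interpolate into a quoted
 * `class` attribute (the var_dump demo below shows the difference).
 *
 * Caveats a caller must be aware of:
 *  - `$fallback` is returned verbatim and is NOT sanitized. Pass a literal
 *    or an already-sanitized value, never user input.
 *  - Spaces are stripped, so "a b" becomes "ab"; sanitize each class of a
 *    multi-class list separately.
 *  - This sanitizes for the `class` attribute only. It is not a general HTML
 *    escaper for other contexts (text nodes, URLs, JavaScript, ...).
 *
 * @since 2.8.0
 *
 * @param string $class    HTML class before sanitization.
 * @param string $fallback Value returned when sanitization leaves nothing
 *                         (or when PCRE fails and preg_replace() yields null).
 * @return string The sanitized class, or `$fallback`.
 */
function sanitize_html_class( $class, $fallback = '' ) {
	// Strip out any % encoded octets
	$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
	// Limit to A-Z,a-z,0-9,_,-
	$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );

	// preg_replace() returns null on a PCRE error; treat that like an empty
	// result rather than leaking null to the caller. The two strict checks
	// cover exactly the cases the original loose `'' == $sanitized` matched.
	if ( null === $sanitized || '' === $sanitized ) {
		$sanitized = $fallback;
	}

	// Upstream (WordPress) runs apply_filters( 'sanitize_html_class', ... )
	// here; that hook is not available in this standalone copy.
	return $sanitized;
}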
// Demo: the same attacker-shaped value, once through the sanitizer and once
// raw. Only the second string still carries the closing quote and an `onload`
// handler, i.e. an attribute-injection XSS; the first collapses to a bare token.
$class_name = '300"; onload="/* some JavaScript */';
var_dump( sprintf( '<div class="%s"></div>', sanitize_html_class( $class_name ) ) );
var_dump( sprintf( '<div class="%s"></div>', $class_name ) );