sanitize_html_class

The timeline below shows how the WordPress function sanitize_html_class has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.2

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - The input is treated as ONE class token. Whitespace is outside the
 *   allowlist, so a space-separated list collapses into a single name;
 *   sanitize each class separately.
 * - The allowlist is ASCII-only and the patterns have no `u` modifier, so
 *   every other byte (including multibyte characters) is removed.
 * - The return value is whatever the 'sanitize_html_class' filter returns and
 *   is not re-checked against the allowlist here. Still escape it for the
 *   attribute context (e.g. esc_attr()) when printing.
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $classname The classname to be sanitized.
 * @param string $fallback  Optional. The value to return if the sanitization ends up as an empty string.
 *                          Default empty string.
 * @return string The sanitized value.
 */
function sanitize_html_class($classname, $fallback = '')
{
    // Strip out any percent-encoded characters (well-formed %XX escapes are
    // removed whole). This is a single pass; any stray '%' that remains is
    // dropped by the allowlist pass below.
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // The fallback is run back through this function, so it receives the same
    // allowlist treatment (and the filter then sees the fallback as the
    // "before" value). A falsy fallback such as '' or '0' is skipped.
    if ('' === $sanitized && $fallback) {
        return sanitize_html_class($fallback);
    }
    /**
     * Filters a sanitized HTML class string.
     *
     * Callbacks can return any value; nothing below re-validates it.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class.
     * @param string $classname HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $classname, $fallback);
}

WordPress Version: 5.5

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - One class token per call: spaces are not in the allowlist, so a
 *   space-separated list is merged into a single name.
 * - The result of the 'sanitize_html_class' filter is returned without being
 *   re-checked, so escape for the attribute context (e.g. esc_attr()) on output.
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string.
 * @return string The sanitized value.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets. Single pass only; a leftover '%' is
    // removed by the allowlist pass that follows.
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // Strict comparison: only an actual empty string triggers the fallback.
    // The fallback is itself sanitized by the recursive call; a falsy
    // fallback ('' or '0') is skipped.
    if ('' === $sanitized && $fallback) {
        return sanitize_html_class($fallback);
    }
    /**
     * Filters a sanitized HTML class string.
     *
     * Callbacks can return any value; nothing below re-validates it.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class.
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 5.4

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - One class token per call: spaces are not in the allowlist, so a
 *   space-separated list is merged into a single name.
 * - The result of the 'sanitize_html_class' filter is returned without being
 *   re-checked, so escape for the attribute context (e.g. esc_attr()) on output.
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string.
 * @return string The sanitized value.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets. Single pass only; a leftover '%' is
    // removed by the allowlist pass that follows.
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // Loose comparison: besides '', a null (preg_replace()'s error return)
    // also compares equal here. The fallback is sanitized by the recursive
    // call; a falsy fallback ('' or '0') is skipped.
    if ('' == $sanitized && $fallback) {
        return sanitize_html_class($fallback);
    }
    /**
     * Filters a sanitized HTML class string.
     *
     * Callbacks can return any value; nothing below re-validates it.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class.
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 5.1

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - Handles a single class token; whitespace is stripped, so several classes
 *   passed together end up concatenated.
 * - Whatever the 'sanitize_html_class' filter returns is handed back
 *   unchecked; keep escaping at output (e.g. esc_attr()).
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string.
 * @return string The sanitized value.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets (one pass; a remaining '%' is removed
    // by the allowlist below).
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // Loose comparison, so a null from a failed preg_replace() is treated
    // like ''. The fallback goes back through this function and is therefore
    // sanitized too; a falsy fallback ('' or '0') is skipped.
    if ('' == $sanitized && $fallback) {
        return sanitize_html_class($fallback);
    }
    /**
     * Filters a sanitized HTML class string.
     *
     * Callbacks can return any value; nothing below re-validates it.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class.
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 4.6

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - Handles a single class token; whitespace is stripped, so several classes
 *   passed together end up concatenated.
 * - Whatever the 'sanitize_html_class' filter returns is handed back
 *   unchecked; keep escaping at output (e.g. esc_attr()).
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string.
 * @return string The sanitized value.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets (one pass; a remaining '%' is removed
    // by the allowlist below).
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // Loose comparison, so a null from a failed preg_replace() is treated
    // like ''. The recursive call sanitizes the fallback as well; a falsy
    // fallback ('' or '0') is skipped.
    if ('' == $sanitized && $fallback) {
        return sanitize_html_class($fallback);
    }
    /**
     * Filters a sanitized HTML class string.
     *
     * Callbacks can return any value; nothing below re-validates it.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class.
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 4.4

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - Handles a single class token; whitespace is stripped, so several classes
 *   passed together end up concatenated.
 * - Whatever the 'sanitize_html_class' filter returns is handed back
 *   unchecked; keep escaping at output (e.g. esc_attr()).
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string.
 * @return string The sanitized value.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets (one pass; a remaining '%' is removed
    // by the allowlist below).
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // The fallback is passed back through this function rather than used
    // as-is, so it is held to the same allowlist. A falsy fallback
    // ('' or '0') is skipped.
    if ('' == $sanitized && $fallback) {
        return sanitize_html_class($fallback);
    }
    /**
     * Filter a sanitized HTML class string.
     *
     * Callbacks can return any value; nothing below re-validates it.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class.
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 4.3

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - In this version $fallback is NOT sanitized: when the class sanitizes to
 *   an empty string, the fallback is handed to the filter and returned as
 *   given. Pass only a constant or already-validated fallback.
 * - Handles a single class token; whitespace is stripped, so several classes
 *   passed together end up concatenated.
 * - The filter's return value is not re-checked; escape at output
 *   (e.g. esc_attr()).
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string. Used verbatim.
 * @return string The sanitized value, or the unsanitized fallback.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets (one pass; a remaining '%' is removed
    // by the allowlist below).
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // NOTE(review): the fallback bypasses both preg_replace() passes above,
    // so any characters it contains reach the caller unchanged.
    if ('' == $sanitized) {
        $sanitized = $fallback;
    }
    /**
     * Filter a sanitized HTML class string.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class (or the raw fallback).
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 4.0

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - In this version $fallback is NOT sanitized: when the class sanitizes to
 *   an empty string, the fallback is handed to the filter and returned as
 *   given. Pass only a constant or already-validated fallback.
 * - Handles a single class token; whitespace is stripped, so several classes
 *   passed together end up concatenated.
 * - The filter's return value is not re-checked; escape at output
 *   (e.g. esc_attr()).
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string. Used verbatim.
 * @return string The sanitized value, or the unsanitized fallback.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets (one pass; a remaining '%' is removed
    // by the allowlist below).
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // NOTE(review): the fallback is assigned directly and never goes through
    // the allowlist, so its content is the caller's responsibility.
    if ('' == $sanitized) {
        $sanitized = $fallback;
    }
    /**
     * Filter a sanitized HTML class string.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class (or the raw fallback).
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 3.8

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - In this version $fallback is NOT sanitized: when the class sanitizes to
 *   an empty string, the fallback is handed to the filter and returned as
 *   given. Pass only a constant or already-validated fallback.
 * - Handles a single class token; whitespace is stripped, so several classes
 *   passed together end up concatenated.
 * - The filter's return value is not re-checked; escape at output
 *   (e.g. esc_attr()).
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string. Used verbatim.
 * @return string The sanitized value, or the unsanitized fallback.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets (one pass; a remaining '%' is removed
    // by the allowlist below).
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // NOTE(review): no sanitization is applied to the fallback; it replaces
    // the empty result exactly as supplied.
    if ('' == $sanitized) {
        $sanitized = $fallback;
    }
    /**
     * Filter a sanitized HTML class string.
     *
     * @since 2.8.0
     *
     * @param string $sanitized The sanitized HTML class (or the raw fallback).
     * @param string $class     HTML class before sanitization.
     * @param string $fallback  The fallback string.
     */
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}

WordPress Version: 3.7

/**
 * Sanitizes an HTML classname to ensure it only contains valid characters.
 *
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
 * Security notes:
 * - In this version $fallback is NOT sanitized: when the class sanitizes to
 *   an empty string, the fallback is handed to the filter and returned as
 *   given. Pass only a constant or already-validated fallback.
 * - Handles a single class token; whitespace is stripped, so several classes
 *   passed together end up concatenated.
 * - The filter's return value is not re-checked; escape at output
 *   (e.g. esc_attr()).
 *
 * @todo Expand to support the full range of CDATA that a class attribute can contain.
 *
 * @since 2.8.0
 *
 * @param string $class    The classname to be sanitized.
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 *                         Defaults to an empty string. Used verbatim.
 * @return string The sanitized value, or the unsanitized fallback.
 */
function sanitize_html_class($class, $fallback = '')
{
    // Strip out any %-encoded octets (one pass; a remaining '%' is removed
    // by the allowlist below).
    $sanitized = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
    // Limit to A-Z, a-z, 0-9, '_', '-'.
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    // NOTE(review): the fallback skips the two passes above and is used
    // exactly as the caller supplied it.
    if ('' == $sanitized) {
        $sanitized = $fallback;
    }
    // Hand the result to 'sanitize_html_class' filter callbacks along with the
    // original class and the fallback; their return value is returned as-is.
    return apply_filters('sanitize_html_class', $sanitized, $class, $fallback);
}