$sanitizer provides sanitization functions for dealing with user input

The $sanitizer variable is provided to every template. Sanitizer provides these functions to fill the most common data sanitization needs with sites developed in ProcessWire. Always sanitize/filter any data you get from $input->get, $input->post, $input->cookie (and PHP's $_GET, $_POST, $_COOKIE if you use them).

Function Reference

$sanitizer->email($value)Sanitizes a value for an email address, then filters it. If not valid after sanitization, this function returns a blank string.
$sanitizer->entities($value)Entity encode a string. Wrapper for PHP's htmlentities() function that contains typical ProcessWire usage defaults (i.e. ENT_QUOTES and UTF-8).
$sanitizer->entities1($value)Same as above, but don't double encode something if already encoded.
$sanitizer->entitiesMarkdown($value)Entity encode while translating some markdown tags to HTML equivalents. See method phpdoc for additional details and options.
$sanitizer->fieldName($value)Sanitizes a value for a Field name. Same as the name() filter, except that it doesn't allow dashes.
$sanitizer->filename($value)Name filter for ProcessWire filenames (basenames only, not paths). Optionally specify a second boolean TRUE argument to beautify the filename as well.
$sanitizer->name($value)Sanitizes a value for a ProcessWire name, meaning all characters except for these ASCII characters: "a-zA-Z0-9_." (not including the quotes) are removed. It also truncates the length to 128 characters.
$sanitizer->pageName($value)Sanitizes a value for a URL friendly Page name. Same as the name() filter, except that it converts uppercase to lowercase, and it attempts UTF-8 to ASCII conversion.
$sanitizer->pageName($value, true)Sanitizes a value for a URL friendly Page name and cleans out leading or trailing dashes, and converts double dashes to single dashes. Use this if you are passing in a headline to convert to a page name (for example).
$sanitizer->pageNameTranslate($value)Same as above but with transliteration of non-ASCII and international characters to their ASCII equivalents.
$sanitizer->pagePathName($value)Sanitize a ProcessWire page path name (which may include slashes). Returned path is not guaranteed to match a page, just sanitized. Optionally specify a second boolean TRUE argument to beautify the returned path.
$sanitizer->purify($value)Purify HTML markup using HTML Purifier.
$sanitizer->templateName($value)Sanitizes a value to a ProcessWire template name.
$sanitizer->varName($value)Return given $value sanitized to be consistent with a PHP variable name.
$sanitizer->selectorField($value)Sanitizes a field name as used in a selector value. This function is only necessary if you are dealing with user submitted field names. This is rarely the case in the author's experience, but provided here for consistency with selectorValue()
$sanitizer->selectorValue($value)Sanitizes a string that needs to appear in a selector value. Replaces disallowed characters with spaces. If value is not already quoted, it will add quotes if it determines they are necessary (like if it contains commas). It limits the length to 100 characters (multibyte safe).
$sanitizer->text($value)Sanitize a single line of input text. Removes tags, removes newline characters, and truncates length to 1024 characters. This is multibyte safe if your PHP has multibyte support.
$sanitizer->text($value, $options)Same as the above, except you may provide an $options array to change the behavior. You may specify one or more options in the $options array. See the reference of $options later in this page.
$sanitizer->textarea($value)Same as the text() function above, except that multiple lines are allowed and maxLength is 16k.
$sanitizer->textarea($value, $options)Same as textarea() except that you may modify the options documented later in this page, noting that multiLine is already true, and maxLength is already 16384.
$sanitizer->unentities($value)Remove entity encoded characters from a string.
$sanitizer->url($value)Filters a URL value. Returns a valid URL or blank if it can't be made valid. If URL contains a domain and is valid but missing a protocol (like http://) it will add it. It won't add a protocol to local/relative URLs.

$options that may be provided to the text() and textarea() functions

The values given here are the default value when ommitted from the text() function.

$options = array(
    // set to true to allow multiple lines of copy
    'multiLine' => false,
    // maximum allowed characters for multibyte strings
    'maxLength' => 255,
    // maximum number of bytes allowed in the string (multibyte safe)
    'maxBytes' => 1024,
    // strip markup tags
    'stripTags' => true,
    // markup tags that are allowed. Example: "<strong><em>"
    'allowableTags' => '',
    // character to replace newlines with, OR specify boolean TRUE to remove extra lines
    'newlineReplacement' => ' ',
    // character set of $value provided
    'inCharset' => 'UTF-8',
    // character set to convert to (if different from inCharset)
    'outCharset' => 'UTF-8'

New $sanitizer methods added to ProcessWire 2.6.14+

The following new methods were added in ProcessWire 2.6.14. In this version (and newer) all of the Sanitizer methods (including these and those above) may also be called from $input->get or $input->post, substituting the $value argument for the requested variable name. For instance, $input->post->pageName('varname'); where 'varname' is the name of the input variable name.

$sanitizer->string($value)Sanitize value to string. Note that this makes no assumptions about what is a "safe" string, so you should always apply another
sanitizer to it.
$sanitizer->string($value, 'name')Same as above, except applies a secondary sanitizer 'name' to the returned value. The 'name' can be any sanitizer method name.
$sanitizer->date($value)Sanitize a date or date/time string, making sure it is valid, and return a unix timestamp.
$sanitizer->date($value, $format)Same as above, but returns the date in the given PHP date(), strftime() or wireDate() format (string) rather than a unix timestamp. Note: you may also provide a 3rd array $options argument for more options–see the phpdoc with the method for full details.
$sanitizer->match($value, $regex)Validate that $value matches $regex pattern. If it does, value is returned. If not, blank is returned. The $regex pattern can be any valid PCRE regular expression.
$sanitizer->int($value)Sanitized an integer (unsigned, unless you specify a negative minimum value)
$sanitizer->int($value, $options)Same as above, but with an extra $options array that you provide, containing one or more of the following properties: "min" (int) containing the minimum allowed value; "max" (int) containing the maximum allowed value; "blankValue" (mixed) containing the value you want to substitute rather than "0" as a blank value (null or blank string, for example)
$sanitizer->intUnsigned($value)Sanitize to unsigned (0 or positive) integer. Behavior is the same as the int() method above with no options. You may also specify an $options array as the second argument. See the int() method for details.
$sanitizer->intSigned($value)Sanitize to signed integer (negative or positive). You may also specify an $options array as the second argument. See the int() method for details.
$sanitizer->float($value)Sanitize to floating point value. Unlike PHP float typecasting, this method can translate any international floating point format to a PHP float value.
$sanitizer->float($value, $options)Same as above, but with an $options array to modify behavior, containing one or more of the following: "precision" (int) containing the number of digits to round to; "mode" (int) containing a PHP round constant with default being PHP_ROUND_HALF_UP; "blankValue" (mixed) containing the value to return when given a null or blank string (default=0.0); "min" (float) containing the minimum value you allow; "max" (float) containing the maximum value you allow.
$sanitizer->array($value)Sanitize array or CSV string to array of strings. If given something other than an array or CSV string, it becomes the first item in the returned array.
$sanitizer->array($value, 'name')Same as above, but applies the given sanitizer method 'name' to all items in the array. The 'name' can be any sanitizer method.
$sanitizer->array($value, 'name', $options)Same as above, but with additional options to modify behavior. See the phpdoc with this method for full details.
$sanitizer->intArray($value)Sanitize array or CSV string to array of unsigned integers. Can also sanitize to unsigned integers if given a negative 'min' option; see the next method variation below.
$sanitizer->intArray($value, $options)Same as above, but with an array of $options to modify behavior. It accepts any option that the array() or int() method accepts. For example, specify a 'min' (int) option to make that the minimum allowed value, or a 'max' (int) option to make that the maximum allowed value.
$sanitizer->option($value, $allowed)Return $value if it exists in the $allowed array of values, or null if it doesn't.
$sanitizer->options($values, $allowed)Return array of given $values that that also exist in $allowed array whitelist of values.
$sanitizer->bool($value)Convert the given value to a boolean. Behaves similarly to PHP bool typecasting, except that it can identify "true" and "false" as strings and return the appropriate boolean. If given an array, it returns true if the array contains at least one item, or false if it is empty.
$sanitizer->testAll($value)Tests the given $value against all available Sanitizer methods. Returns an associative array indexed by method name with each element containing the sanitized result.


No comments yet. Be the first to post!

Post a Comment

Your e-mail is kept confidential and not included with your comment. Website is optional.