WP_Customize_Widgets::sanitize_widget_instance() WordPress Method
The sanitize_widget_instance() method of the WP_Customize_Widgets class is used to sanitize a widget instance before it is saved. This is a static method. This method is called by the update() method of the WP_Widget class. It does not do anything if the $instance is not an array. Otherwise, it loops through each $instance['widget-id'] and calls the sanitize_widget_instance() method for each widget. The purpose of this method is to ensure that the data saved for a widget instance is valid and clean. This is important because widget data is often displayed on the front-end of a website and we want to avoid any security issues or errors that could be caused by invalid data. This method is also used by the WP_Customize_Widgets::sanitize_widget_js_instance() method to sanitize widget instances that are passed to the JavaScript part of the Customizer.
WP_Customize_Widgets::sanitize_widget_instance( array $value, string $id_base = null )
Sanitizes a widget instance.
Description
Unserialize the JS-instance for storing in the options. It’s important that this filter only get applied to an instance once.
Parameters
- $value
(array) (Required) Widget instance to sanitize.
- $id_base
(string) (Optional) Base of the ID of the widget being sanitized.
Default value: null
Return
(array|void) Sanitized widget instance.
Source
File: wp-includes/class-wp-customize-widgets.php
```php
public function sanitize_widget_instance( $value, $id_base = null ) {
	global $wp_widget_factory;

	if ( array() === $value ) {
		return $value;
	}

	if ( isset( $value['raw_instance'] ) && $id_base && wp_use_widgets_block_editor() ) {
		$widget_object = $wp_widget_factory->get_widget_object( $id_base );
		if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
			if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
				/*
				 * The content of the 'block' widget is not filtered on the fly while editing.
				 * Filter the content here to prevent vulnerabilities.
				 */
				$value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
			}

			return $value['raw_instance'];
		}
	}

	if (
		empty( $value['is_widget_customizer_js_value'] ) ||
		empty( $value['instance_hash_key'] ) ||
		empty( $value['encoded_serialized_instance'] )
	) {
		return;
	}

	$decoded = base64_decode( $value['encoded_serialized_instance'], true );
	if ( false === $decoded ) {
		return;
	}

	if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {
		return;
	}

	$instance = unserialize( $decoded );
	if ( false === $instance ) {
		return;
	}

	return $instance;
}
```
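The hash check that runs ahead of `unserialize()` in the source above, as an added stand-alone example (not WordPress core code). `export_instance()`, `import_instance()`, `instance_mac()` and the `SECRET` key are hypothetical names, and the HMAC-SHA256 is an assumption standing in for `get_instance_hash_key()`, whose body is not shown on this page.

```php
<?php
// Added example, not WordPress core code. SECRET and instance_mac() are
// assumptions standing in for get_instance_hash_key() (body not on this page).
const SECRET = 'constructed-demo-key';

function instance_mac( string $serialized ): string {
	return hash_hmac( 'sha256', $serialized, SECRET );
}

// Producer: the array handed to the Customizer JavaScript.
function export_instance( array $instance ): array {
	$serialized = serialize( $instance );
	return array(
		'is_widget_customizer_js_value' => true,
		'instance_hash_key'             => instance_mac( $serialized ),
		'encoded_serialized_instance'   => base64_encode( $serialized ),
	);
}

// Consumer: same order of checks as sanitize_widget_instance().
function import_instance( array $value ): ?array {
	if ( empty( $value['is_widget_customizer_js_value'] )
		|| ! is_string( $value['instance_hash_key'] ?? null )
		|| ! is_string( $value['encoded_serialized_instance'] ?? null ) ) {
		return null; // Missing or non-string fields fail closed.
	}
	$decoded = base64_decode( $value['encoded_serialized_instance'], true );
	if ( false === $decoded ) {
		return null; // Strict mode: characters outside the alphabet are an error.
	}
	if ( ! hash_equals( instance_mac( $decoded ), $value['instance_hash_key'] ) ) {
		return null; // MAC mismatch: the bytes never reach unserialize().
	}
	// allowed_classes is an extra restriction added in this example.
	$instance = unserialize( $decoded, array( 'allowed_classes' => false ) );
	return is_array( $instance ) ? $instance : null;
}

$sample   = array( 'title' => 'Recent posts', 'number' => 5 ); // constructed
$exported = export_instance( $sample );
var_dump( import_instance( $exported ) === $sample ); // untouched round trip

$tampered = $exported; // payload swapped, original MAC kept
$tampered['encoded_serialized_instance'] = base64_encode( serialize( array( 'title' => 'changed' ) ) );
var_dump( import_instance( $tampered ) );

$garbled = $exported; // not valid base64
$garbled['encoded_serialized_instance'] .= '!';
var_dump( import_instance( $garbled ) );
```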
Changelog
Version | Description |
---|---|
5.8.0 | Added the $id_base parameter. |
3.9.0 | Introduced. |