: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
* Properly strips all HTML tags including script and style
* This differs from strip_tags() because it removes the contents of
* the `<script>` and `<style>` tags. E.g. `strip_tags( '<script>something</script>' )`
* will return 'something'. wp_strip_all_tags will return ''
* @param string $text String containing HTML tags
* @param bool $remove_breaks Optional. Whether to remove left over line breaks and white space chars
* @return string The processed string.
function wp_strip_all_tags( $text, $remove_breaks = false ) {
if ( is_null( $text ) ) {
if ( ! is_scalar( $text ) ) {
* To maintain consistency with pre-PHP 8 error levels,
* wp_trigger_error() is used to trigger an E_USER_WARNING,
* rather than _doing_it_wrong(), which triggers an E_USER_NOTICE.
/* translators: 1: The function name, 2: The argument number, 3: The argument name, 4: The expected type, 5: The provided type. */
__( 'Warning: %1$s expects parameter %2$s (%3$s) to be a %4$s, %5$s given.' ),
$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
$text = strip_tags( $text );
$text = preg_replace( '/[\r\n\t ]+/', ' ', $text );
* Sanitizes a string from user input or from the database.
* - Checks for invalid UTF-8,
* - Converts single `<` characters to entities
* - Removes line breaks, tabs, and extra whitespace
* - Strips percent-encoded characters
* @see sanitize_textarea_field()
* @see wp_check_invalid_utf8()
* @see wp_strip_all_tags()
* @param string $str String to sanitize.
* @return string Sanitized string.
function sanitize_text_field( $str ) {
$filtered = _sanitize_text_fields( $str, false );
* Filters a sanitized text field string.
* @param string $filtered The sanitized string.
* @param string $str The string prior to being sanitized.
return apply_filters( 'sanitize_text_field', $filtered, $str );
* Sanitizes a multiline string from user input or from the database.
* The function is like sanitize_text_field(), but preserves
* new lines (\n) and other whitespace, which are legitimate
* input in textarea elements.
* @see sanitize_text_field()
* @param string $str String to sanitize.
* @return string Sanitized string.
function sanitize_textarea_field( $str ) {
$filtered = _sanitize_text_fields( $str, true );
* Filters a sanitized textarea field string.
* @param string $filtered The sanitized string.
* @param string $str The string prior to being sanitized.
return apply_filters( 'sanitize_textarea_field', $filtered, $str );
* Internal helper function to sanitize a string from user input or from the database.
* @param string $str String to sanitize.
* @param bool $keep_newlines Optional. Whether to keep newlines. Default: false.
* @return string Sanitized string.
function _sanitize_text_fields( $str, $keep_newlines = false ) {
if ( is_object( $str ) || is_array( $str ) ) {
$filtered = wp_check_invalid_utf8( $str );
if ( str_contains( $filtered, '<' ) ) {
$filtered = wp_pre_kses_less_than( $filtered );
// This will strip extra whitespace for us.
$filtered = wp_strip_all_tags( $filtered, false );
* Use HTML entities in a special case to make sure that
* later newline stripping stages cannot lead to a functional tag.
$filtered = str_replace( "<\n", "<\n", $filtered );
if ( ! $keep_newlines ) {
$filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
$filtered = trim( $filtered );
// Remove percent-encoded characters.
while ( preg_match( '/%[a-f0-9]{2}/i', $filtered, $match ) ) {
$filtered = str_replace( $match[0], '', $filtered );
// Strip out the whitespace that may now exist after removing percent-encoded characters.
$filtered = trim( preg_replace( '/ +/', ' ', $filtered ) );
* i18n-friendly version of basename().
* @param string $path A path.
* @param string $suffix If the filename ends in suffix this will also be cut off.
function wp_basename( $path, $suffix = '' ) {
return urldecode( basename( str_replace( array( '%2F', '%5C' ), '/', urlencode( $path ) ), $suffix ) );
// phpcs:disable WordPress.WP.CapitalPDangit.MisspelledInComment,WordPress.WP.CapitalPDangit.MisspelledInText,WordPress.NamingConventions.ValidFunctionName.FunctionNameInvalid -- 8-)
* Forever eliminate "Wordpress" from the planet (or at least the little bit we can influence).
* Violating our coding standards for a good function name.
* @param string $text The text to be modified.
* @return string The modified text.
function capital_P_dangit( $text ) {
// Simple replacement for titles.
$current_filter = current_filter();
if ( 'the_title' === $current_filter || 'wp_title' === $current_filter ) {
return str_replace( 'Wordpress', 'WordPress', $text );
// Still here? Use the more judicious replacement.
$dblq = _x( '“', 'opening curly double quote' );
array( ' Wordpress', '‘Wordpress', $dblq . 'Wordpress', '>Wordpress', '(Wordpress' ),
array( ' WordPress', '‘WordPress', $dblq . 'WordPress', '>WordPress', '(WordPress' ),
* @param string $mime_type Mime type.
* @return string Sanitized mime type.
function sanitize_mime_type( $mime_type ) {
$sani_mime_type = preg_replace( '/[^-+*.a-zA-Z0-9\/]/', '', $mime_type );
* Filters a mime type following sanitization.
* @param string $sani_mime_type The sanitized mime type.
* @param string $mime_type The mime type prior to sanitization.
return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
* Sanitizes space or carriage return separated URLs that are used to send trackbacks.
* @param string $to_ping Space or carriage return separated URLs
* @return string URLs starting with the http or https protocol, separated by a carriage return.
function sanitize_trackback_urls( $to_ping ) {
$urls_to_ping = preg_split( '/[\r\n\t ]/', trim( $to_ping ), -1, PREG_SPLIT_NO_EMPTY );
foreach ( $urls_to_ping as $k => $url ) {
if ( ! preg_match( '#^https?://.#i', $url ) ) {
unset( $urls_to_ping[ $k ] );
$urls_to_ping = array_map( 'sanitize_url', $urls_to_ping );
$urls_to_ping = implode( "\n", $urls_to_ping );
* Filters a list of trackback URLs following sanitization.
* The string returned here consists of a space or carriage return-delimited list
* @param string $urls_to_ping Sanitized space or carriage return separated URLs.
* @param string $to_ping Space or carriage return separated URLs before sanitization.
return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
* Adds slashes to a string or recursively adds slashes to strings within an array.
* This should be used when preparing data for core API that expects slashed data.
* This should not be used to escape data going directly into an SQL query.
* @since 5.5.0 Non-string values are left untouched.
* @param string|array $value String or array of data to slash.
* @return string|array Slashed `$value`, in the same type as supplied.
function wp_slash( $value ) {
if ( is_array( $value ) ) {
$value = array_map( 'wp_slash', $value );
if ( is_string( $value ) ) {
return addslashes( $value );
* Removes slashes from a string or recursively removes slashes from strings within an array.
* This should be used to remove slashes from data passed to core API that
* expects data to be unslashed.
* @param string|array $value String or array of data to unslash.
* @return string|array Unslashed `$value`, in the same type as supplied.
function wp_unslash( $value ) {
return stripslashes_deep( $value );
* Extracts and returns the first URL from passed content.
* @param string $content A string which might contain a URL.
* @return string|false The found URL.
function get_url_in_content( $content ) {
if ( empty( $content ) ) {
if ( preg_match( '/<a\s[^>]*?href=([\'"])(.+?)\1/is', $content, $matches ) ) {
return sanitize_url( $matches[2] );
* Returns the regexp for common whitespace characters.
* By default, spaces include new lines, tabs, nbsp entities, and the UTF-8 nbsp.
* This is designed to replace the PCRE \s sequence. In ticket #22692, that
* sequence was found to be unreliable due to random inclusion of the A0 byte.
* @return string The spaces regexp.
function wp_spaces_regexp() {
if ( empty( $spaces ) ) {
* Filters the regexp for common whitespace characters.
* This string is substituted for the \s sequence as needed in regular
* expressions. For websites not written in English, different characters
* may represent whitespace. For websites not encoded in UTF-8, the 0xC2 0xA0
* sequence may not be in use.
* @param string $spaces Regexp pattern for matching common whitespace characters.
$spaces = apply_filters( 'wp_spaces_regexp', '[\r\n\t ]|\xC2\xA0| ' );
* Enqueues the important emoji-related styles.
function wp_enqueue_emoji_styles() {
// Back-compat for plugins that disable functionality by unhooking this action.
$action = is_admin() ? 'admin_print_styles' : 'wp_print_styles';
if ( ! has_action( $action, 'print_emoji_styles' ) ) {
remove_action( $action, 'print_emoji_styles' );
img.wp-smiley, img.emoji {
display: inline !important;
box-shadow: none !important;
margin: 0 0.07em !important;
vertical-align: -0.1em !important;
background: none !important;
$handle = 'wp-emoji-styles';
wp_register_style( $handle, false );
wp_add_inline_style( $handle, $emoji_styles );
wp_enqueue_style( $handle );
* Prints the inline Emoji detection script if it is not already printed.
function print_emoji_detection_script() {
_print_emoji_detection_script();
* Prints inline Emoji detection script.
function _print_emoji_detection_script() {
* Filters the URL where emoji png images are hosted.
* @param string $url The emoji base URL for png images.
'baseUrl' => apply_filters( 'emoji_url', 'https://s.w.org/images/core/emoji/15.0.3/72x72/' ),
* Filters the extension of the emoji png files.
* @param string $extension The emoji extension for png files. Default .png.
'ext' => apply_filters( 'emoji_ext', '.png' ),
* Filters the URL where emoji SVG images are hosted.
* @param string $url The emoji base URL for svg images.
'svgUrl' => apply_filters( 'emoji_svg_url', 'https://s.w.org/images/core/emoji/15.0.3/svg/' ),
* Filters the extension of the emoji SVG files.
* @param string $extension The emoji extension for svg files. Default .svg.
'svgExt' => apply_filters( 'emoji_svg_ext', '.svg' ),
$version = 'ver=' . get_bloginfo( 'version' );
$settings['source'] = array(
/** This filter is documented in wp-includes/class-wp-scripts.php */
'wpemoji' => apply_filters( 'script_loader_src', includes_url( "js/wp-emoji.js?$version" ), 'wpemoji' ),
/** This filter is documented in wp-includes/class-wp-scripts.php */
'twemoji' => apply_filters( 'script_loader_src', includes_url( "js/twemoji.js?$version" ), 'twemoji' ),
$settings['source'] = array(
/** This filter is documented in wp-includes/class-wp-scripts.php */
'concatemoji' => apply_filters( 'script_loader_src', includes_url( "js/wp-emoji-release.min.js?$version" ), 'concatemoji' ),
wp_print_inline_script_tag(
sprintf( 'window._wpemojiSettings = %s;', wp_json_encode( $settings ) ) . "\n" .
file_get_contents( ABSPATH . WPINC . '/js/wp-emoji-loader' . wp_scripts_get_suffix() . '.js' )
* Converts emoji characters to their equivalent HTML entity.
* This allows us to store emoji in a DB using the utf8 character set.
* @param string $content The content to encode.
* @return string The encoded content.
function wp_encode_emoji( $content ) {
$emoji = _wp_emoji_list( 'partials' );
foreach ( $emoji as $emojum ) {
$emoji_char = html_entity_decode( $emojum );
if ( str_contains( $content, $emoji_char ) ) {
$content = preg_replace( "/$emoji_char/", $emojum, $content );
* Converts emoji to a static img element.
* @param string $text The content to encode.
* @return string The encoded content.
function wp_staticize_emoji( $text ) {
if ( ! str_contains( $text, '&#x' ) ) {
if ( ( function_exists( 'mb_check_encoding' ) && mb_check_encoding( $text, 'ASCII' ) ) || ! preg_match( '/[^\x00-\x7F]/', $text ) ) {
// The text doesn't contain anything that might be emoji, so we can return early.
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
