function sanitize_user( $username, $strict = false ) {}

Sanitize username stripping out unsafe characters.
Removes tags, octets, entities, and if strict is enabled, will only keep alphanumeric, _, space, ., -, @. After sanitizing, it passes the username, raw username (the username in the parameter), and the value of $strict as parameters for the ‘sanitize_user’ filter.


  • string $username: The username to be sanitized.
  • bool $strict: If set limits $username to specific characters. Default false.

Return values

returns:The sanitized username, after passing through filters.

Defined filters

  • sanitize_user
    apply_filters( 'sanitize_user', $username, $raw_username, $strict )

Source code

function sanitize_user( $username, $strict = false ) {

	$raw_username = $username;

	$username = wp_strip_all_tags( $username );

	$username = remove_accents( $username );

	// Kill octets

	$username = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $username );

	$username = preg_replace( '/&.+?;/', '', $username ); // Kill entities

	// If strict, reduce to ASCII for max portability.

	if ( $strict )

		$username = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $username );

	$username = trim( $username );

	// Consolidate contiguous whitespace

	$username = preg_replace( '|\s+|', ' ', $username );

	return apply_filters( 'sanitize_user', $username, $raw_username, $strict );



No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: