# Sanitize
The Sanitize node cleans input field values using specified sanitization methods. Use it before saving user-submitted data to the database to prevent XSS attacks, strip unwanted HTML, and normalize data types.
## Configuration

| Property | Type | Default | Description |
|---|---|---|---|
| fields | array | [] | Required. An array of field sanitization definitions. |
Each field definition has:
| Property | Type | Description |
|---|---|---|
| field | string | The field name to sanitize. |
| method | string | The sanitization method to apply. |
## Sanitization Methods

| Method | Description |
|---|---|
| trim | Remove leading and trailing whitespace. |
| strip_tags | Remove all HTML and PHP tags. |
| esc_html | Escape HTML entities (`<`, `>`, `&`, `"`, `'`). Uses WordPress `esc_html()`. |
| sanitize_email | Strip invalid characters from an email address. Uses WordPress `sanitize_email()`. |
| to_int | Cast the value to an integer. |
| to_float | Cast the value to a float. |
## Input

Accepts a single object or an array of rows. Each row is processed individually.

## Output

Returns the same data structure with the specified fields sanitized. Fields not listed in the config are left unchanged.
## Example

Input:

```json
{
"name": " <script>alert('xss')</script>John ",
"email": "john@@example..com",
"age": "25"
}
```

Config:

```json
[
{ "field": "name", "method": "strip_tags" },
{ "field": "name", "method": "trim" },
{ "field": "email", "method": "sanitize_email" },
{ "field": "age", "method": "to_int" }
]
```

Output:

```json
{
"name": "alert('xss')John",
"email": "john@example.com",
"age": 25
}
```

INFO

Multiple sanitization methods can be applied to the same field by including multiple entries. They are applied in order.
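A Python model of the node's semantics (an added example, not the plugin's own code): it applies the field definitions in config order to a single object or an array of rows, and shows why order matters when `strip_tags` and `esc_html` are combined on the same field. `esc_html` is approximated with Python's `html.escape`, `sanitize_email` is omitted because it delegates to WordPress, and `to_int`/`to_float` are assumed to follow PHP cast rules.

```python
import html
import re
from typing import Any, Callable

# Model of the Sanitize node, not the plugin's PHP. Assumptions: esc_html is
# approximated with html.escape, and to_int/to_float behave like PHP's
# (int)/(float) casts (leading numeric prefix, otherwise 0).
_TAG_RE = re.compile(r"<[a-zA-Z/!?][^>]*>")  # PHP-like: "< " is text, not a tag
_NUM_PREFIX_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def _php_cast(value: Any, cast: Callable) -> Any:
    """PHP-style numeric cast: use the leading numeric prefix, else 0."""
    if isinstance(value, (int, float)):
        return cast(value)
    match = _NUM_PREFIX_RE.match(str(value))
    return cast(float(match.group(0))) if match else cast(0)


METHODS: dict[str, Callable[[Any], Any]] = {
    "trim": lambda v: str(v).strip(),
    "strip_tags": lambda v: _TAG_RE.sub("", str(v)),
    "esc_html": lambda v: html.escape(str(v), quote=True),
    "to_int": lambda v: _php_cast(v, int),
    "to_float": lambda v: _php_cast(v, float),
}


def sanitize_row(row: dict, fields: list[dict]) -> dict:
    """Apply each field definition to one row, in config order."""
    out = dict(row)  # fields not listed in the config are left unchanged
    for definition in fields:
        name, method = definition["field"], definition["method"]
        if method not in METHODS:
            raise ValueError(f"unknown sanitization method: {method}")
        if name in out:  # assumption: a configured field absent from the row is skipped
            out[name] = METHODS[method](out[name])
    return out


def sanitize(data: Any, fields: list[dict]) -> Any:
    """Accept a single object or an array of rows, as the node does."""
    if isinstance(data, list):
        return [sanitize_row(row, fields) for row in data]
    return sanitize_row(data, fields)


# Constructed input. Stripping tags before escaping yields plain escaped text;
# escaping first keeps the tags as literal text, so the final value still contains them.
SAMPLE = {"name": " <script>alert('xss')</script>John ", "note": "<b>Tom & Jerry</b>", "age": "25abc"}
STRIP_THEN_ESCAPE = [{"field": "note", "method": "strip_tags"}, {"field": "note", "method": "esc_html"}]
ESCAPE_THEN_STRIP = [{"field": "note", "method": "esc_html"}, {"field": "note", "method": "strip_tags"}]
```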
## Example Use Cases

### Contact form sanitization

```json
[
{ "field": "name", "method": "strip_tags" },
{ "field": "name", "method": "trim" },
{ "field": "email", "method": "sanitize_email" },
{ "field": "message", "method": "esc_html" },
{ "field": "message", "method": "trim" }
]
```

### Numeric input sanitization

```json
[
{ "field": "price", "method": "to_float" },
{ "field": "quantity", "method": "to_int" }
]
```

### Typical pipeline placement

```
Context --> Validate --> Sanitize --> Save Row --> Output
```

WARNING

Always sanitize user input before writing to the database. Even if your form has client-side validation, the REST API endpoint can be called directly, bypassing all frontend checks.
TIP
Sanitize runs after Validate in a typical pipeline. This way, invalid data is rejected first, and only valid data gets sanitized and saved.