
add wp_unslash() and sanitize_text_field() calls to inputs

Open paulschreiber opened this issue 9 years ago • 7 comments

paulschreiber, Oct 03 '15 03:10

@mjangda Can we merge this?

paulschreiber, Dec 14 '15 04:12

Noted some spots where the sanitize/unslash are not necessary. We don't really need them for the following either:

  • sanitize_title
  • wp_verify_nonce

mjangda, Dec 14 '15 19:12

  • PHPCS will complain if they're not present cc @westonruter
  • Do you see any downside to having them present?

paulschreiber, Dec 14 '15 19:12

PHPCS should be updated to whitelist sanitization usages when an input var is used in array_key_exists()

westonruter, Dec 14 '15 19:12

Filed https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/498

Please provide additional details there.

paulschreiber, Dec 15 '15 04:12

I would love to use this plugin, but the fact that a PR on input sanitisation has been blocked for a year is giving me pause... Any chance some progress could be made on this please?

IanRogers-LShift, Feb 09 '17 17:02

@mjangda @westonruter What's the harm in the extra wp_unslash() calls? It's safer/easier to use them everywhere than to create an exception list and manually check it on every code change.

paulschreiber, Feb 21 '17 00:02
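The pattern the thread is arguing about, as an added PHP example that is not code from this PR or from the Co-Authors-Plus plugin: a request handler that unslashes and then sanitizes free-form text, alongside the three cases raised above (a value checked with wp_verify_nonce(), a slug passed through sanitize_title(), and a value used only as a key in array_key_exists()) where stacking sanitize_text_field() on top adds nothing. Everything specific here is assumed: the cap_example_read_request() function, the 'cap_save_author' nonce action, the field names and the constructed request. The function_exists() stand-ins exist only so the file runs from the CLI outside WordPress; they are simplified and are not WordPress's implementations.

```php
<?php
// Added illustration, not Co-Authors-Plus code. WordPress adds slashes to
// $_GET/$_POST/$_COOKIE on load, so raw input is unslashed first and then
// sanitized for the context it is actually used in.

// Minimal stand-ins so this file runs from the CLI outside WordPress. They are
// simplified and NOT WordPress's implementations; inside WordPress they are skipped.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return is_array( $value ) ? array_map( 'wp_unslash', $value ) : stripslashes( (string) $value );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\r\n\t ]+/', ' ', $str );
        return trim( $str );
    }
}
if ( ! function_exists( 'sanitize_title' ) ) {
    function sanitize_title( $title ) {
        $title = strtolower( strip_tags( (string) $title ) );
        return trim( preg_replace( '/[^a-z0-9]+/', '-', $title ), '-' );
    }
}
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    // Stand-in: accepts one constructed token. Real WordPress nonces are keyed,
    // time-limited hashes tied to the user and the action.
    function wp_verify_nonce( $nonce, $action = -1 ) {
        return hash_equals( 'constructed-nonce-1234', (string) $nonce ) ? 1 : false;
    }
}

/**
 * Validate and clean a hypothetical "save author" request.
 * $request stands in for $_POST. Returns the cleaned fields, or null when the
 * nonce check fails.
 */
function cap_example_read_request( array $request ) {
    // Nonce (the wp_verify_nonce() case): the value is only compared, never stored
    // or echoed, so sanitize_text_field() would just obscure intent. Unslashing
    // keeps the comparison exact.
    $nonce = isset( $request['_wpnonce'] ) ? wp_unslash( $request['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'cap_save_author' ) ) {
        return null;
    }

    // Free-form text that will be stored and later displayed: unslash, then sanitize.
    $display_name = isset( $request['display_name'] )
        ? sanitize_text_field( wp_unslash( $request['display_name'] ) )
        : '';

    // A slug (the sanitize_title() case): sanitize_title() already strips tags and
    // normalises the value, so a further sanitize_text_field() is redundant.
    $slug = isset( $request['user_login'] )
        ? sanitize_title( wp_unslash( $request['user_login'] ) )
        : '';

    // A value used only as a key into a fixed allow-list (the array_key_exists()
    // case): the lookup itself bounds the value to known keys, and unknown input
    // falls back to a safe default instead of being used.
    $allowed_roles = array( 'author' => true, 'contributor' => true );
    $role = isset( $request['role'] ) ? wp_unslash( $request['role'] ) : '';
    if ( ! array_key_exists( $role, $allowed_roles ) ) {
        $role = 'contributor';
    }

    return compact( 'display_name', 'slug', 'role' );
}

// Constructed request, slashed the way WordPress presents superglobals.
$constructed_post = array(
    '_wpnonce'     => 'constructed-nonce-1234',
    'display_name' => "O\\'Brien <em>the</em> Editor",
    'user_login'   => 'Pat Brien',
    'role'         => 'editor',
);
var_dump( cap_example_read_request( $constructed_post ) );
```

Run inside WordPress the stand-ins are skipped and the real functions are used. The allow-list lookup is what actually constrains `role`; whether a coding-standards sniff recognises array_key_exists() as validation is the separate question issue 498 above raised.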

WPCS 3.0 is nearly out, with much-improved sniffs around this. With the conflicts in the PR, and the desire to see all of the PHPCS violations fixed, I'm going to close this one out now, but it can be referred to when a fresh PR is made.

GaryJones, Jul 27 '23 23:07