syndication
Using sanitize_text_field can break site_token
If, for example, the sequence %B2 exists somewhere in the site_token, sanitize_text_field( $_POST['site_token'] ) will strip it out, breaking the site_token.
In class-syndication-wp-rest-client.php:
update_post_meta( $site_ID, 'syn_site_token', push_syndicate_encrypt( sanitize_text_field( $_POST['site_token'] ) ) );
Not sure the best way to sanitize this field or if it even needs to be sanitized, but my current workaround:
function syndication_sanitize( $filtered, $str ) {
    if ( is_admin() && ! empty( $_POST ) && 'syn_site' === get_post_type() ) {
        return $str;
    } else {
        return $filtered;
    }
}
add_filter( 'sanitize_text_field', 'syndication_sanitize', 10, 2 );
The above code snippet prevents the value from being sanitized and can break the site.
I have investigated this issue and confirmed that it's a bug. It's sanitizing the token string; see the link: https://github.com/WordPress/WordPress/blob/master/wp-includes/formatting.php#L4746-L4749
Thanks both. Do either of you feel like opening a Pull Request to fix this issue?
I have this issue: I need to access the reCAPTCHA token on the server.
$token = ! empty( $post['prefid_recaptcha_token'] ) ? sanitize_text_field( $post['prefid_recaptcha_token'] ) : '';
And I'm not sure if using sanitize_text_field() will be appropriate here, and I can't use sanitize_key() because it will convert all uppercase letters to lowercase, ultimately failing the whole process.
Note: if the token doesn't contain spaces and other special characters, sanitize_text_field() should work most of the time!
Is there any workaround for this?
Thanks!
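An added example, not code from the plugin or from anyone in this thread: it reproduces the percent-encoded-octet stripping loop from the core lines linked above so the %B2 case can be seen without WordPress, next to a validate-and-reject alternative for opaque tokens. The names `strip_octets_like_core` and `example_validate_token`, the length limit and the allowed character set are assumptions for illustration; the sample tokens are constructed.

```php
<?php
// Added illustration; runs without WordPress (php example.php).

/**
 * Reproduces only the percent-encoded-octet step of core's
 * sanitize_text_field(); the real function also strips tags,
 * invalid UTF-8 and extra whitespace.
 */
function strip_octets_like_core( string $value ): string {
    while ( preg_match( '/%[a-f0-9]{2}/i', $value, $match ) ) {
        $value = str_replace( $match[0], '', $value );
    }
    return $value;
}

/**
 * Hypothetical helper: validate an opaque token and return it unchanged,
 * or null when it is not acceptable. Rejecting avoids silently storing a
 * different secret from the one that was submitted.
 */
function example_validate_token( $raw, int $max_len = 2048 ): ?string {
    if ( ! is_string( $raw ) || '' === $raw || strlen( $raw ) > $max_len ) {
        return null;
    }
    // Printable ASCII except space, quotes, angle brackets and backslash
    // (assumed alphabet; tighten it to what the token issuer documents).
    $allowed = '/\A[\x21\x23-\x26\x28-\x3B\x3D\x3F-\x5B\x5D-\x7E]+\z/';
    return preg_match( $allowed, $raw ) ? $raw : null;
}

// Constructed sample tokens, not real credentials.
$samples = array(
    'abcDEF%B2xyz==',      // contains a sequence that looks like an encoded octet
    'AbC-123_xyz.456',     // mixed case, which sanitize_key() would lowercase
    "bad token\n<script>", // should be rejected, not repaired
);

foreach ( $samples as $sample ) {
    printf(
        "%-24s stripped: %-20s validated: %s\n",
        json_encode( $sample ),
        json_encode( strip_octets_like_core( $sample ) ),
        json_encode( example_validate_token( $sample ) )
    );
}
```

Inside WordPress the raw value would first go through `wp_unslash()`, and the stored token still needs escaping (for example `esc_attr()`) wherever it is rendered back into a form.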