
ValidatedSanitizedInput: allow use of array_keys() without sanitization/unslashing?

Open jrfnl opened this issue 6 years ago • 2 comments

Open question: should using array_keys() on superglobals be allowed without sanitization?

I'm pretty sure we shouldn't demand unslashing when that function is used as WP doesn't actually slash the array keys, but the sniff currently throws both a "missing unslash" as well as a "missing sanitization" error.

Refs:

  • https://developer.wordpress.org/reference/functions/add_magic_quotes/
  • https://www.php.net/manual/en/function.array-keys.php

Opinions?

jrfnl, Mar 30 '19 16:03

I'd say to let it through.

GaryJones, Mar 31 '19 10:03

Unslashing is fine, but sanitizing is not. Since array keys can be arbitrary strings, they aren't safe.

However, array_keys shouldn't report an error when it's sanitized right away, e.g. array_map( 'sanitize_text_field', wp_unslash( array_keys( $_POST['foo'] ) ) )

kkmuffme, Aug 17 '23 11:08
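
An added example, not part of the thread or of WordPress-Coding-Standards, showing both points raised above: slashing touches values but not keys, and keys remain request-controlled strings that need filtering. `demo_add_magic_quotes()` and `demo_sanitize_key()` are hypothetical stand-ins written for this demo (the first mirrors the value-only slashing the issue describes for `add_magic_quotes()`), and the input array is constructed.

```php
<?php
// Hypothetical stand-in for WordPress's add_magic_quotes():
// string values are slashed recursively, keys are left as they arrived.
function demo_add_magic_quotes( array $input ): array {
	foreach ( $input as $k => $v ) {
		if ( is_array( $v ) ) {
			$input[ $k ] = demo_add_magic_quotes( $v );
		} elseif ( is_string( $v ) ) {
			$input[ $k ] = addslashes( $v );
		}
	}
	return $input;
}

// Hypothetical key filter (assumption for this demo): lowercase the key and
// keep only a-z, 0-9, "_" and "-". In WordPress code, use a real sanitizer.
function demo_sanitize_key( string $key ): string {
	return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( $key ) );
}

// Constructed sample: what a request body with foo[...] fields could decode to.
$raw_post = array(
	'foo' => array(
		"o'brien"     => "it's a value",
		'<b>bold</b>' => 'plain',
		'normal_key'  => 'plain',
	),
);

$post = demo_add_magic_quotes( $raw_post );
$keys = array_keys( $post['foo'] );

// Keys are identical before and after slashing, so there is nothing to unslash.
var_dump( $keys === array_keys( $raw_post['foo'] ) );

// The value under the same key did get a backslash added.
var_dump( $post['foo']["o'brien"] );

// The keys still carry a quote and markup, so they are filtered before use.
// strval() covers numeric keys, which PHP stores as integers.
$safe_keys = array_map( 'demo_sanitize_key', array_map( 'strval', $keys ) );
print_r( $safe_keys );
```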