
Include rawurlencode() in list of sanitizing functions

Open paulschreiber opened this issue 8 years ago • 3 comments

I have some code like so:

$data['host'] = isset( $_SERVER['HTTP_HOST'] ) ? rawurlencode( sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ) ) ) : ''; // input var ok

@mjangda informs me the sanitize_text_field() and wp_unslash() calls are unnecessary and rawurlencode() should be enough to make the data safe.

Currently, removing them results in a WordPress.VIP.ValidatedSanitizedInput.InputNotSanitized error.

paulschreiber avatar Mar 08 '17 18:03 paulschreiber

I'm not 100% sure that $_SERVER['HTTP_HOST'] will always be safe as provided by the web server. Potentially some web server may pass along the Host: header without validation. So some sanitization should be done on that value, though here sanitize_text_field() isn't right and it should be something more specific.

The rawurlencode() function does not sanitize. It is more like an escaping function.

westonruter avatar Mar 08 '17 19:03 westonruter

There is esc_url_raw(), which is more of a sanitization function (it replaced sanitize_url()).

JDGrimes avatar Mar 08 '17 20:03 JDGrimes

The only problem with esc_url_raw() is that it adds the protocol. So in the case of the HTTP_HOST, you'd have to do this:

$sanitized_host = wp_parse_url( esc_url_raw( wp_unslash( $_SERVER['HTTP_HOST'] ) ), PHP_URL_HOST );

westonruter avatar Mar 08 '17 20:03 westonruter
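
An added example, not part of the original thread or of the WordPress-Coding-Standards project: the distinction drawn in the comments above between escaping a Host header value and validating it, in plain PHP. `validate_host_header()` and the sample values are hypothetical and constructed for illustration; the code assumes PHP 7.0 or later for `FILTER_VALIDATE_DOMAIN`.

```php
<?php
// Added example: validate a Host header value instead of only encoding it.
// validate_host_header() is a hypothetical helper, not a WordPress API.

/**
 * Return the lower-cased hostname from a Host header value, or '' when the
 * value is not a syntactically valid hostname with an optional numeric port.
 */
function validate_host_header( $raw ) {
    if ( ! is_string( $raw ) || '' === $raw || strlen( $raw ) > 255 ) {
        return '';
    }

    // Split off an optional :port suffix (IPv6 literals are rejected here).
    $host = $raw;
    if ( preg_match( '/^(.*):(\d{1,5})$/', $raw, $m ) ) {
        if ( (int) $m[2] < 1 || (int) $m[2] > 65535 ) {
            return '';
        }
        $host = $m[1];
    }

    // FILTER_FLAG_HOSTNAME restricts labels to letters, digits and hyphens.
    $valid = filter_var( $host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME );

    return false === $valid ? '' : strtolower( $valid );
}

// Constructed sample values, not taken from the thread.
$samples = array(
    'example.com',
    'Example.COM:8080',
    'example.com/<script>',
    "example.com\r\nX-Injected: 1",
    'a b.example',
);

// rawurlencode() returns a string for every input; validation rejects bad ones.
foreach ( $samples as $value ) {
    printf(
        "%-34s rawurlencode=%-44s validated=%s\n",
        json_encode( $value ),
        rawurlencode( $value ),
        var_export( validate_host_header( $value ), true )
    );
}
```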