
Changeset 32353


Timestamp:
05/05/2015 11:13:51 AM (10 years ago)
Author:
boonebgorges
Message:

Improve sanitization of 'name' param in get_terms().

Values of 'name' that contain a character which is db-encoded on insert - for
example an ampersand, which is stored HTML-encoded in the database - will only
match an existing term if the lookup value goes through the same
sanitize_term_field() routine that was applied when the term was saved.

Fixes #32248.

Location:
trunk
Files:
2 edited

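--- a/trunk/src/wp-includes/taxonomy.php
+++ b/trunk/src/wp-includes/taxonomy.php
@@ -1858,11 +1858,10 @@
 
     if ( ! empty( $args['name'] ) ) {
-        if ( is_array( $args['name'] ) ) {
-            $name = array_map( 'sanitize_text_field', $args['name'] );
-            $where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $name ) ) . "')";
-        } else {
-            $name = sanitize_text_field( $args['name'] );
-            $where .= $wpdb->prepare( " AND t.name = %s", $name );
-        }
+        $names = (array) $args['name'];
+        foreach ( $names as &$_name ) {
+            $_name = sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' );
+        }
+
+        $where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $names ) ) . "')";
     }
 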
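Review bot: The by-reference `foreach ( $names as &$_name )` on the new side never releases the reference, so `$_name` stays bound to the last element of `$names` for the rest of get_terms (whose body continues outside the hunk), and any later write to a variable of that name would silently rewrite the last value of the array; add `unset( $_name );` immediately after the loop, or drop the reference with `$names = array_map( function ( $n ) use ( $taxonomies ) { return sanitize_term_field( 'name', $n, 0, reset( $taxonomies ), 'db' ); }, (array) $args['name'] );`. Separately, only `reset( $taxonomies )` is handed to sanitize_term_field, so when get_terms is called for several taxonomies any taxonomy-specific sanitization the others would apply is presumably skipped for the lookup value, and `reset()` yields `false` if `$taxonomies` were ever empty here; a comment such as `// Sanitize with the first requested taxonomy only; assumes $taxonomies is non-empty.` would make that intent explicit. Note also that the scalar case no longer goes through `$wpdb->prepare()` and now relies solely on `esc_sql()` inside a hand-built IN list; that matches the former array branch, but the move away from the prepared-statement path is worth a one-line comment so it is not mistaken for an oversight.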
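--- a/trunk/tests/phpunit/tests/term/getTerms.php
+++ b/trunk/tests/phpunit/tests/term/getTerms.php
@@ -539,4 +539,32 @@
 
         $this->assertEqualSets( array( $t3, $t1 ), $found );
+    }
+
+    /**
+     * @ticket 32248
+     */
+    public function test_name_should_match_encoded_html_entities() {
+        register_taxonomy( 'wptests_tax', 'post' );
+
+        $t = $this->factory->term->create( array(
+            'taxonomy' => 'wptests_tax',
+            'name' => 'Foo & Bar',
+            'slug' => 'foo-and-bar',
+        ) );
+
+        $found = get_terms( 'wptests_tax', array(
+            'hide_empty' => false,
+            'fields' => 'ids',
+            'name' => 'Foo & Bar',
+        ) );
+        $this->assertEqualSets( array( $t ), $found );
+
+        // array format.
+        $found = get_terms( 'wptests_tax', array(
+            'hide_empty' => false,
+            'fields' => 'ids',
+            'name' => array( 'Foo & Bar' ),
+        ) );
+        $this->assertEqualSets( array( $t ), $found );
     }
 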
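Review bot: Both lookups in test_name_should_match_encoded_html_entities use a single name that is expected to match, so the test cannot tell a correct filter from one that returns every term in the taxonomy; create a second, non-matching term in the same taxonomy and keep the `assertEqualSets( array( $t ), $found )` assertions so they actually prove exclusion. The array-format case would likewise be stronger with a mixed list such as `'name' => array( 'Foo & Bar', 'Does Not Exist' ),` to show that unmatched entries are simply ignored rather than breaking the IN clause. A short docblock line above the `@ticket` tag stating the behaviour under test, e.g. `Lookups by 'name' must match terms whose stored name is HTML-encoded (e.g. "&amp;").`, would also help readers who do not have the ticket to hand.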