Changeset 38944 for trunk/src/wp-includes/formatting.php

Timestamp:

10/26/2016 05:16:09 AM (9 years ago)

Author:

pento

Message:

General: Add a sanitize_textarea_field() function.

Like its predecessor (sanitize_text_field()), sanitize_textarea_field() is a helper function to sanitise user input. As the name suggests, this function is for sanitising input from textarea fields - it strips tags and invalid UTF-8 characters, like sanitize_text_field(), but retains newlines and extra inline whitespace.

Props ottok, nbachiyski, chriscct7, pento.
Fixes #32257.

File:

• trunk/src/wp-includes/formatting.php (modified) (4 diffs)

trunk/src/wp-includes/formatting.php

@@ -4654 +4654 @@
  * @since 2.9.0
  *
+ * @see sanitize_textarea_field()
  * @see wp_check_invalid_utf8()
  * @see wp_strip_all_tags()
@@ -4661 +4662 @@
  */
 function sanitize_text_field( $str ) {
+    $filtered = _sanitize_text_fields( $str, false );
+
+    /**
+     * Filters a sanitized text field string.
+     *
+     * @since 2.9.0
+     *
+     * @param string $filtered The sanitized string.
+     * @param string $str      The string prior to being sanitized.
+     */
+    return apply_filters( 'sanitize_text_field', $filtered, $str );
+}
+
+/**
+ * Sanitizes a multiline string from user input or from the database.
+ *
+ * The function is like sanitize_text_field(), but preserves
+ * new lines (\n) and other whitespace, which are legitimate
+ * input in textarea elements.
+ *
+ * @see sanitize_text_field()
+ *
+ * @since 4.7.0
+ *
+ * @param string $str String to sanitize.
+ * @return string Sanitized string.
+ */
+function sanitize_textarea_field( $str ) {
+    $filtered = _sanitize_text_fields( $str, true );
+
+    /**
+     * Filters a sanitized textarea field string.
+     *
+     * @since 4.7.0
+     *
+     * @param string $filtered The sanitized string.
+     * @param string $str      The string prior to being sanitized.
+     */
+    return apply_filters( 'sanitize_textarea_field', $filtered, $str );
+}
+
+/**
+ * Internal helper function to sanitize a string from user input or from the db
+ *
+ * @since 4.7.0
+ * @access private
+ *
+ * @param string $str String to sanitize.
+ * @param bool $keep_newlines optional Whether to keep newlines. Default: false.
+ * @return string Sanitized string.
+ */
+function _sanitize_text_fields( $str, $keep_newlines = false ) {
     $filtered = wp_check_invalid_utf8( $str );
 
@@ -4666 +4719 @@
         $filtered = wp_pre_kses_less_than( $filtered );
         // This will strip extra whitespace for us.
-        $filtered = wp_strip_all_tags( $filtered, true );
-    } else {
-        $filtered = trim( preg_replace('/[\r\n\t ]+/', ' ', $filtered) );
-    }
+        $filtered = wp_strip_all_tags( $filtered, false );
+
+        // Use html entities in a special case to make sure no later
+        // newline stripping stage could lead to a functional tag
+        $filtered = str_replace("<\n", "&lt;\n", $filtered);
+    }
+
+    if ( ! $keep_newlines ) {
+        $filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
+    }
+    $filtered = trim( $filtered );
 
     $found = false;
@@ -4682 +4742 @@
     }
 
-    /**
-     * Filters a sanitized text field string.
-     *
-     * @since 2.9.0
-     *
-     * @param string $filtered The sanitized string.
-     * @param string $str      The string prior to being sanitized.
-     */
-    return apply_filters( 'sanitize_text_field', $filtered, $str );
+    return $filtered;
 }