Timestamp:
10/26/2016 05:16:09 AM (4 years ago)
Author:
pento
Message:

General: Add a sanitize_textarea_field() function.

Like its predecessor (sanitize_text_field()), sanitize_textarea_field() is a helper function to sanitise user input. As the name suggests, this function is for sanitising input from textarea fields - it strips tags and invalid UTF-8 characters, like sanitize_text_field(), but retains newlines and extra inline whitespace.

Props ottok, nbachiyski, chriscct7, pento.
Fixes #32257.

File:
1 edited

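--- a/trunk/tests/phpunit/tests/formatting/SanitizeTextField.php
+++ b/trunk/tests/phpunit/tests/formatting/SanitizeTextField.php
@@ -5,43 +5,110 @@
  */
 class Tests_Formatting_SanitizeTextField extends WP_UnitTestCase {
-    // #11528
-    function test_sanitize_text_field() {
-        $inputs = array(
-            'оРангутанг', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
-            'САПР', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
-            'one is < two',
-            'tags <span>are</span> <em>not allowed</em> here',
-            ' we should trim leading and trailing whitespace ',
-            'we  also  trim  extra  internal  whitespace',
-            'tabs   get removed too',
-            'newlines are not welcome
-            here',
-            'We also %AB remove %ab octets',
-            'We don\'t need to wory about %A
-            B removing %a
-            b octets even when %a   B they are obscured by whitespace',
-            '%AB%BC%DE', //Just octets
-            'Invalid octects remain %II',
-            'Nested octects %%%ABABAB %A%A%ABBB',
+    function data_sanitize_text_field() {
+        return array(
+            array(
+                'оРангутанг', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
+                'оРангутанг',
+            ),
+            array(
+                'САПР', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
+                'САПР',
+            ),
+            array(
+                'one is < two',
+                'one is &lt; two',
+            ),
+            array(
+                "one is <\n two",
+                array(
+                    'oneline' => 'one is &lt; two',
+                    'multiline' => "one is &lt;\n two",
+                ),
+            ),
+            array(
+                "foo <div\n> bar",
+                array(
+                    'oneline' => 'foo bar',
+                    'multiline' => "foo  bar",
+                ),
+            ),
+            array(
+                "foo <\ndiv\n> bar",
+                array(
+                    'oneline' => 'foo &lt; div > bar',
+                    'multiline' => "foo &lt;\ndiv\n> bar",
+                ),
+            ),
+            array(
+                'tags <span>are</span> <em>not allowed</em> here',
+                'tags are not allowed here',
+            ),
+            array(
+                ' we should trim leading and trailing whitespace ',
+                'we should trim leading and trailing whitespace',
+            ),
+            array(
+                'we  trim  extra  internal  whitespace  only  in  single  line  texts',
+                array(
+                    'oneline' => 'we trim extra internal whitespace only in single line texts',
+                    'multiline' => 'we  trim  extra  internal  whitespace  only  in  single  line  texts',
+                ),
+            ),
+            array(
+                "tabs \tget removed in single line texts",
+                array(
+                    'oneline' => 'tabs get removed in single line texts',
+                    'multiline' => "tabs \tget removed in single line texts",
+                ),
+            ),
+            array(
+                "newlines are allowed only\n in multiline texts",
+                array(
+                    'oneline' => 'newlines are allowed only in multiline texts',
+                    'multiline' => "newlines are allowed only\n in multiline texts",
+                ),
+            ),
+            array(
+                'We also %AB remove %ab octets',
+                'We also remove octets',
+            ),
+            array(
+                'We don\'t need to wory about %A
+                B removing %a
+                b octets even when %a   B they are obscured by whitespace',
+                array (
+                    'oneline' => 'We don\'t need to wory about %A B removing %a b octets even when %a B they are obscured by whitespace',
+                    'multiline' => "We don't need to wory about %A\n                B removing %a\n             b octets even when %a   B they are obscured by whitespace",
+                ),
+            ),
+            array(
+                '%AB%BC%DE', //Just octets
+                '', //Emtpy as we strip all the octets out
+            ),
+            array(
+                'Invalid octects remain %II',
+                'Invalid octects remain %II',
+            ),
+            array(
+                'Nested octects %%%ABABAB %A%A%ABBB',
+                'Nested octects',
+            ),
         );
-        $expected = array(
-            'оРангутанг',
-            'САПР',
-            'one is &lt; two',
-            'tags are not allowed here',
-            'we should trim leading and trailing whitespace',
-            'we also trim extra internal whitespace',
-            'tabs get removed too',
-            'newlines are not welcome here',
-            'We also remove octets',
-            'We don\'t need to wory about %A B removing %a b octets even when %a B they are obscured by whitespace',
-            '', //Emtpy as we strip all the octets out
-            'Invalid octects remain %II',
-            'Nested octects',
-        );
+    }
 
-        foreach ($inputs as $key => $input) {
-            $this->assertEquals($expected[$key], sanitize_text_field($input));
+    /**
+     * @ticket 32257
+     * @dataProvider data_sanitize_text_field
+     */
+    function test_sanitize_text_field( $string, $expected ) {
+        if ( is_array( $expected ) ) {
+            $expected_oneline = $expected['oneline'];
+            $expected_multiline = $expected['multiline'];
+        } else {
+            $expected_oneline = $expected_multiline = $expected;
         }
+        $this->assertEquals( $expected_oneline, sanitize_text_field( $string ) );
+        $this->assertEquals( $expected_multiline, sanitize_textarea_field( $string ) );
+
     }
 }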
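Review bot: The multiline expectation on the `We don't need to wory about %A` row (the `'multiline' => "...%A\n                B removing %a\n             b octets..."` entry) hard-codes the run of whitespace that the file's own indentation places inside the single-quoted input literal above it, so the case appears to hold only while those continuation lines keep exactly that indentation and would break silently on a reindent; writing the input as a double-quoted string with explicit `\n` escapes would make the round trip self-describing. Both assertions in test_sanitize_text_field use `assertEquals`, which compares loosely; since the point of the sanitizers is that a string comes back as a string, `$this->assertSame( $expected_oneline, sanitize_text_field( $string ) );` and `$this->assertSame( $expected_multiline, sanitize_textarea_field( $string ) );` pin the type as well as the value. The removed `// #11528` reference is not carried over into the new docblock; adding `@ticket 11528` alongside `@ticket 32257` keeps that history visible to the test runner's ticket filter.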