Make WordPress Core

Changeset 55346


Ignore:
Timestamp:
02/15/2023 01:04:06 PM (14 months ago)
Author:
SergeyBiryukov
Message:

Docs: Improve code comments in some sanitizing functions.

This aims to clarify a few inline comments related to removing percent-encoded characters and HTML entities.

Affected functions:

  • sanitize_user()
  • sanitize_title_with_dashes()
  • sanitize_html_class()
  • _sanitize_text_fields()
  • get_comments_number_text()

Follow-up to [465], [3454], [11433], [12503], [37987].

Props ace100, tanjimtc71, codemonksuvro, SergeyBiryukov.
Fixes #57712.

Location:
trunk/src/wp-includes
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/canonical.php

    r54785 r55346  
    737737    }
    738738
    739     // Hex encoded octets are case-insensitive.
     739    // Hex-encoded octets are case-insensitive.
    740740    if ( false !== strpos( $requested_url, '%' ) ) {
    741741        if ( ! function_exists( 'lowercase_octets' ) ) {
  • trunk/src/wp-includes/comment-template.php

    r55308 r55346  
    945945            if ( 'on' === _x( 'off', 'Comment number declension: on or off' ) ) {
    946946                $text = preg_replace( '#<span class="screen-reader-text">.+?</span>#', '', $more );
    947                 $text = preg_replace( '/&.+?;/', '', $text ); // Kill entities.
     947                $text = preg_replace( '/&.+?;/', '', $text ); // Remove HTML entities.
    948948                $text = trim( strip_tags( $text ), '% ' );
    949949
  • trunk/src/wp-includes/formatting.php

    r55289 r55346  
    21122112 * Sanitizes a username, stripping out unsafe characters.
    21132113 *
    2114  * Removes tags, octets, entities, and if strict is enabled, will only keep
    2115  * alphanumeric, _, space, ., -, @. After sanitizing, it passes the username,
    2116  * raw username (the username in the parameter), and the value of $strict as
    2117  * parameters for the {@see 'sanitize_user'} filter.
     2114 * Removes tags, percent-encoded characters, HTML entities, and if strict is enabled,
     2115 * will only keep alphanumeric, _, space, ., -, @. After sanitizing, it passes the username,
     2116 * raw username (the username in the parameter), and the value of $strict as parameters
     2117 * for the {@see 'sanitize_user'} filter.
    21182118 *
    21192119 * @since 2.0.0
    21202120 *
    21212121 * @param string $username The username to be sanitized.
    2122  * @param bool   $strict   Optional. If set limits $username to specific characters.
     2122 * @param bool   $strict   Optional. If set to true, limits $username to specific characters.
    21232123 *                         Default false.
    21242124 * @return string The sanitized username, after passing through filters.
     
    21282128    $username     = wp_strip_all_tags( $username );
    21292129    $username     = remove_accents( $username );
    2130     // Kill octets.
     2130    // Remove percent-encoded characters.
    21312131    $username = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $username );
    2132     // Kill entities.
     2132    // Remove HTML entities.
    21332133    $username = preg_replace( '/&.+?;/', '', $username );
    21342134
     
    23652365    }
    23662366
    2367     // Kill entities.
     2367    // Remove HTML entities.
    23682368    $title = preg_replace( '/&.+?;/', '', $title );
    23692369    $title = str_replace( '.', '-', $title );
     
    24132413 */
    24142414function sanitize_html_class( $classname, $fallback = '' ) {
    2415     // Strip out any %-encoded octets.
     2415    // Strip out any percent-encoded characters.
    24162416    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );
    24172417
     
    54515451 * - Strips all tags
    54525452 * - Removes line breaks, tabs, and extra whitespace
    5453  * - Strips octets
     5453 * - Strips percent-encoded characters
    54545454 *
    54555455 * @since 2.9.0
     
    55285528        $filtered = wp_strip_all_tags( $filtered, false );
    55295529
    5530         // Use HTML entities in a special case to make sure no later
    5531         // newline stripping stage could lead to a functional tag.
     5530        /*
     5531         * Use HTML entities in a special case to make sure that
     5532         * later newline stripping stages cannot lead to a functional tag.
     5533         */
    55325534        $filtered = str_replace( "<\n", "&lt;\n", $filtered );
    55335535    }
     
    55385540    $filtered = trim( $filtered );
    55395541
     5542    // Remove percent-encoded characters.
    55405543    $found = false;
    55415544    while ( preg_match( '/%[a-f0-9]{2}/i', $filtered, $match ) ) {
     
    55455548
    55465549    if ( $found ) {
    5547         // Strip out the whitespace that may now exist after removing the octets.
     5550        // Strip out the whitespace that may now exist after removing percent-encoded characters.
    55485551        $filtered = trim( preg_replace( '/ +/', ' ', $filtered ) );
    55495552    }
Note: See TracChangeset for help on using the changeset viewer.