Make WordPress Core

Changeset 57251


Timestamp: 01/08/2024 10:42:49 PM (8 months ago)
Author: SergeyBiryukov
Message:

Taxonomy: Check for empty term after DB sanitization in wp_insert_term().

When inserting a new term in the database, wp_insert_term() will check if the term is empty and return a corresponding error.

Afterwards the term is sanitized and inserted in the database. However, there is a chance the term is empty after the DB sanitization.

This commit adds a check for an empty term name after the term is sanitized, returning an error in that case.

Follow-up to [5726], [8393].

Props fgiannar, kraftbj.
Fixes #59995.

Location:
trunk
Files:
2 edited

  • trunk/src/wp-includes/taxonomy.php

    r57239 r57251  
    24352435    $parent      = (int) $args['parent'];
    24362436
     2437    // Sanitization could clean the name to an empty string that must be checked again.
     2438    if ( '' === $name ) {
     2439        return new WP_Error( 'invalid_term_name', __( 'Invalid term name.' ) );
     2440    }
     2441
    24372442    $slug_provided = ! empty( $args['slug'] );
    24382443    if ( ! $slug_provided ) {
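
Review bot: The new guard at line 2438 compares with `'' === $name`, so it only rejects a name that is exactly the empty string; a name that sanitizes down to whitespace only would still pass and be inserted. Unless the sanitization step is known to trim its output, consider comparing against `trim( $name )` instead. The comment on line 2437 could also name which sanitization step is meant, and the function's documented return values should mention the `invalid_term_name` error code if they do not already.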
  • trunk/tests/phpunit/tests/term/wpInsertTerm.php

    r56548 r57251  
    896896    }
    897897
     898    /**
     899     * @ticket 59995
     900     */
     901    public function test_wp_insert_term_with_empty_name_after_db_sanitization() {
     902        $term = wp_insert_term(
     903            '<script>onclick=alert("hello")</script>',
     904            'post_tag'
     905        );
     906
     907        $this->assertWPError( $term );
     908        $this->assertSame( 'invalid_term_name', $term->get_error_code() );
     909    }
     910
    898911    /** Helpers */
    899912
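
Review bot: The test at lines 901-909 exercises a single input, the `<script>onclick=alert("hello")</script>` string, and asserts only on the returned error. A data provider with a few more names that are non-empty on input but empty after sanitization would show the check is not tied to this one string, and an assertion that no `post_tag` term exists afterwards would confirm the early return happens before the insert. The docblock carries only `@ticket 59995`; a one-line description of what is being tested would help.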