sanitize_user_object() throws fatal error on user property objects
Reported by: filosofo | Owned by: ryan
Suppose a plugin has serialized an object and saved it as user-meta data. (I'm not saying this is a good idea, but other people are doing it).
get_user_to_edit() gets the user data as an object with that now-unserialized-object as a property of the user object. Then it passes the user object to sanitize_user_object().
sanitize_user_object() currently loops through each property of the user object and if the property is not an array, it attempts to sanitize it. When the property is an object, you get a fatal error trying to cast the object to a string.
My patch, rather than excluding arrays, only attempts to sanitize things that are strings or numbers.
You're probably thinking, "if checking for objects is the problem, why not just call is_object()?" The problem is that if the serialized object is of an object type that is no longer defined, is_object() returns false. This could happen in the case in which a plugin saves the serialized object as user meta data, and then the plugin is deactivated. Then you end up with something that's a __PHP_Incomplete_Class, a non-object object.
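The failure described above, as an added stand-alone PHP 7+ illustration that is not part of the ticket or of WordPress (the `sanitize_field_stub()` helper, the `PluginConfig` class name and the user fields are assumptions):

```php
<?php
// Added illustration, not WordPress code. Shows why an allow-list of scalar
// types is safer than "skip arrays" (or is_object()) when a user-meta value
// unserializes into a __PHP_Incomplete_Class.

// Stand-in for WordPress's per-field sanitizer (assumption; the real code
// path is sanitize_user_field()). Here it just strips tags and trims.
function sanitize_field_stub($value) {
    return trim(strip_tags((string) $value));
}

// Old behaviour as the ticket describes it: skip arrays, cast everything else.
function sanitize_user_object_old($user) {
    foreach (get_object_vars($user) as $name => $value) {
        if (!is_array($value)) {
            $user->$name = sanitize_field_stub($value); // object -> cast error
        }
    }
    return $user;
}

// Proposed fix: only sanitize strings and numbers, leave everything else alone.
function sanitize_user_object_fixed($user) {
    foreach (get_object_vars($user) as $name => $value) {
        if (is_string($value) || is_int($value) || is_float($value)) {
            $user->$name = sanitize_field_stub($value);
        }
    }
    return $user;
}

// Constructed user-meta payload: a plugin serialized a PluginConfig instance,
// then was deactivated, so the class is undefined and unserialize() returns
// a __PHP_Incomplete_Class rather than a PluginConfig.
$meta = unserialize('O:12:"PluginConfig":1:{s:4:"mode";s:4:"dark";}');

$user = new stdClass();
$user->ID = 7;
$user->user_login = 'alice';
$user->display_name = '<b>Alice</b> ';
$user->plugin_config = $meta;

var_dump(is_object($meta));   // false on PHP < 7.2, true on PHP >= 7.2
var_dump(get_class($meta));   // "__PHP_Incomplete_Class" on every version

try {
    sanitize_user_object_old(clone $user);
} catch (Error $e) {
    // PHP 5 died with an uncatchable fatal here; PHP 7+ throws an Error.
    echo "old: ", $e->getMessage(), "\n";
}

$clean = sanitize_user_object_fixed(clone $user);
var_dump($clean->display_name);  // "Alice"
var_dump($clean->plugin_config); // still the untouched __PHP_Incomplete_Class
```

The allow-list version behaves the same whether or not is_object() recognises the incomplete class, which is what makes it the robust check.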