Opened 12 years ago

Closed 12 years ago

#12181 closed defect (bug) (invalid)

Sanitizing text input fields before rendering but not before storing their content

Reported by: hargatheterrible
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9.1
Component: General
Keywords: reporter-feedback
Focuses:
Cc:

Description

In WPMU 2.8.5.2 and WP 2.9.1 filters are used to sanitize the content of text input fields in the admin area.

However, the filters are applied only before rendering the content, but not before transmitting and storing this content in the database.

For example, I can type in something like:

key1="value string with multiple words" AND key2="another value string"

and store it correctly in the database. When I "echo" this string into its text input field again to show that it has been correctly stored, it is rendered as

key1=\

The problem is that if a user does not pay attention and clicks on "update settings" again, the wrong string is stored in the database because the wrongly rendered string is transmitted.

I checked the multitude of filters that WP applies but could not find out how to adjust the filtering/sanitizing of input for this specific text input field. Even calling "remove_all_filters()" shows no effect.

I think that sanitizing is a good idea but it needs to become more consistent and adjustable in WP. I would like to sanitize everything that's between the quotes, not eliminate everything following the first quote.

Thanks a lot in advance for all hints and pointers!

A.

Change History (2)

#1 @dd32
12 years ago

  • Keywords reporter-feedback added; sanitize filter removed

Can you post some code to highlight the bug you're seeing?

Also, verify that YOU are escaping the data before echoing it into an attribute using a function such as esc_attr()
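The attribute-escaping point above, as an added stand-alone PHP example that is not code from the ticket or from WordPress core. It assumes the stored value was echoed straight into a `value="..."` attribute; `attr_escape()` is a local stand-in for what `esc_attr()` does (HTML-encoding quotes), and the `addslashes()` variant is an assumption about how the reporter's `key1=\` could arise if the value was saved with the slashes WordPress adds to request data.

```php
<?php
// Added example (not from the ticket): why an unescaped value containing
// double quotes truncates an HTML attribute, and why escaping fixes it.

// Hypothetical stand-in for WordPress's esc_attr(): encode ", ', <, > and &
// so the browser cannot mistake data for attribute delimiters.
function attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Rough model of how a browser reads value="...": everything up to the
// first unescaped double quote, with entities decoded afterwards.
function browser_attribute_value(string $html): string {
    if (preg_match('/value="([^"]*)"/', $html, $m)) {
        return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    }
    return '';
}

// Constructed sample: the string from the ticket description.
$stored = 'key1="value string with multiple words" AND key2="another value string"';

// Unescaped echo: the attribute ends at the first quote inside the data,
// so only the text before it is submitted on the next "update settings".
$unescaped = '<input type="text" name="opt" value="' . $stored . '">';

// Assumed variant: the value was saved with slashes still attached, which
// leaves a trailing backslash just before the attribute closes early.
$slashed = '<input type="text" name="opt" value="' . addslashes($stored) . '">';

// Escaped echo: quotes become &quot;, the attribute spans the whole string,
// and the browser decodes it back to the original on display and submit.
$escaped = '<input type="text" name="opt" value="' . attr_escape($stored) . '">';

foreach (['unescaped' => $unescaped, 'slashed' => $slashed, 'escaped' => $escaped] as $label => $html) {
    printf("%-10s -> %s\n", $label, browser_attribute_value($html));
}
```

Only the escaped form round-trips the full string; the first two lose everything after the first quote, so a second save would overwrite the option with the truncated value.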

#2 @nacin
12 years ago

  • Milestone Unassigned deleted
  • Resolution set to invalid
  • Status changed from new to closed

Re-open with steps to reproduce.