Opened 15 years ago
Closed 15 years ago
#12181 closed defect (bug) (invalid)
Sanitizing text input fields before rendering but not before storing their content
Reported by: | | Owned by: |
---|---|---|---
Milestone: | | Priority: | normal
Severity: | normal | Version: | 2.9.1
Component: | General | Keywords: | reporter-feedback
Focuses: | | Cc: |
Description
In WPMU 2.8.5.2 and WP 2.9.1, filters are used to sanitize the content of text input fields in the admin area.
However, the filters are applied only before rendering the content, but not before transmitting and storing this content in the database.
For example, I can type in something like:
key1="value string with multiple words" AND key2="another value string"
and store it correctly in the database. When I "echo" this string into its text input field again to show that it has been correctly stored, it is rendered as
key1=\
The problem is that if a user does not pay attention and clicks on "update settings" again, the wrong string is stored in the database because the wrongly rendered string is transmitted.
I checked the multitude of filters that WP applies but could not find out how to adjust the filtering/sanitizing of input for this specific text input field. Even calling "remove_all_filters()" shows no effect.
I think that sanitizing is a good idea but it needs to become more consistent and adjustable in WP. I would like to sanitize everything that's between the quotes, not eliminate everything following the first quote.
Thanks a lot in advance for all hints and pointers!
A.
Can you post some code to highlight the bug you're seeing?
Also, verify that YOU are escaping the data before echoing it into an attribute using a function such as esc_attr().
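The round trip described in the report (full string stored, truncated string read back from the form and re-saved) can be reproduced with the following stand-alone PHP script, an added example rather than code from the ticket or from WordPress core. It assumes htmlspecialchars() with ENT_QUOTES as a stand-in for esc_attr(), and models the browser's attribute parsing with a simple regular expression.

```php
<?php
// Constructed example: shows why a value echoed into an HTML attribute must
// be escaped on output. An unescaped double quote ends the attribute early,
// so the browser submits only the text before it on the next "update".

// Sample value as typed by the reporter (constructed copy of the ticket text).
$stored = 'key1="value string with multiple words" AND key2="another value string"';

// Vulnerable rendering: the raw value goes straight into the attribute.
function render_unescaped(string $value): string {
    return '<input type="text" name="opt" value="' . $value . '" />';
}

// Hardened rendering: quotes, ampersands and angle brackets become entities.
// In WordPress this is esc_attr(); in plain PHP htmlspecialchars() with
// ENT_QUOTES is the closest stand-alone equivalent (assumption, see lead-in).
function render_escaped(string $value): string {
    return '<input type="text" name="opt" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />';
}

// Minimal model of what a browser reads back as the field's value:
// the text up to the first unescaped double quote, entity-decoded.
function browser_reads(string $html): string {
    if (preg_match('/value="([^"]*)"/', $html, $m) !== 1) {
        return '';
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$roundtrip_bad  = browser_reads(render_unescaped($stored));
$roundtrip_good = browser_reads(render_escaped($stored));

// The unescaped form loses everything after the first quote; the escaped
// form survives the round trip unchanged, so a second "update" stores
// the same value instead of a truncated one.
echo "unescaped form submits: " . $roundtrip_bad . "\n";
echo "escaped form submits:   " . $roundtrip_good . "\n";
assert($roundtrip_bad !== $stored);
assert($roundtrip_good === $stored);
```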