Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#12623 closed defect (bug) (worksforme)

Unchecked Input Condition in Widgets

Reported by: hakre
Owned by: azaozz
Milestone:
Priority: normal
Severity: normal
Version: 3.0
Component: Widgets
Keywords:
Focuses:
Cc:


In WP_Widget::__construct() - according to the documented specs - first parameter $id_base has to be unique.

Next to the fact that it is not properly documented what domain the uniqueness has to apply to, the input is not verified at all for uniqueness, leaving the specification useless as well as leaving WordPress open to a malfunction on the underlying data structures and models.
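A site-level check for the collision described above, as an added example that is not part of the ticket or of WordPress core. It assumes the global `$wp_widget_factory` and its `widgets` array; the function name `find_duplicate_id_bases` and the sample classes are hypothetical.

```php
<?php
// Added example: report WP_Widget subclasses that share an $id_base.
// Widget settings are stored in the option "widget_{$id_base}", so two
// classes with the same base read and write the same stored settings.

/**
 * Group widget classes by id_base and return only the colliding groups.
 *
 * @param object[] $widgets Objects exposing a public id_base property.
 * @return array id_base => list of class names using it.
 */
function find_duplicate_id_bases(array $widgets) {
    $by_base = array();
    foreach ($widgets as $widget) {
        // Defensive normalisation so "Recent" and "recent" count as one base.
        $base = strtolower((string) $widget->id_base);
        $by_base[$base][] = get_class($widget);
    }
    // Keep only bases claimed by more than one distinct class.
    return array_filter($by_base, function ($classes) {
        return count(array_unique($classes)) > 1;
    });
}

if (function_exists('add_action')) {
    // Inside WordPress: run after all widgets_init callbacks have registered.
    add_action('widgets_init', function () {
        global $wp_widget_factory;
        $dupes = find_duplicate_id_bases($wp_widget_factory->widgets);
        foreach ($dupes as $base => $classes) {
            error_log(sprintf(
                'Widget id_base "%s" is shared by: %s',
                $base,
                implode(', ', $classes)
            ));
        }
    }, PHP_INT_MAX);
} else {
    // Outside WordPress: constructed sample classes, for illustration only.
    class Acme_Recent  { public $id_base = 'recent'; }
    class Other_Recent { public $id_base = 'Recent'; }
    class Acme_Links   { public $id_base = 'acme_links'; }
    print_r(find_duplicate_id_bases(
        array(new Acme_Recent(), new Other_Recent(), new Acme_Links())
    ));
}
```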

Change History (5)

#1 @hakre
8 years ago

  • Component changed from General to Widgets
  • Owner set to azaozz

#2 @hakre
8 years ago

  • Version set to 3.0

#3 follow-up: @nacin
8 years ago

  • Milestone changed from Unassigned to 3.0

So we just need some docs?

#4 in reply to: ↑ 3 @azaozz
8 years ago

Replying to nacin:

So we just need some docs?

The uniqueness requirement is the same as for plugin and theme function names, and since widgets are only added by plugins and themes, it seems pretty clear. It is well explained in the codex (prefixing a function name with a unique string) and has been working well for years.

Perhaps we could add something to that effect to the phpdoc to remove any doubts.

#5 @nacin
8 years ago

  • Milestone 3.0 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I honestly can't see how we can make the inline docs more clear without being just redundant.
