Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#15198 closed defect (bug) (fixed)

Inconsistencies in sanitize_user and sanitize_key

Reported by: duck_
Owned by: ryan
Milestone: 3.1
Priority: normal
Severity: normal
Version: 3.0
Component: Formatting
Keywords: has-patch 2nd-opinion

Description

It seems to me that sanitize_user can perform inconsistently by returning a different string compared to the input when passed a previously sanitized string. This occurs when the first round returns a string ending in a space; then, in the second round, when wp_strip_all_tags trims the string, it changes the previously sanitized input. The only workaround I could think of for now was to always trim the output of sanitize_user.

Also, sanitize_key does not behave as described by the docs (I guess the docs could be wrong instead of the code, but I'm not sure). That is, "They should be lowercase ASCII. Dashes and underscores are allowed." seems to be incorrect. The regex allows ".", space and "@", and has the ignore-case modifier.

Example:

<?php
// Strict-mode sanitize_user: the first pass leaves a trailing space,
// the second pass (on the already sanitized value) trims it away.
$test = sanitize_user( 'test ***', true );
var_dump( $test );
var_dump( sanitize_user( $test, true ) );

// sanitize_key keeps upper case, spaces, "@" and "." despite the docs.
var_dump( sanitize_key( 'UPPER   C@SE.', true ) );

Expected: the first two to be exactly the same and the last to output "uppercse"

Actual:

string(5) "test "
string(4) "test"
string(11) "UPPER C@SE."

Patch attached. Though this is the kind of change that I can foresee potentially creating problems, i.e. looking up a string which previously returned a different result when passed through either function.
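As an added illustration (not the attached patch and not WordPress's own code), the PHP below models the two functions as the ticket describes them, checks each for idempotence, and shows the always-trimmed and lowercase-only variants that give the expected results. The model stands in wp_strip_all_tags with strip_tags() plus trim(), which is the step that causes the non-idempotence, and omits accent, entity and octet handling; the model_* names are the example's own.

```php
<?php
// Added model of the behaviour reported in this ticket; not WordPress's code.
// wp_strip_all_tags() is modelled as strip_tags() followed by trim().
function model_strip_all_tags( $string ) {
    return trim( strip_tags( $string ) );
}

// Behaviour as reported: strict mode whitelists a-z, 0-9, space, _ . - @
// (case-insensitive) but never trims, so a trailing space survives round one.
function model_sanitize_user_old( $username, $strict = false ) {
    $username = model_strip_all_tags( $username );
    if ( $strict ) {
        $username = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $username );
    }
    return $username;
}

// Workaround from the ticket: always trim the result, so a second pass is a no-op.
function model_sanitize_user_new( $username, $strict = false ) {
    return trim( model_sanitize_user_old( $username, $strict ) );
}

// sanitize_key as reported: the same permissive, case-insensitive pattern.
function model_sanitize_key_old( $key ) {
    return preg_replace( '|[^a-z0-9 _.\-@]|i', '', $key );
}

// sanitize_key as the docs describe it: lowercase ASCII letters, digits, dash, underscore.
function model_sanitize_key_new( $key ) {
    return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( $key ) );
}

// A sanitizer is idempotent when sanitizing its own output changes nothing.
// Code that stores a sanitized value and later looks it up by re-sanitizing
// the same input depends on this property.
function is_idempotent( callable $fn, $input ) {
    $once = $fn( $input );
    return $once === $fn( $once );
}

$user_old = function ( $s ) { return model_sanitize_user_old( $s, true ); };
$user_new = function ( $s ) { return model_sanitize_user_new( $s, true ); };

var_dump( is_idempotent( $user_old, 'test ***' ) ); // reported behaviour
var_dump( is_idempotent( $user_new, 'test ***' ) ); // with the trim workaround
var_dump( model_sanitize_key_old( 'UPPER   C@SE.' ) ); // reported behaviour
var_dump( model_sanitize_key_new( 'UPPER   C@SE.' ) ); // behaviour the docs describe
```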

Attachments (1)

15198.diff (1.9 KB) - added by duck_ 6 years ago.


Change History (3)

@duck_
6 years ago

#1 @nacin
6 years ago

  • Milestone changed from Awaiting Review to 3.1
  • Owner set to ryan
  • Status changed from new to assigned

#2 @ryan
6 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed