Make WordPress Core

Opened 4 years ago

Last modified 2 months ago

#16101 new defect (bug)

Numeric term fields are strings

Reported by: foofy Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Taxonomy Keywords: needs-patch needs-unit-tests
Focuses: Cc:


The numeric fields (term_id, parent, etc.) on term objects are strings. I only noticed this because term_exists() uses is_int() to determine if the $term value is an ID or slug.

Only ticket I could find about this is #5381.

sanitize_term() should fix this, but it bails early in the "raw" context. sanitize_term_field() sanitizes the numeric fields in every context. I don't see a reason for sanitize_term() to bail early so I made a patch that takes that out. The patch also adds some missing fields to the list of those to be sanitized and changes term_exists() to use is_numeric() (which will correctly identify strings containing only numbers) instead of is_int().

Attachments (1)

sanitize-numeric-term-fields.patch (1.4 KB) - added by foofy 4 years ago.

Download all attachments as: .zip

Change History (10)

comment:1 @scribu4 years ago

From the PHP manual on is_numeric():

Finds whether the given variable is numeric. Numeric strings consist of optional sign, any number of digits, optional decimal part and optional exponential part. Thus +0123.45e6 is a valid numeric value. Hexadecimal notation (0xFF) is allowed too but only without sign, decimal and exponential part.

This could cause subtle bugs.

comment:2 @foofy4 years ago

  • Cc foofy@… added

I think it would be fine to leave that as is_int() since the problem goes away if the term objects are properly sanitized.

comment:3 follow-up: @mdawaffe4 years ago

  • Keywords dev-feedback added
  • Milestone changed from Awaiting Review to Future Release

Can use ctype_digit( $term ) without making changes to sanitize_term*().

Casting everything to (int) could change the output of XML-RPC requests which can break clients, so we need to be super careful there.

comment:4 in reply to: ↑ 3 @mdawaffe4 years ago

Replying to mdawaffe:

Can use ctype_digit( $term ) without making changes to sanitize_term*().

Nacin tells me some hosts disable Ctype, which is ridiculous (on the hosts' parts, not on Nacin's).

comment:5 @iandunn2 years ago

  • Cc ian_dunn@… added
  • Keywords changed from has-patch dev-feedback to has-patch dev-feedback

This just bit me in the ass, because I took the term_id from get_terms() and passed it to get_term_link() as $term. get_term_link() assumed that $term was a slug because it failed is_int(), and since there's no term named "237", it returned a WP_Error().

It seems to me like casting the values to int in get_term*() is the proper fix, even if it requires patching/testing XML-RPC code. If there's a consensus behind that approach, I'll try to find time to write and test a new patch over the next couple weeks.

Last edited 2 years ago by iandunn (previous) (diff)

comment:7 @wonderboymusic20 months ago

  • Keywords needs-patch added; has-patch dev-feedback removed

comment:8 @SergeyBiryukov6 months ago

#29756 was marked as a duplicate.

comment:9 @boonebgorges2 months ago

  • Keywords needs-unit-tests added
Note: See TracTickets for help on using tickets.