Make WordPress Core

Opened 4 years ago

Last modified 2 months ago

#16773 new defect (bug)

Unescaped preg_match breaks with PHP 5.3 Namespaced Widget Classes.

Reported by: 5ubliminal Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 3.1
Component: Widgets Keywords: has-patch
Focuses: Cc:


In file /wp-admin/includes/widgets.php at line 118 in function next_widget_id_number we have:

preg_match( '/' . $id_base . '-([0-9]+)$/', $widget_id, $matches )

It generates very ugly warnings for Namespaced Widget Classes as it should cuorrectly be:

preg_match( '/' . preg_quote($id_base, '/') . '-([0-9]+)$/', $widget_id, $matches )


PS: I think you should do a whole sanity check regarding use of Namespaces and Closures. I'm currently switching completely to PHP 5.3 style and I'll keep you updated if I find other... problems.

Attachments (1)

16773.diff (834 bytes) - added by solarissmoke 4 years ago.

Download all attachments as: .zip

Change History (6)

comment:1 @5ubliminal4 years ago

Spoke too soon. This problem only occurs if you don't specify an id_base. But, if you do, it goes away.

If you don't... the problem starts in


where $this->id_base should be sanitized once more:

$this->id_base = trim(preg_replace('~[^a-z0-9-_]+~i', '-', $this->id_base), '-');

or one could just weed out / and \ characters.


comment:2 @5ubliminal4 years ago

  • Severity changed from major to minor

@solarissmoke4 years ago

comment:3 @solarissmoke4 years ago

  • Keywords has-patch added

We already have a function to do just that :)

comment:4 @tamlyn2 years ago

  • Cc tamlyn@… added

Patch looks good to me. Any reason this hasn't been accepted yet?

Note: See TracTickets for help on using tickets.