Make WordPress Core

Opened 6 years ago

Last modified 3 months ago

#16773 new defect (bug)

Unescaped preg_match breaks with PHP 5.3 Namespaced Widget Classes.

Reported by: 5ubliminal Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 3.1
Component: Widgets Keywords: has-patch needs-unit-tests needs-testing
Focuses: Cc:


In file /wp-admin/includes/widgets.php at line 118 in function next_widget_id_number we have:

preg_match( '/' . $id_base . '-([0-9]+)$/', $widget_id, $matches )

It generates very ugly warnings for Namespaced Widget Classes as it should cuorrectly be:

preg_match( '/' . preg_quote($id_base, '/') . '-([0-9]+)$/', $widget_id, $matches )


PS: I think you should do a whole sanity check regarding use of Namespaces and Closures. I'm currently switching completely to PHP 5.3 style and I'll keep you updated if I find other... problems.

Attachments (3)

16773.diff (834 bytes) - added by solarissmoke 6 years ago.
widgets.txt (156.2 KB) - added by stevenkword 23 months ago.
Plugin classes that extend WP_Widget
16773.2.diff (884 bytes) - added by drebbits.web 16 months ago.

Download all attachments as: .zip

Change History (14)

#1 @5ubliminal
6 years ago

Spoke too soon. This problem only occurs if you don't specify an id_base. But, if you do, it goes away.

If you don't... the problem starts in


where $this->id_base should be sanitized once more:

$this->id_base = trim(preg_replace('~[^a-z0-9-_]+~i', '-', $this->id_base), '-');

or one could just weed out / and \ characters.


#2 @5ubliminal
6 years ago

  • Severity changed from major to minor

6 years ago

#3 @solarissmoke
6 years ago

  • Keywords has-patch added

We already have a function to do just that :)

#4 @tamlyn
4 years ago

  • Cc tamlyn@… added

Patch looks good to me. Any reason this hasn't been accepted yet?

#5 @jdgrimes
2 years ago

Related: #27770

#6 @jorbin
23 months ago

  • Keywords needs-unit-tests needs-testing added

I'd like to ensure that switching from strtolower to sanitize_key doesn't cause any breakage. @stevenkword is going to try and pull the classname of all the widgets currently in the plugin repo and make sure that none of the plugin classes are going to change from the switch.

I would also like to see some unit tests here.

23 months ago

Plugin classes that extend WP_Widget

#7 @stevenkword
23 months ago

I've attached widgets.txt which contains a list of all classes which extend WP_Widget from the plugin repository.

The list was created using Mark Jaquith's WordPress-Plugin-Directory-Slurper to obtain a directory of plugins.

Then I used the following command to create the file:
ack-grep --php "[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*. extends WP_Widget" ./plugins/ | cut -d' ' -f2 > ./widgets.txt

The pattern was taken from here: http://php.net/manual/en/functions.user-defined.php

Last edited 23 months ago by stevenkword (previous) (diff)

#8 @drebbits.web
16 months ago

Since the time the patch was added, widget class had been restructured to class-wp-widget.php. I applied the previous patch to the correct file.

#9 follow-up: @westonruter
16 months ago

Feedback on 16773.2.diff:

$this->id_base = empty($id_base) ? preg_replace( '/(wp_)?widget_/', '', sanitize_key( get_class( $this ) ) ) : sanitize_key( $id_base ); 

The use of strtolower() should be retained because PHP class names should be have capitalized words. So to ensure that WP_Widget_Foo becomes foo as the default $id_base, use strtolower().

if ( empty($id_base) ) {
    $this->id_base = preg_replace( '/(wp_)?widget_/', '', strtolower( sanitize_key( get_class( $this ) ) ) );
} else {
    $this->id_base = sanitize_key( get_class( $this ) );

This will also ensure back-compat, since strtolower() is currently used in Core.

#10 in reply to: ↑ 9 @SergeyBiryukov
3 months ago

Replying to westonruter:

The use of strtolower() should be retained because PHP class names should be have capitalized words. So to ensure that WP_Widget_Foo becomes foo as the default $id_base, use strtolower().

sanitize_key() already does that, adding a second call seems redundant.

#11 @westonruter
3 months ago

@SergeyBiryukov good point. Another consideration is perhaps it not a good idea to use the sanitize_key function at all because the return value is filtered so in reality we have no idea what it could actually return. As such, maybe it is better to copy the logic from sanitize_key to inline it?

Note: See TracTickets for help on using tickets.