Make WordPress Core

Opened 3 years ago

Last modified 2 years ago

#23423 new defect (bug)

sanitize_title() in dynamic_sidebar() restricts the use of specific characters for sidebar IDs

Reported by: paulvandermeijs
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 2.2
Component: Widgets
Keywords: has-patch
Focuses:
Cc:


The dynamic_sidebar() function in wp-includes/widgets.php uses sanitize_title() on the given index when it looks for a sidebar with a name that matches the index. After that it leaves the index value sanitized, making it impossible to use characters not allowed by sanitize_title() in a sidebar ID.

By not overwriting the given index value with the sanitized version it would still be possible to use any character for the ID. To achieve this, lines 847-853

$index = sanitize_title($index);
foreach ( (array) $wp_registered_sidebars as $key => $value ) {
	if ( sanitize_title($value['name']) == $index ) {
		$index = $key;

should be replaced with

$sanitized_index = sanitize_title($index);
foreach ( (array) $wp_registered_sidebars as $key => $value ) {
	if ( sanitize_title($value['name']) == $sanitized_index ) {
		$index = $key;

Attachments (1)

23423.diff (627 bytes) - added by fjarrett 2 years ago.


Change History (4)

comment:1 @SergeyBiryukov 3 years ago

  • Version changed from 3.5.1 to 2.2

Related: [5473] (for #4258).

comment:2 @fjarrett 2 years ago

  • Cc fjarrett@… added
  • Keywords has-patch added; needs-patch removed

Patch allowing unsanitized $index

@fjarrett 2 years ago
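
The behaviour reported in this ticket, as an added example that is not part of the ticket or of WordPress core: the two lookup variants quoted in the description, run against a constructed sidebar registry. simple_sanitize_title(), resolve_original(), resolve_proposed() and the sample sidebars are hypothetical names for illustration; the sanitizer is a simplified stand-in for sanitize_title().

```php
<?php
// Hypothetical, simplified stand-in for WordPress's sanitize_title();
// the real function handles more cases (accents, entities, filters).
function simple_sanitize_title(string $title): string {
    $title = strtolower(str_replace('.', '-', $title));
    $title = preg_replace('/[^a-z0-9 _-]/', '', $title);
    $title = preg_replace('/[\s-]+/', '-', $title);
    return trim($title, '-');
}

// Lookup as quoted in the ticket: $index is overwritten with its sanitized form.
function resolve_original(array $sidebars, string $index): string {
    $index = simple_sanitize_title($index);
    foreach ($sidebars as $key => $value) {
        if (simple_sanitize_title($value['name']) == $index) {
            $index = $key;
            break;
        }
    }
    return $index;
}

// Lookup as proposed in the ticket: only the comparison uses the sanitized copy.
function resolve_proposed(array $sidebars, string $index): string {
    $sanitized_index = simple_sanitize_title($index);
    foreach ($sidebars as $key => $value) {
        if (simple_sanitize_title($value['name']) == $sanitized_index) {
            $index = $key;
            break;
        }
    }
    return $index;
}

// Constructed sample registry, keyed by sidebar ID.
$sidebars = [
    'sidebar-1'   => ['name' => 'Main Sidebar'],
    'Footer.Left' => ['name' => 'Left footer column'],
];

// Request one sidebar by name and one by an ID that sanitizing would alter.
foreach (['Main Sidebar', 'Footer.Left'] as $requested) {
    foreach (['resolve_original', 'resolve_proposed'] as $resolver) {
        $id = $resolver($sidebars, $requested);
        printf("%-17s %-13s -> %-12s %s\n", $resolver, $requested, $id,
            isset($sidebars[$id]) ? 'found' : 'NOT FOUND');
    }
}
```

In both variants a sidebar whose sanitized name matches the request takes precedence over a sidebar whose ID matches it.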
