Make WordPress Core

Opened 9 years ago

Last modified 2 years ago

#31777 new defect (bug)

sanitize_text_field() stripping instances "%ca"

Reported by: lieutenantdan
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.1.1
Component: General
Keywords:
Focuses:
Cc:


Forgive me if this isn't a bug; however, I believe it is. When you try to sanitize the string "%category%" with the WordPress native function sanitize_text_field(), it will strip the "%ca", leaving the string "tegory%". Maybe this is a security precaution, but it seems like something that should be fixed.

I found this while trying to simulate the custom permalink options in my own custom option and noticed anything containing "%ca" is removed.

Thanks for your time.

Change History (3)

#1 @playen
9 years ago

This probably has to do with %CA being URL encoding for Ê.
I came across the same issue in phpList.

#2 @SergeyBiryukov
2 years ago

#56430 was marked as a duplicate.

#3 @SergeyBiryukov
2 years ago

Hi there, welcome to WordPress Trac! Thanks for the ticket, sorry it took so long for someone to get back to you.

Just noting that the function also appears to strip %de from %description%, per #56430.

I think comment:1 is accurate and this has to do with URL encoding, so there might be other character sequences in the form of %aa to %ff that would also be stripped.

Related: #53019
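
The stripping discussed in comments 1 and 3, as a stand-alone PHP example added here (not WordPress core code and not written by anyone on the ticket). It assumes the sanitizer removes every `%` followed by two hex digits, case-insensitively, until none remain; `strip_percent_octets()` and `validate_tag_structure()` are hypothetical names, and the second shows one way a custom option could accept permalink-style tags by allow-list instead of passing them through that stripping.

```php
<?php
// Added illustration, not WordPress core code.
// ASSUMPTION: the stripping step removes every "%" followed by two hex
// digits, case-insensitively, and repeats until no such sequence is left.
function strip_percent_octets( string $value ): string {
    while ( preg_match( '/%[a-f0-9]{2}/i', $value, $match ) ) {
        $value = str_replace( $match[0], '', $value );
    }
    return $value;
}

// Hypothetical alternative for an option that stores %tag% placeholders:
// accept only known tags plus path-like literal characters, and reject
// everything else (returns null) instead of silently rewriting the value.
function validate_tag_structure( string $value, array $allowed_tags ): ?string {
    $literal = preg_replace_callback(
        '/%([a-z_]+)%/',
        static function ( array $m ) use ( $allowed_tags ): string {
            // Known tags are removed; unknown ones stay and fail the check below.
            return in_array( $m[1], $allowed_tags, true ) ? '' : $m[0];
        },
        $value
    );
    if ( null === $literal ) {
        return null; // Regex engine error: treat as invalid input.
    }
    // A leftover "%" (unknown tag or raw percent-octet) fails this pattern.
    return preg_match( '#^[A-Za-z0-9/_.-]*$#', $literal ) ? $value : null;
}

// Constructed sample inputs: placeholders whose first two letters after "%"
// happen to be hex digits are damaged, the others pass through unchanged.
$samples = array( '%category%', '%description%', '%day%', '%feed%', '%postname%', '%year%' );
foreach ( $samples as $sample ) {
    printf( "%-15s => %s\n", $sample, var_export( strip_percent_octets( $sample ), true ) );
}

// Constructed allow-list and option values for the validator.
$allowed = array( 'category', 'description', 'day', 'postname', 'year' );
foreach ( array( '/%year%/%category%/%postname%/', '/%category%/%2e%2e/', '/%unknown%/' ) as $option ) {
    printf( "%-32s => %s\n", $option, var_export( validate_tag_structure( $option, $allowed ), true ) );
}
```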
