Opened 8 years ago
Last modified 9 months ago
#31777 new defect (bug)
sanitize_text_field() stripping instances "%ca"
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 4.1.1 |
| Component: | General | Keywords: | |
| Focuses: | Cc: |
Description
Forgive me if this isn't a bug, however I believe it is. But when you try to sanitize the string "%category%" with the WordPress native function sanitize_text_field() it will strip the "%ca" leaving the string "tegory%". Maybe this is a security precaution but it seems like something that should be fixed.
I found this while trying to simulate the custom permalink options in my own custom option and noticed anything containing "%ca" is removed.
Thanks for your time.
Change History (3)
#3
@
9 months ago
Hi there, welcome to WordPress Trac! Thanks for the ticket, sorry it took so long for someone to get back to you.
Just noting that the function also appears to strip %de from %description%, per #56430.
I think comment:1 is accurate and this has to do with URL encoding, so there might be other character sequences in the form of %aa to %ff that would also be stripped.
Related: #53019
This probably has to do with %CA being URL encoding for Ê
I came across the same issue in phpList