
Opened 11 months ago

Last modified 8 months ago

#41450 reviewing defect (bug)

sanitize_text_field() assumes the field is a string

Reported by: johnbillion Owned by: johnbillion
Milestone: 5.0 Priority: low
Severity: normal Version: 2.9
Component: Formatting Keywords: has-patch dev-feedback
Focuses: Cc:

Description

The sanitize_text_field() sanitisation function is used to sanitize text input, but the function actually assumes the field is a string. If an array is passed in, for example, then it'll raise PHP errors.

This function should gracefully handle non-string data, probably by returning an empty string.

Attachments (1)

41450.diff (972 bytes) - added by Mte90 8 months ago.
patch with unit test


Change History (4)

#1 @NathanAtmoz
10 months ago

sanitize_textarea_field has the same issue. Should both functions check whether the input is a string independently, or should _sanitize_text_fields do it?

@Mte90
8 months ago

patch with unit test

#2 @Mte90
8 months ago

  • Keywords has-patch dev-feedback added; needs-patch 2nd-opinion removed

This patch contains a check with is_string and a unit test for a string that is not a string.
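As an added illustration of the fix being discussed (this is not the attached patch and not WordPress's own code), the example below puts the is_string guard in the one shared helper that both public functions pass through, which is the placement comment #1 asks about. The helper body (strip_tags and whitespace collapsing) and the demo_ names are assumptions standing in for the real _sanitize_text_fields() internals.

```php
<?php
// Added illustration for ticket #41450: NOT WordPress code. The demo_ functions
// and the helper body are assumptions; only the is_string guard mirrors the fix.
declare(strict_types=1);

/** Shared helper: the single place the type guard lives, so both wrappers get it. */
function demo_sanitize_text_fields($str, bool $keep_newlines = false): string
{
    // Guard first. An array handed to strip_tags() throws a TypeError on PHP 8
    // (a warning plus a null return on PHP 7); null and objects fail similarly.
    // Returning '' keeps a form handler from erroring when a client sends
    // name[]=x instead of name=x.
    if (!is_string($str)) {
        return '';
    }
    $filtered = strip_tags($str);
    // Collapse whitespace; the textarea variant keeps newlines intact.
    $pattern  = $keep_newlines ? '/[ \t]+/' : '/\s+/';
    $filtered = preg_replace($pattern, ' ', $filtered);
    return trim($filtered);
}

function demo_sanitize_text_field($str): string
{
    return demo_sanitize_text_fields($str, false);
}

function demo_sanitize_textarea_field($str): string
{
    return demo_sanitize_text_fields($str, true);
}

// Constructed inputs: the shapes a request handler actually receives.
$inputs = [
    'plain string'       => "  <b>hello</b>\tworld ",
    'array (name[]=...)' => ['<b>hello</b>'],
    'null (field absent)' => null,
    'integer'            => 42,
];
foreach ($inputs as $label => $value) {
    // Expected: "hello world" for the string, "" for every non-string input.
    printf("%-20s => %s\n", $label, var_export(demo_sanitize_text_field($value), true));
}
```

Running it shows the string input normalised to "hello world" and every non-string input reduced to an empty string, with no warnings or TypeError raised.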

#3 @johnbillion
8 months ago

  • Milestone changed from Awaiting Review to 5.0
  • Owner set to johnbillion
  • Status changed from new to reviewing