Opened 7 years ago
Closed 6 years ago
#42461 closed defect (bug) (fixed)
Drop sanitize_text_field() for widget titles in forms
Reported by: | greenshady | Owned by: | pento |
---|---|---|---|
Milestone: | 5.1 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Widgets | Keywords: | has-patch |
Focuses: | administration | Cc: | |
Description
In several widgets, the sanitize_text_field() function is used to sanitize the widget title before it is output in the widget form() method (note: not the update() method). This is prior to the widget title being escaped via esc_attr() in the text input field.
The handling of this is inconsistent between widgets (some do this, some don't).
I originally posted about this in #33235 when strip_tags() was being used. I was working on a plugin to allow a limited subset of inline HTML within widget titles. Plugin for testing: https://github.com/justintadlock/widget-title-html
I erroneously thought the issue was corrected, but it wasn't. It looks like I didn't thoroughly test things.
While I'd like for my plugin to actually work across the board at some point and don't think sanitize_text_field() is necessary in the form, at the very least, this should be handled consistently in the core widgets.
The following widgets seem to use both sanitize_text_field() + esc_attr():
- Archives
- Calendar
- Categories
- Meta
All other widgets do not.
@greenshady I think you're correct, sanitize_text_field doesn't need to be used when rendering the form initially. Its proper usage is when processing the input field. I've added a patch to remove and use only esc_html() on the output.
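To make the placement discussed in the ticket and in the comment above concrete, here is an added example of a minimal WP_Widget subclass that sanitizes the title on input (in update()) and only escapes it on output (esc_attr() in form(), esc_html() in widget()). This is illustrative code written for this page, not one of the core widgets and not the patch attached to the ticket; the class name Example_Title_Widget and the base ID example_title_widget are assumed, and escaping the front-end title as HTML text in widget() is this example's choice rather than something the ticket prescribes.

```php
<?php
/**
 * Hypothetical widget showing where sanitization and escaping belong:
 * sanitize untrusted input once in update(), escape for the output
 * context in form() and widget(). Not a core widget.
 */
class Example_Title_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct(
            'example_title_widget', // assumed base ID for this example
            'Example Title Widget',
            array( 'description' => 'Shows title sanitization placement.' )
        );
    }

    /**
     * Admin form. The stored title is escaped for the attribute context
     * only; there is no sanitize_text_field() here, so a value that was
     * already sanitized on save round-trips into the field unchanged.
     */
    public function form( $instance ) {
        $instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );
        ?>
        <p>
            <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>">Title:</label>
            <input class="widefat"
                   id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"
                   name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>"
                   type="text"
                   value="<?php echo esc_attr( $instance['title'] ); ?>" />
        </p>
        <?php
    }

    /**
     * Save handler. $new_instance comes straight from the submitted form
     * and is untrusted, so this is the one place sanitize_text_field()
     * runs: it strips tags, invalid octets and stray whitespace before
     * the value is persisted.
     */
    public function update( $new_instance, $old_instance ) {
        $instance          = $old_instance;
        $instance['title'] = isset( $new_instance['title'] )
            ? sanitize_text_field( $new_instance['title'] )
            : '';
        return $instance;
    }

    /**
     * Front-end output. The title passes through the widget_title filter
     * (as core widgets do) and is then escaped for the HTML text context.
     */
    public function widget( $args, $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        $title = apply_filters( 'widget_title', $title, $instance, $this->id_base );

        echo $args['before_widget'];
        if ( '' !== $title ) {
            echo $args['before_title'] . esc_html( $title ) . $args['after_title'];
        }
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Title_Widget' );
} );
```

Dropped into a plugin file, the widget appears under Appearance > Widgets. The useful check is to save a title containing a tag or leading whitespace and confirm it is normalized once by update(), while a second visit to the form shows the stored value exactly as saved, which is the consistency the ticket asks for across the Archives, Calendar, Categories and Meta widgets.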