Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#42461 closed defect (bug) (fixed)

Drop sanitize_text_field() for widget titles in forms

Reported by: greenshady Owned by: pento
Milestone: 5.1 Priority: normal
Severity: normal Version:
Component: Widgets Keywords: has-patch
Focuses: administration Cc:


In several widgets, the sanitize_text_field() function is used to sanitize the widget title before it is output in the widget form() method (note: not the update() method). This is prior to the widget title being escaped via esc_attr() in the text input field.

The handling of this is inconsistent between widgets (some do this, some don't).

I originally posted about this in #33235 when strip_tags() was being used. I was working on a plugin to allow a limited subset of inline HTML within widget titles. Plugin for testing: https://github.com/justintadlock/widget-title-html

I erroneously thought the issue was corrected, but it wasn't. It looks like I didn't thoroughly test things.

While I'd like for my plugin to actually work across the board at some point and don't think sanitize_text_field() is necessary in the form, at the very least, this should be handled consistently in the core widgets.

The following widgets seem to use both sanitize_text_field() + esc_attr():

  • Archives
  • Calendar
  • Categories
  • Meta

All other widgets do not.

Attachments (1)

42461.diff (5.0 KB) - added by welcher 4 years ago.
Removing unneeded sanitize_text_field calls


Change History (5)

#1 @welcher
4 years ago

  • Focuses administration added
  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 5.0

@greenshady I think you're correct, sanitize_text_field doesn't need to be used when rendering the form initially. Its proper usage is when processing the input field. I've added a patch to remove and use only esc_html() on the output.

@welcher
4 years ago

Attached 42461.diff: Removing unneeded sanitize_text_field calls

#2 @johnbillion
3 years ago

  • Milestone changed from 5.0 to 5.1

#3 @pento
3 years ago

  • Owner set to pento
  • Status changed from new to assigned

#4 @pento
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 44589:

Widgets: Remove unnecessary sanitize_text_field() calls in core widget ::form() methods.

This sanitisation only needs to be run in ::update() to correctly clean up the input.

Props welcher, greenshady.
Fixes #42461.
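The division of labour described in the ticket and confirmed by the commit message above (sanitise once, on input, in `::update()`; only escape on output, in `::form()`) is easy to see in a minimal widget. The following is an added example written for this page, not code from the ticket, from 42461.diff, or from WordPress core; the class name, base ID and the `title` option key are assumptions chosen for the illustration, and it relies on the standard `WP_Widget` API, `sanitize_text_field()`, `esc_attr()` and `esc_html()`.

```php
<?php
/**
 * Added example (not from the ticket, the patch, or WordPress core):
 * a minimal WP_Widget subclass showing where sanitisation and escaping belong.
 * Sanitise on input in update(); escape on output in form() and widget().
 * Class name, base ID and option key are assumptions for this example.
 */
class Example_Title_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct(
            'example_title_widget',             // base ID (assumed)
            'Example Title Widget',             // name shown in the admin
            array( 'description' => 'Shows sanitize-on-input, escape-on-output.' )
        );
    }

    /**
     * Input path: runs when the widget settings are saved from the admin.
     * This is the one place sanitize_text_field() belongs. It strips tags,
     * removes invalid octets and line breaks, and trims whitespace before
     * the value is written to the options table.
     */
    public function update( $new_instance, $old_instance ) {
        $instance          = $old_instance;
        $instance['title'] = isset( $new_instance['title'] )
            ? sanitize_text_field( $new_instance['title'] )
            : '';
        return $instance;
    }

    /**
     * Admin form: echoes the stored value back into a text input.
     * No sanitize_text_field() here, which is the point of the ticket: the
     * stored value was already cleaned by update(), and re-sanitising it would
     * silently alter whatever a plugin deliberately let through on save.
     * esc_attr() is the correct output step for an attribute value.
     */
    public function form( $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        ?>
        <p>
            <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>">Title:</label>
            <input class="widefat"
                   id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"
                   name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>"
                   type="text"
                   value="<?php echo esc_attr( $title ); ?>" />
        </p>
        <?php
    }

    /**
     * Front end: as core widgets do, pass the stored title through the
     * widget_title filter and print it between before_title/after_title.
     * The title is trusted here only because update() sanitised it on input.
     */
    public function widget( $args, $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        $title = apply_filters( 'widget_title', $title, $instance, $this->id_base );

        echo $args['before_widget'];
        if ( '' !== $title ) {
            echo $args['before_title'] . $title . $args['after_title'];
        }
        echo '<p>' . esc_html( 'Widget body goes here.' ) . '</p>';
        echo $args['after_widget'];
    }
}

// Register the widget on the usual hook.
add_action( 'widgets_init', function () {
    register_widget( 'Example_Title_Widget' );
} );
```

With this layout, a value entered as `<b>News</b>` is reduced to `News` exactly once, in `update()`, and `form()` simply reflects what is stored. Keeping `sanitize_text_field()` out of `form()` also means a plugin that relaxes the save-time sanitisation (for instance to allow a limited set of inline tags via `wp_kses()`) sees its stored value survive a round trip through the admin form, which is the inconsistency the ticket reports across the Archives, Calendar, Categories and Meta widgets.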
