Make WordPress Core

Opened 2 months ago

Last modified 6 weeks ago

#42461 new defect (bug)

Drop sanitize_text_field() for widget titles in forms

Reported by: greenshady
Owned by: (none)
Milestone: 5.0
Priority: normal
Severity: normal
Version: (none)
Component: Widgets
Keywords: has-patch
Focuses: administration
Cc: (none)

Description

In several widgets, the sanitize_text_field() function is used to sanitize the widget title before it is output in the widget form() method (note: not the update() method). This is prior to the widget title being escaped via esc_attr() in the text input field.

The handling of this is inconsistent between widgets (some do this, some don't).

I originally posted about this in #33235 when strip_tags() was being used. I was working on a plugin to allow a limited subset of inline HTML within widget titles. Plugin for testing: https://github.com/justintadlock/widget-title-html

I erroneously thought the issue was corrected, but it wasn't. It looks like I didn't thoroughly test things.

While I'd like for my plugin to actually work across the board at some point and don't think sanitize_text_field() is necessary in the form, at the very least, this should be handled consistently in the core widgets.

The following widgets seem to use both sanitize_text_field() + esc_attr():

  • Archives
  • Calendar
  • Categories
  • Meta

All other widgets do not.
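The pattern the ticket describes, shown as an added example that is not code from the ticket, the patch, or WordPress core. It is a minimal widget (the class name `Example_Title_Widget` and its id base are assumptions for illustration) that puts input sanitization in `update()` only and leaves `form()` with output escaping alone; the commented-out line in `form()` is the call the four listed core widgets make and the patch removes. It assumes it is loaded inside WordPress, since `WP_Widget`, `esc_attr()`, `sanitize_text_field()`, `wp_parse_args()` and `register_widget()` are core functions.

```php
<?php
/**
 * Added illustration (not from the ticket or from WordPress core).
 * Assumes it runs inside WordPress: WP_Widget, esc_attr(),
 * sanitize_text_field(), wp_parse_args() and register_widget()
 * are all core functions; the class name is an assumption.
 */
class Example_Title_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct( 'example_title_widget', 'Example Title Widget' );
    }

    /**
     * Admin form. Output escaping only. The stored title is already the
     * result of update(), so sanitizing it again here is redundant and,
     * worse, lossy: anything a plugin deliberately let through update()
     * (for example a limited subset of inline HTML) is stripped from the
     * field every time the form renders, and the next save then overwrites
     * the stored value with the stripped copy.
     */
    public function form( $instance ) {
        $instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );

        // The inconsistent core pattern this ticket removes:
        // $title = sanitize_text_field( $instance['title'] );
        $title = $instance['title'];
        ?>
        <p>
            <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>">Title:</label>
            <input class="widefat"
                   id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"
                   name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>"
                   type="text"
                   value="<?php echo esc_attr( $title ); ?>" />
        </p>
        <?php
    }

    /**
     * Save handler. This is the trust boundary: $new_instance comes from the
     * request, so input sanitization happens here, once, before storage.
     * A plugin that wants a different policy hooks this step, not form().
     */
    public function update( $new_instance, $old_instance ) {
        $instance          = $old_instance;
        $instance['title'] = isset( $new_instance['title'] )
            ? sanitize_text_field( $new_instance['title'] )
            : '';
        return $instance;
    }

    /**
     * Front-end output. As in core widgets, the title passes through the
     * widget_title filter and is echoed as-is, which is only safe because
     * update() already sanitized it; form() adds nothing to that guarantee.
     */
    public function widget( $args, $instance ) {
        $title = apply_filters(
            'widget_title',
            empty( $instance['title'] ) ? '' : $instance['title'],
            $instance,
            $this->id_base
        );

        echo $args['before_widget'];
        if ( $title ) {
            echo $args['before_title'] . $title . $args['after_title'];
        }
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Title_Widget' );
} );
```

The division of labour is the usual one: `update()` sanitizes untrusted request data once on the way in, `form()` escapes stored data for the HTML attribute context it is printed into (`esc_attr()` for a `value="..."` attribute), and `widget()` prints the stored, already-sanitized value. Running `sanitize_text_field()` in `form()` does not add protection, because `esc_attr()` is what prevents attribute breakout; it only changes what the admin sees relative to what is stored.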

Attachments (1)

42461.diff (5.0 KB) - added by welcher 6 weeks ago.
Removing unneeded sanitize_text_field calls


Change History (2)

#1 @welcher
6 weeks ago

  • Focuses administration added
  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 5.0

@greenshady I think you're correct, sanitize_text_field doesn't need to be used when rendering the form initially. Its proper usage is when processing the input field. I've added a patch to remove and use only esc_html() on the output.

@welcher
6 weeks ago

Removing unneeded sanitize_text_field calls
