Opened 6 years ago
Last modified 6 years ago
#46329 new enhancement
sanitize_text_field after 5.1 update should account for __toString() methods
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.1 |
| Component: | Formatting | Keywords: | |
| Focuses: | | Cc: | |
Description
Since 5.1, sanitize_text_field changed to check whether the parameter is an object or an array.
That broke some of my code, and possibly other people's too, because I was passing a SimpleXMLElement object. It has a magic __toString() method that gets called when you do that type conversion.
As @iCaleb suggested in #41450, we may want to add another check.
<?php
if ( ( is_object( $str ) && ! method_exists( $str, '__toString' ) ) || is_array( $str ) ) {
    return '';
}
Attachments (1)
Change History (2)
#1 @ 6 years ago
- Version set to 5.1
Thank you for the bug report, @fclaussen!
This is a bit of a tricky problem. sanitize_text_field() usually has user input passed directly to it, which makes it a target for security issues. In particular, an attacker will try to instantiate a class that implements __toString(), but the content of that string isn't intended for the end user.
I'd love to hear more thoughts on whether we can make this check a little less restrictive in a safe manner.
Attachment: Suggested enhancement to the _sanitize_text_fields function
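As an added illustration (not the ticket's attachment and not WordPress core code), the following stand-alone PHP script applies the check proposed in the description and then exercises the case that comment #1 warns about. `demo_sanitize_text_field()`, `demo_clean_string()` and `DemoInternalRecord` are hypothetical names; the cleanup step is a simplified stand-in for what sanitize_text_field() does, so the script runs without WordPress loaded. The inputs are constructed for the demo.

```php
<?php
// Added example: a stand-alone sketch of the check proposed in the ticket.
// Not WordPress core code; demo_* names and DemoInternalRecord are hypothetical.
declare(strict_types=1);

/**
 * Simplified stand-in for the cleanup sanitize_text_field() performs:
 * strip tags, drop control characters, trim whitespace. Hypothetical helper.
 */
function demo_clean_string(string $str): string
{
    $str = strip_tags($str);
    $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
    return trim($str);
}

/**
 * Front check from the ticket: reject arrays and objects that cannot be
 * cast to a string, but allow objects that implement __toString()
 * (SimpleXMLElement, for instance). method_exists() is used rather than
 * `instanceof Stringable` so the check also behaves on PHP < 8.
 *
 * @param mixed $str
 */
function demo_sanitize_text_field($str): string
{
    if (is_array($str)) {
        return '';
    }
    if (is_object($str) && !method_exists($str, '__toString')) {
        return '';
    }
    // Scalars, null, or a stringable object: the cast is now well defined.
    return demo_clean_string((string) $str);
}

/**
 * Constructed class whose __toString() returns data that was never meant
 * for output. It illustrates the concern in comment #1: once objects with
 * __toString() are accepted, whatever they return reaches the caller.
 */
final class DemoInternalRecord
{
    /** @var string */
    private $internal;

    public function __construct(string $internal)
    {
        $this->internal = $internal;
    }

    public function __toString(): string
    {
        return $this->internal;
    }
}

// Constructed inputs for the demo.
$xml = new SimpleXMLElement(
    '<root><title>Hello &lt;b&gt;World&lt;/b&gt;</title></root>'
);

$cases = [
    'plain string'        => "  <script>alert(1)</script>hi \x07",
    'SimpleXMLElement'    => $xml->title,        // has __toString(): passes
    'stdClass'            => new stdClass(),     // no __toString(): rejected
    'array'               => ['a', 'b'],         // rejected
    'null'                => null,               // casts to ''
    'DemoInternalRecord'  => new DemoInternalRecord('internal-only value'),
];

foreach ($cases as $label => $input) {
    printf("%-20s => %s\n", $label, var_export(demo_sanitize_text_field($input), true));
}
```

Run with `php demo.php`. The SimpleXMLElement case is the reporter's use case and now passes through the cleanup step, while stdClass and the array still yield an empty string. The last case is the point of comment #1: the relaxed check cannot tell a SimpleXMLElement apart from any other object that happens to define __toString(), so whether its output is appropriate for the end user is decided by that class, not by the sanitizer.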