
Opened 8 months ago

Last modified 8 months ago

#46329 new enhancement

sanitize_text_field after 5.1 update should account for __toString() methods

Reported by: fclaussen
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.1
Component: Formatting
Keywords:
Focuses:
Cc:
PR Number:

Description

Since 5.1, sanitize_text_field has changed to check whether the parameter is an object or an array.
That broke some of my code, and possibly other people's too, because I was passing a SimpleXMLElement object. It has a magic __toString() method that gets called when you do that type conversion.

As @iCaleb suggested in #41450, we may want to add another check.

<?php
// Reject arrays and objects, but let objects that can be cast to a string through.
if ( ( is_object( $str ) && ! method_exists( $str, '__toString' ) ) || is_array( $str ) ) {
  return '';
}

Attachments (1)

46329.diff (523 bytes) - added by fclaussen 8 months ago.
Suggested enhancement to the _sanitize_text_fields function


Change History (2)

@fclaussen
8 months ago

Suggested enhancement to the _sanitize_text_fields function

#1 @pento
8 months ago

  • Version set to 5.1

Thank you for the bug report, @fclaussen!

This is a bit of a tricky problem. sanitize_text_field() usually has user input passed directly to it, which makes it a target for security issues. In particular, an attacker will try to instantiate a class that implements __toString(), but the content of that string isn't intended for the end user.

I'd love to hear more thoughts on whether we can make this check a little less restrictive in a safe manner.
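The following is an added illustration, not code from the ticket or from WordPress core. It puts a simplified stand-in for the 5.1 object/array guard next to the check proposed in the description, shows why a __toString() exemption is harder to reason about, and shows the call-site cast that avoids the problem without loosening the core check. The guard_current(), guard_proposed() and LazyValue names are constructed for this example; the real _sanitize_text_fields() does much more than this stand-in.

```php
<?php
// Simplified stand-in for the object/array guard added in 5.1.
// Constructed for illustration; not WordPress's own function.
function guard_current( $str ) {
    if ( is_object( $str ) || is_array( $str ) ) {
        return '';
    }
    return (string) $str;
}

// The looser check proposed in the ticket: objects that implement
// __toString() are allowed through and cast.
function guard_proposed( $str ) {
    if ( ( is_object( $str ) && ! method_exists( $str, '__toString' ) ) || is_array( $str ) ) {
        return '';
    }
    return (string) $str;
}

// Constructed sample of the value the reporter was passing in.
$xml = new SimpleXMLElement( '<name>Alice</name>' );

// Since 5.1 the object is rejected outright; the proposed check casts it.
var_dump( guard_current( $xml ) );
var_dump( guard_proposed( $xml ) );

// The cost of the exemption: any class with __toString() now passes, and the
// sanitizer sees whatever that method chooses to produce at cast time. The
// core function can no longer tell a plain string from a deferred computation.
class LazyValue {
    public function __toString(): string {
        return 'produced by LazyValue::__toString() at cast time';
    }
}
var_dump( guard_proposed( new LazyValue() ) );

// Call-site mitigation that needs no change to core: cast explicitly before
// sanitizing, so the conversion happens in code the caller controls and the
// sanitizer only ever receives a plain string.
var_dump( guard_current( (string) $xml ) );
```

Plugin code hit by the 5.1 change can adopt the explicit cast today; the core discussion is about whether the sanitizer itself should perform that conversion.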
