Changes between Initial Version and Version 1 of Ticket #48955, comment 2


Timestamp: 12/12/2019 11:56:39 PM (2 months ago)
Author: iCaleb

It does highlight incorrect usage and potential assumptions that lead to security issues, but I'd argue this sort of change would better be made with advance notice. Or potentially even deprecation notices followed by strict type checking later on.

----
Also noting that this affects the larger family of `wp_kses*` functions, not just wp_kses_post. And also that previously, arrays were actually escaped, at least somewhat:

{{{#!php
<?php
$test = ['text', '<script>alert("hi")</script>'];

wp_kses_post($test);
// Result:
// array(2) {
//   [0] => string(4) "text"
//   [1] => string(11) "alert("hi")"
// }
}}}

At the end of the day, it just needs to be decided one way or the other regarding array support, whether permanent or even temporary while being phased out.

As-is, it just broke with this new filter as a side effect of how it does its business in the loop. Which is suboptimal.