Opened 12 months ago
Last modified 7 weeks ago
#49277 new enhancement
Implement email sanitize in REST API
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.4 |
| Component: | REST API | Keywords: | has-patch 2nd-opinion has-unit-tests |
| Focuses: | | Cc: | |
Description
Implement email sanitize in REST API over just using `sanitize_text_field`.
Attachments (1)
Change History (9)
#2
@
12 months ago
`filter_var` is used elsewhere in core. `sanitize_text_field` is applied to emails first, then `filter_var` is run. The idea is to just remove characters that are not valid in an email. It doesn't do a lot of the validation that `is_email` does, checking domain length etc.
#4
@
12 months ago
Does that line actually get executed? It looks like it prefers regex which I think needs to be available to run WP?
> The idea is to just remove characters that are not valid in an email.

Right, what I'm trying to figure out is if there is a case where the sanitization would not allow an email that would have previously been allowed by `is_email()`. I understand `filter_var` doesn't do the complex checking `is_email` does. But I'm wondering if any of the characters it strips would've been allowed by `is_email`.
This ticket was mentioned in Slack in #core-restapi by spacedmonkey. View the logs.
9 months ago
#7
@
9 months ago
@SergeyBiryukov After discussion in the REST API weekly meeting we'd love to get your eyes on this briefly, it'd make us more confident in the solution.
This ticket was mentioned in PR #786 on WordPress/wordpress-develop by lukaspawlik.
7 weeks ago
Trac ticket: https://core.trac.wordpress.org/ticket/49277
@TimothyBJacobs @spacedmonkey this is the refreshed work of the patch attached to the Trac ticket. Based on your discussion I've ported the behaviour of `filter_var` into PHP code. Additionally I've added an extra check to avoid sanitization of the email when the `is_email` function returns true, which is most likely an indicator that the value is recognized correctly and doesn't need to be sanitized.
Please let me know if you have any questions.
Is this stricter than `sanitize_text_field`? If so, I think we'd want to make sure it isn't stricter than `is_email` would allow, right?

Separately, as I understand it, `filter_var` historically hasn't been used in WordPress since I think it can be disabled and we don't list it as a required extension.

Cc: @SergeyBiryukov, @jrf.