Opened 5 weeks ago
Last modified 5 weeks ago
#49277 new enhancement
Implement email sanitize in REST API
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.4 |
| Component: | REST API | Keywords: | has-patch 2nd-opinion has-unit-tests |
| Focuses: | Cc: |
Description
Implement email sanitize in REST API over just using sanitize_text_field
Attachments (1)
Change History (6)
#2
@
5 weeks ago
filter_var is used elsewhere in core.
sanitize_text_field is applied to emails first then filter_var is run. The idea is to just remove character that are not valid in an email. It doesn't do a lot of validation that is_email, checking domain length etc.
#4
@
5 weeks ago
Does that line actually get executed? It looks like it prefers regex which I think needs to be available to run WP?
The idea is to just remove character that are not valid in an email.
Right, what I'm trying to figure out, is if there is a case where the sanitization would not allow an email that would have previously been allowed by is_email(). I understand filter_var doesn't do the complex checking is_email does. But I'm wondering if any of the characters it strips would've been allowed by is_email.
Is this stricter than
sanitize_text_field? If so, I think we'd want to make sure it isn't stricter thanis_emailwould allow, right?Separately, as I understand it,
filter_varhistorically hasn't been used in WordPress since I think it can be disabled and we don't list it as a required extension.Cc: @SergeyBiryukov, @jrf.