Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#50877 assigned defect (bug)

Always sanitize post types' and taxonomies' rewrite arguments

Reported by: flixos90's profile flixos90 Owned by: flixos90's profile flixos90
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Posts, Post Types Keywords: has-patch
Focuses: Cc:


When registering a post type or taxonomy, currently the $rewrite argument / property is only sanitized if pretty permalinks are enabled.

While this condition makes sense for whether to add the actual rewrite rules, sanitization itself should not depend on this external factor. Right now, effectively the $rewrite property will be invalid for post types and taxonomies when pretty permalinks are not enabled. When changing the permalink structure during a request (e.g. relevant in tests), this may result in PHP warnings, since the $rewrite property is expected to be an array, but due to lack of sanitization could still be e.g. a boolean true.

Sanitization of rewrite arguments should always happen for post types and taxonomies to ensure integrity of the property.

Change History (3)

This ticket was mentioned in PR #458 on WordPress/wordpress-develop by felixarntz.

4 years ago

  • Keywords has-patch added; needs-patch removed

#2 follow-up: @jnylen0
4 years ago

Some popular plugins are using 'rewrite' => true:

How would this patch change the behavior of these plugins?

#3 in reply to: ↑ 2 @jnylen0
4 years ago

Replying to jnylen0:

In case this search is deleted from 'rewrite'\s*=> [^a\[f]

Note: See TracTickets for help on using tickets.