Opened 4 years ago
Last modified 4 years ago
#54182 new enhancement
Use wp_unslash() for $_REQUEST Parameter in wp-admin/admin-post.php file
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.8.1 |
| Component: | General | Keywords: | reporter-feedback has-patch |
| Focuses: | administration, coding-standards | Cc: |
Description (last modified by )
Need to use the wp_unslash() for $_REQUEST['action'], you can see screenshot.
Attachments (3)
Change History (6)
#1
follow-up:
↓ 2
@
4 years ago
- Description modified (diff)
- Keywords reporter-feedback added
Hi there, welcome back to WordPress Trac! Thanks for the report.
Could you provide some more details about why wp_unslash() is needed here? What would be the steps to reproduce the issue on a clean install?
#2
in reply to:
↑ 1
@
4 years ago
Here wp_unslash() needed to remove slashes, we are using $_REQUEST to get parameters, so we need to remove slashes from parameters as per coding standards. And it will also help as per security point of view. Hope now it will be more clear to you.
Hi there, welcome back to WordPress Trac! Thanks for the report.
Could you provide some more details about why
wp_unslash()is needed here? What would be the steps to reproduce the issue on a clean install?
#3
@
4 years ago
- Keywords has-patch added
14 other files in the wp-admin directory also use $_REQUEST['action'] without wp_unslash. If the change is necessary in admin-post.php, those may need the same.
Since changeset:41205, the two files with $_REQUEST['action'] in wp-includes both use the function (class-wp-customize-manager.php and theme.php).
Git Diff File