Opened 3 years ago
Closed 3 years ago
#54775 closed enhancement (wontfix)
Allow int/float for esc_ functions
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | close |
| Focuses: | coding-standards | Cc: |
Description
Currently e.g. esc_html only accepts strings.
Internally it casts any type to string (in wp_check_invalid_utf8)
Since phpcs WordPress is not a static analysis tool, it will report error for required use of esc_html on int/float too.
Putting esc_html for int/float then will cause errors with static analysis tools (psalm) however.
I think the sensible (and correct) solution would be, to change the param and return type for esc_html and esc_attr to string|int|float
I can provide the PR if needed.
Change History (5)
#2
@
3 years ago
- Keywords close added
- Version trunk deleted
I've also run into this with PHPStan scanning. I decided to use a mixture of casting to string and using more appropriate escaping functions such as intval(), absint(), and floatval(). I think widening the accepted types for the escaping functions papers over the real issue which is outputting values of an unknown type.
#3
@
3 years ago
@swissspidy because esc_html does exactly this already (converts to string, if it isn't).
I don't want a band-aid fix (in fact: instead of doing this, I just globally disable the error for esc_html because I know it will handle int just fine)
@johnbillion could just typecast it to (int), as intval's performance is much worse than just typecasting it again (even though it's already int)
I think widening the accepted types for the escaping functions papers over the real issue which is outputting values of an unknown type.
The type is not unknown, the type is int/float. In fact esc_html will convert those to string anyway.
#4
@
3 years ago
The type is not unknown, the type is int/float. In fact esc_html will convert those to string anyway.
If you know that something is int/float, why would you want to pass it through esc_html? Escaping int/float values does not make any sense.
#5
@
3 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
This conversation isn't really going anywhere so I'll close off this ticket. As mentioned a few times, if you know the type is an integer or float then it can be handled accordingly, no need to pass it through esc_html().
Cheers!
What's wrong with casting this yourself if you're dealing with ints and floats? e.g.
$num = 0; esc_html( (string) $num );?