Opened 3 years ago
Closed 3 years ago
#55216 closed defect (bug) (duplicate)
CPT slug value conflicts with wp-admin
| Reported by: | drzraf | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 5.9 |
| Component: | Query | Keywords: | |
| Focuses: | administration | Cc: | |

Description
There is no such thing as a custom-post-type slug blacklist: WordPress assumes any slug is ok, but this is not the case.
A badly chosen slug can result in strange behaviors and hard-to-spot issues.
I'm reporting about the _"action"_ slug: defining such a CPT results in a non-working admin search (no results or inadequate results).
The chain of events is the following: when using admin-side search, this kind of URL is generated and routed by WP:

```
wp-admin/edit.php?s=foobar&post_status=all&post_type=page&action=-1&m=0&paged=1&action2=-1
```

Inside `Wp::parse_request()` there is a loop (l. 300) going over `public_query_vars` (which includes every slug, every permastruct + built-in query parameters).
If this parameter is set (e.g. `action=-1` while an _"action"_ CPT is defined), then `$this->query_vars['name']` is set to the value.

The resulting SQL request is:

```sql
SELECT wp_posts.ID, wp_posts.post_parent FROM wp_posts WHERE 1=1 AND wp_posts.post_name = '1' AND (((wp_posts.post_title LIKE '%foobar%') OR (wp_posts.post_excerpt LIKE '%foobar%') OR (wp_posts.post_content LIKE '%foobar%'))) AND wp_posts.post_type = 'page' ORDER BY wp_posts.menu_order ASC, wp_posts.post_title ASC
```

This part, `wp_posts.post_name = '1'` (where "1" is the transformation of "-1"), keeps correct records from being retrieved.

I see two options:
- One is documenting an official keyword list of the forbidden slugs (could even be hardcoded and trigger an error).
- Another is fixing the router so that built-in parameters do not collide with slug-derived ones. Admin-side search is one such place where this collision exists, but others _may_ exist.

Hi there, thanks for the ticket!
There is an official list of keywords that should not be used as post type or taxonomy slugs: Reserved Terms.
That said, `register_post_type()` indeed does not trigger a warning if any of the reserved terms is used as a slug. This was previously suggested in #31154, let's continue the discussion there.

Also related/duplicate: #33125.
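
One way a site can surface this collision at registration time, shown as an added example that is not WordPress core code or a patch from this ticket. It assumes the file is loaded (for instance as a must-use plugin) before post types are registered; the constant, the helper name and the version placeholder are hypothetical, and the name list is taken from the parameters in the admin search URL above rather than from the full Reserved Terms list.

```php
<?php
// Added example, not WordPress core code. These names come from the admin
// search URL quoted in the ticket, plus 'name' (the query var that ends up
// overwritten). A real check should use the full Reserved Terms list.
const EXAMPLE_RESERVED_NAMES = array(
	's', 'post_status', 'post_type', 'action', 'm', 'paged', 'action2', 'name',
);

/**
 * Hypothetical helper: list the reserved names a post type collides with.
 *
 * @param string       $post_type Key passed to register_post_type().
 * @param WP_Post_Type $object    The registered post type object.
 * @return string[] Colliding names, empty when none were found.
 */
function example_reserved_name_collisions( $post_type, $object ) {
	$candidates = array( $post_type );

	// query_var is false when disabled; otherwise it is the request
	// parameter name that the request parser will match for this type.
	if ( is_string( $object->query_var ) && '' !== $object->query_var ) {
		$candidates[] = $object->query_var;
	}

	return array_values(
		array_intersect( array_unique( $candidates ), EXAMPLE_RESERVED_NAMES )
	);
}

add_action(
	'registered_post_type',
	function ( $post_type, $object ) {
		if ( $object->_builtin ) {
			return; // Core's own types (post, page, ...) are not checked.
		}
		$hits = example_reserved_name_collisions( $post_type, $object );
		if ( $hits ) {
			_doing_it_wrong(
				'register_post_type',
				esc_html( sprintf( 'Post type "%s" uses reserved name(s): %s', $post_type, implode( ', ', $hits ) ) ),
				'0.0.0-example' // Constructed placeholder version string.
			);
		}
	},
	10,
	2
);
```

`_doing_it_wrong()` only raises a notice when `WP_DEBUG` is enabled, so this check is aimed at development and staging environments.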