Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#55855 new enhancement

In the wp-admin folder, the ajax-actions.php file has some unsanitized data issues.

Reported by: smit08
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: needs-patch close
Focuses:
Cc:

Description

Path of file: wp-admin/includes/ajax-actions.php

In these files, there are some $_POST values used without being sanitized by filter_input. I think this should be solved.

I am adding some code below for some reference.

$post_id = isset( $_POST['post_ID'] ) ? (int) $_POST['post_ID'] : 0;

Attachments (1)

55855.patch (573 bytes) - added by smit08 2 years ago.
I have solved the data sanitization in one place by using filter_input. Please review it, and if it is done in the proper way then I will change it for the whole file.


Change History (3)

@smit08
2 years ago

I have solved the data sanitization in one place by using filter_input. Please review it, and if it is done in the proper way then I will change it for the whole file.

#1 @sanzeeb3
2 years ago

I guess casting an integer to post ID does the sanitization itself.

#2 @SergeyBiryukov
2 years ago

  • Component changed from Users to Administration
  • Keywords close added

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

I think comment:1 is correct: the (int) casting is enough for sanitization here.
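The following is an added example illustrating the point made in comments 1 and 2; it is not code from the ticket, the attached patch, or WordPress core. It runs the same `(int)` cast that wp-admin/includes/ajax-actions.php applies to `$_POST['post_ID']` over a set of constructed request values, beside a validating variant. Because `filter_input()` can only read the real superglobals, the validating variant uses `filter_var()` with `FILTER_VALIDATE_INT` on a plain array so the script runs offline; the function names `post_id_by_cast` and `post_id_by_filter` and the sample values are assumptions of this example.

```php
<?php
// Added example (not WordPress code): why a (int) cast on a post ID is
// already safe, and what a validating filter would change.
declare( strict_types=1 );

/**
 * The cast used in ajax-actions.php: the result is always an int, so the
 * value can never carry markup, quotes, or SQL fragments. Anything that is
 * not a leading integer becomes 0, a non-empty array becomes 1.
 */
function post_id_by_cast( array $post ): int {
	return isset( $post['post_ID'] ) ? (int) $post['post_ID'] : 0;
}

/**
 * Validating variant: accepts only a well-formed positive integer and
 * returns null for anything else, instead of silently coercing it.
 * filter_var() + FILTER_VALIDATE_INT is the array-friendly counterpart of
 * the filter_input() call proposed in the attached patch (assumption).
 */
function post_id_by_filter( array $post ): ?int {
	if ( ! isset( $post['post_ID'] ) ) {
		return null;
	}
	$id = filter_var(
		$post['post_ID'],
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 1 ) )
	);
	return false === $id ? null : $id;
}

// Constructed stand-ins for $_POST; none of these are real request captures.
$samples = array(
	'plain id'       => array( 'post_ID' => '42' ),
	'leading spaces' => array( 'post_ID' => '  42' ),
	'trailing text'  => array( 'post_ID' => '42abc' ),
	'markup'         => array( 'post_ID' => '<b>42</b>' ),
	'negative'       => array( 'post_ID' => '-7' ),
	'array value'    => array( 'post_ID' => array( '42' ) ),
	'missing'        => array(),
);

printf( "%-15s %-10s %s\n", 'input', '(int)', 'FILTER_VALIDATE_INT' );
foreach ( $samples as $label => $post ) {
	$cast     = post_id_by_cast( $post );
	$filtered = post_id_by_filter( $post );
	printf(
		"%-15s %-10d %s\n",
		$label,
		$cast,
		null === $filtered ? 'rejected (null)' : (string) $filtered
	);
}
```

Both functions return either an int or null, so neither can pass attacker-controlled strings onward; the cast is therefore sufficient as a sanitizer, which is the conclusion of the ticket. The validating variant only differs in policy: it reports malformed or out-of-range input as a rejection rather than coercing it to 0, which matters when the caller wants to distinguish "no post" from "garbage in the request".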
