Make WordPress Core

Opened 18 months ago

Closed 16 months ago

Last modified 16 months ago

#56065 closed defect (bug) (invalid)

PHPCS issue in wp-load.php .

Reported by: hilayt24's profile hilayt24 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Bootstrap/Load Keywords: close
Focuses: coding-standards Cc:


$_SERVER data not unslashed before sanitization.

if ( false === strpos( $_SERVER['REQUEST_URI'], 'setup-config' ) ) {
		header( 'Location: ' . $path );

Change History (6)

#1 @hilayt24
18 months ago

Using wp_unslash() before sinitatization is recommended.

#2 @SergeyBiryukov
18 months ago

  • Component changed from General to Bootstrap/Load
  • Focuses coding-standards added
  • Keywords reporter-feedback added

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

Do you get any PHPCS warnings from this file? When running WPCS checks for WordPress core with the default phpcs.xml.dist file, wp-load.php appears to pass all the checks successfully in my testing.

Since we're directly checking for setup-config appearing anywhere in $_SERVER['REQUEST_URI'], I think it would not matter here whether it's slashed or not.

#3 @azouamauriac
18 months ago

  • Keywords close added

Hello welcome to core trac! Thanks for the report,
I noticed the same thing with Sergey, I don't get any PHPCS warnings while running WPCS checks for WordPress core, but I get warning while running checks using phpcs rules.

Adding close keywords as this doesn't seem come from core phpcs rules.

Last edited 18 months ago by azouamauriac (previous) (diff)

#4 @hilayt24
16 months ago

  • Keywords reporter-feedback removed

I am closing this ticket now .

#5 @azouamauriac
16 months ago

  • Resolution set to invalid
  • Status changed from new to closed

#6 @SergeyBiryukov
16 months ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.