Make WordPress Core

Opened 2 years ago

Closed 23 months ago

Last modified 23 months ago

#56065 closed defect (bug) (invalid)

PHPCS issue in wp-load.php.

Reported by: hilayt24 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Bootstrap/Load Keywords: close
Focuses: coding-standards Cc:


$_SERVER data not unslashed before sanitization.

if ( false === strpos( $_SERVER['REQUEST_URI'], 'setup-config' ) ) {
		header( 'Location: ' . $path );

Change History (6)

#1 @hilayt24
2 years ago

Using wp_unslash() before sanitization is recommended.

#2 @SergeyBiryukov
2 years ago

  • Component changed from General to Bootstrap/Load
  • Focuses coding-standards added
  • Keywords reporter-feedback added

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

Do you get any PHPCS warnings from this file? When running WPCS checks for WordPress core with the default phpcs.xml.dist file, wp-load.php appears to pass all the checks successfully in my testing.

Since we're directly checking for setup-config appearing anywhere in $_SERVER['REQUEST_URI'], I think it would not matter here whether it's slashed or not.

#3 @azouamauriac
2 years ago

  • Keywords close added

Hello, welcome to core trac! Thanks for the report.
I noticed the same thing as Sergey: I don't get any PHPCS warnings while running WPCS checks for WordPress core, but I get a warning while running checks using phpcs rules.

Adding close keywords as this doesn't seem to come from core phpcs rules.


#4 @hilayt24
23 months ago

  • Keywords reporter-feedback removed

I am closing this ticket now.

#5 @azouamauriac
23 months ago

  • Resolution set to invalid
  • Status changed from new to closed

#6 @SergeyBiryukov
23 months ago

  • Milestone Awaiting Review deleted