Make WordPress Core

Opened 3 months ago

Last modified 4 weeks ago

#60650 new defect (bug)

sanitize_locale_name() should reject non-strings

Reported by: dd32's profile dd32 Owned by:
Milestone: Awaiting Review Priority: lowest
Severity: trivial Version: 6.2.1
Component: I18N Keywords: close
Focuses: Cc:


While debugging some locale-related oddities, I ran into sanitize_locale_name() happily accepting arrays.

wp> sanitize_locale_name( [ 'test@test' => 'test@test' ] );

array(1) {
  'test@test' =>
  string(8) "testtest"

This is not uncommon for WordPress functions that rely upon preg_replace() and a number of other sanitize functions behave similarly.

I would expect an array input to return either '' as array( .. ) is not a valid string.

Change History (3)

#1 @swissspidy
3 months ago

Returning an empty string if the input is not a string souvds reasonable. However, note that the docblock says the function expects a string.

#2 in reply to: ↑ description @ocean90
3 months ago

Replying to dd32:

and a number of other sanitize functions behave similarly.

It seems like only sanitize_key() has a check for is_scalar()? I guess if sanitize_locale_name() needs to be updated we should make all sanitize functions consistent in this way.

#3 @swissspidy
4 weeks ago

  • Keywords close added

Revisiting this, I don't see a need to change just this function specifically.

Note: See TracTickets for help on using tickets.