#63320 closed enhancement (fixed)
Sanitize key parameter in activation flow to enhance security
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.9 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Networks and Sites | Keywords: | has-patch |
| Focuses: | multisite | Cc: | |
Description
Currently, the key parameter received via $_GET or $_POST is used directly without sanitization in the activation flow. This patch introduces the use of sanitize_text_field() when retrieving the key from user input to ensure the data is cleaned before further processing.
Changes made:
Added sanitize_text_field() for both $_GET['key'] and $_POST['key'] when assigning the $key variable.
This ensures that any potentially unsafe characters are stripped out, reducing the risk of unexpected behavior or misuse.
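The change described in the ticket, shown as an added example rather than the ticket's own patch or WordPress core code: the raw assignment beside the sanitized one, with a constructed request value to show what the cleaning removes. The function names are hypothetical; sanitize_text_field() and wp_unslash() are the real WordPress functions, so the block runs only inside a WordPress bootstrap (the wp_unslash() call is standard core practice for request data and goes beyond what the ticket itself adds).

```php
<?php
// Added example (not the ticket's patch or WordPress core code): reading the
// activation key from the request, before and after sanitization. Function
// names are hypothetical; sanitize_text_field() and wp_unslash() are real
// WordPress functions, so this needs a WordPress bootstrap to run.

// Before: the raw request value is used as-is, so anything the client sends
// (tags, line breaks, percent-encoded octets) reaches the activation logic.
function get_activation_key_unsanitized(): string {
	if ( isset( $_GET['key'] ) ) {
		return $_GET['key'];
	}
	if ( isset( $_POST['key'] ) ) {
		return $_POST['key'];
	}
	return '';
}

// After: the same lookup, but the value is unslashed and passed through
// sanitize_text_field(), which strips tags, line breaks, extra whitespace
// and percent-encoded characters, as the ticket proposes.
function get_activation_key_sanitized(): string {
	if ( isset( $_GET['key'] ) ) {
		return sanitize_text_field( wp_unslash( $_GET['key'] ) );
	}
	if ( isset( $_POST['key'] ) ) {
		return sanitize_text_field( wp_unslash( $_POST['key'] ) );
	}
	return '';
}

// Constructed input for illustration: an activation key is a plain
// hexadecimal string, so everything around it below should be stripped.
$_GET['key'] = " ab12cd34<script>alert(1)</script>%0A\n ";
var_dump( get_activation_key_unsanitized() ); // raw value, tags included
var_dump( get_activation_key_sanitized() );   // only the key text remains
```

A key that has been sanitized this way is still only cleaned text, not validated: the activation code should go on to check it against the stored signup key exactly as before, since sanitization removes unexpected characters but does not prove the key is genuine.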
Attachments (2)
Change History (11)
#1 (follow-up: ↓ 2), 3 weeks ago
Welcome to the core trac @khushipatel15
The PR looks good to me, but we should add a space after the opening ( and before the closing ) as per the PHPCS coding standards, so
sanitize_text_field($_GET['key'])
Should be
sanitize_text_field( $_GET['key'] )
#4, 3 weeks ago
- Focuses performance privacy coding-standards php-compatibility removed
- Milestone changed from Awaiting Review to 6.9
- Owner set to flixos90
- Status changed from new to reviewing
Thanks @khushipatel15 for reporting this!
It surely looks worth doing, but some of the focus areas here are not really relevant, so I'm going to remove them.
#6, 2 weeks ago
This ticket was mentioned in PR #8753 on WordPress/wordpress-develop by @flixos90.
This simply ports over https://core.trac.wordpress.org/attachment/ticket/63320/63320.2.patch.
Trac ticket: https://core.trac.wordpress.org/ticket/63320
This patch file shows the enhancement and use of sanitize key and meets the coding standards of WordPress.