Opened 8 months ago
Last modified 8 months ago
#63727 new enhancement
A new function to sanitize an array
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch 2nd-opinion has-unit-tests |
| Focuses: | | Cc: | |
Description
In the Plugins Team, when we review plugins, there is a custom function that many authors use in their development called recursively_sanitize. It iterates through each value, detects the data type, and executes the sanitization function that best fits the data.
If we could have such a function officially, it would cover all sanitization needs for developers. It would also reduce our review workload, as we wouldn’t need to raise issues related to sanitization, since the function would rely on core sanitization methods.
Change History (11)
This ticket was mentioned in PR #9289 on WordPress/wordpress-develop by @vipulgupta003.
8 months ago
#1
- Keywords has-patch added
@mindctrl commented on PR #9289:
8 months ago
#2
I like the idea. I'm just eyeballing the code, so no testing or deep thought, but I think we need some phpunit tests here for this to be considered for merge.
#3
@
8 months ago
- Keywords needs-unit-tests 2nd-opinion added
This weekend I was thinking about how often I write custom functions to sanitize an array of data. Something like this could be useful.
I took a quick look at the PR. It needs some phpunit tests. I'm also requesting a 2nd opinion from some core devs about interest in taking this on.
#4
@
8 months ago
- Component changed from General to Security
Thanks for starting this discussion @davidperez.
Moving into the security component since this is about sanitation functions.
I'm not sure if this is a good idea since a function that attempts to automagically detect how an input is meant to be used is going to provide a lower amount of safety vs a developer making an active decision based on how the input is actually used.
#5
@
8 months ago
Thanks!
We have a reference of wc_clean in WooCommerce that has been used widely. It does not detect the type of the variable. It could be something in the middle.
#6
@
8 months ago
I took a look at wc_clean, and it seems to just be calling sanitize_text_field on all scalar variables or itself on arrays. How is this "the sanitization function that best fits the data"?
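The trade-off raised in comments #4 and #6, as an added example that is not part of the ticket or of either PR: a blanket recursive helper of the kind described above next to a sanitizer driven by an explicit per-field map. The function names `example_clean_all()` and `example_sanitize_by_schema()`, the field names and the sample input are hypothetical; the code assumes it runs inside WordPress so that the core sanitizers are loaded.

```php
<?php
// Added illustration; run inside WordPress (e.g. `wp eval-file example.php`).
// Function names, field names and sample data are hypothetical.

// Blanket approach: scalars go through sanitize_text_field(), arrays recurse.
function example_clean_all( $value ) {
	if ( is_array( $value ) ) {
		return array_map( 'example_clean_all', $value );
	}
	return is_scalar( $value ) ? sanitize_text_field( $value ) : $value;
}

// Explicit approach: the developer states how each field is used.
// Keys missing from the schema are dropped instead of guessed at.
function example_sanitize_by_schema( array $input, array $schema ) {
	$clean = array();
	foreach ( $schema as $key => $rule ) {
		if ( ! array_key_exists( $key, $input ) ) {
			continue;
		}
		if ( is_array( $rule ) ) {
			// Nested schema: recurse only when the input is an array too.
			$clean[ $key ] = is_array( $input[ $key ] )
				? example_sanitize_by_schema( $input[ $key ], $rule )
				: array();
		} elseif ( is_scalar( $input[ $key ] ) ) {
			$clean[ $key ] = call_user_func( $rule, $input[ $key ] );
		}
	}
	return $clean;
}

// Constructed sample input.
$raw = array(
	'post_id' => '42abc',
	'website' => 'javascript:alert(1)',
	'bio'     => "Line one\nLine two",
	'contact' => array( 'email' => 'user@example.org' ),
	'extra'   => 'not in schema',
);
$schema = array(
	'post_id' => 'absint',
	'website' => 'esc_url_raw',
	'bio'     => 'sanitize_textarea_field',
	'contact' => array( 'email' => 'sanitize_email' ),
);

var_dump( example_clean_all( $raw ) );
var_dump( example_sanitize_by_schema( $raw, $schema ) );
```

With this input the blanket helper returns `website` unchanged, leaves `post_id` as a string and collapses the line break in `bio`; the schema version returns an empty `website`, an integer `post_id`, keeps the line break and drops `extra`.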
#7
in reply to:
↑ description
@
8 months ago
Replying to davidperez:
In the Plugins Team, when we review plugins, there is a custom function that many authors use in their development called recursively_sanitize. It iterates through each value, detects the data type, and executes the sanitization function that best fits the data.
You probably know the best, but I wonder if other types, apart from arrays, are also being recursively sanitized on those functions.
Replying to jorbin:
I took a look at wc_clean, and it seems to just be calling sanitize_text_field on all scalar variables or itself on arrays. How is this "the sanitization function that best fits the data"?
It appears that checking for scalar is just the weird way they choose for sanitizing strings. But I also think that the idea itself is decent, just with some little added tweaks to broaden the scope.
This ticket was mentioned in PR #9314 on WordPress/wordpress-develop by @ajayver.
8 months ago
#9
- Keywords has-unit-tests added; needs-unit-tests removed
Tests: Add unit tests for recursively_sanitize function
Adds comprehensive test coverage for the new recursively_sanitize function including:
- Basic sanitization of strings, arrays, and objects
- Nested data structure handling
- Context-specific sanitization (text vs textarea)
- Recursion protection for deeply nested structures
- Filter hook testing
See: trac ticket #63727
8 months ago
#10
I have added unit tests for the proposed function here: https://github.com/WordPress/wordpress-develop/pull/9314
Feel free to pull it in or merge if useful
This PR adds a function that recursively sanitizes data structures, allowing for comprehensive sanitization of arrays and objects based on specified contexts.