<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[38944] trunk: General: Add a `sanitize_textarea_field()` function.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/38944">38944</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/38944","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>pento</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2016-10-26 05:16:09 +0000 (Wed, 26 Oct 2016)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>General: Add a `sanitize_textarea_field()` function.
Like its predecessor (`sanitize_text_field()`), `sanitize_textarea_field()` is a helper function to sanitise user input. As the name suggests, this function is for sanitising input from `textarea` fields - it strips tags and invalid UTF-8 characters, like `sanitize_text_field()`, but retains newlines and extra inline whitespace.
Props ottok, nbachiyski, chriscct7, pento.
Fixes <a href="https://core.trac.wordpress.org/ticket/32257">#32257</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesformattingphp">trunk/src/wp-includes/formatting.php</a></li>
<li><a href="#trunktestsphpunittestsformattingSanitizeTextFieldphp">trunk/tests/phpunit/tests/formatting/SanitizeTextField.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesformattingphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/formatting.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/formatting.php 2016-10-26 03:38:48 UTC (rev 38943)
+++ trunk/src/wp-includes/formatting.php 2016-10-26 05:16:09 UTC (rev 38944)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -4653,6 +4653,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 2.9.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @see sanitize_textarea_field()
</ins><span class="cx" style="display: block; padding: 0 10px"> * @see wp_check_invalid_utf8()
</span><span class="cx" style="display: block; padding: 0 10px"> * @see wp_strip_all_tags()
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -4660,16 +4661,75 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @return string Sanitized string.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> function sanitize_text_field( $str ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $filtered = _sanitize_text_fields( $str, false );
+
+ /**
+ * Filters a sanitized text field string.
+ *
+ * @since 2.9.0
+ *
+ * @param string $filtered The sanitized string.
+ * @param string $str The string prior to being sanitized.
+ */
+ return apply_filters( 'sanitize_text_field', $filtered, $str );
+}
+
+/**
+ * Sanitizes a multiline string from user input or from the database.
+ *
+ * The function is like sanitize_text_field(), but preserves
+ * new lines (\n) and other whitespace, which are legitimate
+ * input in textarea elements.
+ *
+ * @see sanitize_text_field()
+ *
+ * @since 4.7.0
+ *
+ * @param string $str String to sanitize.
+ * @return string Sanitized string.
+ */
+function sanitize_textarea_field( $str ) {
+ $filtered = _sanitize_text_fields( $str, true );
+
+ /**
+ * Filters a sanitized textarea field string.
+ *
+ * @since 4.7.0
+ *
+ * @param string $filtered The sanitized string.
+ * @param string $str The string prior to being sanitized.
+ */
+ return apply_filters( 'sanitize_textarea_field', $filtered, $str );
+}
+
+/**
+ * Internal helper function to sanitize a string from user input or from the db
+ *
+ * @since 4.7.0
+ * @access private
+ *
+ * @param string $str String to sanitize.
+ * @param bool $keep_newlines optional Whether to keep newlines. Default: false.
+ * @return string Sanitized string.
+ */
+function _sanitize_text_fields( $str, $keep_newlines = false ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> $filtered = wp_check_invalid_utf8( $str );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( strpos($filtered, '<') !== false ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $filtered = wp_pre_kses_less_than( $filtered );
</span><span class="cx" style="display: block; padding: 0 10px"> // This will strip extra whitespace for us.
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $filtered = wp_strip_all_tags( $filtered, true );
- } else {
- $filtered = trim( preg_replace('/[\r\n\t ]+/', ' ', $filtered) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $filtered = wp_strip_all_tags( $filtered, false );
+
+ // Use html entities in a special case to make sure no later
+ // newline stripping stage could lead to a functional tag
+ $filtered = str_replace("<\n", "<\n", $filtered);
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! $keep_newlines ) {
+ $filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
+ }
+ $filtered = trim( $filtered );
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $found = false;
</span><span class="cx" style="display: block; padding: 0 10px"> while ( preg_match('/%[a-f0-9]{2}/i', $filtered, $match) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $filtered = str_replace($match[0], '', $filtered);
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -4681,15 +4741,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $filtered = trim( preg_replace('/ +/', ' ', $filtered) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- /**
- * Filters a sanitized text field string.
- *
- * @since 2.9.0
- *
- * @param string $filtered The sanitized string.
- * @param string $str The string prior to being sanitized.
- */
- return apply_filters( 'sanitize_text_field', $filtered, $str );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ return $filtered;
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span></span></pre></div>
<a id="trunktestsphpunittestsformattingSanitizeTextFieldphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/formatting/SanitizeTextField.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/formatting/SanitizeTextField.php 2016-10-26 03:38:48 UTC (rev 38943)
+++ trunk/tests/phpunit/tests/formatting/SanitizeTextField.php 2016-10-26 05:16:09 UTC (rev 38944)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -4,44 +4,111 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @group formatting
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> class Tests_Formatting_SanitizeTextField extends WP_UnitTestCase {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // #11528
- function test_sanitize_text_field() {
- $inputs = array(
- 'оРангутанг', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
- 'САПР', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
- 'one is < two',
- 'tags <span>are</span> <em>not allowed</em> here',
- ' we should trim leading and trailing whitespace ',
- 'we also trim extra internal whitespace',
- 'tabs get removed too',
- 'newlines are not welcome
- here',
- 'We also %AB remove %ab octets',
- 'We don\'t need to wory about %A
- B removing %a
- b octets even when %a B they are obscured by whitespace',
- '%AB%BC%DE', //Just octets
- 'Invalid octects remain %II',
- 'Nested octects %%%ABABAB %A%A%ABBB',
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ function data_sanitize_text_field() {
+ return array(
+ array(
+ 'оРангутанг', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
+ 'оРангутанг',
+ ),
+ array(
+ 'САПР', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
+ 'САПР',
+ ),
+ array(
+ 'one is < two',
+ 'one is < two',
+ ),
+ array(
+ "one is <\n two",
+ array(
+ 'oneline' => 'one is < two',
+ 'multiline' => "one is <\n two",
+ ),
+ ),
+ array(
+ "foo <div\n> bar",
+ array(
+ 'oneline' => 'foo bar',
+ 'multiline' => "foo bar",
+ ),
+ ),
+ array(
+ "foo <\ndiv\n> bar",
+ array(
+ 'oneline' => 'foo < div > bar',
+ 'multiline' => "foo <\ndiv\n> bar",
+ ),
+ ),
+ array(
+ 'tags <span>are</span> <em>not allowed</em> here',
+ 'tags are not allowed here',
+ ),
+ array(
+ ' we should trim leading and trailing whitespace ',
+ 'we should trim leading and trailing whitespace',
+ ),
+ array(
+ 'we trim extra internal whitespace only in single line texts',
+ array(
+ 'oneline' => 'we trim extra internal whitespace only in single line texts',
+ 'multiline' => 'we trim extra internal whitespace only in single line texts',
+ ),
+ ),
+ array(
+ "tabs \tget removed in single line texts",
+ array(
+ 'oneline' => 'tabs get removed in single line texts',
+ 'multiline' => "tabs \tget removed in single line texts",
+ ),
+ ),
+ array(
+ "newlines are allowed only\n in multiline texts",
+ array(
+ 'oneline' => 'newlines are allowed only in multiline texts',
+ 'multiline' => "newlines are allowed only\n in multiline texts",
+ ),
+ ),
+ array(
+ 'We also %AB remove %ab octets',
+ 'We also remove octets',
+ ),
+ array(
+ 'We don\'t need to wory about %A
+ B removing %a
+ b octets even when %a B they are obscured by whitespace',
+ array (
+ 'oneline' => 'We don\'t need to wory about %A B removing %a b octets even when %a B they are obscured by whitespace',
+ 'multiline' => "We don't need to wory about %A\n B removing %a\n b octets even when %a B they are obscured by whitespace",
+ ),
+ ),
+ array(
+ '%AB%BC%DE', //Just octets
+ '', //Emtpy as we strip all the octets out
+ ),
+ array(
+ 'Invalid octects remain %II',
+ 'Invalid octects remain %II',
+ ),
+ array(
+ 'Nested octects %%%ABABAB %A%A%ABBB',
+ 'Nested octects',
+ ),
</ins><span class="cx" style="display: block; padding: 0 10px"> );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $expected = array(
- 'оРангутанг',
- 'САПР',
- 'one is < two',
- 'tags are not allowed here',
- 'we should trim leading and trailing whitespace',
- 'we also trim extra internal whitespace',
- 'tabs get removed too',
- 'newlines are not welcome here',
- 'We also remove octets',
- 'We don\'t need to wory about %A B removing %a b octets even when %a B they are obscured by whitespace',
- '', //Emtpy as we strip all the octets out
- 'Invalid octects remain %II',
- 'Nested octects',
- );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- foreach ($inputs as $key => $input) {
- $this->assertEquals($expected[$key], sanitize_text_field($input));
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /**
+ * @ticket 32257
+ * @dataProvider data_sanitize_text_field
+ */
+ function test_sanitize_text_field( $string, $expected ) {
+ if ( is_array( $expected ) ) {
+ $expected_oneline = $expected['oneline'];
+ $expected_multiline = $expected['multiline'];
+ } else {
+ $expected_oneline = $expected_multiline = $expected;
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertEquals( $expected_oneline, sanitize_text_field( $string ) );
+ $this->assertEquals( $expected_multiline, sanitize_textarea_field( $string ) );
+
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre>
</div>
</div>
</body>
</html>