[wp-trac] [WordPress Trac] #32257: Patch: add support for multi-line textarea sanitization

WordPress Trac noreply at wordpress.org
Tue Jun 28 13:16:42 UTC 2016


#32257: Patch: add support for multi-line textarea sanitization
--------------------------------------+------------------------------
 Reporter:  ottok                     |       Owner:
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Security                  |     Version:  trunk
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+------------------------------
Changes (by ottok):

 * keywords:  has-patch => has-patch has-unit-tests
 * version:   => trunk


Comment:

 Can you please already accept this patch? It has got plenty of review and
 was basically rewritten when '''reviewed in-person with @nbachiyski to be
 perfect''', with unit tests and all.

 I stumble across live sites all the time where people skip sanitization
 because they don't like that the multi-line form data becomes one-line data
 via the usual sanitize_text_field() function.

 I'd hate to publish a plugin merely to get a sensible and easy to use
 sanitize_textarea_field() function out there. This really belongs to the
 core.

 The function wp_filter_nohtml_kses() suggested above is not an equivalent
 to sanitize_text_field in either function or name (think developer
 usability). We don't want to strip away HTML here, but rather convert tags
 into entities that are more secure to transport and display.

 Come on, this is a '''really minor change and almost impossible to have
 regressions''' but with the potential to stop HTML/octet etc injections in
 an easy way that developers are much more likely to use. ''We need to
 help developers make secure code, and we help them by providing ready-made
 and well reviewed sanitization functions for all common scenarios.'' And
 using textarea instead of just one-line "input type=text" is a scenario
 that is very common, but which WordPress does not yet have covered.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32257#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
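As an added illustration of the behaviour the comment above describes (not the ticket's patch and not WordPress core's own implementation, which later shipped as sanitize_textarea_field() in 4.7), the following standalone PHP shows why a one-line sanitizer destroys textarea input and what a newline-preserving variant looks like. The function names `_sanitize_text_fields_example`, `sanitize_text_field_example` and `sanitize_textarea_field_example` are invented for this example, and the sample input is constructed; the tag-to-entity conversion follows the approach argued for in the comment rather than core's tag stripping.

```php
<?php
// Added example, not code from ticket #32257 or from WordPress core.
// Function names are hypothetical; the input below is constructed.

/**
 * Shared worker. Behaves like a one-line field sanitizer, except that
 * line breaks are preserved when $keep_newlines is true.
 */
function _sanitize_text_fields_example( $str, $keep_newlines = false ) {
    if ( ! is_scalar( $str ) ) {
        return '';
    }
    $filtered = (string) $str;

    // Refuse malformed UTF-8 instead of passing it on to the database or
    // the browser (core uses wp_check_invalid_utf8() for the same purpose).
    if ( 1 !== preg_match( '//u', $filtered ) ) {
        return '';
    }

    // Browsers POST textarea content with CRLF line endings; normalise to \n.
    $filtered = str_replace( array( "\r\n", "\r" ), "\n", $filtered );

    // Turn tag delimiters into entities rather than stripping them: the text
    // survives, but it can no longer be interpreted as markup.
    $filtered = str_replace( array( '<', '>' ), array( '&lt;', '&gt;' ), $filtered );

    // Drop percent-encoded sequences (e.g. %3C, %0A) that a later layer
    // might decode back into a '<' or a line break.
    $filtered = preg_replace( '/%[a-fA-F0-9]{2}/', '', $filtered );

    // Remove ASCII control characters except tab and newline.
    $filtered = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $filtered );

    if ( $keep_newlines ) {
        // Collapse runs of spaces/tabs within a line, then trim each line,
        // but keep the line structure the user typed.
        $filtered = preg_replace( '/[ \t]+/', ' ', $filtered );
        $lines    = array_map( 'trim', explode( "\n", $filtered ) );
        $filtered = implode( "\n", $lines );
    } else {
        // One-line behaviour: every whitespace run, newlines included,
        // becomes a single space. This is what flattens textarea input.
        $filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
    }

    return trim( $filtered );
}

// One-line variant, analogous in spirit to sanitize_text_field().
function sanitize_text_field_example( $str ) {
    return _sanitize_text_fields_example( $str, false );
}

// Multi-line variant, analogous in spirit to the proposed sanitize_textarea_field().
function sanitize_textarea_field_example( $str ) {
    return _sanitize_text_fields_example( $str, true );
}

// Constructed sample resembling a raw textarea POST: CRLF line breaks, an
// injected tag, percent-encoded angle brackets and a stray NUL byte.
$input = "Line one\r\n  <script>alert(1)</script>\r\nReply: %3Chello%3E\x00 there\r\n";

echo "One-line sanitizer:\n";
var_dump( sanitize_text_field_example( $input ) );

echo "\nTextarea sanitizer:\n";
var_dump( sanitize_textarea_field_example( $input ) );
```

Running this side by side shows the difference the comment complains about: the one-line variant returns a single line with the user's paragraphs merged, while the textarea variant keeps each line on its own row. In both cases the `<script>` tag comes back as `&lt;script&gt;`, the percent-encoded brackets and the NUL byte are gone, and the result is still meant for storage only; output into HTML should go through the usual escaping functions regardless of which sanitizer was used on input.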

