[wp-trac] [WordPress Trac] #43208: Separate setting validation from sanitization
WordPress Trac
noreply at wordpress.org
Thu Feb 1 23:45:14 UTC 2018
#43208: Separate setting validation from sanitization
--------------------------------+-------------------------------------
 Reporter:  flixos90            |      Owner:
     Type:  enhancement         |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Options, Meta APIs  |    Version:
 Severity:  normal              |   Keywords:  needs-patch 2nd-opinion
  Focuses:                      |
--------------------------------+-------------------------------------
As is widely known, validation is different from sanitization. A value
should first be validated and then be sanitized. Historically, WordPress
has been mixing these two responsibilities in the `sanitize_option()`
function; however, it is easily possible to add an extra layer on top of
that which maintains full backward-compatibility.

Newer parts of core, such as the Customizer and the REST API, have been
dealing with this in a better way, keeping the two separate. We can
achieve the same for options themselves too.

I suggest introducing a `validate_option_{$option}` filter that works
somewhat similarly to the `customize_validate_{$setting_id}` filter used
in the Customizer. It passes an empty `WP_Error` object that can be added
to. In addition to allowing validation to be separated from sanitization,
it also makes handling of validation easier, since it can then
automatically set the value to the previous value and call
`add_settings_error()`, passing any error messages set, which matches
current core behavior.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43208>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
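
The layering proposed in the ticket, sketched as a plugin-side example that is added here and is not code from the ticket or from WordPress core. The option name `myplugin_retention_days` and the `myplugin_*` functions are hypothetical, and `validate_option_{$option}` is only the filter name the ticket proposes, fired here by the example itself from an early `sanitize_option_{$option}` callback.

```php
<?php
// Added example: 'myplugin_retention_days' and the myplugin_* functions are
// hypothetical. 'validate_option_{$option}' is the filter name proposed in the
// ticket; this example fires it itself rather than relying on core to do so.

const MYPLUGIN_OPTION = 'myplugin_retention_days';

// Put the validation step in front of sanitization: priority 1 runs before a
// sanitize_callback registered through register_setting() (priority 10).
add_filter( 'sanitize_option_' . MYPLUGIN_OPTION, 'myplugin_validate_then_pass', 1, 2 );

function myplugin_validate_then_pass( $value, $option ) {
	// Hand validators an empty WP_Error to add to, as the ticket describes.
	$validity = apply_filters( "validate_option_{$option}", new WP_Error(), $value, $option );

	if ( ! is_wp_error( $validity ) || ! $validity->get_error_codes() ) {
		return $value; // Valid: pass on to the sanitization callbacks unchanged.
	}

	// Invalid: report every message and fall back to the stored value.
	if ( function_exists( 'add_settings_error' ) ) { // Only loaded in wp-admin.
		foreach ( $validity->get_error_codes() as $code ) {
			add_settings_error( $option, $code, $validity->get_error_message( $code ) );
		}
	}
	return get_option( $option );
}

// A validator only accepts or rejects; it never rewrites the value.
add_filter( 'validate_option_' . MYPLUGIN_OPTION, 'myplugin_validate_retention', 10, 2 );

function myplugin_validate_retention( $validity, $value ) {
	if ( ! is_scalar( $value ) || ! ctype_digit( (string) $value ) ) {
		$validity->add( 'not_integer', 'Retention must be a whole number of days.' );
	} elseif ( (int) $value < 1 || (int) $value > 365 ) {
		$validity->add( 'out_of_range', 'Retention must be between 1 and 365 days.' );
	}
	return $validity;
}

// Sanitization stays a separate, later step that normalizes an accepted value.
add_filter( 'sanitize_option_' . MYPLUGIN_OPTION, 'absint', 10 );
```

Because rejection happens before any sanitizer runs, an input such as `-5` or `30abc` is refused with a message instead of being silently coerced into a different stored value.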