[wp-trac] [WordPress Trac] #56311: Week query variable is not being sanitized correctly
WordPress Trac
noreply at wordpress.org
Thu Jan 5 00:26:22 UTC 2023
#56311: Week query variable is not being sanitized correctly
-------------------------------------+-----------------------
Reporter: domainsupport | Owner: audrasjb
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 6.2
Component: Query | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+-----------------------
Comment (by peterwilsoncc):
Yes, that's what I am thinking.
The `WP` class is used to validate user input (in this case via the URL).
An example of this is ensuring post type queries are public.
[https://github.com/WordPress/wordpress-develop/blob/3977b6b06d1efd3f6cadb8b31bc8ba55e09486d5/src/wp-includes/class-wp.php#L358-L368 see source code]
The `WP` class would then drop or modify any invalid date queries before
they are passed to `WP_Query` which in turn would prevent them from being
passed to `WP_Date_Query`.
My thought being that if a developer writes the code `WP_Query( ['monthnum' => 36, /* etc */ ] )` then the notices ought to be thrown. If a visitor
enters the URL `/2023/36/15` then the `WP` class should handle the invalid
data gracefully.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56311#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
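As an added illustration of the request-side validation discussed in the comment above (example code written for this page, not WordPress core's `WP` class or its actual implementation), the following standalone PHP function drops out-of-range date query variables from a request before they would reach `WP_Query`. The function name, the exact bounds used for `year`, and the rule that a `day` without a `monthnum` is discarded are assumptions made for the example.

```php
<?php
// Added example, not WordPress core code: a standalone sanitizer for the
// date-related public query variables (year, monthnum, w, day), in the spirit
// of what the `WP` class could do before handing a request to `WP_Query`.
// Function name and the year bounds are assumptions for illustration.

/**
 * Drop out-of-range date query variables from a request and return only
 * the ones that are safe to pass on. Invalid values are removed rather
 * than clamped, so the request falls back to a less specific archive
 * instead of triggering notices deeper in WP_Date_Query.
 *
 * @param array<string,mixed> $query_vars Raw request variables (e.g. parsed from the URL).
 * @return array<string,int> Validated integer values keyed by variable name.
 */
function sanitize_date_query_vars( array $query_vars ): array {
    // Inclusive bounds per variable; ISO-8601 weeks run 1..53.
    $ranges = array(
        'year'     => array( 1970, 9999 ), // assumed bounds for the example
        'monthnum' => array( 1, 12 ),
        'w'        => array( 1, 53 ),
        'day'      => array( 1, 31 ),
    );

    $clean = array();
    foreach ( $ranges as $var => list( $min, $max ) ) {
        if ( ! isset( $query_vars[ $var ] ) ) {
            continue;
        }
        // Accept only ints or digit-only strings; "36abc" or "-1" are rejected outright.
        $raw = $query_vars[ $var ];
        if ( ! is_int( $raw ) && ! ( is_string( $raw ) && ctype_digit( $raw ) ) ) {
            continue;
        }
        $value = (int) $raw;
        if ( $value < $min || $value > $max ) {
            continue;
        }
        $clean[ $var ] = $value;
    }

    // A day archive only makes sense under a month; if the month was dropped
    // (e.g. /2023/36/15), drop the day as well so the request degrades to a year archive.
    if ( isset( $clean['day'] ) && ! isset( $clean['monthnum'] ) ) {
        unset( $clean['day'] );
    }

    // Day 31 of a 30-day month (or Feb 30) passes the per-field range check but
    // is not a real calendar date; checkdate() catches that once all parts exist.
    if ( isset( $clean['year'], $clean['monthnum'], $clean['day'] )
        && ! checkdate( $clean['monthnum'], $clean['day'], $clean['year'] ) ) {
        unset( $clean['day'] );
    }

    return $clean;
}

// Constructed sample requests, including the ticket's `/2023/36/15` case.
$samples = array(
    array( 'year' => '2023', 'monthnum' => '36', 'day' => '15' ), // bad month: month and day dropped
    array( 'year' => '2023', 'w' => '54' ),                        // bad week: week dropped
    array( 'year' => '2023', 'monthnum' => '2', 'day' => '30' ),   // Feb 30: day dropped
    array( 'year' => '2023', 'monthnum' => '07', 'day' => '04' ),  // valid: all kept
);
foreach ( $samples as $request ) {
    echo json_encode( $request ), ' => ', json_encode( sanitize_date_query_vars( $request ) ), "\n";
}
```

Dropping rather than clamping is the deliberate choice here: silently mapping month 36 to month 12 would serve content the visitor did not ask for, whereas removing the field makes the URL resolve to the nearest valid archive and keeps the range errors from ever reaching `WP_Date_Query`.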