[wp-trac] Re: [WordPress Trac] #7423: in WP_Query, sanitization breaks usage of multiple post_status values

WordPress Trac wp-trac at lists.automattic.com
Mon Jul 28 21:50:34 GMT 2008 

#7423: in WP_Query, sanitization breaks usage of multiple post_status values
-------------------------+--------------------------------------------------
 Reporter:  markjaquith  |        Owner:  anonymous
     Type:  defect       |       Status:  new      
 Priority:  high         |    Milestone:  2.7      
Component:  General      |      Version:  2.6      
 Severity:  normal       |   Resolution:           
 Keywords:               |  
-------------------------+--------------------------------------------------
Changes (by markjaquith):

  * summary:  in WP_Query, sanitization breaks usage of multiple post_type
              or post_status values => in WP_Query,
              sanitization breaks usage of multiple
              post_status values

Old description:

> I was trying to get WP_Query to give me all draft OR future posts by
> other authors, but found that it would not accept comma-separated
> post_status values.  Turns out we're using {{{sanitize_user()}}} on the
> query values of post_type and post_status which breaks that
> functionality.  We need to allow commas so that WP_Query can process
> {{{post_status=draft,future}}}
>
> Switching that {{{sanitize_user()}}} line to a {{{[^a-z0-9,_-]
> preg_replace()}}} sanitization line allowed my WP_Query call to work as
> intended.

New description:

 I was trying to get WP_Query to give me all draft OR future posts by other
 authors, but found that it would not accept comma-separated post_status
 values.  Turns out we're using {{{sanitize_user()}}} on the query values
 of post_status which breaks that functionality.  We need to allow commas
 so that WP_Query can process {{{post_status=draft,future}}}

 Switching that {{{sanitize_user()}}} line to a {{{[^a-z0-9,_-]
 preg_replace()}}} sanitization line allowed my WP_Query call to work as
 intended.

 We're also doing that sanitization on post_type, but it doesn't look like
 the functionality to accept multiple post_type values is there (and it's
 certainly less useful than accepting multiple post_statuses).

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7423#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list