[wp-trac] [WordPress Trac] #12181: Sanitizing text input fields before rendering but not before storing their content
WordPress Trac
wp-trac at lists.automattic.com
Tue Feb 9 09:52:29 UTC 2010
#12181: Sanitizing text input fields before rendering but not before storing their content
------------------------------+---------------------------------------------
 Reporter:  hargatheterrible  |  Owner:
     Type:  defect (bug)      |  Status:     new
 Priority:  normal            |  Milestone:  Unassigned
Component:  General           |  Version:    2.9.1
 Severity:  normal            |  Keywords:   sanitize filter
------------------------------+---------------------------------------------
In WPMU 2.8.5.2 and WP 2.9.1 filters are used to sanitize the content of
text input fields in the admin area.
However, the filters are applied only before rendering the content, but
not before transmitting and storing this content in the database.
For example, I can type in something like:
key1="value string with multiple words" AND key2="another value string"
and store it correctly in the database. When I "echo" this string into its
text input field again to show that it has been correctly stored, it is
rendered as
key1=\
The problem is that if a user does not pay attention and clicks on "update
settings" again, the wrong string is stored in the database because the
wrongly rendered string is transmitted.
I checked the multitude of filters that WP applies but could not find out
how to adjust the filtering/sanitizing of input for this specific text
input field. Even calling "remove_all_filters()" shows no effect.
I think that sanitizing is a good idea but it needs to become more
consistent and adjustable in WP. I would like to sanitize everything
that's between the quotes, not eliminate everything following the first
quote.
Thanks a lot in advance for all hints and pointers!
A.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12181>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
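The truncated rendering described in the ticket ("key1=\") is what a browser shows when a value containing double quotes is escaped for the wrong context: addslashes() (a PHP/SQL-string escape) instead of an HTML attribute escape. The ticket does not name the filter that produced it, so that is an assumption made here. The script below is an added example, not code from the ticket or from WordPress core, and models the round trip the reporter describes: store the raw string, render it into an input field both ways, and simulate what the browser submits back when the user clicks "update settings" again. The helper names (store_setting, render_input_broken, render_input_fixed, browser_submits) are hypothetical; the sample setting value is constructed from the ticket text.

```php
<?php
// Added example (not from the ticket or WordPress). Assumption: the broken
// rendering used addslashes() before dropping the value into value="...".

// Constructed sample of what the reporter typed into the settings field.
$submitted = 'key1="value string with multiple words" AND key2="another value string"';

// Storage layer: keep the raw string. Escaping belongs at the output layer,
// chosen per context (HTML attribute here, SQL parameter for the DB, etc.).
function store_setting(string $value): string {
    return $value;
}

// Broken rendering: addslashes() is a string-literal escape, not an HTML one.
// The first unescaped double quote terminates the attribute in the browser.
function render_input_broken(string $stored): string {
    return '<input type="text" name="opt" value="' . addslashes($stored) . '">';
}

// Correct rendering: escape for the HTML attribute context, which is what
// WordPress's esc_attr() does internally. Quotes become entities and survive.
function render_input_fixed(string $stored): string {
    $escaped = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="opt" value="' . $escaped . '">';
}

// Minimal model of the browser: the value attribute ends at the first
// unescaped double quote, and entities are decoded before the form is posted.
function browser_submits(string $html): string {
    if (!preg_match('/value="([^"]*)"/', $html, $m)) {
        return '';
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$stored = store_setting($submitted);

// Simulate the user pressing "update settings" without editing the field.
$resubmitted_broken = browser_submits(render_input_broken($stored));
$resubmitted_fixed  = browser_submits(render_input_fixed($stored));

echo "broken round trip: ", $resubmitted_broken, PHP_EOL;
echo "fixed round trip:  ", $resubmitted_fixed, PHP_EOL;
echo "lossless: ", var_export($resubmitted_fixed === $submitted, true), PHP_EOL;
```

Run with `php example.php`: the broken path posts back `key1=\`, exactly the value the reporter saw, and a second save would overwrite the stored setting with it; the fixed path posts back the original string unchanged. The design point is the one the ticket asks for: sanitise and escape according to where the data is going (HTML attribute on output, a prepared statement on storage), rather than mangling the stored value or escaping it for a context it is not in.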