[wp-trac] [WordPress Trac] #26759: New Generic Sanitize Functions for Core
WordPress Trac
noreply at wordpress.org
Thu Jan 2 17:54:49 UTC 2014
#26759: New Generic Sanitize Functions for Core
-----------------------------+-----------------------------
Reporter: georgestephanis | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
-----------------------------+-----------------------------
Core currently supplies a number of sanitize functions:
{{{
sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_post_field()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
}}}
They all sanitize by usage, not by data type.
As such, I (and I suspect others) wind up using these to escape things
they weren't initially meant for -- for the sake of brevity, and it's just
quicker and leads to tidier code.
I believe it could result in better and simpler sanitizing if we were to
include sanitize-by-format functions in core. For example,
{{{
wp_sanitize_numeric( $raw ); // [\d]
wp_sanitize_numeric_float( $raw ); // [\d\.,] allowing both commas and periods as decimal indicator and thousands separator
wp_sanitize_hex( $raw ); // [\da-f] case-insensitive
wp_sanitize_alphanumeric( $raw ); // [\da-z] case-insensitive
wp_sanitize_letters( $raw ); // [a-z] case-insensitive
wp_sanitize( $raw, $regex ); // uses passed in regex to determine what to strip.
}}}
The specific functions to use are up for discussion. I'm just hoping to
make it simpler for users to sanitize data by expected type.
As a side note, this will let folks use `wp_sanitize_numeric()` to
sanitize integers larger than `PHP_INT_MAX` -- which tumblr and twitter
IDs often happen to be for imports and feeds and the like (as casting to
`(int)` isn't a good idea).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26759>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
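As an added illustration (not code from the ticket or from WordPress core), one way the proposed sanitize-by-format helpers could be written; the function names follow the ticket's proposal, while the bodies, the `$regex` convention and the sample input are assumptions:

```php
<?php
// Added example, not WordPress core code. Function names follow the ticket's
// proposal; the bodies and the sample input are assumptions.

/**
 * Generic sanitize-by-format helper: strips every match of $regex from $raw
 * and always returns a string. $regex must be a trusted literal written by
 * the developer, never user input (a caller-controlled pattern is itself an
 * injection point and a ReDoS risk).
 */
function wp_sanitize( $raw, $regex ) {
	if ( ! is_scalar( $raw ) ) {
		return '';
	}
	$clean = preg_replace( $regex, '', (string) $raw );
	// preg_replace() returns null on a PCRE error (bad pattern, backtrack limit).
	return ( null === $clean ) ? '' : $clean;
}
function wp_sanitize_numeric( $raw ) {
	return wp_sanitize( $raw, '/[^\d]/' );
}
function wp_sanitize_numeric_float( $raw ) {
	return wp_sanitize( $raw, '/[^\d.,]/' ); // keeps both ',' and '.'
}
function wp_sanitize_hex( $raw ) {
	return wp_sanitize( $raw, '/[^\da-f]/i' );
}
function wp_sanitize_alphanumeric( $raw ) {
	return wp_sanitize( $raw, '/[^\da-z]/i' );
}
function wp_sanitize_letters( $raw ) {
	return wp_sanitize( $raw, '/[^a-z]/i' );
}

// Constructed sample: an ID wider than 64-bit PHP_INT_MAX (as Tumblr or
// Twitter IDs can be), with trailing junk from an untrusted feed.
$raw_id = '18446744073709551616<script>';

// Stays a string, so no digit is lost; an (int) cast cannot hold this value.
$id = wp_sanitize_numeric( $raw_id );

// Sanitizing to a character class is not output escaping: still run the
// value through esc_html() / esc_attr() or $wpdb->prepare() at the sink.
echo 'Sanitized ID: ' . $id . PHP_EOL;
echo 'Survives an (int) cast: ' . var_export( (string) (int) $raw_id === $id, true ) . PHP_EOL;
```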