[wp-trac] [WordPress Trac] #23416: Form handlers assume $_POST elements will be strings
WordPress Trac
noreply at wordpress.org
Sat Nov 22 16:23:06 UTC 2014
#23416: Form handlers assume $_POST elements will be strings
--------------------------------------+-----------------------------
Reporter: tabacco | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Comments | Version: 3.5.1
Severity: normal | Resolution:
Keywords: good-first-bug has-patch | Focuses:
--------------------------------------+-----------------------------
Comment (by cisco87):
What about a function like this, which allows you to sanitise an array
recursively and to apply filters to each of the keys, to strip_tags or
whatever?
Whether it's an array or a value, it just iterates and recurses, allowing you
to create filters for all the values in an array, like for authors[] or the
key author, just by hooking "filter_array_authors" or "filter_array_author".
{{{
/**
 * Recursively sanitise a (possibly nested) request array by passing every
 * leaf value through a WordPress filter named after its key:
 * "filter_array_<key>" for string keys, "filter_array_<parent key>" for
 * numeric keys inside a list such as author[], and plain "filter_array"
 * for a bare scalar with no parent key.
 */
function recur_trim($vars, $pkey = null) {
	$filter = "filter_array";
	if (is_array($vars)) {
		foreach ($vars as $key => $var) {
			// Filter name: prefer the parent key (list items), then this key.
			$m_filter = $filter;
			if (!empty($pkey)) {
				$m_filter .= "_{$pkey}";
			} else if (!is_numeric($key) && !empty($key)) {
				$m_filter .= "_{$key}";
			}
			if (is_array($var)) {
				// Descend, carrying the most specific named key along.
				$arg = "";
				if (!is_numeric($key) && !empty($key)) {
					$arg = $key;
				} else if (!empty($pkey)) {
					$arg = $pkey;
				}
				$vars[$key] = recur_trim($vars[$key], $arg);
			} else {
				$vars[$key] = apply_filters($m_filter, $var);
			}
		}
	} else {
		// Scalar: only append a suffix when a parent key was passed,
		// otherwise the filter name would end in a dangling underscore.
		if (!empty($pkey)) {
			$filter .= "_{$pkey}";
		}
		$vars = apply_filters($filter, $vars);
	}
	return $vars;
}
}}}
Replying to [ticket:23416 tabacco]:
> I'm running WordPress 3.5.1 on PHP 5.3.
>
> This example is from lines 50-53 of wp-comments-post.php:
>
> {{{
> $comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
> $comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null;
> $comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
> $comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
> }}}
>
> The issue is that if your post data contains something like:
> {{{
> author[]=foo&author[]=bar
> }}}
> or
> {{{
> comment[]=foo
> }}}
> then the corresponding values in $_POST will be arrays, not strings,
> causing an E_WARNING.
>
> There seem to be a number of other places where $_POST data is passed
> directly to PHP string functions as well, causing potential warnings.
> These should be handled gracefully by checking the type of the element
> being grabbed from $_POST first:
>
> {{{
> $comment_author = ( isset($_POST['author']) && is_string($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
> $comment_author_email = ( isset($_POST['email']) && is_string($_POST['email']) ) ? trim($_POST['email']) : null;
> $comment_author_url = ( isset($_POST['url']) && is_string($_POST['url']) ) ? trim($_POST['url']) : null;
> $comment_content = ( isset($_POST['comment']) && is_string($_POST['comment']) ) ? trim($_POST['comment']) : null;
> }}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/23416#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
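As an added example (not from the ticket or from WordPress core): the is_string() check proposed in the ticket, wrapped in a helper and exercised against constructed request bodies that include the array-valued author[] and comment[] cases. The helper name post_string and the sample bodies are assumptions for illustration.

```php
<?php
// Added example, not WordPress code: read a comment-form field from a
// $_POST-shaped array and return a string only when it really is one.

/**
 * Return $source[$key] trimmed (optionally with tags stripped), or null
 * when the field is missing or is not a string, e.g. when the request
 * body contained author[]=foo&author[]=bar and PHP decoded it as an array.
 * Passing that array straight to trim() is what raises the E_WARNING
 * described in #23416.
 */
function post_string(array $source, string $key, bool $strip_tags = false): ?string {
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = $source[$key];
    if ($strip_tags) {
        $value = strip_tags($value);
    }
    return trim($value);
}

// Constructed request bodies standing in for $_POST (parse_str decodes
// them the same way PHP populates $_POST from a form submission).
$normal = [];
parse_str('author=Jane&email=jane%40example.test&comment=Hello', $normal);

$with_arrays = [];
parse_str('author[]=foo&author[]=bar&comment[]=foo&email=x%40example.test', $with_arrays);

foreach (['normal' => $normal, 'arrays' => $with_arrays] as $label => $post) {
    // Same four fields wp-comments-post.php reads, each guarded by type.
    $comment_author       = post_string($post, 'author', true);
    $comment_author_email = post_string($post, 'email');
    $comment_author_url   = post_string($post, 'url');
    $comment_content      = post_string($post, 'comment');

    printf("%s: author=%s email=%s url=%s comment=%s\n",
        $label,
        var_export($comment_author, true),
        var_export($comment_author_email, true),
        var_export($comment_author_url, true),
        var_export($comment_content, true));
}
```

With the array-valued body, author and comment come back as null instead of triggering a warning, while the string-valued email field is still trimmed normally.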