[wp-trac] [WordPress Trac] #30967: $fallback in sanitize_html_class() is not sanitized
WordPress Trac
noreply at wordpress.org
Fri Jan 9 14:15:49 UTC 2015
#30967: $fallback in sanitize_html_class() is not sanitized
-------------------------------+-----------------------------
Reporter: mighty_mt | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: trunk
Severity: normal | Keywords:
Focuses: |
-------------------------------+-----------------------------
When looking at the source for the {{{sanitize_html_class()}}} function I
just noticed that the $fallback variable is not being sanitized. Here's an
example:
{{{sanitize_html_class( "*!?", "This can't be valid!?" );}}}
In this example the $class variable will be empty after sanitizing and the
$fallback variable will be returned '''as is'''. So
{{{This can't be valid!?}}} would be returned, which is definitely not a
valid CSS class.
----
I think that (if needed) the $fallback variable should equally be
sanitized by either '''repeating''' the {{{preg_replace}}} calls or by
'''recursively''' calling {{{sanitize_html_class()}}} passing $fallback as
$class and leaving $fallback empty (while of course making sure to prevent
infinite loops).
For performance reasons the first option might be better because any
functions hooked to the {{{sanitize_html_class}}} filter would always be
run only once.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30967>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
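Added example, not WordPress core code and not a patch from the ticket: a standalone PHP model of sanitize_html_class() as the ticket describes it, showing the unsanitized-fallback behaviour beside the two fixes the reporter proposes (repeating the preg_replace() passes, or recursing with $fallback as $class and an empty fallback). The two regex passes in strip_to_class_chars(), the apply_class_filter() stand-in for the `sanitize_html_class` filter, and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not WordPress core code. Models sanitize_html_class()
// as described in ticket #30967. Assumptions: the two preg_replace()
// passes below stand in for the core function's own regexes, and the
// `sanitize_html_class` filter is replaced by a counting stand-in.

/** Reduce a string to characters that are safe inside class="...". */
function strip_to_class_chars( string $class ): string {
    // Strip %-encoded octets first so that "%3C" does not survive as "3C".
    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
    // Keep only A-Z, a-z, 0-9, '_' and '-'.
    return preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
}

/** Stand-in for apply_filters( 'sanitize_html_class', ... ); counts calls. */
$filter_calls = 0;
function apply_class_filter( string $sanitized, string $class, string $fallback ): string {
    global $filter_calls;
    $filter_calls++;
    return $sanitized;
}

/** Behaviour the ticket reports: $fallback is returned untouched. */
function sanitize_html_class_unpatched( string $class, string $fallback = '' ): string {
    $sanitized = strip_to_class_chars( $class );
    if ( '' === $sanitized && '' !== $fallback ) {
        return $fallback; // BUG: never sanitized, can break out of the attribute
    }
    return apply_class_filter( $sanitized, $class, $fallback );
}

/** Option 1 from the ticket: run the same preg_replace() passes over $fallback. */
function sanitize_html_class_repeat( string $class, string $fallback = '' ): string {
    $sanitized = strip_to_class_chars( $class );
    if ( '' === $sanitized && '' !== $fallback ) {
        $sanitized = strip_to_class_chars( $fallback );
    }
    // The filter runs exactly once whichever branch was taken.
    return apply_class_filter( $sanitized, $class, $fallback );
}

/** Option 2 from the ticket: recurse with $fallback as $class and no fallback. */
function sanitize_html_class_recursive( string $class, string $fallback = '' ): string {
    $sanitized = strip_to_class_chars( $class );
    if ( '' === $sanitized && '' !== $fallback ) {
        // An empty fallback guarantees the recursion bottoms out: the inner
        // call can never take this branch again, so no infinite loop.
        return sanitize_html_class_recursive( $fallback, '' );
    }
    return apply_class_filter( $sanitized, $class, $fallback );
}

// Constructed sample inputs (not from the ticket except the first).
$cases = [
    [ '*!?',        "This can't be valid!?" ],   // ticket's example
    [ '%3Cscript',  'x' ],                        // %XX stripped, "script" survives
    [ '???',        '"onmouseover=alert(1)' ],    // hostile fallback
    [ 'ok-class_1', 'ignored' ],                  // $class valid, fallback unused
];

foreach ( $cases as [ $class, $fallback ] ) {
    printf( "class=%-12s fallback=%-24s\n  unpatched=%s\n  repeat=%s\n  recursive=%s\n",
        $class, $fallback,
        sanitize_html_class_unpatched( $class, $fallback ),
        sanitize_html_class_repeat( $class, $fallback ),
        sanitize_html_class_recursive( $class, $fallback ) );
}
// 4 cases x 3 variants, one filter call each => 12 in this model.
printf( "filter calls: %d\n", $filter_calls );
```

Run it with `php example.php`. For the ticket's input the unpatched variant returns the raw fallback, while both fixes return `Thiscantbevalid`; for the hostile fallback the unpatched variant returns a string containing a double quote, which is exactly what an attribute-context sink cannot tolerate. In this model the recursive variant also runs the filter only once per call, because the outer call returns the inner result directly rather than filtering it a second time; whether that holds in core depends on how the recursive branch is written.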