[wp-trac] [WordPress Trac] #32257: Patch: add support for multi-line textarea sanitization
WordPress Trac
noreply at wordpress.org
Tue Jun 28 13:16:42 UTC 2016
#32257: Patch: add support for multi-line textarea sanitization
--------------------------------------+------------------------------
Reporter: ottok | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+------------------------------
Changes (by ottok):
* keywords: has-patch => has-patch has-unit-tests
* version: => trunk
Comment:
Can you please already accept this patch? It has got plenty of review and
was basically rewritten when '''reviewed in-person with @nbachiyski to be
perfect''', with unit tests and all.
I stumble across live sites all the time where people skip sanitization
because they don't like that multi-line form data becomes one-line data
via the usual sanitize_text_field() function.
I'd hate to publish a plugin merely to get a sensible and easy-to-use
sanitize_textarea_field() function out there. This really belongs in
core.
The function wp_filter_nohtml_kses() suggested above is not equivalent
to sanitize_text_field() in either function or name (think developer
usability). We don't want to strip away HTML here, but rather convert tags
into entities that are more secure to transport and display.
Come on, this is a '''really minor change and almost impossible to have
regressions''' but with the potential to stop HTML/octet etc. injections in
an easy way that developers are much more likely to use. ''We need to
help developers make secure code, and we help them by providing ready-made
and well-reviewed sanitization functions for all common scenarios.'' And
using a textarea instead of just a one-line "input type=text" is a scenario
that is very common, but which WordPress does not yet have covered.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32257#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform