[wp-trac] [WordPress Trac] #42461: Drop sanitize_text_field() for widget titles in forms
WordPress Trac
noreply at wordpress.org
Tue Nov 7 18:41:46 UTC 2017
#42461: Drop sanitize_text_field() for widget titles in forms
--------------------------+-----------------------------
 Reporter:  greenshady    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Widgets       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
In several widgets, the `sanitize_text_field()` function is used to
sanitize the widget title before it is output in the widget `form()`
method (note: not the `update()` method). This is prior to the widget
title being escaped via `esc_attr()` in the text input field.
The handling of this is inconsistent between widgets (some do this, some
don't).
I originally posted about this in #33235 when `strip_tags()` was being
used. I was working on a plugin to allow a limited subset of inline HTML
within widget titles. Plugin for testing:
https://github.com/justintadlock/widget-title-html
I erroneously thought the issue was corrected, but it wasn't. It looks
like I didn't thoroughly test things.
While I'd like for my plugin to actually work across the board at some
point and don't think `sanitize_text_field()` is necessary in the form, at
the very least, this should be handled consistently in the core widgets.
The following widgets seem to use both `sanitize_text_field()` +
`esc_attr()`:
* Archives
* Calendar
* Categories
* Meta
All other widgets do not.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42461>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
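The distinction the ticket draws between `update()` and `form()` is easier to see in a minimal widget. The code below is an added example, not code from the ticket, from the reporter's plugin, or from WordPress core; it assumes it is loaded inside a running WordPress install (the class name, base ID and description are made up for the example). It sanitizes the title once on save and, in the admin form, relies on `esc_attr()` alone for the `value=""` attribute, which is the form handling the ticket argues for; the four core widgets named above additionally run `sanitize_text_field()` inside `form()`.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core).
 *
 * update(): runs when the widget settings are saved. Input sanitization
 *           (sanitize_text_field) belongs here, so the stored value is
 *           already plain text by the time any other method sees it.
 * form():   renders the admin form. The stored title lands inside a
 *           value="" attribute, so esc_attr() is the step that keeps the
 *           string from breaking out of that attribute. Re-running
 *           sanitize_text_field() here alters the data again instead of
 *           escaping it, which is the inconsistency the ticket reports.
 */
class Example_Title_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct(
            'example_title_widget',           // base ID (hypothetical)
            'Example Title Widget',           // name shown in the admin
            array( 'description' => 'Title sanitizing vs. escaping demo.' )
        );
    }

    /** Front-end output. */
    public function widget( $args, $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        // Same filter core widgets apply; plugins that allow inline HTML in
        // titles hook here.
        $title = apply_filters( 'widget_title', $title, $instance, $this->id_base );

        echo $args['before_widget'];
        if ( '' !== $title ) {
            // Design choice for this example: allow only the post-safe HTML
            // subset, so a filter can add inline markup without opening the
            // front end to arbitrary tags.
            echo $args['before_title'] . wp_kses_post( $title ) . $args['after_title'];
        }
        echo $args['after_widget'];
    }

    /** Save handler: sanitize on input, once. */
    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;
        $instance['title'] = isset( $new_instance['title'] )
            ? sanitize_text_field( $new_instance['title'] )
            : '';
        return $instance;
    }

    /** Admin form: escape for the attribute context only; no re-sanitizing. */
    public function form( $instance ) {
        $instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );
        ?>
        <p>
            <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>">Title:</label>
            <input class="widefat"
                   id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"
                   name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>"
                   type="text"
                   value="<?php echo esc_attr( $instance['title'] ); ?>" />
        </p>
        <?php
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Title_Widget' );
} );
```

Drop the file into a plugin or theme and the widget appears under Appearance > Widgets. The check worth keeping in mind when reviewing a widget: every stored value that reaches an HTML attribute in `form()` should pass through `esc_attr()` at that point, regardless of what `update()` did; sanitization on save and escaping on output are separate steps, and only the second one is context-specific.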