[wp-trac] [WordPress Trac] #44988: The sanitize_html_class() is deceptive / "buggy"
WordPress Trac
noreply at wordpress.org
Mon Sep 24 23:09:22 UTC 2018
#44988: The sanitize_html_class() is deceptive / "buggy"
----------------------------+-----------------------------
Reporter: ChiefAlchemist | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.9.6
Severity: normal | Keywords:
Focuses: |
----------------------------+-----------------------------
Best I can tell, sanitize_html_class() will return a class name that
begins with an invalid character (e.g., an integer). AFAIK a class can't
begin with an integer (as well as a handful of other special / odd
characters).
Mind you, I understand sanitation is not validation :) That said, the
function description says "If this results in an empty string, then the
function will return the alternative value supplied."
If you interpret that as "if your class is invalid..." (as I did), then at
the very least some level of validation is implied.
Long to short, if the function returns a useless class, there's (almost)
no point in having a special sanitizer. Sure, it might sanitize - I can
hear the sec team barking - but the result isn't any more useful than
using a "normal" sanitize function.
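A stand-alone PHP illustration, added here and not WordPress core code: a reimplementation of the keep-only-[A-Za-z0-9_-] behaviour the ticket describes, next to a stricter wrapper that also checks the CSS identifier start rule (an identifier may not begin with an unescaped digit, or with a hyphen followed by a digit). Both function names are assumed.

```php
<?php
// Added example (not WordPress core code). Mirrors the behaviour the ticket
// reports: strip %XX octets, keep only A-Z a-z 0-9 '_' '-', and fall back
// only when nothing survives. The first character is never checked, so a
// class such as "1st-item" comes back unchanged.
function sanitize_like_core( string $class, string $fallback = '' ): string {
    $sanitized = preg_replace( '/%[a-fA-F0-9]{2}/', '', $class );
    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
    return ( '' === $sanitized && '' !== $fallback ) ? $fallback : $sanitized;
}

// Stricter variant (assumed name): sanitize first, then require the result
// to match the CSS 2.1 identifier grammar  -?[_a-zA-Z][_a-zA-Z0-9-]*  so the
// class is actually selectable in a stylesheet. Otherwise return $fallback.
function sanitize_and_validate_class( string $class, string $fallback = '' ): string {
    $sanitized = sanitize_like_core( $class, '' );
    if ( ! preg_match( '/^-?[A-Za-z_][A-Za-z0-9_-]*$/', $sanitized ) ) {
        return $fallback;
    }
    return $sanitized;
}

// Constructed inputs: leading digit, hyphen+digit, whitespace, markup,
// percent-encoded markup, fully stripped, and a plain valid name.
$cases = [ '1st-item', '-2col', 'widget 42', '<script>', '%3Cimg', '!!!', 'ok_name' ];
foreach ( $cases as $input ) {
    echo str_pad( json_encode( $input ), 12 )
        . ' core='   . json_encode( sanitize_like_core( $input, 'fallback' ) )
        . ' strict=' . json_encode( sanitize_and_validate_class( $input, 'fallback' ) )
        . "\n";
}
```

The core-style function returns "1st-item" and "-2col" untouched while the strict variant hands back the fallback for both; every other case yields the same string from both functions, which is the gap between sanitizing and validating that the ticket describes.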
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44988>
WordPress Trac <https://core.trac.wordpress.org/>