[wp-trac] [WordPress Trac] #44988: The sanitize_html_class() is deceptive / "buggy"

WordPress Trac noreply at wordpress.org
Mon Sep 24 23:09:22 UTC 2018


#44988: The sanitize_html_class() is deceptive / "buggy"
----------------------------+-----------------------------
 Reporter:  ChiefAlchemist  |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  General         |    Version:  4.9.6
 Severity:  normal          |   Keywords:
  Focuses:                  |
----------------------------+-----------------------------
 Best I can tell, sanitize_html_class() will return a class name that
 begins with an invalid character (e.g., an integer). AFAIK a class can't
 begin with an integer (as well as a handful of other special / odd
 characters).

 Mind you, I understand sanitation is not validation :) That said, the
 function description says "If this results in an empty string, then the
 function will return the alternative value supplied."

 If you interpret that as "if your class is invalid..." (as I did), then at
 the very least some level of validation is implied.

 Long to short, if the function returns a useless class, there's (almost)
 no point in having a special sanitizer. Sure, it might sanitize - I can
 hear the sec team barking - but the result isn't any more useful than
 using a "normal" sanitize function.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44988>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
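To make the sanitize-versus-validate gap in the ticket concrete, here is an added PHP example that is not WordPress core code and not the reporter's. `example_sanitize_html_class()` is my own minimal re-implementation of the strip-only behaviour the ticket describes (the real core function also passes its result through the `sanitize_html_class` filter, which is omitted here); `example_is_valid_css_identifier()` and `example_sanitize_and_validate_html_class()` are hypothetical helpers that add the leading-character check the reporter expected, based on the CSS identifier start rules (no leading digit, no hyphen followed by a digit, no lone hyphen). The inputs are constructed for the demonstration.

```php
<?php
// Added example, not WordPress core code: a re-implementation of the
// strip-only sanitizer described in the ticket, plus a separate validity
// check that the core function does not perform.

function example_sanitize_html_class( $class, $fallback = '' ) {
    // Strip %-encoded octets, then keep only A-Z, a-z, 0-9, '_' and '-'.
    $sanitized = preg_replace( '/%[a-fA-F0-9]{2}/', '', $class );
    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );

    // The fallback is only used when nothing at all survives stripping,
    // which is why '123-widget' comes back unchanged.
    if ( '' === $sanitized && '' !== $fallback ) {
        return $fallback;
    }
    return $sanitized;
}

// Hypothetical helper: does the string satisfy the CSS identifier start
// rules? An identifier may not begin with a digit or with a hyphen followed
// by a digit, and a lone hyphen is not an identifier; a leading '--' is
// permitted (custom-property style names).
function example_is_valid_css_identifier( $class ) {
    return 1 === preg_match( '/^-?[A-Za-z_][A-Za-z0-9_-]*$|^--[A-Za-z0-9_-]*$/', $class );
}

// Hypothetical wrapper giving the behaviour the ticket expected: the fallback
// is returned when the sanitized result would not be a usable class name.
function example_sanitize_and_validate_html_class( $class, $fallback = '' ) {
    $sanitized = example_sanitize_html_class( $class, $fallback );
    if ( ! example_is_valid_css_identifier( $sanitized ) ) {
        return $fallback;
    }
    return $sanitized;
}

// Constructed inputs showing the gap: everything is "sanitized", but the
// first two results are still not valid class names.
$inputs = array( '123-widget', '-5col', 'my class', '<b>bold</b>', '%3Cscript%3E', '' );
foreach ( $inputs as $input ) {
    $sanitized = example_sanitize_html_class( $input, 'fallback' );
    printf(
        "%-16s sanitize=%-14s valid=%-3s sanitize+validate=%s\n",
        var_export( $input, true ),
        var_export( $sanitized, true ),
        example_is_valid_css_identifier( $sanitized ) ? 'yes' : 'no',
        var_export( example_sanitize_and_validate_html_class( $input, 'fallback' ), true )
    );
}
```

Run it with `php example.php`: `'123-widget'` and `'-5col'` survive the sanitizer untouched yet fail the identifier check, so only the wrapper returns the fallback for them, while `'my class'`, the markup and the percent-encoded input are reduced to plain ASCII names that both functions accept. The security property (no markup or attribute-breaking characters in the output) comes entirely from the character stripping; the identifier check is purely a usefulness check layered on top, which is the distinction the ticket is drawing.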