[wp-trac] [WordPress Trac] #47867: wp_trim_excerpt and wp_trim_words don't validate the excerpt length (int)

WordPress Trac noreply at wordpress.org
Tue Aug 13 07:57:28 UTC 2019


#47867: wp_trim_excerpt and wp_trim_words don't validate the excerpt length (int)
--------------------------+-----------------------------
 Reporter:  pikamander2   |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  5.2.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 We noticed that our error log was filled with messages like this:

 **PHP message: PHP Warning: A non-numeric value encountered in
 [...]/public_html/wp-includes/formatting.php on line 3770**

 The immediate culprit turned out to be Elementor Pro, which allows the
 user to input an excerpt length for its "Cards" element, but doesn't
 validate the value at all, so if the user's input is blank then it will
 set the excerpt length to a blank string value rather than 0. It does so
 via the `excerpt_length` filter.

 I've submitted the fix to their support, but shouldn't WordPress's core be
 validating that value as well? I can't think of any possible reason why
 you would want WordPress to attempt to use a non-numeric value in those
 functions.

 Here are the relevant lines in wp-includes\formatting.php that prompt the
 warning:

 {{{
 // in wp_trim_excerpt():
 $excerpt_more = apply_filters( 'excerpt_more', ' ' . '[…]' );
 $text         = wp_trim_words( $text, $excerpt_length, $excerpt_more );

 // in wp_trim_words(), first branch ($num_words is the filtered length):
 $words_array = array_slice( $words_array[0], 0, $num_words + 1 );

 // in wp_trim_words(), else branch:
 $words_array = preg_split( "/[\n\r\t ]+/", $text, $num_words + 1, PREG_SPLIT_NO_EMPTY );
 }}}

 Basically, the WordPress core sets the default excerpt length to 55, then
 applies the filters, then doesn't check the resulting value to make sure
 that it's valid.

 I think that the sanitization logic should look something like this:

  * If the resulting value is neither an integer nor a float, replace it
 with 0.
  * Else if the resulting value is a float, cast it to an integer
  * Else use the value without any modification (since it's an integer and
 therefore valid)

 Assuming that that all sounds good, I'm not sure whether it would be more
 appropriate to put the check at the end of `wp_trim_excerpt` or at the
 start of `wp_trim_words` (or both?).
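 The following is an added PHP example, not code from the ticket or from
 WordPress core. It implements the three rules listed above for the value
 returned by the `excerpt_length` filter and pairs them with a minimal
 stand-in for the `preg_split` branch of `wp_trim_words`, so the effect of a
 blank filter value can be seen without WordPress loaded. The function names
 are hypothetical, and clamping negative lengths to 0 is an addition beyond
 the ticket's list.

```php
<?php
// Added example for this ticket, not WordPress core code: it implements the
// three-step sanitization proposed above for the value returned by the
// 'excerpt_length' filter, plus a minimal stand-in for wp_trim_words() so the
// effect can be seen without WordPress loaded. Function names are hypothetical.

/**
 * Normalise a filtered excerpt length to an integer.
 *
 *  - neither int nor float (blank string, 'abc', null, array) -> 0
 *  - float                                                     -> cast to int
 *  - int                                                       -> unchanged
 *
 * Clamping negatives to 0 goes beyond the ticket's list (assumption): a
 * negative limit handed to preg_split() means "no limit", which would
 * silently disable trimming instead of producing an error.
 */
function example_sanitize_excerpt_length( $length ) {
    if ( is_int( $length ) ) {
        return max( 0, $length );
    }
    if ( is_float( $length ) ) {
        return max( 0, (int) $length );
    }
    // Caveat: this also turns numeric strings such as '20' (common from form
    // fields) into 0. Accept them via is_numeric() if that is preferable.
    return 0;
}

/**
 * Minimal stand-in for the preg_split() branch of wp_trim_words(): the length
 * is sanitized on entry, so the "$num_words + 1" arithmetic never sees a
 * non-numeric value.
 */
function example_trim_words( $text, $num_words, $more = ' […]' ) {
    $num_words = example_sanitize_excerpt_length( $num_words );

    // Split into at most $num_words + 1 pieces; an extra piece means the
    // text was longer than the limit and needs the "more" marker.
    $words_array = preg_split( "/[\n\r\t ]+/", $text, $num_words + 1, PREG_SPLIT_NO_EMPTY );

    if ( count( $words_array ) > $num_words ) {
        array_pop( $words_array );
        return implode( ' ', $words_array ) . $more;
    }
    return implode( ' ', $words_array );
}

// Constructed demo values: the blank string is what the report says the
// plugin's filter returned; 3.9, 'abc' and -2 exercise the remaining rules.
$text = 'The quick brown fox jumps over the lazy dog';
foreach ( array( 55, 3.9, '', 'abc', -2 ) as $raw ) {
    printf( "%-6s -> %d\n", var_export( $raw, true ), example_sanitize_excerpt_length( $raw ) );
}
echo example_trim_words( $text, '' ), "\n";   // blank length sanitized to 0: no warning
echo example_trim_words( $text, 4 ), "\n";    // normal trimming with the "more" marker
```

 Run it with `php example.php`. Because the length is normalised before any
 arithmetic, the `$num_words + 1` expression never operates on a string. That
 matters beyond the log noise described above: on PHP 8 arithmetic on a
 non-numeric string is a fatal `TypeError` rather than a warning, so an
 unvalidated filter value would break excerpt rendering outright.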

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47867>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

