[wp-trac] [WordPress Trac] #47867: wp_trim_excerpt and wp_trim_words don't validate the excerpt length (int)
WordPress Trac
noreply at wordpress.org
Tue Aug 13 07:57:28 UTC 2019
#47867: wp_trim_excerpt and wp_trim_words don't validate the excerpt length (int)
--------------------------+-----------------------------
Reporter: pikamander2 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.2.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
We noticed that our error log was filled with messages like this:
**PHP message: PHP Warning: A non-numeric value encountered in
[...]/public_html/wp-includes/formatting.php on line 3770**
The immediate culprit turned out to be Elementor Pro, which allows the
user to input an excerpt length for its "Cards" element, but doesn't
validate the value at all, so if the user's input is blank then it will
set the excerpt length to a blank string value rather than 0. It does so
via the `excerpt_length` filter.
I've submitted the fix to their support, but shouldn't WordPress's core be
validating that value as well? I can't think of any possible reason why
you would want WordPress to attempt to use a non-numeric value in those
functions.
Here are the relevant lines in wp-includes\formatting.php that prompt the
warning:
{{{
$excerpt_more = apply_filters( 'excerpt_more', ' ' . '[…]' );
$text = wp_trim_words( $text, $excerpt_length, $excerpt_more );
//if...
$words_array = array_slice( $words_array[0], 0, $num_words + 1 );
//else...
$words_array = preg_split( "/[\n\r\t ]+/", $text, $num_words + 1,
PREG_SPLIT_NO_EMPTY );
}}}
Basically, the WordPress core sets the default excerpt length to 55, then
applies the filters, then doesn't check the resulting value to make sure
that it's valid.
I think that the sanitization logic should look something like this:
* If the resulting value is neither an integer nor a float, replace it
with 0.
* Else if the resulting value is a float, cast it to an integer
* Else use the value without any modification (since it's an integer and
therefore valid)
Assuming that that all sounds good, I'm not sure whether it would be more
appropriate to put the check at the end of `wp_trim_excerpt` or at the
start of `wp_trim_words` (or both?).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47867>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
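The sanitization the ticket proposes, written out as an added example (this is not WordPress core code and not the reporter's code). It implements the three rules from the ticket and goes one step further by also accepting numeric strings, since a filter callback that reads a saved option will typically return `"55"` rather than `55`; the function names `example_sanitize_excerpt_length` and `example_trim_excerpt` are hypothetical, and the filter chain is simulated with a plain callable so the snippet runs outside WordPress.

```php
<?php
/**
 * Added example, not WordPress core code. Sanitize whatever comes back
 * from the 'excerpt_length' filter before it is used in arithmetic
 * (the "$num_words + 1" in wp_trim_words() quoted in the ticket).
 *
 * Rules from the ticket, plus numeric-string handling:
 *  - int            -> returned unchanged
 *  - float          -> cast to int
 *  - numeric string -> cast to int (generalisation, not in the ticket)
 *  - anything else  -> 0 (blank string, null, non-numeric string, array)
 */
function example_sanitize_excerpt_length( $length ) {
    if ( is_int( $length ) ) {
        return $length;
    }
    if ( is_float( $length ) ) {
        return (int) $length;
    }
    if ( is_string( $length ) && is_numeric( trim( $length ) ) ) {
        return (int) $length;
    }
    return 0;
}

/**
 * Stand-in for the relevant part of wp_trim_excerpt(): apply the filter
 * (simulated here by $excerpt_length_filter), sanitize the result, then
 * do the same word split wp_trim_words() does. With a blank string the
 * unsanitized path would emit "A non-numeric value encountered" on
 * PHP 7 and fail harder on later versions; the sanitized path never
 * reaches arithmetic with a non-number.
 */
function example_trim_excerpt( $text, callable $excerpt_length_filter ) {
    $excerpt_length = example_sanitize_excerpt_length(
        $excerpt_length_filter( 55 )  // 55 is the core default
    );
    $words = preg_split(
        "/[\n\r\t ]+/",
        $text,
        $excerpt_length + 1,
        PREG_SPLIT_NO_EMPTY
    );
    if ( count( $words ) > $excerpt_length ) {
        array_pop( $words );
        return implode( ' ', $words ) . ' […]';
    }
    return implode( ' ', $words );
}

// Constructed sample values a misbehaving or well-behaved filter might return.
foreach ( array( 55, 20.7, '30', ' 12 ', '', null, 'abc', array() ) as $value ) {
    echo var_export( $value, true ), ' => ',
         var_export( example_sanitize_excerpt_length( $value ), true ), "\n";
}

// Simulated Elementor-style filter that returns a blank string:
// no PHP warning, and the excerpt is simply empty.
echo '[', example_trim_excerpt(
    'one two three four five',
    function ( $default ) { return ''; }
), "]\n";

// Well-behaved filter returning a numeric string from an option.
echo '[', example_trim_excerpt(
    'one two three four five',
    function ( $default ) { return '3'; }
), "]\n";
```

Under these rules a negative integer passes through unchanged (it is an int, so the ticket considers it valid); if that matters, a `max( 0, ... )` clamp is the one-line addition, but that is beyond what the ticket asks for.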