[wp-trac] [WordPress Trac] #46329: sanitize_text_field after 5.1 update should account for __toString() methods
WordPress Trac
noreply at wordpress.org
Sun Feb 24 22:54:46 UTC 2019
#46329: sanitize_text_field after 5.1 update should account for __toString() methods
-------------------------+------------------------------
 Reporter:  fclaussen    |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Formatting   |     Version:  5.1
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:
-------------------------+------------------------------
Changes (by pento):
* version: => 5.1
Comment:
Thank you for the bug report, @fclaussen!
This is a bit of a tricky problem. `sanitize_text_field()` usually has
user input passed directly to it, which makes it a target for security
issues. In particular, an attacker will try to instantiate a class that
implements `__toString()`, but the content of that string isn't intended
for the end user.
I'd love to hear more thoughts on whether we can make this check a little
less restrictive in a safe manner.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46329#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
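An added illustration of the caller-side pattern the comment above leaves open (example code, not from the ticket or WordPress core): keep the 5.1 object/array rejection in `sanitize_text_field()` intact and instead cast only objects the application created itself before passing them in. `sanitize_text_field_51()` is a minimal stand-in written here to reproduce the assumed 5.1 behaviour (objects and arrays yield an empty string) so the snippet runs outside WordPress; `DisplayName` and `sanitize_display_value()` are hypothetical.

```php
<?php
// A value object the application itself constructs (hypothetical). Because
// it is created by our own code, its __toString() output is trusted.
final class DisplayName {
    private $name;
    public function __construct(string $name) { $this->name = $name; }
    public function __toString(): string { return $this->name; }
}

// Stand-in for WordPress 5.1's sanitize_text_field(): assumed behaviour is
// that any object (even one with __toString()) or array yields ''. Only the
// rejection and a basic tag strip are reproduced here.
function sanitize_text_field_51($str) {
    if (is_object($str) || is_array($str)) {
        return '';
    }
    return trim(strip_tags((string) $str));
}

// Caller-side adapter: convert only the exact class we own, explicitly.
// Any other object (for example one reconstructed from untrusted input via
// unserialize()) still reaches the core check as an object and is refused,
// so its __toString() output never leaks into sanitized text.
function sanitize_display_value($value): string {
    if ($value instanceof DisplayName) {
        $value = (string) $value; // intentional, type-checked conversion
    }
    return sanitize_text_field_51($value);
}

// Constructed sample inputs.
var_dump(sanitize_display_value(new DisplayName('Ada <b>Lovelace</b>')));
var_dump(sanitize_display_value('plain text'));
var_dump(sanitize_display_value(new ArrayObject(['not', 'trusted'])));
```

The third call shows that an arbitrary object is still reduced to an empty string; only the whitelisted class is ever cast.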