[wp-trac] [WordPress Trac] #44988: The sanitize_html_class() is deceptive / "buggy"

WordPress Trac noreply at wordpress.org
Fri Sep 11 10:12:33 UTC 2020

#44988: The sanitize_html_class() is deceptive / "buggy"
 Reporter:  ChiefAlchemist  |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Formatting      |     Version:  4.9.6
 Severity:  normal          |  Resolution:
 Keywords:                  |     Focuses:

Comment (by ChiefAlchemist):

 Replying to [comment:4 lgedeon]:
 > If a significant number of plugins or themes outside core are relying on
 sanitize_html_class() being wrong, however, then we might just have to
 leave this alone.

 Can you give an example of this? Ultimately, the issue here is that a
 class is passing "validation" that is not valid. How would someone go
 about using something that's "against the law"? And if so, is that a good

 That said, an arg (bool?) could be added to the function such that the
 default is the current but the opposite would be able to actually do what
 the function says it does.

 Now we have:

 sanitize_html_class( $my_string)

 Next, we could have:

 sanitize_html_class( $my_string, true)

 Where true is the new & improved full-powered function, and the default of
 false bypasses the new fix. This should maintain backward compatibility
 and also allow the function to do what it promised to do. The extra arg is
 friction but it's better than such an obvious bug remaining in core.

Ticket URL: <https://core.trac.wordpress.org/ticket/44988#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
