[wp-trac] [WordPress Trac] #56434: Check that the input is a string in wp_strip_all_tags()
WordPress Trac
noreply at wordpress.org
Sun Aug 28 23:33:16 UTC 2022
#56434: Check that the input is a string in wp_strip_all_tags()
--------------------------------------------------------+--------------------
 Reporter:  chocofc1                                    |      Owner:  (none)
     Type:  defect (bug)                                |     Status:  new
 Priority:  normal                                      |  Milestone:  6.1
Component:  Formatting                                  |    Version:  2.9
 Severity:  minor                                       | Resolution:
 Keywords:  has-patch has-unit-tests php81 2nd-opinion  |    Focuses:
--------------------------------------------------------+--------------------
Comment (by peterwilsoncc):
`$_POST` and `$_GET` can be either a string or an array and it's beyond
the control of the developer. As a visitor I can change `?t=thing` to
`?t[]=thing` and the type will be an array.
I am not saying WPCS is the right tool for determining type. I am saying
WordPress is the right tool to make sanitization of user data as simple as
possible for extenders in order to encourage them to use it.
As WPCS encourages users to make sure the data is set, WordPress should
make things as easy as possible to do the right thing from there. Calling
sanitization functions is, unambiguously, the right thing to do so telling
developers they are doing the wrong thing does not help.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56434#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
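
The string-versus-array behaviour described in the comment above, as an added example that is not part of the original message, WordPress core, or the patch on this ticket. The helper name `example_strip_tags_from_request()` is hypothetical, the query strings are constructed, and returning an empty string for non-string input is a choice made for this example only.

```php
<?php
// Added illustration; not WordPress core code and not the ticket's patch.

/**
 * Hypothetical helper: strip tags from a request value, refusing anything
 * that is not a string (for example the array produced by ?t[]=thing).
 */
function example_strip_tags_from_request( $value ) {
    if ( ! is_string( $value ) ) {
        // Assumption for this example: non-string input becomes ''.
        return '';
    }
    // Drop <script>/<style> blocks with their contents, then remaining tags.
    $value = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $value );
    return trim( strip_tags( (string) $value ) );
}

// Constructed query strings. parse_str() applies the same parsing rules
// PHP uses to populate $_GET, so the resulting types match a real request.
$samples = array(
    't=thing',
    't[]=thing',
    't[a][b]=thing',
    't=<b>thing</b><script>x()</script>',
);

foreach ( $samples as $query ) {
    $params = array();
    parse_str( $query, $params );
    $raw = $params['t'] ?? null;

    printf(
        "%-38s type=%-6s sanitized=%s\n",
        $query,
        gettype( $raw ),
        var_export( example_strip_tags_from_request( $raw ), true )
    );
}
```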