[wp-trac] [WordPress Trac] #56434: Check that the input is a string in wp_strip_all_tags()

WordPress Trac noreply at wordpress.org
Mon Aug 29 02:29:25 UTC 2022


#56434: Check that the input is a string in wp_strip_all_tags()
-------------------------------------------------+-------------------------
 Reporter:  chocofc1                             |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  6.1
Component:  Formatting                           |     Version:  2.9
 Severity:  minor                                |  Resolution:
 Keywords:  has-patch has-unit-tests php81 2nd-  |     Focuses:
  opinion                                        |
-------------------------------------------------+-------------------------

Comment (by dd32):

 I would be hesitant to suggest that a `_doing_it_wrong()` is an appropriate
 notice for passing unexpected data-types. If a sanitization function only
 operates on scalar, and a non-scalar is provided, either the function
 should handle it (i.e. array) or return false IMHO. I would note that
 `wp_strip_all_tags()` is not a sanitization function IMHO though..

 That seems especially true to me for functions which are intended to run
 on user-provided data via POST/GET/etc, due to the significant number of
 plugins (and Core!) which simply do not validate whether a parameter is
 the expected data-type.

 I would argue that type-checking of the data is best left to the point
 it's accessed, and in the case of POST/GET would probably be benefited
 through a solution to #22325 at some point.

 However, to step back from my point of view, the modern PHP way of doing
 things is to throw a `TypeError` fatal when strict types are used, or when
 a parameter data type is specified.. so in that sense, `_doing_it_wrong()`
 is kind of the PHP way of thinking, although a lot less quiet than PHP's
 fatal errors.

 I guess to me, `_doing_it_wrong()` is appropriate when a developer will
 ''actually see'' the warning during development, and can act appropriately
 to change how they're calling something, but if it's just passing junk to
 a function and not handling the PHP Notice / Warning / Fatal / Invalid
 return value, the `_doing_it_wrong()` notice wouldn't have actually helped
 them in the first place.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56434#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
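
The comment above contrasts checking a parameter's type where request data is accessed with relying on the callee to reject it. The sketch below is an added example, not code from the ticket or from WordPress: `get_request_string()` and `strip_markup()` are hypothetical helpers, and `$query` is a constructed array standing in for `$_GET`.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a WordPress function): read one request
 * parameter and return it only if it is a string, otherwise the default.
 */
function get_request_string(array $source, string $key, string $default = ''): string
{
    // A query such as ?filter[]=x is parsed into an array; a missing key gives null.
    $value = $source[$key] ?? null;
    return is_string($value) ? $value : $default;
}

/** Hypothetical stand-in for a formatting function that only operates on strings. */
function strip_markup(string $text): string
{
    return trim(strip_tags($text));
}

// Constructed sample input standing in for $_GET.
$query = [
    'title'  => '<b>Hello</b> world',
    'filter' => ['<i>unexpected</i>'], // shape produced by ?filter[]=...
];

// Type checked at the point of access: the callee always receives a string.
echo strip_markup(get_request_string($query, 'title')), PHP_EOL;
echo strip_markup(get_request_string($query, 'filter', 'none')), PHP_EOL;
echo strip_markup(get_request_string($query, 'missing', 'none')), PHP_EOL;

// Unchecked access: the typed parameter rejects the array with a TypeError,
// which the caller has to be prepared to handle.
try {
    strip_markup($query['filter']);
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), PHP_EOL;
}
```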

