[wp-trac] [WordPress Trac] #55838: Warning: strip_tags() expects parameter 1 to be string, array given in wp-includes/formatting.php:2246

WordPress Trac noreply at wordpress.org
Thu May 26 07:36:13 UTC 2022


#55838: Warning: strip_tags() expects parameter 1 to be string, array given in wp-includes/formatting.php:2246
-------------------------------+-----------------------------
 Reporter:  dd32               |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:
 Severity:  normal             |   Keywords:  has-patch
  Focuses:  rest-api           |
-------------------------------+-----------------------------
 {{{
 E_WARNING: strip_tags() expects parameter 1 to be string, array given in
 wp-includes/formatting.php:2246
 }}}

 This is a slightly funky one, and is triggered by a request similar to:
 {{{
 https://example.org/wp-json/wp/v2/posts?slug[0][1]=2
 https://example.org/wp-json/wp/v2/posts?status[0][1]=2
 }}}

 The Posts endpoint allows for status/slug to be either an array, or a
 string (optionally comma separated).

 https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php?marks=2849-2853,2859-2864#L2842

 Unfortunately it doesn't enforce that to be an array of strings, allowing
 an array of arrays to pass through.

 It seems that the best place to fix this is in `wp_parse_slug_list()`,
 although perhaps an argument could be made for altering `wp_parse_list()`
 too.

 `wp_parse_list()` simply leaves arrays as they are, not caring about the
 contents of the array. It seems that leaving that as-is is okay.

 Simply updating `wp_parse_slug_list()` to also filter for scalars results
 in the same outcome, and is much safer from a back-compat perspective.

 {{{#!diff
 Index: functions.php
 ===================================================================
 --- src/wp-includes/functions.php       (revision 53035)
 +++ src/wp-includes/functions.php       (working copy)
 @@ -4845,6 +4845,7 @@
   */
  function wp_parse_slug_list( $list ) {
         $list = wp_parse_list( $list );
 +       $list = array_filter( $list, 'is_scalar' );

         return array_unique( array_map( 'sanitize_title', $list ) );
  }
 }}}
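
Review bot: the docblock that closes at the `*/` context line is left unchanged, so nothing tells callers of `wp_parse_slug_list()` that non-scalar entries are now silently dropped; add a sentence to the description saying so. The `'is_scalar'` callback on the added line also accepts booleans, integers and floats, so those values still reach `sanitize_title`; if that is intended, a short comment on the added line would make it explicit. A unit test that passes a nested array (the `slug[0][1]=2` shape from the report) would pin the new behaviour.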

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55838>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform