[wp-trac] [WordPress Trac] #56504: `sanitize_html_class()` is both too restrictive, and too permissive so it may return an invalid class name
WordPress Trac
noreply at wordpress.org
Sun Sep 4 23:21:36 UTC 2022
#56504: `sanitize_html_class()` is both too restrictive, and too permissive so it may return an invalid class name
--------------------------+------------------------------
Reporter: anrghg | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: close | Focuses:
--------------------------+------------------------------
Changes (by peterwilsoncc):
* keywords: => close
Comment:
The purpose of the sanitization and escaping functions in WordPress is to
make code safe rather than validate it. In this case,
`sanitize_html_class()`'s goal is to ensure the class name doesn't include
characters that will allow a maliciously crafted class name to run
JavaScript or alter the HTML:
{{{#!php
<?php
$class_name = '300"; onload="/* some JavaScript */';
?>
<div class="<?php echo sanitize_html_class( $class_name ); ?>"></div>
}}}
Without sanitization the above code would execute the malicious code, with
sanitization it is safe. See the example at https://3v4l.org/RRqr1
It is possible to use a number within CSS by properly escaping it, for
example `class="300"` can be styled by using `.\33 00 {}`.
As classes are case sensitive, it would be problematic to convert them to
lower case in this function. To cover the side note about title,
`sanitize_title()` is applied to slugs and converts characters to
lowercase:
{{{
wp> sanitize_title( 'This Is My Title Case Title' );
string(27) "this-is-my-title-case-title"
}}}
My inclination is to close this issue as `sanitize_html_class()` is
achieving its goal of making the class names safe.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56504#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
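The attribute-breakout scenario from the comment above, as an added, stand-alone example that is not code from the ticket or from WordPress core. `sanitize_html_class_demo()` is a hypothetical reimplementation modelled on the filtering rules of core's `sanitize_html_class()` (strip percent-encoded octets, keep only `A-Z`, `a-z`, `0-9`, `_` and `-`, fall back to a second value when nothing survives) so that it runs outside WordPress; the `sanitize_html_class` filter hook is omitted. `css_selector_for_class()` is likewise an assumed helper that produces the `.\33 00` style selector the comment mentions for class names beginning with a digit. The inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// sanitize_html_class_demo() mirrors the filtering rules of core's
// sanitize_html_class() (strip percent-encoded octets, then keep only
// A-Z, a-z, 0-9, '_' and '-', with an optional fallback) so the script
// runs without WordPress loaded; the filter hook is left out.
function sanitize_html_class_demo( string $classname, string $fallback = '' ): string {
    // Strip out any percent-encoded characters such as %22 (").
    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );
    // Keep only characters that can never close the attribute or the tag,
    // so quotes, spaces, '=', '<' and '>' from the input are all dropped.
    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
    if ( '' === $sanitized && '' !== $fallback ) {
        return sanitize_html_class_demo( $fallback );
    }
    return $sanitized;
}

// Assumed helper: build a CSS selector for a class name. A class that
// starts with a digit is legal in HTML but must be escaped in CSS, with
// the leading digit written as its hex code point followed by a space,
// so "300" becomes ".\33 00" as in the comment above.
function css_selector_for_class( string $class ): string {
    if ( preg_match( '/^[0-9]/', $class ) ) {
        return '.\\' . dechex( ord( $class[0] ) ) . ' ' . substr( $class, 1 );
    }
    return '.' . $class;
}

// Constructed inputs: the breakout attempt from the comment, a
// percent-encoded variant of it, a purely numeric class that is safe
// but needs escaping in CSS, and input that is stripped entirely so
// the fallback value is used instead.
$inputs = [
    '300"; onload="/* some JavaScript */',
    '300%22 onload=%22alert(1)',
    '300',
    '@#$!',
];

foreach ( $inputs as $raw ) {
    $safe = sanitize_html_class_demo( $raw, 'fallback-class' );
    printf( "raw input:     %s\n", $raw );
    printf( "unsafe markup: <div class=\"%s\"></div>\n", $raw );
    printf( "safe markup:   <div class=\"%s\"></div>\n", $safe );
    printf( "css selector:  %s {}\n\n", css_selector_for_class( $safe ) );
}
```

For the first input the unsafe line shows the attribute being closed and an `onload` handler injected, while the safe line collapses the same string to the single class `300onloadsomeJavaScript`, which is harmless in markup even though it is not the class the author intended. This is the distinction the comment draws: the function makes the value safe to echo into an attribute, it does not promise to return a meaningful or even valid class name, and an empty result is only replaced when a fallback is supplied.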