[wp-trac] [WordPress Trac] #56504: `sanitize_html_class()` is both too restrictive, and too permissive so it may return an invalid class name
WordPress Trac
noreply at wordpress.org
Mon Sep 5 01:58:43 UTC 2022
#56504: `sanitize_html_class()` is both too restrictive, and too permissive so it
may return an invalid class name
-------------------------------------------------+-------------------------
Reporter: anrghg | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: close changes-requested needs-testing needs-dev-note needs-I18N-review | Focuses:
-------------------------------------------------+-------------------------
Comment (by peterwilsoncc):
> Since page slugs are used as class names, all scripts should be equal:
> Latin, Greek, Cyrillic, all 160 (number growing) Non-Latin scripts already
> supported by Unicode.
I do agree that the function ought to be more permissive for valid
characters; there's an existing ticket for that, #33924, which I've
commented on. There are some backward compatibility concerns that never
got resolved.
It's the validation side of this ticket that I wish to avoid. In part
because CSS is more permissive than it once was; in part because spec
changes could lead to further tickets like this in the future.
> we can even use all these symbols and punctuation provided they are
> backslash-escaped. This too prevents malicious code from running.)
Are you happy to continue this discussion on #33924 and close this ticket
as a duplicate?
Raising the issue of non-Latin alphabets is an excellent point. If you
post it to the original ticket, it will ensure you get props for
contributing to the discussion.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56504#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform