[wp-trac] [WordPress Trac] #60745: WP_Query::parse_query() does not handle invalid query arg values
WordPress Trac
noreply at wordpress.org
Thu Jul 18 01:09:44 UTC 2024
#60745: WP_Query::parse_query() does not handle invalid query arg values
--------------------------------------------+---------------------
Reporter: xknown | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.7
Component: Query | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests php80 | Focuses:
--------------------------------------------+---------------------
Changes (by dd32):
* milestone: Awaiting Review => 6.7
Comment:
I tend to agree that this "doesn't belong in WP_Query" but the only better
place is within the `WP` class before it passes parameters to `WP_Query`.
Due to how `WP_Query` is used in the wild, often passing query
variables into it, it doesn't make sense to me to put it into `WP`.

There's a loooong history of requests to resolve these notices, then
warnings, and now fatals. #17737 is the primary one I can find.

Most of the scalar-only query_vars were handled in [53891], but that
hasn't added any "validate the array-only items are arrays". Some of the
arrays that only accept IDs are 'protected' via `wp_parse_id_list()`
deeper in.

That all being said, I feel like if the answer was "This shouldn't be
fixed in WP_Query" then `WP_Query` should return a `WP_Error` for invalid
inputs, but [53891] has already been merged which can be used as a good
reason to add array-validation here too.

Another one worth looking at for inspiration is
[https://developer.wordpress.org/reference/classes/wp_tax_query/clean_query/ WP_Tax_Query::clean_query()].

I'm milestoning this for 6.7, because I'm not seeing a good reason not to
move forward with the PR in some form or another.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60745#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform