[wp-trac] [WordPress Trac] #21989: update_option() calls sanitize_option() twice when option does not exist
WordPress Trac
noreply at wordpress.org
Tue May 21 02:32:33 UTC 2024
#21989: update_option() calls sanitize_option() twice when option does not exist
-------------------------------------------------+-------------------------
 Reporter:  MikeSchinkel                          |       Owner:  pbearne
     Type:  defect (bug)                          |      Status:  accepted
 Priority:  normal                                |   Milestone:  Future Release
Component:  Options, Meta APIs                    |     Version:
 Severity:  normal                                |  Resolution:
 Keywords:  dev-feedback has-patch needs-testing  |     Focuses:  performance
-------------------------------------------------+-------------------------
Comment (by lev0):
I disagree with [comment:20 dd32]'s assessment:

> While this is a weird bug to run into, it's most definitely not urgent
> based on the 5 years this ticket has existed without action & few reports.

If someone analysed all plugins using (the widely-recommended)
`register_setting()`, I'm sure they'd find a minuscule proportion
anticipate that the `sanitize_callback` can be called twice. That's just
one way to hit this bug.

Developers probably have no idea their plugins are affected, because the
issue disappears as soon as the option is created (even with an invalid
value). I don't know about other devs, but usually when I create an
option, it's assigned a value so I can test it, and it stays. I might
change the value but I rarely delete it. I put more complex configs into
single array options, and HTML form structures normally aren't 1:1 with
the option structures, so unless I protect input from being parsed twice,
it's guaranteed to get corrupted.

In contrast, **every** new user of an affected plugin can hit this on the
first install, where the option will not exist. This makes a crappy first
impression, and unduly reflects poorly on the author. You install a
plugin, go to its settings page, carefully complete the form, and whether
it saves correctly or not is a gamble.

Finally some interest and it's stalled again. 12 years is a long time.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21989#comment:44>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
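
The failure mode discussed in the comment above, as an added example that is not part of the original message or of WordPress core: a `sanitize_callback` that maps form fields onto a differently shaped option loses data when it runs twice, while one that accepts both shapes is stable. The field names (`ttl_minutes`, `hosts_csv`) and function names are hypothetical, and the second call is simulated in plain PHP rather than made through `update_option()`.

```php
<?php
// Constructed form input: field names differ from the stored option's shape.
const SAMPLE_POST = ['ttl_minutes' => '5', 'hosts_csv' => 'a.example, b.example'];

// Assumes it always receives the form's shape (hypothetical callback).
function naive_sanitize($input): array {
    $hosts = array_map('trim', explode(',', (string) ($input['hosts_csv'] ?? '')));
    return [
        'ttl'   => 60 * (int) ($input['ttl_minutes'] ?? 0),
        'hosts' => array_values(array_filter($hosts, fn($h) => $h !== '')),
    ];
}

// Accepts the form's shape or the already-stored shape, so a second pass is a no-op.
function idempotent_sanitize($input): array {
    $input = is_array($input) ? $input : [];
    $ttl = isset($input['ttl_minutes'])
        ? 60 * (int) $input['ttl_minutes']
        : (int) ($input['ttl'] ?? 0);
    $hosts = $input['hosts'] ?? explode(',', (string) ($input['hosts_csv'] ?? ''));
    $hosts = array_filter(is_array($hosts) ? $hosts : [], 'is_string');
    $hosts = array_filter(array_map('trim', $hosts), fn($h) => $h !== '');
    return ['ttl' => max(0, $ttl), 'hosts' => array_values($hosts)];
}

// Simulate the first save described in the ticket: the callback runs twice.
foreach (['naive_sanitize', 'idempotent_sanitize'] as $callback) {
    $once  = $callback(SAMPLE_POST);
    $twice = $callback($once);
    printf("%s: %s\n", $callback, $once === $twice ? 'stable' : 'changed by second call');
    echo json_encode(['once' => $once, 'twice' => $twice]), "\n";
}
```

In a plugin, the second function is the kind of callback that would be passed as `sanitize_callback` to `register_setting()`.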