[wp-trac] [WordPress Trac] #22400: Remove all, or at least most, uses of extract() within WordPress

WordPress Trac noreply at wordpress.org
Tue May 13 15:48:04 UTC 2014


#22400: Remove all, or at least most, uses of extract() within WordPress
-------------------------------------------------+-------------------------
 Reporter:  Viper007Bond                         |       Owner:
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future Release
Component:  General                              |     Version:  3.4.2
 Severity:  normal                               |  Resolution:
 Keywords:  westi-likes needs-testing has-patch  |     Focuses:
-------------------------------------------------+-------------------------

Comment (by jdgrimes):

 Replying to [comment:49 rzen]:
 > Replying to [comment:48 jmlapam]:
 > > To my knowledge extract() takes all params from an array, so it could be
 > > very bad to use it when data comes from the user. The documentation says
 > > extract can take some additional args to avoid bad behavior, e.g. a prefix.
 > >
 > > My question regards shortcodes. I use them all the time, so do you
 > > recommend removing extract from all our shortcode callbacks?
 >
 > Yes, you should absolutely remove uses of `extract()` for
 > [http://josephscott.org/archives/2009/02/i-dont-like-phps-extract-function/ the same reasons highlighted at the start of the ticket].
 > That said, unless you're doing something really strange within your
 > shortcode function that somehow makes use of ''all'' available variables,
 > or you're using global variables which could be overridden, you need not be
 > too concerned about users passing in something that will be extracted. Even
 > so, you'll be happier without extract. :)

 Also, note that if you are using `shortcode_atts()` on the attributes
 before calling `extract()`, only the attributes you have specified will be
 returned and extracted into variables. So even if you are using
 `extract()`, someone wouldn't be able to override just any variable.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/22400#comment:51>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
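The behaviour described in this comment, shown as an added PHP example that is not code from the ticket or from WordPress core: a shortcode callback that calls extract() on the raw attribute array, the same callback with shortcode_atts() applied first, and a version that does not use extract() at all. The shortcode name, the variable names and the attribute arrays are constructed for illustration, and the shortcode_atts() stand-in is a simplified reimplementation (it omits the shortcode_atts_{$shortcode} filter) that is only defined when the file runs outside WordPress.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Contrasts extract() on raw shortcode attributes with shortcode_atts() first,
// and with reading the attribute array directly. Names are illustrative and the
// $atts array below is constructed by hand instead of being parsed from a post.

// Stand-in for WordPress's shortcode_atts(), only defined when this file runs
// outside WordPress. Like the core function it keeps exactly the keys present
// in $pairs; the core function additionally applies the
// shortcode_atts_{$shortcode} filter, which is omitted here.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( array $pairs, $atts, $shortcode = '' ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// Minimal HTML escaping so the file does not depend on esc_html()/esc_attr().
function esc( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// 1. extract() on the raw attributes. Every attribute the post author writes
//    becomes a local variable, so an attribute with the same name as one of the
//    callback's own variables replaces it (extract() defaults to EXTR_OVERWRITE).
function notice_shortcode_extract_raw( $atts, $content = null ) {
    $allow_html = false;          // the callback's own flag: enclosed content is text
    $class      = 'notice';
    $atts       = (array) $atts;  // WordPress passes '' when a shortcode has no attributes
    extract( $atts );             // can redefine $allow_html, $class and $content
    $body = $allow_html ? $content : esc( $content );
    return '<div class="' . esc( $class ) . '">' . $body . '</div>';
}

// 2. shortcode_atts() first, then extract(). Only the keys listed in the
//    defaults survive, so extract() can define nothing but $class here.
function notice_shortcode_extract_filtered( $atts, $content = null ) {
    $allow_html = false;
    $atts       = shortcode_atts( array( 'class' => 'notice' ), $atts, 'notice' );
    extract( $atts );
    $body = $allow_html ? $content : esc( $content );
    return '<div class="' . esc( $class ) . '">' . $body . '</div>';
}

// 3. No extract() at all: read the filtered array explicitly. This is the
//    form the ticket is moving core towards.
function notice_shortcode_no_extract( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'class' => 'notice' ), $atts, 'notice' );
    return '<div class="' . esc( $atts['class'] ) . '">' . esc( $content ) . '</div>';
}

// Constructed attribute array, standing in for what shortcode_parse_atts()
// would produce from:
// [notice class="notice" allow_html="1" content="..."]Hello <b>world</b>[/notice]
$hostile_atts = array(
    'class'      => 'notice',
    'allow_html' => '1',                            // same name as the local flag
    'content'    => '<img src=x onerror=alert(1)>', // same name as the $content parameter
);
$enclosed = 'Hello <b>world</b>';

echo notice_shortcode_extract_raw( $hostile_atts, $enclosed ), "\n";
echo notice_shortcode_extract_filtered( $hostile_atts, $enclosed ), "\n";
echo notice_shortcode_no_extract( $hostile_atts, $enclosed ), "\n";
```

Run it with the php command-line binary. The first call emits the attacker-supplied markup unescaped, because the `allow_html` and `content` attributes replaced the callback's own $allow_html flag and its $content parameter; the other two calls escape the enclosed content, since shortcode_atts() dropped every key not present in the defaults. PHP's EXTR_SKIP flag would also have blocked the overwrites in the first function, because all three variables already exist when extract() runs, but it offers nothing for variables the callback first assigns after the extract() line; dropping extract() entirely, as this ticket does for core, avoids the question.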

