[wp-trac] [WordPress Trac] #46536: wp_create_user_request should sanitize the action_name using _wp_privacy_action_request_types
WordPress Trac
noreply at wordpress.org
Mon Oct 26 17:50:33 UTC 2020
#46536: wp_create_user_request should sanitize the action_name using
_wp_privacy_action_request_types
-------------------------------------------------+-------------------------
 Reporter:  garrett-eclipse                      |       Owner:  garrett-eclipse
     Type:  defect (bug)                         |      Status:  accepted
 Priority:  normal                               |   Milestone:  5.6
Component:  Privacy                              |     Version:  4.9.6
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests             |     Focuses:
  needs-refresh                                  |
-------------------------------------------------+-------------------------
Changes (by helen):
* keywords: has-patch has-unit-tests commit => has-patch has-unit-tests
needs-refresh
Comment:

I have some tweaks I'd like to see here before commit, they are actually
two different paths to take so open to any discussion.

Option 1 (my preference): we remove the `if ( ! $action_name )` check
entirely and just let empty-ish action names be considered invalid instead
of differentiating as empty, and then also remove the corresponding
missing test from the patch.

Option 2: change `if ( ! $action_name )` to `if ( empty( $action_name ) )`
because the default value is an empty string, not a bool. Outcome is
approximately the same, but seems more readable and precise to me. I'd
love to hear more about how somebody would end up in a situation where
they really need to differentiate between `missing_action` and
`invalid_action`, and in that case, perhaps the display strings need to be
more specific about what action because it's pretty generic but means
different things in different contexts.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/46536#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
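
An added example, not part of the ticket or its patch: a stand-alone PHP sketch of the two options from the comment above, run over constructed inputs. The function names, the `ok` return value, and the hard-coded allowlist (standing in for what `_wp_privacy_action_request_types()` supplies) are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. All example_* names are hypothetical.

// Stand-in for the allowlist supplied by _wp_privacy_action_request_types().
// The two action names are assumed here, not taken from the ticket.
function example_allowed_actions(): array {
    return array( 'export_personal_data', 'remove_personal_data' );
}

// Option 1: no separate emptiness check. Anything off the allowlist,
// including empty-ish values, is reported as invalid_action.
function example_check_option_1( $action_name ): string {
    if ( ! in_array( $action_name, example_allowed_actions(), true ) ) {
        return 'invalid_action';
    }
    return 'ok';
}

// Option 2: keep the missing/invalid distinction, testing with empty().
function example_check_option_2( $action_name ): string {
    if ( empty( $action_name ) ) {
        return 'missing_action';
    }
    if ( ! in_array( $action_name, example_allowed_actions(), true ) ) {
        return 'invalid_action';
    }
    return 'ok';
}

// Constructed inputs: the default empty string, other empty-ish values,
// an action that is not on the allowlist, and one that is.
$samples = array( '', '0', null, 'delete_everything', 'export_personal_data' );

foreach ( $samples as $value ) {
    printf(
        "%-24s option1=%-15s option2=%s\n",
        var_export( $value, true ),
        example_check_option_1( $value ),
        example_check_option_2( $value )
    );
}
```

Both variants reject every value that is not on the allowlist; they differ only in which error code the empty-ish inputs (`''`, `'0'`, `null`) receive.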