[wp-trac] [WordPress Trac] #46536: wp_create_user_request should sanitize the action_name using _wp_privacy_action_request_types
WordPress Trac
noreply at wordpress.org
Wed Oct 28 21:09:42 UTC 2020
#46536: wp_create_user_request should sanitize the action_name using
_wp_privacy_action_request_types
--------------------------------------------------+-------------------------
Reporter: garrett-eclipse                         | Owner: garrett-eclipse
Type: defect (bug)                                | Status: accepted
Priority: normal                                  | Milestone: 5.6
Component: Privacy                                | Version: 4.9.6
Severity: normal                                  | Resolution:
Keywords: has-patch has-unit-tests needs-testing  | Focuses:
--------------------------------------------------+-------------------------
Changes (by garrett-eclipse):
* keywords: has-patch has-unit-tests needs-refresh =>
  has-patch has-unit-tests needs-testing
Comment:

Thanks for the review @helen. Having some more time, I delved back on this
and agree option 1A is the way to go here, with the exception of keeping
the unit test.

In [https://core.trac.wordpress.org/attachment/ticket/46536/46536.4.diff 46536.4.diff]
I've refreshed the patch to drop the original `if ( ! $action_name )`
that presided prior to this ticket, leaving the new
`if ( ! in_array( $action_name, _wp_privacy_action_request_types(), true ) )`
conditional, along with updating the unit test to use the correct
`invalid_action` test result.

I preserved the unit test as this ticket seeks to change the existing
behaviour that just checked if the action name is missing to also now
check, if there is an action name, whether it is invalid. As these are two
unique conditions we're satisfying with the single check in `user.php`, I
feel in our unit testing we should cover both these cases.

Let me know what you think?

Thanks
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46536#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
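
The single strict allowlist check discussed in the comment above, as an added stand-alone example (not WordPress core code and not part of the patch). The `example_*` functions are hypothetical stand-ins, and the contents of the request type list are assumed.

```php
<?php
// Added illustration, not WordPress core code.

// Stand-in for _wp_privacy_action_request_types(); list contents assumed.
function example_action_request_types() {
    return array( 'export_personal_data', 'remove_personal_data' );
}

// Hypothetical reduction of the validation step: one strict allowlist check.
// Returns 'invalid_action' on rejection, null when the name is accepted.
function example_validate_action_name( $action_name ) {
    if ( ! in_array( $action_name, example_action_request_types(), true ) ) {
        return 'invalid_action';
    }
    return null;
}

// Constructed inputs covering both conditions: a missing action name and
// an action name that is present but not on the allowlist.
$cases = array(
    'empty string (missing)' => '',
    'null (missing)'         => null,
    'unknown action name'    => 'not_a_real_action',
    'wrong case'             => 'Export_Personal_Data',
    'boolean true'           => true,
    'valid export'           => 'export_personal_data',
    'valid erasure'          => 'remove_personal_data',
);

foreach ( $cases as $label => $value ) {
    $strict = example_validate_action_name( $value );
    // Same lookup without the third argument, for comparison only.
    $loose = in_array( $value, example_action_request_types() ) ? 'accepted' : 'rejected';
    printf( "%-24s strict: %-15s loose: %s\n", $label, $strict ?? 'accepted', $loose );
}
```

Only the `boolean true` row differs between the two columns: PHP's loose comparison treats `true` as equal to any non-empty string, so the `true` third argument to `in_array()` is what makes the allowlist reject non-string values as well.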