[wp-trac] [WordPress Trac] #21989: update_option() calls sanitize_option() twice when option does not exist
WordPress Trac
noreply at wordpress.org
Tue Nov 29 03:48:46 UTC 2022
#21989: update_option() calls sanitize_option() twice when option does not exist
-------------------------------------------------+-------------------------
Reporter: MikeSchinkel                           | Owner: (none)
Type: defect (bug)                               | Status: new
Priority: normal                                 | Milestone: Future Release
Component: Options, Meta APIs                    | Version:
Severity: normal                                 | Resolution:
Keywords: dev-feedback has-patch needs-testing   | Focuses: performance
-------------------------------------------------+-------------------------
Comment (by costdev):
Unfortunately, after further investigation and writing some PHPUnit tests,
relying on a check to see if a filter has run isn't safe.
Why?
- Anyone can run `sanitize_option()` or `apply_filters(
"sanitize_option_{$option}" )` before accidentally passing an unsanitized
value to `add_option()/update_option()`. If sanitization in `add_option()`
were to rely on whether `"sanitize_option_{$option}"` ran, it would
proceed to add the unsafe value to the database.
- The same applies to any filter/action hook in `update_option()` as well.
- In short, it's possible to accidentally skip sanitizing if relying on
whether a filter has run.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21989#comment:34>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
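To make the failure mode costdev describes concrete, the following is an added example (my own, not code from the ticket or from WordPress core). It replaces the WordPress hook API with a few lines of its own so it runs stand-alone, uses a hypothetical option `demo_max_items` sanitized through `absint()` on the `sanitize_option_{$option}` filter, and names the "has the filter run?" check `filter_has_run()`, which is not a WordPress function. Run it with `php` from the command line.

```php
<?php
declare(strict_types=1);

// Minimal stand-in for the WordPress hook registry so this file runs without
// WordPress. Assumption: only the behaviour the argument needs is modelled
// (ordered callbacks plus a per-filter run counter).
$GLOBALS['demo_hooks'] = [];
$GLOBALS['demo_hook_runs'] = [];

function add_filter(string $tag, callable $fn): void
{
    $GLOBALS['demo_hooks'][$tag][] = $fn;
}

function apply_filters(string $tag, $value)
{
    $GLOBALS['demo_hook_runs'][$tag] = ($GLOBALS['demo_hook_runs'][$tag] ?? 0) + 1;
    foreach ($GLOBALS['demo_hooks'][$tag] ?? [] as $fn) {
        $value = $fn($value);
    }
    return $value;
}

// The "has this filter run yet?" test the comment warns against relying on.
// Hypothetical helper name, not a WordPress function.
function filter_has_run(string $tag): bool
{
    return ($GLOBALS['demo_hook_runs'][$tag] ?? 0) > 0;
}

// Mirrors the shape of core's sanitize_option(): after any built-in handling,
// the per-option filter "sanitize_option_{$option}" is applied last.
function sanitize_option(string $option, $value)
{
    return apply_filters("sanitize_option_{$option}", $value);
}

// Hypothetical option holding a non-negative integer. absint() is defined
// here only because the real one ships with WordPress.
function absint($maybeint): int
{
    return abs((int) $maybeint);
}
add_filter('sanitize_option_demo_max_items', 'absint');

// Proposed shortcut: skip sanitizing when the option's filter already ran.
function add_option_skip_if_filtered(string $option, $value, array &$db): void
{
    if (!filter_has_run("sanitize_option_{$option}")) {
        $value = sanitize_option($option, $value);
    }
    $db[$option] = $value; // $db stands in for the options table
}

// Unconditional form: sanitize whatever value is actually passed, every time.
function add_option_always_sanitize(string $option, $value, array &$db): void
{
    $db[$option] = sanitize_option($option, $value);
}

function run_demo(): array
{
    // Caller sanitizes value A, so "sanitize_option_demo_max_items" has run...
    $valueA = sanitize_option('demo_max_items', '25');
    // ...then accidentally passes a different, never-sanitized value B.
    $valueB = '<b>25</b>'; // constructed sample input, not a valid integer

    $db = [];
    add_option_skip_if_filtered('demo_max_items', $valueB, $db);
    $viaShortcut = $db['demo_max_items'];

    $db = [];
    add_option_always_sanitize('demo_max_items', $valueB, $db);
    $viaAlways = $db['demo_max_items'];

    // Sanitizing twice, the behaviour the ticket is about, is harmless here:
    // absint() is idempotent, so a second pass over a clean value changes nothing.
    $twice = sanitize_option('demo_max_items', $valueA);

    return [
        'value_a'      => $valueA,
        'via_shortcut' => $viaShortcut,
        'via_always'   => $viaAlways,
        'twice'        => $twice,
    ];
}

var_dump(run_demo());
```

The shortcut stores value B exactly as passed because the run counter only records that the filter ran for some earlier value, not for this one; the unconditional form stores the sanitized integer, and the repeated pass over an already sanitized value is a no-op. That is the trade-off the comment points at: the cost of the redundant `sanitize_option()` call is one extra filter run, while the cost of skipping it is an unsanitized value in the options table.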