[wp-trac] [WordPress Trac] #21989: update_option() calls sanitize_option() twice when option does not exist
WordPress Trac
noreply at wordpress.org
Wed Nov 30 01:43:28 UTC 2022
#21989: update_option() calls sanitize_option() twice when option does not exist
-------------------------------------------------+-------------------------
 Reporter:  MikeSchinkel                         |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Future Release
Component:  Options, Meta APIs                   |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  dev-feedback has-patch needs-testing |     Focuses:  performance
-------------------------------------------------+-------------------------
Comment (by gregstorkan):

There's clearly something I don't understand about the intended use of the
`pre_update_option` and `pre_update_option_{$option}` filters, as it seems
to me that sanitization should always be the last thing to happen to the
value prior to it being saved... but I'll close my pull req and
regardless, perhaps fixing the inconsistency of the filters is step 1 here
anyway.

If the key is to come up with some way to be sure that the value passed to
`add_option()` came from `update_option()`, and thus has been sanitized,
then is there something `update_option()` could generate that
`add_option()` could securely verify? Perhaps some kind of nonce that
could be passed along with the value in an array?

Obviously I'm spitballing based on extremely limited knowledge but it does
feel like there's a creative solution here somewhere.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21989#comment:35>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform