[wp-trac] [WordPress Trac] #64489: Admin Ajax: Improve action input sanitization with sanitize_key()
WordPress Trac
noreply at wordpress.org
Sat Jan 10 21:45:27 UTC 2026
#64489: Admin Ajax: Improve action input sanitization with sanitize_key()
--------------------------+------------------------------
Reporter: mohammadzaid | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+------------------------------
Comment (by westonruter):
> Action names should only contain lowercase alphanumerics, underscores,
hyphens per WP standards.
This isn't necessarily the case. Dynamic hook names can have anything.
I've seen hooks with slashes and dots as well. Doing sanitization like
this will break such extensions.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64489#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list