[wp-trac] [WordPress Trac] #64489: Admin Ajax: Improve action input sanitization with sanitize_key()
WordPress Trac
noreply at wordpress.org
Sun Jan 11 05:35:02 UTC 2026
#64489: Admin Ajax: Improve action input sanitization with sanitize_key()
--------------------------+------------------------------
Reporter: mohammadzaid | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+------------------------------
Comment (by mohammadzaid):
Thank you for the feedback, @westonruter. You're absolutely right. I
hadn't accounted for dynamic hook names using special characters like
slashes or dots.
My goal was to add a layer of sanitization to the action input. Given that
sanitize_key() is too restrictive, would sanitize_text_field() or a custom
regex allowing "/" and "." be a better approach here, or should we avoid
restricting the action string entirely to maintain backward compatibility?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64489#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
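
The compatibility concern raised in the comment above, as an added example that is not part of the ticket or of WordPress core: admin-ajax.php builds the hook name as wp_ajax_{action}, so any rewrite of the action value changes which handler runs. `example_sanitize_key()` is a stand-in that mirrors what sanitize_key() does (lowercase, then keep only a-z, 0-9, `_` and `-`), and the action names are constructed samples.

```php
<?php
// Stand-in for WordPress's sanitize_key(): lowercase, then keep only a-z 0-9 _ -
function example_sanitize_key( $key ) {
    return is_scalar( $key )
        ? preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) )
        : '';
}

// Constructed sample: action names plugins might register under wp_ajax_{action}.
$registered = array( 'heartbeat', 'my-plugin/save', 'acme.export', 'saveDraft', 'acmeexport' );

// Hypothetical helper: classify what happens to each registered action if the
// request's action value is sanitized before the hook name is built.
function example_audit_actions( array $registered ) {
    $report = array();
    foreach ( $registered as $action ) {
        $clean = example_sanitize_key( $action );
        if ( $clean === $action ) {
            $report[ $action ] = 'unchanged';
        } elseif ( in_array( $clean, $registered, true ) ) {
            // The rewritten name is another handler's hook: the request is rerouted.
            $report[ $action ] = "rerouted to wp_ajax_{$clean}";
        } else {
            // No hook named wp_ajax_{$clean} exists, so the handler never fires.
            $report[ $action ] = "unreachable (wp_ajax_{$clean} has no handler)";
        }
    }
    return $report;
}

foreach ( example_audit_actions( $registered ) as $action => $result ) {
    printf( "%-16s %s\n", $action, $result );
}
```

With this sample, `heartbeat` and `acmeexport` are unchanged, `my-plugin/save` and `saveDraft` become unreachable, and `acme.export` is rerouted to the handler registered for `acmeexport`.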