• Resolved Sayontan Sinha

    (@sayontan)


    When run with the “Plugin Repo” checks, the code throws an incorrect report of WordPress.Security.ValidatedSanitizedInput.InputNotSanitized if the variable is an array that is sanitized via an array_walk in the next step.

    Here is some illustrative code:

    $post_ids = $_POST['selected_posts']; // Should not sanitize this since it is an array. Will sanitize each of its components in the array_walk.
    array_walk($post_ids, 'sanitize_text_field');

    A use-case for the above is, if you are doing a search and replace of certain text across selected posts via the WP_List_Table object, you would want to sanitize the individual post ids rather than the array object. To wit, it is incorrect to call sanitize_text_field on an array object.

    Is there a way to indicate that this is an array, hence the check should not be done here?
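An added example, not part of the original post or of the checker: `array_walk()` discards the callback's return value, so a sanitizer that returns its result leaves the array unchanged, whereas mapping the sanitizer over the unslashed array with `array_map()` is the form the WordPress Coding Standards sanitization sniff recognises. The helper name `example_selected_post_ids`, the sample input and the stand-in function bodies are assumptions made so the snippet runs outside WordPress.

```php
<?php
// Stand-ins so this runs outside WordPress (simplified assumptions, skipped
// when the real functions are loaded).
if ( ! function_exists( 'wp_unslash' ) ) {
	function wp_unslash( $value ) {
		if ( is_array( $value ) ) {
			return array_map( 'wp_unslash', $value );
		}
		return is_string( $value ) ? stripslashes( $value ) : $value;
	}
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
	function sanitize_text_field( $str ) {
		return is_scalar( $str ) ? trim( strip_tags( (string) $str ) ) : '';
	}
}
if ( ! function_exists( 'absint' ) ) {
	function absint( $n ) {
		return abs( (int) $n );
	}
}

// Constructed sample input standing in for the submitted list-table form.
$_POST['selected_posts'] = array( '12', ' 34 ', '<b>56</b>', array( 'x' ) );

// Pattern from the question: array_walk() ignores the callback's return
// value, so the array is left exactly as submitted.
$walked = $_POST['selected_posts'];
array_walk( $walked, 'sanitize_text_field' );
var_dump( $walked === $_POST['selected_posts'] );

// Hypothetical helper: validate the shape, unslash, map a sanitizer over each
// element, then cast to positive integers because the values are post IDs.
// Nonce and capability checks are assumed to happen in the caller.
function example_selected_post_ids() {
	if ( ! isset( $_POST['selected_posts'] ) || ! is_array( $_POST['selected_posts'] ) ) {
		return array();
	}
	$ids = array_map( 'sanitize_text_field', wp_unslash( $_POST['selected_posts'] ) );
	return array_values( array_filter( array_map( 'absint', $ids ) ) );
}

var_dump( example_selected_post_ids() );
```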
