This repository has been archived by the owner on Sep 24, 2018. It is now read-only.
We should match WordPress Core's sanitization function when adding/updating the title of a Post. WordPress Core uses wp_filter_kses() but we use wp_filter_post_kses().
The core function seems to assume pre-slashed data, but in my experience even with slashing it can be lossy. And since $request isn't pre-slashed, I think instead of calling wp_filter_kses() I suggest calling the underlying code without the slashing:
May fix #2788
This PR switches from using `wp_filter_post_kses()` for `post_title`
sanitization to calling `wp_kses` directly: #2788 describes that the
core behavior is to call `wp_filter_kses()`, but @westonruter notes
in that thread that the slash handling in `wp_filter_kses` is lossy so
using the underlying implementation of `wp_filter_kses` without the
de-slashing and re-slashing should provide adequate sanitization without
compromising the integrity of the content.
Review requested especially from @rachelbaker or @westonruter
In progress in #2840 but backslashes are still being removed after the proposed change. We need to dig deeper into how core is sanitizing these fields so we can better replicate that behavior.
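
Added example, not part of the original thread or the plugin's code: a minimal PHP sketch of why the unslash/re-slash wrapper used by `wp_filter_kses()` loses backslashes when it is handed data that was never slashed, as discussed above. `example_kses()` and `example_filter_kses()` are hypothetical names, `strip_tags()` stands in for `wp_kses()` so the script runs without WordPress, and the title is constructed; it covers only the wrapper's slash handling, not `wp_kses()` itself.

```php
<?php
// Stand-in for wp_kses() so this runs without WordPress (assumption):
// stripping tags is enough to show the slash handling around it.
function example_kses( string $data ): string {
    return strip_tags( $data );
}

// Same shape as core's wp_filter_kses(): unslash, sanitize, re-slash.
function example_filter_kses( string $data ): string {
    return addslashes( example_kses( stripslashes( $data ) ) );
}

// Constructed sample title with literal backslashes, quotes and markup.
$title    = 'Regex \\d+ in "C:\\temp" <b>bold</b>';
$expected = 'Regex \\d+ in "C:\\temp" bold';

// 1. Pre-slashed input, which the wrapper assumes. The consumer unslashes
//    the result again, so the round trip keeps every backslash.
$preslashed = stripslashes( example_filter_kses( addslashes( $title ) ) );

// 2. Unslashed input (the $request case): the wrapper's stripslashes()
//    treats the title's real backslashes as escapes and drops them.
$unslashed = stripslashes( example_filter_kses( $title ) );

// 3. Sanitizer called directly on unslashed input, with no slashing at all.
$direct = example_kses( $title );

$results = array(
    'pre-slashed via wrapper' => $preslashed,
    'unslashed via wrapper'   => $unslashed,
    'direct sanitizer call'   => $direct,
);

foreach ( $results as $label => $value ) {
    printf( "%-24s %-5s %s\n", $label, $value === $expected ? 'kept' : 'LOST', $value );
}

// Fail loudly if the behaviour differs from what the thread describes.
if ( $preslashed !== $expected || $direct !== $expected ) {
    throw new RuntimeException( 'slash-free and pre-slashed paths should preserve the title' );
}
if ( strpos( $unslashed, '\\' ) !== false ) {
    throw new RuntimeException( 'expected the wrapper to drop backslashes from unslashed input' );
}
```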