
wp query - sanitize_post() is not sanitizing Post Object


I wanted to sanitize a WP_Query post object without using foreach.

I used this method:

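$args = [
    // ...
];
$data = [];

$the_query = new WP_Query($args);

// array_map() returns a new array rather than modifying its input in place,
// so keep the result instead of discarding it. sanitize_post() with its default
// "display" context only runs the display filters; it does not strip HTML such as
// <script> from post_title, so the title must still be escaped where it is output.
$data["post"] = array_map("sanitize_post", $the_query->posts);

return rest_ensure_response($data);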

output:

As you can see, the filter is working and the `filter` field changes from "Raw" to "Display".

But the problem is that the <script> tags are still present in the post_title field.

What is the problem?

I wanted to sanitize a WP_Query post object without using foreach.

I used this method:

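$args = [
    // ...
];
$data = [];

$the_query = new WP_Query($args);

// array_map() returns a new array rather than modifying its input in place,
// so keep the result instead of discarding it. sanitize_post() with its default
// "display" context only runs the display filters; it does not strip HTML such as
// <script> from post_title, so the title must still be escaped where it is output.
$data["post"] = array_map("sanitize_post", $the_query->posts);

return rest_ensure_response($data);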

output:

As you can see, the filter is working and the `filter` field changes from "Raw" to "Display".

But the problem is that the <script> tags are still present in the post_title field.

What is the problem?

  • 1 I don't see anything in the docs that suggests that sanitize_post is supposed to remove script tags. – Jacob Peattie Commented Feb 21, 2021 at 14:47
  • Thank you for your fast response. Then why do we have this function? The main reason for sanitizing is XSS, in my opinion. – techn9ne Commented Feb 21, 2021 at 14:51
  • I guess I figured it out. I'm editing my question. – techn9ne Commented Feb 21, 2021 at 14:54
  • Escaping is for preventing XSS. – Jacob Peattie Commented Feb 21, 2021 at 14:57
  • 1 You're meant to use the sanitisation argument for sanitising: developer.wordpress/rest-api/extending-the-rest-api/…, and you should use the official REST API endpoint that show_in_rest adds, and use pre_get_posts to make any adjustments to what it displays to the user. – Tom J Nowell Commented Feb 21, 2021 at 15:53

1 Answer 1


Solution:

sanitize_post defaults to the "display" filter context, and that context does not strip tags.

But if you try code like this:

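 // Run sanitize_post() in the "db" (or "edit") context instead of the default "display"
// context. Which filters actually run is decided by the hooks WordPress attaches for that
// context (and may depend on the current user's capabilities), so this is sanitization
// for storage, not a replacement for escaping post_title when it is rendered.
$sanitizer = function ($post) {
    return sanitize_post($post, "db"); // or "edit"
};

// array_map() returns a new array; assign it so the sanitized copy is what gets used.
$data["post"] = array_map($sanitizer, $data["post"]);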

Now it sanitizes the fields against XSS! Note, as the comments above point out, that this runs the storage-context sanitization filters; escaping the title at output time (for example with esc_html() when it is rendered) is what actually prevents XSS, and should be done regardless.



ok 不同模板 switch ($forum['model']) { /*case '0': include _include(APP_PATH . 'view/htm/read.htm'); break;*/ default: include _include(theme_load('read', $fid)); break; } } break; case '10': // 主题外链 / thread external link http_location(htmlspecialchars_decode(trim($thread['description']))); break; case '11': // 单页 / single page $attachlist = array(); $imagelist = array(); $thread['filelist'] = array(); $threadlist = NULL; $thread['files'] > 0 and list($attachlist, $imagelist, $thread['filelist']) = well_attach_find_by_tid($tid); $data = data_read_cache($tid); empty($data) and message(-1, lang('data_malformation')); $tidlist = $forum['threads'] ? page_find_by_fid($fid, $page, $pagesize) : NULL; if ($tidlist) { $tidarr = arrlist_values($tidlist, 'tid'); $threadlist = well_thread_find($tidarr, $pagesize); // 按之前tidlist排序 $threadlist = array2_sort_key($threadlist, $tidlist, 'tid'); } $allowpost = forum_access_user($fid, $gid, 'allowpost'); $allowupdate = forum_access_mod($fid, $gid, 'allowupdate'); $allowdelete = forum_access_mod($fid, $gid, 'allowdelete'); $access = array('allowpost' => $allowpost, 'allowupdate' => $allowupdate, 'allowdelete' => $allowdelete); $header['title'] = $thread['subject']; $header['mobile_link'] = $thread['url']; $header['keywords'] = $thread['keyword'] ? $thread['keyword'] : $thread['subject']; $header['description'] = $thread['description'] ? $thread['description'] : $thread['brief']; $_SESSION['fid'] = $fid; if ($ajax) { empty($conf['api_on']) and message(0, lang('closed')); $apilist['header'] = $header; $apilist['extra'] = $extra; $apilist['access'] = $access; $apilist['thread'] = well_thread_safe_info($thread); $apilist['thread_data'] = $data; $apilist['forum'] = $forum; $apilist['imagelist'] = $imagelist; $apilist['filelist'] = $thread['filelist']; $apilist['threadlist'] = $threadlist; message(0, $apilist); } else { include _include(theme_load('single_page', $fid)); } break; default: message(-1, lang('data_malformation')); break; } ?>