• Resolved isarisar

    (@isarisar)


    Throughout woocommerce-sea.php, sanitize_text_field is called on (the entirety of) $_GET. That is, repeated:

    sanitize_text_field($_GET)

    But $_GET is an array, and sanitize_text_field expects a string.

    This causes that function to only return the empty string. See the first lines of the actual filter it calls, _sanitize_text_fields:

    if ( is_object( $str ) || is_array( $str ) ) {
        return '';
    }

    Either $_GET needs to be accessed with a key (not suitable) or checked through other ways, like filter_var{_array} or array_map.

Viewing 1 replies (of 1 total)
  • Thread Starter isarisar

    (@isarisar)

    I forgot: Since it’s $_GET the right filter method would probably be filter_input{_array}, not filter_var{_array}.

    Anyway, as of now, the functions calling sanitize_text_field($_GET) are obviously broken.

  • The topic ‘Mustn’t call sanitize_text_field on $_GET as whole’ is closed to new replies.
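
The failure described in this thread next to a per-value alternative, as an added example that is not part of the original posts or the plugin's code. The `sanitize_text_field` defined here is a simplified stand-in used only when WordPress is not loaded; `sea_sanitize_request_array` and the sample `$get` array are hypothetical.

```php
<?php
// Added example; runs with plain PHP on the command line.

// Simplified stand-in for WordPress's sanitize_text_field(), defined only when
// WordPress is not loaded. It keeps the array/object guard quoted in the post;
// the real function performs additional cleaning.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        if ( is_object( $str ) || is_array( $str ) ) {
            return '';
        }
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', strip_tags( (string) $str ) ) );
    }
}

/**
 * Hypothetical helper: sanitize every scalar value of a request array,
 * recursing into nested arrays such as ?filter[status]=open.
 */
function sea_sanitize_request_array( array $input ) {
    $clean = array();
    foreach ( $input as $key => $value ) {
        $key           = sanitize_text_field( (string) $key );
        $clean[ $key ] = is_array( $value )
            ? sea_sanitize_request_array( $value )
            : sanitize_text_field( $value );
    }
    return $clean;
}

// Constructed sample standing in for $_GET.
$get = array(
    'page'   => 'sea settings',
    'note'   => "<b>hi</b>\n there",
    'filter' => array( 'status' => ' open ' ),
);

// Pattern from the post: the whole array goes in, the array guard fires,
// and every parameter is discarded.
var_dump( sanitize_text_field( $get ) );

// Per-value sanitization keeps the keys and the nested structure.
print_r( sea_sanitize_request_array( $get ) );
```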