Still uses sanitize_text_field() incorrectly

  • You marked this older topic as resolved, but the problem is present in the latest version (1.1.14).

    Your plugin is still passing POSTed data through sanitize_text_field(). The purpose of that function is to escape text for output within HTML, and has nothing to do with sanitising inputs. First, start with a clean copy of POST data like this:

    $post = stripslashes_deep($_POST);

    Then use values from that array. For credential inputs, the most you should do is trim(). Passwords are always best left as-is.

    Currently, a perfectly normal random password like 1Q,z<_%39P would be “sanitised” by your plugin to 1Q,z&lt;_P.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Noor Alam

    (@naa986)

    Hi, Thanks for the feedback. We have updated the plugin.

    Thread Starter Roy Orbitson

    (@lev0)

    I applaud your prompt response, but it’s still using sanitize_text_field() in several places it shouldn’t be, and using $_POST, directly, which should not be done in WordPress without stripping slashes.

    Thread Starter Roy Orbitson

    (@lev0)

    Don’t mark this as resolved if you have no intention of doing so. Users deserve to know what they’re getting. The code on SVN still uses raw $_POST everywhere, and sanitize_text_field() on fields that have nothing to do with HTML.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.