Still uses sanitize_text_field() incorrectly
You marked this older topic as resolved, but the problem is present in the latest version (1.1.14).

Your plugin is still passing POSTed data through sanitize_text_field(). The purpose of that function is to escape text for output within HTML, and it has nothing to do with sanitising inputs. First, start with a clean copy of POST data like this:

$post = stripslashes_deep($_POST);

Then use values from that array. For credential inputs, the most you should do is trim(). Passwords are always best left as-is.

Currently, a perfectly normal random password like 1Q,z<_%39P would be “sanitised” by your plugin to 1Q,z<_P.
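A worked version of the handling the reply above recommends, added here as an example; it is not code from the plugin or from the poster. It assumes the form fields are called username and password, and it ships a small stand-in for WordPress's stripslashes_deep() so the file also runs outside WordPress. The final lines show why the password must be left untouched: a hash made from the real password will not verify against the mangled form.

```php
<?php
// Added example, not the plugin's code. Field names 'username' and 'password'
// are assumed. Outside WordPress, stripslashes_deep() is provided below.

if (!function_exists('stripslashes_deep')) {
    // Minimal stand-in for WordPress's stripslashes_deep(): recursively strip slashes.
    function stripslashes_deep($value) {
        if (is_array($value)) {
            return array_map('stripslashes_deep', $value);
        }
        return is_string($value) ? stripslashes($value) : $value;
    }
}

/**
 * Pull credential values out of a POST-like array.
 * The username is trimmed; the password is taken byte-for-byte with no other change.
 */
function read_credentials(array $post): array {
    $clean    = stripslashes_deep($post);   // start from an unslashed copy, as the reply says
    $username = isset($clean['username']) ? trim((string) $clean['username']) : '';
    $password = isset($clean['password']) ? (string) $clean['password'] : '';
    return ['username' => $username, 'password' => $password];
}

// Constructed sample input standing in for $_POST. The password is the one quoted
// in the reply; it contains characters that a text-field sanitiser would drop.
$sample = ['username' => '  alice ', 'password' => '1Q,z<_%39P'];
$creds  = read_credentials($sample);

assert($creds['username'] === 'alice');
assert($creds['password'] === '1Q,z<_%39P');

// Why it matters: the hash on record was made from the password the user chose.
// The unmodified input verifies; the "sanitised" form from the reply does not.
$storedHash = password_hash('1Q,z<_%39P', PASSWORD_DEFAULT);
assert(password_verify($creds['password'], $storedHash) === true);
assert(password_verify('1Q,z<_P', $storedHash) === false);

// Escaping belongs at output time (for example esc_html() in WordPress when the
// username is echoed into a page), never on the way in.
echo "credentials read without altering the password\n";
```

Run it with php on the command line (assertions are active by default in a development php.ini; set zend.assertions=1 if they are not). The point of the last three lines is the practical consequence of the reply: any transformation applied to the password before it reaches the verifier makes legitimate logins fail for exactly the users who chose strong passwords.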