Changeset 38944

Timestamp:

10/26/2016 05:16:09 AM (8 years ago)

Author:

pento

Message:

General: Add a sanitize_textarea_field() function.

Like its predecessor (sanitize_text_field()), sanitize_textarea_field() is a helper function to sanitise user input. As the name suggests, this function is for sanitising input from textarea fields - it strips tags and invalid UTF-8 characters, like sanitize_text_field(), but retains newlines and extra inline whitespace.

Props ottok, nbachiyski, chriscct7, pento.
Fixes #32257.

Location:

trunk

Files:

• src/wp-includes/formatting.php (modified) (4 diffs)
• tests/phpunit/tests/formatting/SanitizeTextField.php (modified) (1 diff)

trunk/src/wp-includes/formatting.php

@@ -4654 +4654 @@
  * @since 2.9.0
  *
+
  * @see wp_check_invalid_utf8()
  * @see wp_strip_all_tags()
@@ -4661 +4662 @@
  */
 function sanitize_text_field( $str ) {
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     $filtered = wp_check_invalid_utf8( $str );
 
@@ -4666 +4719 @@
         $filtered = wp_pre_kses_less_than( $filtered );
         // This will strip extra whitespace for us.
-        $filtered = wp_strip_all_tags( $filtered, true );
-    } else {
-        $filtered = trim( preg_replace('/[\r\n\t ]+/', ' ', $filtered) );
-    }
+        $filtered = wp_strip_all_tags( $filtered, false );
+
+        // Use html entities in a special case to make sure no later
+        // newline stripping stage could lead to a functional tag
+        $filtered = str_replace("<\n", "&lt;\n", $filtered);
+    }
+
+    if ( ! $keep_newlines ) {
+        $filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
+    }
+    $filtered = trim( $filtered );
 
     $found = false;
@@ -4682 +4742 @@
     }
 
-    /**
-     * Filters a sanitized text field string.
-     *
-     * @since 2.9.0
-     *
-     * @param string $filtered The sanitized string.
-     * @param string $str      The string prior to being sanitized.
-     */
-    return apply_filters( 'sanitize_text_field', $filtered, $str );
+    return $filtered;
 }
 

trunk/tests/phpunit/tests/formatting/SanitizeTextField.php

@@ -5 +5 @@
  */
 class Tests_Formatting_SanitizeTextField extends WP_UnitTestCase {
-    // #11528
-    function test_sanitize_text_field() {
-        $inputs = array(
-            'оРангутанг', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
-            'САПР', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
-            'one is < two',
-            'tags <span>are</span> <em>not allowed</em> here',
-            ' we should trim leading and trailing whitespace ',
-            'we  also  trim  extra  internal  whitespace',
-            'tabs   get removed too',
-            'newlines are not welcome
-            here',
-            'We also %AB remove %ab octets',
-            'We don\'t need to wory about %A
-            B removing %a
-            b octets even when %a   B they are obscured by whitespace',
-            '%AB%BC%DE', //Just octets
-            'Invalid octects remain %II',
-            'Nested octects %%%ABABAB %A%A%ABBB',
+    function data_sanitize_text_field() {
+        return array(
+            array(
+                'оРангутанг', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
+                'оРангутанг',
+            ),
+            array(
+                'САПР', //Ensure UTF8 text is safe the Р is D0 A0 and A0 is the non-breaking space.
+                'САПР',
+            ),
+            array(
+                'one is < two',
+                'one is &lt; two',
+            ),
+            array(
+                "one is <\n two",
+                array(
+                    'oneline' => 'one is &lt; two',
+                    'multiline' => "one is &lt;\n two",
+                ),
+            ),
+            array(
+                "foo <div\n> bar",
+                array(
+                    'oneline' => 'foo bar',
+                    'multiline' => "foo  bar",
+                ),
+            ),
+            array(
+                "foo <\ndiv\n> bar",
+                array(
+                    'oneline' => 'foo &lt; div > bar',
+                    'multiline' => "foo &lt;\ndiv\n> bar",
+                ),
+            ),
+            array(
+                'tags <span>are</span> <em>not allowed</em> here',
+                'tags are not allowed here',
+            ),
+            array(
+                ' we should trim leading and trailing whitespace ',
+                'we should trim leading and trailing whitespace',
+            ),
+            array(
+                'we  trim  extra  internal  whitespace  only  in  single  line  texts',
+                array(
+                    'oneline' => 'we trim extra internal whitespace only in single line texts',
+                    'multiline' => 'we  trim  extra  internal  whitespace  only  in  single  line  texts',
+                ),
+            ),
+            array(
+                "tabs \tget removed in single line texts",
+                array(
+                    'oneline' => 'tabs get removed in single line texts',
+                    'multiline' => "tabs \tget removed in single line texts",
+                ),
+            ),
+            array(
+                "newlines are allowed only\n in multiline texts",
+                array(
+                    'oneline' => 'newlines are allowed only in multiline texts',
+                    'multiline' => "newlines are allowed only\n in multiline texts",
+                ),
+            ),
+            array(
+                'We also %AB remove %ab octets',
+                'We also remove octets',
+            ),
+            array(
+                'We don\'t need to wory about %A
+                B removing %a
+                b octets even when %a   B they are obscured by whitespace',
+                array (
+                    'oneline' => 'We don\'t need to wory about %A B removing %a b octets even when %a B they are obscured by whitespace',
+                    'multiline' => "We don't need to wory about %A\n                B removing %a\n             b octets even when %a   B they are obscured by whitespace",
+                ),
+            ),
+            array(
+                '%AB%BC%DE', //Just octets
+                '', //Emtpy as we strip all the octets out
+            ),
+            array(
+                'Invalid octects remain %II',
+                'Invalid octects remain %II',
+            ),
+            array(
+                'Nested octects %%%ABABAB %A%A%ABBB',
+                'Nested octects',
+            ),
         );
-        $expected = array(
-            'оРангутанг',
-            'САПР',
-            'one is &lt; two',
-            'tags are not allowed here',
-            'we should trim leading and trailing whitespace',
-            'we also trim extra internal whitespace',
-            'tabs get removed too',
-            'newlines are not welcome here',
-            'We also remove octets',
-            'We don\'t need to wory about %A B removing %a b octets even when %a B they are obscured by whitespace',
-            '', //Emtpy as we strip all the octets out
-            'Invalid octects remain %II',
-            'Nested octects',
-        );
+    }
 
-        foreach ($inputs as $key => $input) {
-            $this->assertEquals($expected[$key], sanitize_text_field($input));
+    /**
+     * @ticket 32257
+     * @dataProvider data_sanitize_text_field
+     */
+    function test_sanitize_text_field( $string, $expected ) {
+        if ( is_array( $expected ) ) {
+            $expected_oneline = $expected['oneline'];
+            $expected_multiline = $expected['multiline'];
+        } else {
+            $expected_oneline = $expected_multiline = $expected;
         }
+
+
+
     }
 }