• You marked this older topic as resolved, but the problem is present in the latest version (1.1.14).

    Your plugin is still passing POSTed data through sanitize_text_field(). The purpose of that function is to escape text for output within HTML, and has nothing to do with sanitising inputs. First, start with a clean copy of POST data like this:

    $post = stripslashes_deep($_POST);

    Then use values from that array. For credential inputs, the most you should do is trim(). Passwords are always best left as-is.

    Currently, a perfectly normal random password like 1Q,z<_%39P would be “sanitised” by your plugin to 1Q,z&lt;_P.
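As an added example (not code from the plugin or from either poster), the following WordPress request handler applies the handling described above: one `stripslashes_deep()` pass over `$_POST`, `trim()` on the username and nothing at all on the password. It assumes it runs inside WordPress (`stripslashes_deep()`, `wp_verify_nonce()`, `wp_authenticate()` and `esc_html()` are WordPress functions); the field names, the nonce action `example_login` and the hook name are hypothetical.

```php
<?php
// Added example, not part of the plugin or the thread. Assumes WordPress is
// loaded; field names, nonce action and function names are hypothetical.

function example_handle_login_form() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }

    // WordPress adds backslashes to $_POST on every request (wp_magic_quotes()),
    // so a submitted value like  pa'ss\word  arrives as  pa\'ss\\word .
    // Undo that once, up front, and work only from the clean copy.
    $post = stripslashes_deep( $_POST );

    // CSRF check against the clean array; 'example_login' is a hypothetical action.
    if ( ! isset( $post['_wpnonce'] ) || ! wp_verify_nonce( $post['_wpnonce'], 'example_login' ) ) {
        return;
    }

    // Username: trim() is the most that should be done to a credential field.
    $username = isset( $post['username'] ) ? trim( (string) $post['username'] ) : '';

    // Password: taken exactly as submitted. Running it through sanitize_text_field()
    // would change characters such as '<' or a '%39' sequence, so the user could
    // never authenticate with the password they actually chose.
    $password = isset( $post['password'] ) ? (string) $post['password'] : '';

    if ( '' === $username || '' === $password ) {
        return;
    }

    // The untouched password is only ever compared against the stored hash;
    // it is never rendered, logged or stored as-is.
    $user = wp_authenticate( $username, $password );

    if ( is_wp_error( $user ) ) {
        // Escaping belongs here, at output time: esc_html() on whatever is echoed,
        // not on the input that was used for the credential check.
        echo '<p class="error">' . esc_html( $user->get_error_message() ) . '</p>';
        return;
    }

    // Success path: the caller can now set the auth cookie, redirect, etc.
}
add_action( 'init', 'example_handle_login_form' );
```

The split to notice is that input handling (slash stripping, trimming) and output escaping (`esc_html()` when echoing) happen at different points and for different reasons; neither step modifies the password before it reaches the hash comparison.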

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Noor Alam (@naa986)

    Hi, Thanks for the feedback. We have updated the plugin.

    Thread Starter Roy Orbitson (@lev0)

    I applaud your prompt response, but it’s still using sanitize_text_field() in several places it shouldn’t be, and using $_POST, directly, which should not be done in WordPress without stripping slashes.
