Incorrect Flagging for Sanitization of Arrays | WordPress.org

Resolved Sayontan Sinha
(@sayontan)

1 year, 6 months ago
When run with the “Plugin Repo” checks, the code throws an incorrect report of WordPress.Security.ValidatedSanitizedInput.InputNotSanitized if the variable is an array that is sanitized via an array_walk in the next step.

Here is some illustrative code:
```
$post_ids = $_POST['selected_posts']; // Should not sanitize this since it is an array. Will sanitize each of its components in the array_walk.
array_walk($post_ids, 'sanitize_text_field');
```
A use-case for the above is, if you are doing a search and replace of certain text across selected posts via the WP_List_Table object, you would want to sanitize the individual post ids rather than the array object. To wit, it is incorrect to call sanitize_text_field on an array object.

Is there a way to indicate that this is an array, hence the check should not be done here?

Viewing 1 replies (of 1 total)

Plugin Author David Perez
(@davidperez)

1 year, 6 months ago

Hello, yes it’s a false positive, and It has to be solved in WordPress Coding Standards. We are going to work on that.

We have seen with other user in this issue.

https://github.com/WordPress/plugin-check/issues/697

By the way, I’d recommend array_map( ‘intval’, $post_ids ); Intval is a sanitizing function as well 😉

Viewing 1 replies (of 1 total)

The topic ‘Incorrect Flagging for Sanitization of Arrays’ is closed to new replies.

1 reply
2 participants
Last reply from: David Perez
Last activity: 1 year, 6 months ago
Status: resolved