• Resolved princeofabyss

    (@princeofabyss)


    I was struggling to read a postmeta of some orders to use in an if condition… The condition wasn’t firing even though the postmeta was there… Finally, I ended up going into PHPMyAdmin to see what’s going on, and the meta_key in the DB had different capitalization than the one shown in the plugin’s metabox…

    https://prnt.sc/C6pJJbo4d7cd <- postmeta as shown in wp-admin

    https://prnt.sc/VjIXgwVrUeH0 <- postmeta as shown in the DB

    • This topic was modified 11 months, 2 weeks ago by princeofabyss.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author JS Morisset

    (@jsmoriss)

    Input/output for plugins must be sanitized/escaped, so JSM Show Post Metadata uses https://developer.wordpress.org/reference/functions/sanitize_key/ to sanitize the post metadata key before using it. That function does not allow uppercase characters, which makes me wonder if the “WooShop” plugin is sanitizing their metadata keys (which are generally passed forms, etc., which is why they need to be sanitized). Which plugin creates the “_WooShop” metadata? I would offer NOT to sanitize metadata keys in JSM Show Post Metadata, but I don’t think that’s a good idea…

    js.

    • This reply was modified 11 months, 2 weeks ago by JS Morisset.
    Thread Starter princeofabyss

    (@princeofabyss)

    I understand your security concerns, but you should at least denote somehow there are differences in the capitalization between the original key and the sanitized one that you display in your plugin, so that the dev can seek the actual key name in PMA. I mean, the plugin has a very specific purpose, that is to inform the admin about custom postmeta. If that purpose isn’t fulfilled, and instead greater confusion is caused to the dev that relies on the plugin, then you understand that this is a problem, right?

    Plugin Author JS Morisset

    (@jsmoriss)

    The metadata key should not differ, as metadata keys should always be sanitized. Sanitizing input and escaping output is standard coding practice and plugins that fail to do this are rejected by the wordpress.org plugin repository. Can I assume that the “WooShop” plugin that you are using is not from the wordpress.org repository? If it’s not, then that would explain why this situation happened – plugins that are hosted on wordpress.org are checked for security issues before being accepted into the repository. Plugins hosted elsewhere are generally not checked as thoroughly by those hosts, or more commonly, not checked at all.

    If you would like to allow uppercase characters in your metadata keys, then you would have to hook the WordPress ‘sanitize_key’ filter hook and sanitize the key value to allow for upper case characters. See https://core.trac.wordpress.org/browser/tags/6.3/src/wp-includes/formatting.php#L2178 for more info.

    js.
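The `sanitize_key` filter approach suggested in the last reply, as an added example that is not part of the thread, of JSM Show Post Metadata, or of WordPress core. The `example_*` function names and the sample keys are assumptions made up for illustration; the first function mirrors what core `sanitize_key()` does before it applies its filter, so the file also runs outside WordPress.

```php
<?php
// Added example: not code from the thread, the plugin, or WordPress core.

// Replica of the core logic of sanitize_key(): lowercase, then keep only a-z 0-9 _ -.
function example_sanitize_key_lower( $key ) {
	if ( ! is_scalar( $key ) ) {
		return '';
	}
	return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
}

// Hypothetical case-preserving callback for the 'sanitize_key' filter:
// same character allow-list as core, but the original case is kept.
function example_sanitize_key_keep_case( $sanitized_key, $raw_key ) {
	if ( ! is_scalar( $raw_key ) ) {
		return $sanitized_key;
	}
	return preg_replace( '/[^A-Za-z0-9_\-]/', '', (string) $raw_key );
}

// Map each stored meta key to its sanitized form when the two differ,
// i.e. the keys a metabox would show differently from the database.
function example_find_key_mismatches( array $stored_keys ) {
	$mismatches = array();
	foreach ( $stored_keys as $stored ) {
		$shown = example_sanitize_key_lower( $stored );
		if ( $shown !== $stored ) {
			$mismatches[ $stored ] = $shown;
		}
	}
	return $mismatches;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: this changes every sanitize_key() call site-wide,
	// not only the output of one plugin.
	add_filter( 'sanitize_key', 'example_sanitize_key_keep_case', 10, 2 );
} else {
	// Stand-alone demo with constructed keys ("_WooShop_order_ref" is illustrative).
	$sample = array( '_billing_email', '_WooShop_order_ref', '_Custom<script>Key' );
	print_r( example_find_key_mismatches( $sample ) );
	echo example_sanitize_key_keep_case( '', '_Custom<script>Key' ), "\n";
}
```

The mismatch list is the practical check here: any key it reports is one where a lookup by the displayed name, such as a `get_post_meta()` call, will not match the name stored in the database.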

  • The topic ‘Problem with capitalization’ is closed to new replies.