Directory

Still uses sanitize_text_field() incorrectly | WordPress.org

Roy Orbitson
(@lev0)

2 weeks, 5 days ago
You marked this older topic as resolved, but the problem is present in the latest version (1.1.14).

Your plugin is still passing POSTed data through sanitize_text_field(). The purpose of that function is to escape text for output within HTML, and has nothing to do with sanitising inputs. First, start with a clean copy of POST data like this:
```
$post = stripslashes_deep($_POST);
```
Then use values from that array. For credential inputs, the most you should do is trim(). Passwords are always best left as-is.

Currently, a perfectly normal random password like 1Q,z<_%39P would be “sanitised” by your plugin to 1Q,z<_P.

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author Noor Alam
(@naa986)

2 weeks, 2 days ago

Hi, Thanks for the feedback. We have updated the plugin.

Thread Starter Roy Orbitson
(@lev0)

1 week, 6 days ago

I applaud your prompt response, but it’s still using sanitize_text_field() in several places it shouldn’t be, and using $_POST, directly, which should not be done in WordPress without stripping slashes.

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

In: Plugins
2 replies
2 participants
Last reply from: Roy Orbitson
Last activity: 1 week, 6 days ago
Status: not resolved