SanitizationHelperTrait: stop requiring unslash for functions that strip slashes #2740

Open
rodrigoprimo wants to merge 1 commit into develop from fix/2516-unslashing-sanitizing-functions

Conversation

@rodrigoprimo rodrigoprimo commented Jun 12, 2026

Contributor

Description

As discussed in #2516, the WordPress.Security.ValidatedSanitizedInput sniff incorrectly reported a MissingUnslash error when one of the following functions was used directly on superglobal data without first calling wp_unslash() (or a similar unslashing function):

All of these implicitly strip backslashes from their output, so requiring a separate unslashing call before them is a false positive as far as I can see. This moves them from $sanitizingFunctions to $unslashingSanitizingFunctions in SanitizationHelperTrait.

This change only affects the WordPress.Security.ValidatedSanitizedInput sniff.

To verify that the functions above indeed strip slashes, I used wp shell to call them with strings containing slashes and checked that the slashes were removed from the returned value.

Fixes #2516.

Suggested changelog entry

WordPress.Security.ValidatedSanitizedInput: false positive MissingUnslash for esc_url_raw(), sanitize_email(), sanitize_file_name(), sanitize_hex_color(), sanitize_hex_color_no_hash(), sanitize_html_class(), sanitize_mime_type(), sanitize_sql_orderby(), sanitize_title(), sanitize_title_for_query(), sanitize_title_with_dashes(), sanitize_url() and wp_sanitize_redirect(), which implicitly strip slashes and therefore do not require unslashing.
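The PR description says the functions were checked in `wp shell` with slashed strings. The script below is an added example (not part of this PR or of WordPressCS) that repeats that check in a reproducible way: it feeds each function listed in the changelog entry an input slashed with `addslashes()` (the same kind of escaping `wp_magic_quotes()` applies to superglobals) and reports whether any backslash survives in the return value, with `wp_unslash()` as the baseline. It assumes a WordPress install loaded through WP-CLI (`wp eval-file`); the file name `check-unslashing.php` is an assumed name, and the sample input is constructed.

```php
<?php
/**
 * Added verification script (not from the PR or WordPressCS): checks that each
 * sanitizing function the PR moves to $unslashingSanitizingFunctions strips the
 * backslashes that slashed superglobal data carries.
 *
 * Run from a WordPress install so the functions are defined, for example:
 *   wp eval-file check-unslashing.php   (file name is an assumption)
 */

// Functions named in the PR's changelog entry.
$functions = array(
	'esc_url_raw',
	'sanitize_email',
	'sanitize_file_name',
	'sanitize_hex_color',
	'sanitize_hex_color_no_hash',
	'sanitize_html_class',
	'sanitize_mime_type',
	'sanitize_sql_orderby',
	'sanitize_title',
	'sanitize_title_for_query',
	'sanitize_title_with_dashes',
	'sanitize_url',
	'wp_sanitize_redirect',
);

// Constructed input: addslashes() produces the same backslash escaping that
// wp_magic_quotes() applies to $_GET/$_POST/$_COOKIE values.
$slashed_input = addslashes( "O'Reilly \"quoted\" back\\slash" );

// Baseline: what an explicit unslash call yields for the same input.
printf( "%-30s -> %s\n", 'wp_unslash (baseline)', var_export( wp_unslash( $slashed_input ), true ) );

foreach ( $functions as $function ) {
	if ( ! function_exists( $function ) ) {
		// Older WordPress versions may not define every function in the list.
		printf( "%-30s -> not defined in this WordPress version\n", $function );
		continue;
	}

	$output = $function( $slashed_input );

	// What matters for the sniff is that no backslash survives in the returned
	// value. Functions that reject the input entirely (returning '', null or
	// false) also leave no slashes behind, so they count as stripping.
	$keeps_slashes = ( false !== strpos( (string) $output, '\\' ) );

	printf(
		"%-30s -> %s (%s)\n",
		$function,
		$keeps_slashes ? 'KEEPS backslashes' : 'no backslashes left',
		var_export( $output, true )
	);
}
```

Any function reported as keeping backslashes would not belong in `$unslashingSanitizingFunctions`, since the sniff would then accept a value that still carries slashes without an explicit `wp_unslash()` call; a clean run across the whole list is the evidence the PR relies on.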

…rip slashes

The following functions implicitly strip backslashes from their input, so a
preceding call to `wp_unslash()` (or a similar unslashing function) is not
needed for the value to be safe: `esc_url_raw()`, `sanitize_email()`,
`sanitize_file_name()`, `sanitize_hex_color()`, `sanitize_hex_color_no_hash()`,
`sanitize_html_class()`, `sanitize_mime_type()`, `sanitize_sql_orderby()`,
`sanitize_title()`, `sanitize_title_for_query()`, `sanitize_title_with_dashes()`,
`sanitize_url()` and `wp_sanitize_redirect()`.

They were previously listed in `$sanitizingFunctions`, which made the
`WordPress.Security.ValidatedSanitizedInput` sniff incorrectly report a
`MissingUnslash` error when one of them was used directly on superglobal data
without unslashing it first. Moving them to `$unslashingSanitizingFunctions` fixes this
false positive.

Fixes 2516.
@rodrigoprimo rodrigoprimo force-pushed the fix/2516-unslashing-sanitizing-functions branch from 739cc26 to 1822bbb on June 15, 2026 13:18
@rodrigoprimo

Contributor Author

Rebased and force-pushed without changes to make the Codecov GH action pass.

Development

Successfully merging this pull request may close these issues.

False positive: sanitize_html_class() incorrectly flagged for missing unslash