mirror of
git://develop.git.wordpress.org/
synced 2025-03-18 02:50:08 +01:00
d3a851d0d1
This is a follow-up to [52292] which introduced `is_string()` to check the given key is a string to be sanitized, else the key is set to an empty string. `sanitize_key()` is clearly identified (in the documentation) to only work with ''string'' keys. However, it had a bug in it that allowed non-strings to pass through it: * A non-scalar "key" would throw a PHP Warning (which was resolved in [52292]. * A non-string scalar "key" was handled by the PHP native `strtolower()` which converted it into a string. While `is_string()` is valid, non-string scalar types passed as the key to be sanitized were being set to an empty string. Given that `strtolower()` handles these without error or deprecation as of PHP 8.1, `is_scalar()` protects the website from issues while retaining the past behavior of converting integer keys (for example) into a string. Changes include: * Using `is_scalar()` instead of `is_string()` * Refactor for readability and less code * More tests Please note, this does not change the behavior of the function, nor redefine it to now accept non-string scalars. References: * https://developer.wordpress.org/reference/functions/sanitize_key/ * https://www.php.net/manual/en/function.strtolower.php Follow-up [52292]. Props wppunk, hellofromTonya, costdev, jrf. Fixes #54160. git-svn-id: https://develop.svn.wordpress.org/trunk@52370 602fd350-edb4-49c9-b593-d223f7449a82