From b9a31d534313f873b19765321f9e311c72659bb2 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Wed, 15 Feb 2023 13:06:21 +0000
Subject: [PATCH] Docs: Improve code comments in some sanitizing functions.

This aims to clarify a few inline comments related to removing percent-encoded characters and HTML entities.

Affected functions:
* `sanitize_user()`
* `sanitize_title_with_dashes()`
* `sanitize_html_class()`
* `_sanitize_text_fields()`
* `get_comments_number_text()`

Follow-up to [465], [3454], [11433], [12503], [37987].

Props ace100, tanjimtc71, codemonksuvro, SergeyBiryukov.
Fixes #57712.
Built from https://develop.svn.wordpress.org/trunk@55346


git-svn-id: http://core.svn.wordpress.org/trunk@54879 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/canonical.php        |  2 +-
 wp-includes/comment-template.php |  2 +-
 wp-includes/formatting.php       | 29 ++++++++++++++++-------------
 wp-includes/version.php          |  2 +-
 4 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/wp-includes/canonical.php b/wp-includes/canonical.php
index 5e8efb0bae..a02ab793ce 100644
--- a/wp-includes/canonical.php
+++ b/wp-includes/canonical.php
@@ -736,7 +736,7 @@ function redirect_canonical( $requested_url = null, $do_redirect = true ) {
 		return;
 	}
 
-	// Hex encoded octets are case-insensitive.
+	// Hex-encoded octets are case-insensitive.
 	if ( false !== strpos( $requested_url, '%' ) ) {
 		if ( ! function_exists( 'lowercase_octets' ) ) {
 			/**
diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php
index cc5b89262b..512d8f2f1d 100644
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
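Review bot: The reworded comment still says "octets" while every other comment this patch touches in formatting.php now says "percent-encoded characters", so the terminology diverges within a single commit. Suggest `// Percent-encoded octets are case-insensitive (RFC 3986, section 2.1), so normalize their case before the canonical URL comparison.` — the normalization itself is only inferred from the `lowercase_octets` name, since the helper body and the comparison lie outside the hunk. Defining that helper inside redirect_canonical() behind a function_exists() guard is pre-existing, but worth a follow-up: a file-level function is easier to test and to reason about than one conditionally declared at call time. redirect_canonical() begins and ends outside this hunk.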
@@ -944,7 +944,7 @@ function get_comments_number_text( $zero = false, $one = false, $more = false, $
 	 */
 	if ( 'on' === _x( 'off', 'Comment number declension: on or off' ) ) {
 		$text = preg_replace( '#.+?#', '', $more );
-		$text = preg_replace( '/&.+?;/', '', $text ); // Kill entities.
+		$text = preg_replace( '/&.+?;/', '', $text ); // Remove HTML entities.
 		$text = trim( strip_tags( $text ), '% ' );
 
 		// Replace '% Comments' with a proper plural form.
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index bb822b24b5..a17fc77931 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2111,15 +2111,15 @@ function sanitize_file_name( $filename ) {
 /**
  * Sanitizes a username, stripping out unsafe characters.
  *
- * Removes tags, octets, entities, and if strict is enabled, will only keep
- * alphanumeric, _, space, ., -, @. After sanitizing, it passes the username,
- * raw username (the username in the parameter), and the value of $strict as
- * parameters for the {@see 'sanitize_user'} filter.
+ * Removes tags, percent-encoded characters, HTML entities, and if strict is enabled,
+ * will only keep alphanumeric, _, space, ., -, @. After sanitizing, it passes the username,
+ * raw username (the username in the parameter), and the value of $strict as parameters
+ * for the {@see 'sanitize_user'} filter.
  *
  * @since 2.0.0
  *
  * @param string $username The username to be sanitized.
- * @param bool   $strict   Optional. If set limits $username to specific characters.
+ * @param bool   $strict   Optional. If set to true, limits $username to specific characters.
  *                         Default false.
  * @return string The sanitized username, after passing through filters.
  */
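Review bot: The new comment `// Remove HTML entities.` promises more precision than `/&.+?;/` delivers: the pattern strips any run from an `&` to the next `;`, so a value like `Fish & Chips; more` loses ` Chips` as well as any real entity. The same pattern and comment appear in the sanitize_user() and sanitize_title_with_dashes() hunks of formatting.php. If the breadth is intended as a conservative strip, the comment should say so, e.g. `// Remove anything shaped like an HTML entity ("&...;"); deliberately broad, so non-entity text between & and ; is dropped too.`; if not, the entity-only form is `'/&#?[a-z0-9]+;/i'`. Separately, the preceding line as printed reads `preg_replace( '#.+?#', '', $more )`, which would match every character — presumably tag markup inside the pattern was lost when this page was rendered and should be checked against the repository. get_comments_number_text() begins and ends outside the hunk.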
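Review bot: The rewritten summary lists tags, percent-encoded characters and HTML entities but omits that the function also strips accents via `remove_accents()` (visible at the top of the following hunk), so the docblock under-describes the transformation a caller should expect. Suggest `* Removes tags, percent-encoded characters, HTML entities, and accents (via remove_accents()), and if strict is enabled,` as the first description line. The `@param bool $strict` text could also name the set instead of saying "specific characters", since the allowed characters (alphanumeric, _, space, ., -, @) are already listed two lines above.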
@@ -2127,9 +2127,9 @@ function sanitize_user( $username, $strict = false ) {
 	$raw_username = $username;
 	$username = wp_strip_all_tags( $username );
 	$username = remove_accents( $username );
-	// Kill octets.
+	// Remove percent-encoded characters.
 	$username = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $username );
-	// Kill entities.
+	// Remove HTML entities.
 	$username = preg_replace( '/&.+?;/', '', $username );
 
 	// If strict, reduce to ASCII for max portability.
@@ -2364,7 +2364,7 @@ function sanitize_title_with_dashes( $title, $raw_title = '', $context = 'displa
 		$title = str_replace( '%c3%97', 'x', $title );
 	}
 
-	// Kill entities.
+	// Remove HTML entities.
 	$title = preg_replace( '/&.+?;/', '', $title );
 	$title = str_replace( '.', '-', $title );
 
@@ -2412,7 +2412,7 @@ function sanitize_sql_orderby( $orderby ) {
  * @return string The sanitized value.
  */
 function sanitize_html_class( $classname, $fallback = '' ) {
-	// Strip out any %-encoded octets.
+	// Strip out any percent-encoded characters.
 	$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );
 
 	// Limit to A-Z, a-z, 0-9, '_', '-'.
@@ -5450,7 +5450,7 @@ function wp_strip_all_tags( $text, $remove_breaks = false ) {
  * - Converts single `<` characters to entities
  * - Strips all tags
  * - Removes line breaks, tabs, and extra whitespace
- * - Strips octets
+ * - Strips percent-encoded characters
  *
  * @since 2.9.0
  *
@@ -5527,8 +5527,10 @@ function _sanitize_text_fields( $str, $keep_newlines = false ) {
 		// This will strip extra whitespace for us.
 		$filtered = wp_strip_all_tags( $filtered, false );
 
-		// Use HTML entities in a special case to make sure no later
-		// newline stripping stage could lead to a functional tag.
+		/*
+		 * Use HTML entities in a special case to make sure that
+		 * later newline stripping stages cannot lead to a functional tag.
+		 */
 		$filtered = str_replace( "<\n", "<\n", $filtered );
 	}
 
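Review bot: The pattern under the new `// Remove percent-encoded characters.` comment, `'|%([a-fA-F0-9][a-fA-F0-9])|'`, keeps a capturing group that nothing reads, and after this patch the same match is spelled three ways in one file: with a group here, without one in sanitize_html_class(), and as `/%[a-f0-9]{2}/i` in _sanitize_text_fields(). Since the adjacent comments are being edited anyway, aligning the expressions is cheap and behaviour-neutral: `$username = preg_replace( '/%[a-f0-9]{2}/i', '', $username );`. The comment could also record the design choice a reader will wonder about: `// Remove (do not decode) percent-encoded characters; decoded bytes would re-enter the name unsanitized.` sanitize_user() continues past the hunk.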
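Review bot: As printed, `$filtered = str_replace( "<\n", "<\n", $filtered );` replaces a string with itself, which would make the rewritten comment above it describe a no-op; presumably the second argument is the `<` entity and it was decoded when this page was rendered, but that is worth confirming against the repository because, per the comment, this is the line that stops a surviving `<` from becoming a tag once newlines are removed later. The new block comment could name the concrete case rather than "a special case", e.g. `* A "<" immediately followed by a newline can survive tag stripping; entity-encode it so that removing the newline later cannot form a tag.`. The enclosing if-block opens above the hunk.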
@@ -5537,6 +5539,7 @@ function _sanitize_text_fields( $str, $keep_newlines = false ) {
 	}
 	$filtered = trim( $filtered );
 
+	// Remove percent-encoded characters.
 	$found = false;
 	while ( preg_match( '/%[a-f0-9]{2}/i', $filtered, $match ) ) {
 		$filtered = str_replace( $match[0], '', $filtered );
@@ -5544,7 +5547,7 @@ function _sanitize_text_fields( $str, $keep_newlines = false ) {
 	}
 
 	if ( $found ) {
-		// Strip out the whitespace that may now exist after removing the octets.
+		// Strip out the whitespace that may now exist after removing percent-encoded characters.
 		$filtered = trim( preg_replace( '/ +/', ' ', $filtered ) );
 	}
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ed80ac9942..d383b027d1 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.2-beta2-55345';
+$wp_version = '6.2-beta2-55346';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
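Review bot: The added `// Remove percent-encoded characters.` does not say why this is a `while` loop instead of a single preg_replace, which is the one thing a future maintainer is likely to "simplify" away: removing one sequence can expose another (`%%4141` becomes `%41` after the first pass), and the loop re-scans until no match remains, whereas a one-pass replacement would leave `%41` behind. Suggest `// Remove percent-encoded characters, repeating until none remain: deleting one sequence can expose another (e.g. "%%4141" -> "%41").`. The `$found = true;` that the loop relies on sits just past the hunk, and _sanitize_text_fields() continues on both sides of it.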