Docs: Provide best practice guidance for achieving parity between `$menu_slug` values supplied when adding menu and submenu pages, and later trying to compare those initial values against sanitized screen IDs derived from `$menu_slug`.

At the heart of the matter, the `$menu_slug` parameter in `add_menu_page()` and `add_submenu_page()` is not sanitized with `sanitize_key()`. When the screen object is later built for the admin page, the screen ID is derived from that `$menu_slug` value, though passed through `sanitize_key()`, which can produce unexpected results in comparison check. Changing the sanitization code to provide actual parity is out of the question at this juncture, so updating the docs to describe how to avoid this edge case is the next best option. Props GregRoss. Fixes #35305. Built from https://develop.svn.wordpress.org/trunk@40967 git-svn-id: http://core.svn.wordpress.org/trunk@40817 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-06-30 04:18:43 +00:00 · 2017-06-30 04:18:43 +00:00 · d829ec4cf2
parent af5b2ca7f5
commit d829ec4cf2
3 changed files with 20 additions and 7 deletions
--- a/wp-admin/includes/plugin.php
+++ b/wp-admin/includes/plugin.php
@ -1060,7 +1060,9 @@ function uninstall_plugin($plugin) {
 * @param string   $page_title The text to be displayed in the title tags of the page when the menu is selected.
 * @param string   $menu_title The text to be used for the menu.
 * @param string   $capability The capability required for this menu to be displayed to the user.
- * @param string   $menu_slug  The slug name to refer to this menu by (should be unique for this menu).
+ * @param string   $menu_slug  The slug name to refer to this menu by. Should be unique for this menu page and only
 *                             include lowercase alphanumeric, dashes, and underscores characters to be compatible
 *                             with sanitize_key().
 * @param callable $function   The function to be called to output the content for this page.
 * @param string   $icon_url   The URL to the icon to be used for this menu.
 *                             * Pass a base64-encoded SVG using a data URI, which will be colored to match
@ -1126,11 +1128,15 @@ function add_menu_page( $page_title, $menu_title, $capability, $menu_slug, $func
 * @global array $_registered_pages
 * @global array $_parent_pages
 *
- * @param string   $parent_slug The slug name for the parent menu (or the file name of a standard WordPress admin page).
+ * @param string   $parent_slug The slug name for the parent menu (or the file name of a standard
- * @param string   $page_title  The text to be displayed in the title tags of the page when the menu is selected.
+ *                              WordPress admin page).
 * @param string   $page_title  The text to be displayed in the title tags of the page when the menu
 *                              is selected.
 * @param string   $menu_title  The text to be used for the menu.
 * @param string   $capability  The capability required for this menu to be displayed to the user.
- * @param string   $menu_slug   The slug name to refer to this menu by (should be unique for this menu).
+ * @param string   $menu_slug   The slug name to refer to this menu by. Should be unique for this menu
 *                              and only include lowercase alphanumeric, dashes, and underscores characters
 *                              to be compatible with sanitize_key().
 * @param callable $function    The function to be called to output the content for this page.
 * @return false|string The resulting page's hook_suffix, or false if the user does not have the capability required.
 */
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@ -892,7 +892,10 @@ function wp_import_upload_form( $action ) {
 * @param string|array|WP_Screen $screen        Optional. The screen or screens on which to show the box
 *                                              (such as a post type, 'link', or 'comment'). Accepts a single
 *                                              screen ID, WP_Screen object, or array of screen IDs. Default
- *                                              is the current screen.
+ *                                              is the current screen.  If you have used add_menu_page() or 
 *                                              add_submenu_page() to create a new screen (and hence screen_id),
 *                                              make sure your menu slug conforms to the limits of sanitize_key()
 *                                              otherwise the 'screen' menu may not correctly render on your page.
 * @param string                 $context       Optional. The context within the screen where the boxes
 *                                              should display. Available contexts vary from screen to
 *                                              screen. Post edit screen contexts include 'normal', 'side',
@ -987,7 +990,11 @@ function add_meta_box( $id, $title, $callback, $screen = null, $context = 'advan
 * @global array $wp_meta_boxes
 *
 * @staticvar bool $already_sorted
- * @param string|WP_Screen $screen  Screen identifier
+ *
 * @param string|WP_Screen $screen  Screen identifier. If you have used add_menu_page() or
 *                                  add_submenu_page() to create a new screen (and hence screen_id)
 *                                  make sure your menu slug conforms to the limits of sanitize_key()
 *                                  otherwise the 'screen' menu may not correctly render on your page.
 * @param string           $context box context
 * @param mixed            $object  gets passed to the box callback function as first parameter
 * @return int number of meta_boxes
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9-alpha-40966';
+$wp_version = '4.9-alpha-40967';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.