Conversation

@GaryJones
Contributor

Summary

  • Replaces sanitize_text_field() with wp_strip_all_tags() for token and password fields
  • Prevents encoded octets (e.g., %B2) from being stripped from OAuth tokens and passwords

Problem

sanitize_text_field() converts encoded octets, which breaks OAuth tokens and passwords containing special characters in encoded form.

Solution

Use wp_strip_all_tags() instead, which removes HTML tags but preserves encoded octets.

Additional improvements:

  • Added wp_unslash() for proper magic quotes handling
  • Added isset() checks for POST variables
  • Used esc_url_raw() for URL fields

Test plan

  • PHP syntax validated
  • All 70 unit tests pass
  • Manual testing with tokens containing special characters like %B2

Fixes #114

🤖 Generated with Claude Code

The sanitize_text_field() function converts encoded octets (e.g., %B2)
which can break OAuth tokens and passwords that contain special
characters in encoded form.

This change replaces sanitize_text_field() with wp_strip_all_tags() for
token and password fields. wp_strip_all_tags() removes HTML tags but
does not modify encoded octets, making it safe for credential fields.

Additional improvements:
- Added wp_unslash() for proper magic quotes handling
- Added isset() checks for POST variables
- Used esc_url_raw() for URL fields
- Improved code formatting and inline documentation

Fixes #114

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
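The difference the description and commit message talk about, shown as an added example written for this page (not the plugin's own code): a hypothetical settings handler `example_read_settings()` that applies the pattern described here, with `isset()` checks, `wp_unslash()`, `wp_strip_all_tags()` for the token and password fields, `esc_url_raw()` for the URL field and `sanitize_text_field()` kept only for ordinary free-text fields. The field names (`site_token`, `password`, `site_url`, `label`) are assumptions. So that the script also executes outside WordPress, minimal stand-ins for the four WordPress helpers are defined when the real ones are absent; they only mimic the behaviour relevant here (in particular the percent-octet removal that `sanitize_text_field()` performs) and are not the WordPress implementations.

```php
<?php
/**
 * Added example, not the project's code. Stand-ins below only exist so the
 * script runs from the command line; under WordPress the real helpers win.
 */

if ( ! function_exists( 'wp_unslash' ) ) {
	function wp_unslash( $value ) {
		return is_array( $value ) ? array_map( 'wp_unslash', $value ) : stripslashes( $value );
	}
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
	function wp_strip_all_tags( $text ) {
		$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $text );
		return trim( strip_tags( $text ) );
	}
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
	// Stand-in reproducing the one behaviour that matters here: percent-encoded
	// octets such as %B2 are removed, which is what breaks tokens and passwords.
	function sanitize_text_field( $text ) {
		$text = trim( strip_tags( (string) $text ) );
		while ( preg_match( '/%[a-f0-9]{2}/i', $text, $m ) ) {
			$text = str_replace( $m[0], '', $text );
		}
		return $text;
	}
}
if ( ! function_exists( 'esc_url_raw' ) ) {
	function esc_url_raw( $url ) {
		$clean = filter_var( trim( (string) $url ), FILTER_SANITIZE_URL );
		return false === $clean ? '' : $clean;
	}
}

/**
 * Hypothetical settings handler (assumed field names).
 *
 * Credential fields go through wp_strip_all_tags() so encoded octets survive,
 * the URL field through esc_url_raw(), and only free-text fields through
 * sanitize_text_field(). Every field is guarded by isset() and unslashed first.
 *
 * @param array $post Request body, e.g. $_POST.
 * @return array Sanitized settings.
 */
function example_read_settings( array $post ) {
	$settings = array(
		'site_token' => '',
		'password'   => '',
		'site_url'   => '',
		'label'      => '',
	);

	if ( isset( $post['site_token'] ) ) {
		$settings['site_token'] = wp_strip_all_tags( wp_unslash( $post['site_token'] ) );
	}
	if ( isset( $post['password'] ) ) {
		$settings['password'] = wp_strip_all_tags( wp_unslash( $post['password'] ) );
	}
	if ( isset( $post['site_url'] ) ) {
		$settings['site_url'] = esc_url_raw( wp_unslash( $post['site_url'] ) );
	}
	if ( isset( $post['label'] ) ) {
		// Not a credential: octet removal is acceptable for a display label.
		$settings['label'] = sanitize_text_field( wp_unslash( $post['label'] ) );
	}

	return $settings;
}

// Constructed input: a token carrying an encoded octet, a password with one,
// a URL with a trailing tag and a label; the 'site_url' key is missing on purpose.
$constructed_post = array(
	'site_token' => 'abc%B2def',
	'password'   => 'p%40ss<b>word</b>',
	'label'      => 'My %B2 site',
);

$result = example_read_settings( $constructed_post );

echo 'sanitize_text_field( token ): ', sanitize_text_field( $constructed_post['site_token'] ), PHP_EOL; // abcdef
echo 'wp_strip_all_tags( token ):   ', $result['site_token'], PHP_EOL;                               // abc%B2def
echo 'password kept octet:          ', $result['password'], PHP_EOL;                                 // p%40ssword
echo 'missing site_url stays empty: "', $result['site_url'], '"', PHP_EOL;
```

The two echo lines for the token are the whole point: on the same input, `sanitize_text_field()` collapses `abc%B2def` to `abcdef`, while `wp_strip_all_tags()` returns it unchanged, so a token or password compared byte for byte on the remote side still matches. One thing worth keeping in mind when choosing `wp_strip_all_tags()` for credentials: it still removes anything shaped like an HTML tag (`<...>`), so a secret that happens to contain such a sequence would also be altered; that is an inherent property of tag stripping, not something this change introduces.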
@GaryJones GaryJones requested a review from a team as a code owner January 4, 2026 15:21
@GaryJones GaryJones self-assigned this Jan 4, 2026
@GaryJones GaryJones added the type: bug Something isn't working label Jan 4, 2026
@GaryJones GaryJones added this to the 2.2.0 milestone Jan 4, 2026
@GaryJones GaryJones merged commit ce03869 into develop Jan 4, 2026
8 checks passed
@GaryJones GaryJones deleted the fix/114-token-sanitization branch January 4, 2026 15:26
@GaryJones GaryJones mentioned this pull request Jan 4, 2026
Linked issue closed by this pull request: Using sanitize_text_field can break site_token