Guard URL field against non-scalar values #463
Merged
validate_value() and format_value() in the URL field could receive a non-scalar value (e.g. an array) from a form submission and raised a TypeError from strpos()/esc_url(). Guard both so a non-string value is treated as invalid/empty rather than fatally erroring.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Cover validate_value() and format_value() receiving an array value, ensuring they return an invalid/empty result instead of a TypeError.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Description
The URL field's validate_value() and format_value() methods can receive a non-scalar value (for example an array) from a form submission, since the submitted value is not guaranteed to be a string. When that happens:

- validate_value() calls strpos( $value, '://' ), which raises a TypeError on PHP 8 when $value is an array.
- format_value() calls esc_url( $value ) (which internally calls ltrim()) when escape_html is true, raising a TypeError on an array.

A non-scalar value is never a valid URL, so the field should treat it as invalid/empty rather than raising a fatal TypeError. This PR adds a minimal type guard to both methods:

- validate_value(): a non-string value returns the existing "Value must be a valid URL" validation message.
- format_value(): a non-string value returns an empty string when escaping, matching how the field already treats an empty value.

Behavior for normal string values is unchanged.
This file is derived from an upstream plugin; the same change applies upstream.
Verification
- composer test:php — full suite green (2266 tests), including new regression tests test_validate_value_non_scalar and test_format_value_non_scalar_escaped.
- composer test:phpstan — clean (no errors).
- vendor/bin/phpcs on the changed field class and test file — clean (no new violations introduced).

Use of AI Tools
This change was authored by Claude Code under human direction. The human author reviewed and takes responsibility for the change.
🤖 Generated with Claude Code
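
The failure and the guard described in this PR, as an added stand-alone PHP 8 sketch that is not the plugin's code. The function names, the `website` field name and the `esc_url()` stand-in are assumptions, and validation is reduced to the `strpos()` check the description mentions.

```php
<?php
// Added illustration, not the plugin's code. Function names, the "website"
// field name and this esc_url() stand-in are assumptions for the demo.
if (!function_exists('esc_url')) {
    // Simplified stand-in: like WordPress's esc_url(), it starts with ltrim().
    function esc_url($url) { return htmlspecialchars(ltrim($url), ENT_QUOTES); }
}

const INVALID_URL = 'Value must be a valid URL';

// "Before": string functions are called on whatever the request supplied.
function validate_unguarded($value) {
    return strpos($value, '://') === false ? INVALID_URL : true;
}
function format_unguarded($value, bool $escape_html) {
    return $escape_html ? esc_url($value) : $value;
}

// "After": a non-string value is invalid (validation) or empty (escaped output).
function validate_guarded($value) {
    if (!is_string($value)) {
        return INVALID_URL;
    }
    return strpos($value, '://') === false ? INVALID_URL : true;
}
function format_guarded($value, bool $escape_html) {
    if ($escape_html && !is_string($value)) {
        return '';
    }
    return $escape_html ? esc_url($value) : $value;
}

// Constructed request body: bracket syntax makes PHP build an array for the field.
parse_str('website[]=https://example.com', $post);
$value = $post['website']; // an array, not a string

$calls = [
    ['validate_unguarded', [$value]],
    ['validate_guarded',   [$value]],
    ['format_unguarded',   [$value, true]],
    ['format_guarded',     [$value, true]],
];
foreach ($calls as [$fn, $args]) {
    try {
        echo $fn, ': ', var_export($fn(...$args), true), PHP_EOL;
    } catch (TypeError $e) {
        // On PHP 8 the unguarded variants end up here for array input.
        echo $fn, ': TypeError: ', $e->getMessage(), PHP_EOL;
    }
}
```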