Open
Bug Description
WordPress.Security.ValidatedSanitizedInput.MissingUnslash
and WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
are triggered on this type of code:
```php
if ( isset( $_POST['thing'] ) // here the flag is not triggered
	&& $_POST['thing'] // here the flags are triggered
) {
```
Note that $_POST['thing'] is never actually used - only checked upon. No matter what is passed in the superglobal, sanitizing or unslashing it won't change the result of this check, or in other words, allow an attack or other issue.
Minimal Code Snippet
```php
if ( isset( $_POST['thing'] ) // here the flag is not triggered
	&& $_POST['thing'] // here the flag is triggered
) {
	// do whatever else, NOT using $_POST
}
```
- The slashes do not affect the boolean value. "a \"quoted\" value" is still true.
- We’re just checking presence and truthiness. We are never actually using the value.
Can this be remedied?
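As an added, stand-alone example (not code from the issue or from WPCS), the script below runs the issue's `isset() && truthy` pattern and an `! empty()` form of the same check over a set of constructed request bodies, and compares the result before and after `stripslashes()` (the core function that `wp_unslash()` applies). The sample inputs, the two function names and the table output are mine; it also assumes, as I understand the sniff, that WPCS treats a superglobal read inside `isset()`/`empty()` as validated and does not demand sanitization there, which should be checked against the WPCS version in use.

```php
<?php
// Added example, not from the issue or from WPCS. Runs without WordPress loaded.
// Assumption: WPCS treats isset()/empty() as validation and does not require
// sanitization of a superglobal read inside them; verify against your version.

declare(strict_types=1);

/** The pattern from the issue: presence plus truthiness, value never used. */
function has_thing_issue_style(array $post): bool
{
    return isset($post['thing']) && $post['thing'];
}

/** Same decision written as a single `! empty()` read of the superglobal. */
function has_thing_empty_style(array $post): bool
{
    return ! empty($post['thing']);
}

// Constructed sample request bodies (stand-ins for $_POST). The slashes that
// WordPress adds to request data are reproduced with addslashes().
$samples = [
    'missing key'  => [],
    'empty string' => ['thing' => ''],
    'string zero'  => ['thing' => '0'],   // "0" is falsy in PHP: both checks say absent
    'plain text'   => ['thing' => 'yes'],
    'quoted value' => ['thing' => addslashes('a "quoted" value')],
    'html'         => ['thing' => '<b>'],
];

printf("%-14s %-8s %-8s %-10s\n", 'input', 'issue', 'empty()', 'unslashed');
foreach ($samples as $label => $post) {
    // wp_unslash() is stripslashes applied to the value; do the same here.
    $unslashed = $post;
    if (isset($unslashed['thing'])) {
        $unslashed['thing'] = stripslashes($unslashed['thing']);
    }
    printf(
        "%-14s %-8s %-8s %-10s\n",
        $label,
        var_export(has_thing_issue_style($post), true),
        var_export(has_thing_empty_style($post), true),
        var_export(has_thing_issue_style($unslashed), true)
    );
}
```

Run it with `php` from the command line. The two checks agree on every row, and unslashing does not move any row between true and false; the one row worth noticing is `"0"`, which both forms treat as "not present" because PHP's truthiness rules make the string `"0"` falsy, so a form that can legitimately submit `0` needs an explicit `isset()` plus `'' !== $value` test rather than either of these.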