Use stricter sanitization for meta query clause keys.

By forcing all clause keys to be strings, we make it possible to use strict comparison when validating values of 'orderby' as passed to `WP_Query`. This eliminates situations where the presence of numeric clause keys could result in an improperly validated 'orderby' value. Props nikolov.tmw. Fixes #32937. git-svn-id: https://develop.svn.wordpress.org/trunk@34090 602fd350-edb4-49c9-b593-d223f7449a82
2026-04-08 06:34:34 +00:00 · 2015-09-12 21:05:14 +00:00
parent dcbd8c6c3d
commit 4fdfdb6078
2 changed files with 3 additions and 3 deletions
--- a/src/wp-includes/query.php
+++ b/src/wp-includes/query.php
@@ -2280,7 +2280,7 @@ class WP_Query {
 			$allowed_keys   = array_merge( $allowed_keys, array_keys( $meta_clauses ) );
 		}

-		if ( ! in_array( $orderby, $allowed_keys ) ) {
+		if ( ! in_array( $orderby, $allowed_keys, true ) ) {
 			return false;
 		}