From dfef2c917f567b90cccbe929beac7f527df39671 Mon Sep 17 00:00:00 2001
From: hellofromTonya
Date: Tue, 14 Dec 2021 15:01:03 +0000
Subject: [PATCH] Formatting: Use `is_scalar()` in `sanitize_key()`.

This is a follow-up to [52292] which introduced `is_string()` to check the given key is a string to be sanitized, else the key is set to an empty string.
`sanitize_key()` is clearly identified (in the documentation) to only work with ''string'' keys. However, it had a bug in it that allowed non-strings to pass through it:
* A non-scalar "key" would throw a PHP Warning (which was resolved in [52292].
* A non-string scalar "key" was handled by the PHP native `strtolower()` which converted it into a string.
While `is_string()` is valid, non-string scalar types passed as the key to be sanitized were being set to an empty string. Given that `strtolower()` handles these without error or deprecation as of PHP 8.1, `is_scalar()` protects the website from issues while retaining the past behavior of converting integer keys (for example) into a string.
Changes include:
* Using `is_scalar()` instead of `is_string()`
* Refactor for readability and less code
* More tests
Please note, this does not change the behavior of the function, nor redefine it to now accept non-string scalars.
References:
* https://developer.wordpress.org/reference/functions/sanitize_key/
* https://www.php.net/manual/en/function.strtolower.php
Follow-up [52292].
Props wppunk, hellofromTonya, costdev, jrf.
Fixes #54160.
Built from https://develop.svn.wordpress.org/trunk@52370
git-svn-id: http://core.svn.wordpress.org/trunk@51962 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/formatting.php | 22 +++++++++-------------
 wp-includes/version.php    |  2 +-
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 9c49b97b56..905b07b598 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2132,19 +2132,15 @@ function sanitize_user( $username, $strict = false ) {
  *
  * @since 3.0.0
  *
- * @param string $key String key
- * @return string Sanitized key
+ * @param string $key String key.
+ * @return string Sanitized key.
  */
 function sanitize_key( $key ) {
-	$raw_key = $key;
+	$sanitized_key = '';
 
-	if ( ! is_string( $key ) ) {
-		$key = '';
-	}
-
-	if ( '' !== $key ) {
-		$key = strtolower( $key );
-		$key = preg_replace( '/[^a-z0-9_\-]/', '', $key );
+	if ( is_scalar( $key ) ) {
+		$sanitized_key = strtolower( $key );
+		$sanitized_key = preg_replace( '/[^a-z0-9_\-]/', '', $sanitized_key );
 	}
 
 	/**
@@ -2152,10 +2148,10 @@ function sanitize_key( $key ) {
 	 *
 	 * @since 3.0.0
 	 *
-	 * @param string $key Sanitized key.
-	 * @param string $raw_key The key prior to sanitization.
+	 * @param string $sanitized_key Sanitized key.
+	 * @param string $key The key prior to sanitization.
 	 */
-	return apply_filters( 'sanitize_key', $key, $raw_key );
+	return apply_filters( 'sanitize_key', $sanitized_key, $key );
 }
 
 /**
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 65c5c4c81c..cf5fb84914 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.9-beta2-52369';
+$wp_version = '5.9-beta2-52370';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
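Review bot: The `is_scalar( $key )` guard admits `bool` and `float` as well as `int`, yet the docblock two lines above it still says only `@param string $key String key.` and the commit message mentions only integer keys. In the absence of a `strict_types` declaration in this file, `strtolower()` coerces the value, so `sanitize_key( true )` yields `'1'`, `sanitize_key( false )` yields `''`, and `sanitize_key( 1.5 )` yields `'15'` because the `.` is then stripped by `preg_replace()`; a caller keying an option or capability on such a value gets a silently different key than it might expect. Since the function keeps this coercion on purpose, the docblock should say so: `@param string $key String key. Non-string scalars (int, float, bool) are cast to string before sanitizing; any other type results in ''.`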
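Review bot: The new filter docblock line `@param string $key The key prior to sanitization.` types the second filter argument as `string`, but `$key` is handed to `apply_filters()` untouched, so a callback receives exactly the array, object or null the `is_scalar()` guard in the previous hunk was added to cope with, as well as raw non-string scalars. A callback that trusts the `string` type and runs a string function on it reproduces the PHP Warning this series fixes, one layer further out. The pre-commit code passed `$raw_key` the same way, so this is not a regression, but the rewritten line is the place to make the type honest: `@param mixed $key The key prior to sanitization; may be any type, not only a string.` The opening of `sanitize_key()` lies outside this hunk; its closing brace is inside it.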