ValidatedSanitizedInput: allow use of array_keys() without sanitization/unslashing ?

[jrfnl]

Open question: should using array_keys() on superglobals be allowed without sanitization ?

I'm pretty sure we shouldn't demand unslashing when that function is used as WP doesn't actually slash the array keys, but the sniff currently throws both a "missing unslash" as well as a "missing sanitization" error.

Refs:

• https://developer.wordpress.org/reference/functions/add_magic_quotes/
• https://www.php.net/manual/en/function.array-keys.php

Opinions ?

[GaryJones]

I'd say to let it through.

[kkmuffme]

Unslashing is fine, but sanitizing is not. Since array keys can be arbitrary strings, therefore aren't safe.

However array_keys shouldn't report an error when it's sanitized right away, e.g.
array_map( 'sanitize_text_field', wp_unslash( array_keys( $_POST['foo'] ) ) )