forumone / wp-cfm

Manage and deploy WordPress configuration changes
http://wordpress.org/plugins/wp-cfm/

FILTER_SANITIZE_STRING is deprecated in PHP 8.1 #135

Closed gbeezus closed 11 months ago

gbeezus commented 1 year ago

Deprecated: Constant FILTER_SANITIZE_STRING is deprecated in /var/www/html/web/wp-content/plugins/wp-cfm/wp-cfm.php on line 121 after installing WP-CFM with PHP 8.1.

Also occurs on lines 129 and 254 in wp-cfm.php.

timnolte commented 1 year ago

@tropicandid FYI, as we are working to start rolling out the PHP 8.1 upgrade we need to get this fixed. I'm going to get WP-CFM back on my priority list and work on getting this mitigated as soon as possible.

timnolte commented 1 year ago

PHP 8.1 upgrade visibility: https://forumone.atlassian.net/wiki/spaces/support/pages/3596943507/PHP+8.0+to+8.1+Compatibility#WP-CFM

timnolte commented 1 year ago

Looks like another related item when doing a wp config pull all:

Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated in /var/www/html/web/wp-content/plugins/wp-cfm/vendor/symfony/yaml/Inline.php on line 86

timnolte commented 1 year ago

For the original issue there is a "polyfill" function that can be used:

function filter_string_polyfill(string $string): string
{
    $str = preg_replace('/\x00|<[^>]*>?/', '', $string);
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $str);
}

gbeezus commented 12 months ago

@timnolte Willing to talk it out. I'm not convinced that the precise polyfill you provided is enough to replicate what was done previously with FILTER_SANITIZE_STRING which also encoded a fair amount. Are we considering whether we need the same functionality for comparing input to environment variable strings? Maybe I am misunderstanding something here.

timnolte commented 12 months ago

@gbeezus there is a good rundown of why the polyfill function would be a direct drop-in replacement: https://stackoverflow.com/a/69207369

timnolte commented 12 months ago

@gbeezus actually, looking at the code that was written I did discover that it is wrong as the original code was looking at INPUT_GET & INPUT_POST. The code that was implemented incorrectly uses $_GET twice.

timnolte commented 12 months ago

@gbeezus just to be clear I wasn't "blindly" copying anything.
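
The following is an added example, not code from this thread or from WP-CFM. It applies the polyfill posted above to a lookup that checks the GET parameters first and then the POST parameters, the two sources the thread says the original code read, so the second lookup does not repeat the first. It assumes the default, flag-less behaviour of FILTER_SANITIZE_STRING; the helper name example_request_string() and the sample arrays are hypothetical, and the arrays are passed in rather than read from superglobals so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Polyfill as posted in the thread: remove NUL bytes and anything that
// looks like a tag, then encode single and double quotes.
function filter_string_polyfill(string $string): string
{
    $str = preg_replace('/\x00|<[^>]*>?/', '', $string);
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $str);
}

/**
 * Hypothetical helper (not part of WP-CFM): return the sanitized value of
 * $key from the GET parameters, falling back to the POST parameters.
 * Returns null when the key is absent or the value is not a string, so
 * array-valued parameters never reach the string-only polyfill.
 */
function example_request_string(string $key, array $get, array $post): ?string
{
    // Two distinct sources, in order. Listing $get twice here would
    // silently ignore every POST-only parameter.
    foreach ([$get, $post] as $source) {
        if (isset($source[$key]) && is_string($source[$key])) {
            return filter_string_polyfill($source[$key]);
        }
    }
    return null;
}

// Constructed sample request data.
$get  = ['tab' => 'settings'];
$post = [
    'bundle' => "demo<b>_bundle</b>\0 'a\"b'", // tag, NUL byte, both quote types
    'open'   => 'name <unclosed',               // tag that is never closed
    'ids'    => ['a', 'b'],                     // array-valued parameter
];

foreach (['tab', 'bundle', 'open', 'ids', 'missing'] as $key) {
    echo str_pad($key, 8), ' => ';
    var_dump(example_request_string($key, $get, $post));
}
```

The polyfill only strips tags and encodes quotes; values it returns still need escaping for the context they are written into.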