id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
12416	*_option() and *_transient() functions should expect unslashed data.	Denis-de-Bernardy	ryan	"Following up on:

http://core.trac.wordpress.org/ticket/9015#comment:136

It's totally irresponsible to expect plugin authors to escape whatever they send into get_option(). As things stand:

 - get_option(), delete_option(), get_site_option() assume it's slashed
 - add_option(), update_option(), add_site_option() seem to assume it's unslashed, as does __get_option()
 - *_transient() seem to expect unslashed input.
 - delete_site_option() is very special: it expects slashed input if you're not using multisite, but unslashed if you are
 - update_site_option() is equally special: it needs slashed input if the option is not loaded already, and unslashed input if it is

the list goes on, and on... and these inconsistencies come on top of the *_meta() functions, which expect slashed data.

it's totally nuts, insecure, and irresponsible. especially considering calls in WP such as:

 - get_option(""{$size}_crop"");

or functions such as:

{{{
function form_option( $option ) {
	echo esc_attr( get_option( $option ) );
}

function get_settings_errors( $setting = '', $sanitize = FALSE ) {
	global $wp_settings_errors;
	//... isn't it ironic that using sanitize here makes it LESS secure?
	if ( $sanitize )
		sanitize_option( $setting, get_option($setting));
	// ...
}}}

we're asking for trouble here..."	defect (bug)	closed	high	3.0	Security	3.0	critical	fixed	needs-patch	nbachiyski
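To make the mismatch described in the ticket concrete, here is an added, stand-alone PHP illustration. It is not WordPress code and does not call the WordPress API: it models a hypothetical option store where the "add" entry point takes an unslashed name while the "get" entry point strips slashes first (the get_option()/add_option() contract the ticket complains about), and sets it beside a version where every entry point takes unslashed data so that a caller never has to guess. All function and variable names here are invented for the example.

```php
<?php
// Added example (not WordPress code). Models the slashed/unslashed contract
// mismatch from the ticket with a hypothetical in-memory option table.

// --- Legacy-style contract: add takes UNSLASHED, get expects SLASHED ---------

function legacy_add_option(array &$table, string $name, $value): void
{
    // Stores under the name exactly as given (unslashed).
    $table[$name] = $value;
}

function legacy_get_option(array &$table, string $name)
{
    // Assumes the caller already ran addslashes() on the name, so it strips
    // one level of slashes before the lookup. A caller who passes the raw
    // name (the natural thing to do) gets a different key than was stored.
    $key = stripslashes($name);
    return $table[$key] ?? false;
}

// --- Consistent contract: every entry point takes UNSLASHED data ------------
// Any escaping the storage layer needs (e.g. a prepared statement) happens
// inside the storage layer, never in the caller.

function add_option_unslashed(array &$table, string $name, $value): void
{
    $table[$name] = $value;
}

function get_option_unslashed(array &$table, string $name)
{
    return $table[$name] ?? false;
}

// --- Demonstration ----------------------------------------------------------

function demo(): array
{
    // Constructed option name containing backslashes: "path\to\option".
    // Names with backslashes (or quotes, once addslashes() is involved) are
    // exactly where a slashed/unslashed disagreement becomes visible.
    $name = "path\\to\\option";

    $legacy = [];
    legacy_add_option($legacy, $name, 'stored-value');

    $consistent = [];
    add_option_unslashed($consistent, $name, 'stored-value');

    return [
        // Raw name in, raw name out: lookup key becomes "pathtooption" -> false.
        'legacy_raw_lookup'      => legacy_get_option($legacy, $name),
        // Only works if the caller remembers the slashed contract.
        'legacy_slashed_lookup'  => legacy_get_option($legacy, addslashes($name)),
        // Same raw name works everywhere under the consistent contract.
        'consistent_raw_lookup'  => get_option_unslashed($consistent, $name),
    ];
}

var_dump(demo());
// 'legacy_raw_lookup'     => false
// 'legacy_slashed_lookup' => 'stored-value'
// 'consistent_raw_lookup' => 'stored-value'
```

The point for a reviewer is that the legacy contract turns a correct-looking call into a silent miss (or, in a real store, a lookup against a key the caller never intended), and that the only robust fix is the one the ticket asks for: a single, documented convention (unslashed in) with escaping confined to the storage boundary.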
