id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
13655,Login/Install/User Edit should stripslashes() $_POST data,dd32,,"Following on from #13654, all Login/Registration/Install/User Edit functionality should stripslash $_POST data.

At present, it seems that we do not stripslash at all.

For existing user passwords, we should migrate passwords to their non-stripslashed versions:

 [5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.[[BR]]

 [5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. similar to the md5->phpass implementation..[[BR]]

 [5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?[[BR]]

 [5/31/10 6:35:19 AM] Dion (dd32): yep

",defect (bug),new,normal,Future Release,Administration,3.0,normal,,has-patch 3.2-early,johan.eenfeldt@…
