id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
13655	Login/Install/User Edit should stripslashes() $_POST data	dd32		"Following on from #13654 All Login/Registration/Install/User Edit functionality should stripslash $_POST data.

At present, it seems that we do not stripslash at all.

For existing user passwords, we should migrate passwords to their non-stripslashed versions:

 [5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.[[BR]]

 [5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. similar to the md5->phpass implementation..[[BR]]

 [5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?[[BR]]

 [5/31/10 6:35:19 AM] Dion (dd32): yep

"	defect (bug)	new	normal	Future Release	Administration	3.0	normal		has-patch 3.2-early	johan.eenfeldt@…