Opened 8 months ago

Closed 8 months ago

#21892 closed defect (bug) (fixed)

sanitize_option() adds and strips slashes to use the wrong kses functions

Reported by: nacin
Owned by: nacin
Priority: normal
Milestone: 3.5
Component: Formatting
Version:
Severity: normal
Keywords:
Cc:

Description

sanitize_option() does this:

$value = addslashes($value);
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
$value = stripslashes($value);

When it should instead do this:

$value = wp_kses_post( $value );

Likewise for wp_filter_kses() versus wp_kses_data().
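To make the slash round-trip concrete, here is an added PHP illustration (not WordPress code and not part of this ticket). The real kses filter is replaced by a hypothetical stand-in, fake_kses(), because the point is the slashed/unslashed calling convention, not the tag filtering itself.

```php
<?php
// Added illustration, not WordPress code. fake_kses() is a hypothetical
// stand-in for wp_kses_post(): it only drops <script> blocks, whereas the
// real filter does much more. What matters here is the slash handling.

function fake_kses(string $data): string {
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $data);
}

// Models the "_filter_" variants (wp_filter_post_kses, wp_filter_kses):
// they expect slashed input and return slashed output, so internally they
// unslash, filter, then re-slash.
function filter_kses_slashed(string $slashed): string {
    return addslashes(fake_kses(stripslashes($slashed)));
}

// The chain sanitize_option() used before the fix: slash, call the
// slash-expecting variant (which unslashes and re-slashes), unslash again.
function old_chain(string $value): string {
    $value = addslashes($value);
    $value = filter_kses_slashed($value);
    return stripslashes($value);
}

// The chain after the fix: the non-slashing variant, called directly.
function new_chain(string $value): string {
    return fake_kses($value);
}

// Constructed sample containing quotes, a backslash and a script tag.
$input = 'O\'Reilly said "C:\\path" <script>alert(1)</script> done';

// stripslashes(addslashes($x)) === $x for every $x, so both chains produce
// the same output; the old one simply did two redundant passes.
echo old_chain($input) === new_chain($input) ? "chains agree\n" : "chains differ\n";

// Caveat: a slash-expecting variant is only correct on slashed input.
// Handing it raw data removes backslashes that were part of the value,
// which is why the convention (slashed in, slashed out) must be respected.
$raw = 'C:\\path'; // the string C:\path
echo filter_kses_slashed($raw) === addslashes(fake_kses($raw))
    ? "raw input handled correctly\n"
    : "raw input mangled: " . filter_kses_slashed($raw) . "\n";
```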

Change History (1)

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [21850]:

Use the non-slashing variants of kses functions in sanitize_option() to avoid slash ping pong. fixes #21892.
