XML-RPC WordPress api setOption double escapes args
Reported by: jachzen | Owned by:
Description (last modified by SergeyBiryukov)
Parts of the XML-RPC WordPress API are not usable, as they double-quote strings, e.g. Munich's becomes Munich\\'s.
wp.setOptions($args) escapes all args and calls update_option(), which then calls mysql_real_escape_string(), leading to a double escaping. To solve this, options should not be escaped in the wp-setOptions() function.
Here is the call stack showing the 2nd escaping:
wp-includes/wp-db.php.wpdb->_real_escape:884
wp-includes/wp-db.php.wpdb->escape_by_ref:950
wp-includes/wp-db.php.array_walk:0
wp-includes/wp-db.php.wpdb->prepare:1003
wp-includes/wp-db.php.wpdb->update:1365
wp-includes/option.php.update_option:258
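The double escaping described in this ticket, modelled as an added example (not WordPress code and not from the reporter). All function names are hypothetical; `addslashes()` stands in for `mysql_real_escape_string()`, and `stripslashes()` stands in for the database consuming one level of escaping when it stores the literal.

```php
<?php
// Stand-in for mysql_real_escape_string(), which needs a live connection.
function db_escape(string $value): string {
    return addslashes($value);
}

// Stand-in for the database reading a quoted literal: one escape level is consumed.
function db_store(string $literal): string {
    return stripslashes($literal);
}

// Model of an option writer that escapes on its own before storing.
function model_update_option(array &$table, string $name, string $value): void {
    $table[$name] = db_store(db_escape($value));
}

// "Before": the handler escapes its args, then the writer escapes them again.
function set_options_escaped(array &$table, array $options): void {
    foreach ($options as $name => $value) {
        model_update_option($table, $name, db_escape($value));
    }
}

// "After": the handler passes raw values and leaves escaping to the writer.
function set_options_raw(array &$table, array $options): void {
    foreach ($options as $name => $value) {
        model_update_option($table, $name, $value);
    }
}

// Round-trip check: names of options whose stored value differs from the input.
function changed_on_round_trip(array $input, array $table): array {
    return array_keys(array_filter(
        $input,
        fn($value, $name) => ($table[$name] ?? null) !== $value,
        ARRAY_FILTER_USE_BOTH
    ));
}

// Constructed sample input.
$input = ['blogdescription' => "Munich's", 'blogname' => 'Plain title'];
$before = $after = [];
set_options_escaped($before, $input);
set_options_raw($after, $input);
foreach (['escaped in handler' => $before, 'raw in handler' => $after] as $label => $table) {
    printf("%s: stored %s, changed: %s\n", $label, var_export($table['blogdescription'], true),
        implode(',', changed_on_round_trip($input, $table)) ?: 'none');
}
```

A round-trip check of this kind, run with values containing quotes and backslashes, catches a layer that escapes input another layer already handles.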
Change History (2)
comment:1 SergeyBiryukov — 12 months ago
- Description modified (diff)
- Severity changed from blocker to major
- Summary changed from XML-RPC Wordpress api setOption double escapes args to XML-RPC WordPress api setOption double escapes args