Opened 8 years ago
Closed 6 years ago
#914 closed defect (bug) (fixed)
wrong search string escaping/slashes
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | 2.1 |
| Component: | Template | Version: | 2.0.7 |
| Severity: | minor | Keywords: | has-patch commit |
| Cc: | daniel@… |
Description
Search for ' and
\' will appear in the input field.
" ->
\
& -> &
Attachments (2)
Change History (21)
comment:1
nbachiyski
— 8 years ago
- Patch set to No
comment:2
nbachiyski
— 8 years ago
comment:4
ryan
— 8 years ago
- Owner changed from anonymous to rboren
- Status changed from new to assigned
comment:5
ryan
— 8 years ago
Even if we get rid of the extra addslashes, searches will still show a single set of slashes. \' instead of
\'. We can either add stripslashes to Kubrick's templates, or not addslashes by default when processing GPC in the blog header. Not adding slashes by default and instead relying on those functions that query the DB to addslashes as appropriate seems to be the cleanest way to do this, but that should wait until after 1.5.1.
comment:6
nbachiyski
— 8 years ago
I also prefer not adding slashes by default and escape strings only for DB operations.
Now, as I understand, the choice is between leaving the bug in 1.5.1 or applying the dirty "stripslashes in Kubrick" hack before reorganizing all that code. My choice was the second.
Which is the less evil of the two?
nbachiyski
— 8 years ago
comment:8
mdawaffe
— 7 years ago
- Keywords has-patch commit added
- Milestone set to 2.1
914.diff
- create wp_search_query() template tag which echos the query.
comment:9
ryan
— 7 years ago
Whatcha think, wp_search_query() or the_search_query()? Or maybe just the_search()? These are important questions. :-)
comment:10
markjaquith
— 7 years ago
the_search_query() or search_query()
the wp_blah() ones usually accept a query string with a bunch of parameters.
comment:11
mdawaffe
— 7 years ago
I like the_search_query(), but search_query() is a much better band name.
comment:12
ryan
— 7 years ago
- Resolution set to fixed
- Status changed from assigned to closed
comment:13
thenlich
— 6 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
- Version changed from 1.5 to 2.0.7
Found the same problem in 2.0.7
' (single quote) becomes
\' with magic_quotes_gpc on (7 backslashes, then single quote),
or
\' (magic_quotes_gpc=off) (3 backslashes, quote)
comment:14
ryan
— 6 years ago
With one of the default themes? If you're having problems with a third party theme, that theme needs to be changed.
comment:15
thenlich
— 6 years ago
Yes, with theme: WordPress Default 1.6
comment:16
foolswisdom
— 6 years ago
- Milestone changed from 2.1 to 2.1.1
comment:17
markjaquith
— 6 years ago
- Resolution set to worksforme
- Status changed from reopened to closed
thenlich, please upgrade to the most recent version of the theme (the one in 2.0.7). Re-open with a URL demonstrating the issue, if it persists.
comment:18
foolswisdom
— 6 years ago
- Milestone changed from 2.1.1 to 2.1
- Resolution worksforme deleted
- Status changed from closed to reopened
Changing back to previous fixed state.
comment:19
foolswisdom
— 6 years ago
- Resolution set to fixed
- Status changed from reopened to closed
In classes.php $qs? is added slashes again, despite the fact that is has passed through add_magic_quotes function before.
For database use the search string needs slashes, but when writing it to the templates is does not. I have added striptags calls in the template pages.