#9705 closed defect (bug) (invalid)
There should be no strip_slashes() in WP_Widget::update() - or should it?
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Widgets | Version: | 2.8 |
| Severity: | normal | Keywords: | needs-patch 2nd-opinion dev-feedback |
| Cc: | | | |
Description
The update function seems to require concrete widget implementations to stripslashes only to create the value for the new instance, even though it is documented that the function is there to check for validity, not to filter input from uncertain sources.
The need to stripslash here looks bad to me. Instead, the values used for calling should already be properly sanitized, and the server/PHP configuration should not be taken into account any longer here.
Keep in mind that this is not a function in the global namespace but a class.
Change History (11)
- Component changed from General to Widgets
- Milestone 2.8 deleted
- Resolution set to invalid
- Status changed from new to closed
Yes, this line has been in the update_callback for a few weeks.
- Resolution invalid deleted
- Status changed from closed to reopened
Invalidity needs to be argued. I do not see that this is solved. Developer statement needed whether or not the widget function gets raw or stripslashed values.
I'd personally expect stripslashed data. But good point in asking.
- Summary changed from There should no be no need to strip_slashes() in WP_Widget::update() to There should be no strip_slashes() in WP_Widget::update() - or should it?
- Resolution set to invalid
- Status changed from reopened to closed
$new_instance apparently contains stripslashed data.
See #9727. Dev statement avail here. Further digging needed, I tend to say.
comment:11
hakre — 4 years ago
Suggestion: Expect Slashed Data. As in the title in the Search Widget (one of the latest widget updates afaik). $newinstance must be stripslashed before title can be used.

Already fixed?
/wp-includes/widgets.php ~ line 222
Looks like this is already fixed. Please clarify.
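
The question the ticket turns on is which layer removes the slashes. The sketch below is an added example, not WordPress code and not from any commenter: it assumes, as the thread reports, that the caller hands `update()` already stripslashed data, and shows what a second `stripslashes()` inside `update()` does to a value. `slashed_request()`, `update_callback_model()` and both closures are hypothetical names, and the input is constructed.

```php
<?php
// Added illustration: a constructed model of the call path, not WordPress source.

// Stand-in for slashed request data (magic quotes or equivalent escaping).
function slashed_request(string $typed): array {
    return ['title' => addslashes($typed)];
}

// Hypothetical model of the calling layer described in the thread:
// it unslashes the submitted values once, then calls the widget's update().
function update_callback_model(array $request, callable $update): array {
    $new_instance = array_map('stripslashes', $request);
    return $update($new_instance, []);
}

// update() that only validates the value it is given.
$validate_only = function (array $new_instance, array $old_instance): array {
    return ['title' => strip_tags($new_instance['title'])];
};

// update() that strips slashes again on data that is already unslashed.
$strip_again = function (array $new_instance, array $old_instance): array {
    return ['title' => strip_tags(stripslashes($new_instance['title']))];
};

// Constructed sample input containing a literal backslash and quotes.
$typed   = 'Path C:\temp and a "quoted" word';
$request = slashed_request($typed);

$kept = update_callback_model($request, $validate_only);
$lost = update_callback_model($request, $strip_again);

// Compare each stored title with what the user typed.
var_dump($kept['title'] === $typed);
var_dump($lost['title'] === $typed);
echo $lost['title'], PHP_EOL;
```

If the caller did not unslash, the situation reverses: the validate-only version would store the escaping backslashes, which is why the contract for `$new_instance` needs to be stated once, in one place.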