
Changeset 39662


Timestamp:
01/02/2017 07:38:07 PM (8 years ago)
Author:
boonebgorges
Message:

Don't double-escape terms payload in WP_Tax_Query::transform_query().

terms values are passed through sanitize_term_field() with the 'db'
flag, which adds slashes. Because terms are subsequently run through
esc_sql(), these slashes must be removed. See [36348], which added
a similar step to sanitization in get_terms().

Props bcworkz.
Fixes #39315.

Location:
trunk
Files:
2 edited

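--- a/trunk/src/wp-includes/class-wp-tax-query.php
+++ b/trunk/src/wp-includes/class-wp-tax-query.php
@@ -624,5 +624,10 @@
                      * context is 'db'.
                      */
-                    $term = "'" . esc_sql( sanitize_term_field( $query['field'], $term, 0, $query['taxonomy'], 'db' ) ) . "'";
+                    $clean_term = sanitize_term_field( $query['field'], $term, 0, $query['taxonomy'], 'db' );
+
+                    // Match sanitization in wp_insert_term().
+                    $clean_term = wp_unslash( $clean_term );
+
+                    $term = "'" . esc_sql( $clean_term ) . "'";
                 }
 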
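Review bot: The comment above the new `wp_unslash()` call at line 628 says what to match but not why slashes are present, so a later reader could drop the call as a no-op or add a second unslash elsewhere; the reason in the commit message (the 'db' context of sanitize_term_field() returns a slashed value that esc_sql() would escape again) belongs in the code. I would expand it to `// sanitize_term_field() with the 'db' context returns a slashed value, as wp_insert_term() expects; strip those slashes so esc_sql() below does not double-escape the term.` The ordering is load-bearing as well: wp_unslash() must run before esc_sql(), since esc_sql() is now the only escaping applied before the quoted value is assembled on line 631, and saying so in the comment makes that invariant harder to break in a later refactor. The enclosing loop and method start and end outside the hunk.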
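--- a/trunk/tests/phpunit/tests/query/taxQuery.php
+++ b/trunk/tests/phpunit/tests/query/taxQuery.php
@@ -1381,3 +1381,32 @@
         _unregister_taxonomy( 'foo' );
     }
+
+    /**
+     * @ticket 39315
+     */
+    public function test_tax_terms_should_not_be_double_escaped() {
+        $name = "Don't worry be happy";
+
+        register_taxonomy( 'wptests_tax', 'post' );
+        $t = self::factory()->term->create( array(
+            'taxonomy' => 'wptests_tax',
+            'name' => $name,
+        ) );
+
+        $p = self::factory()->post->create();
+        wp_set_object_terms( $p, array( $t ), 'wptests_tax' );
+
+        $q = new WP_Query( array(
+            'fields' => 'ids',
+            'tax_query' => array(
+                array(
+                    'taxonomy' => 'wptests_tax',
+                    'field' => 'name',
+                    'terms' => $name,
+                ),
+            ),
+        ) );
+
+        $this->assertEqualSets( array( $p ), $q->posts );
+    }
 }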
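Review bot: The new test pins only an apostrophe in the term name, which is the character from #39315, but a backslash is the other character that slash-adding sanitization rewrites and is the one most likely to regress differently under esc_sql(), so a second case such as `$name = 'back\\slash term';` (a constructed sample) would be worth adding, ideally via a data provider so both names run through the same query. The test also only covers `'field' => 'name'`; if the unslash step in class-wp-tax-query.php applies to the 'slug' field too, a matching slug case would cover that branch, though I cannot confirm from this page which fields reach it. The method is fully contained in the hunk.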