
Changeset 39662


Timestamp:
01/02/17 19:38:07 (6 months ago)
Author:
boonebgorges
Message:

Don't double-escape terms payload in WP_Tax_Query::transform_query().

terms values are passed through sanitize_term_field() with the 'db'
flag, which adds slashes. Because terms are subsequently run through
esc_sql(), these slashes must be removed. See [36348], which added
a similar step to sanitization in get_terms().

Props bcworkz.
Fixes #39315.

Location:
trunk
Files:
2 edited

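--- a/trunk/src/wp-includes/class-wp-tax-query.php
+++ b/trunk/src/wp-includes/class-wp-tax-query.php
@@ -624,5 +624,10 @@
                      * context is 'db'.
                      */
-                    $term = "'" . esc_sql( sanitize_term_field( $query['field'], $term, 0, $query['taxonomy'], 'db' ) ) . "'";
+                    $clean_term = sanitize_term_field( $query['field'], $term, 0, $query['taxonomy'], 'db' );
+
+                    // Match sanitization in wp_insert_term().
+                    $clean_term = wp_unslash( $clean_term );
+
+                    $term = "'" . esc_sql( $clean_term ) . "'";
                 }
 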
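Review bot: The comment `// Match sanitization in wp_insert_term().` above the added wp_unslash() call says what is mirrored but not why the slashes have to go, and that reason — the only thing that makes the unslash-then-esc_sql() ordering safe to keep — currently lives solely in the commit message. Suggest `// sanitize_term_field() with the 'db' context adds slashes; strip them before esc_sql() so the value is not escaped twice (see #39315).`, either on that line or in the docblock whose tail is visible at the top of the hunk. The enclosing block (presumably the loop that assigns `$term`) and transform_query() itself begin before the hunk, so the ordering relative to any earlier escaping cannot be confirmed from here.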
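--- a/trunk/tests/phpunit/tests/query/taxQuery.php
+++ b/trunk/tests/phpunit/tests/query/taxQuery.php
@@ -1381,3 +1381,32 @@
         _unregister_taxonomy( 'foo' );
     }
+
+    /**
+     * @ticket 39315
+     */
+    public function test_tax_terms_should_not_be_double_escaped() {
+        $name = "Don't worry be happy";
+
+        register_taxonomy( 'wptests_tax', 'post' );
+        $t = self::factory()->term->create( array(
+            'taxonomy' => 'wptests_tax',
+            'name' => $name,
+        ) );
+
+        $p = self::factory()->post->create();
+        wp_set_object_terms( $p, array( $t ), 'wptests_tax' );
+
+        $q = new WP_Query( array(
+            'fields' => 'ids',
+            'tax_query' => array(
+                array(
+                    'taxonomy' => 'wptests_tax',
+                    'field' => 'name',
+                    'terms' => $name,
+                ),
+            ),
+        ) );
+
+        $this->assertEqualSets( array( $p ), $q->posts );
+    }
 }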
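Review bot: `register_taxonomy( 'wptests_tax', 'post' );` in the new test is never paired with an unregister call, while the preceding test visible at the top of the hunk ends with `_unregister_taxonomy( 'foo' );`; unless the base test case resets registered taxonomies in tearDown, the taxonomy leaks into later tests in this file. Adding `_unregister_taxonomy( 'wptests_tax' );` after the assertion would match the file's visible convention either way. The docblock could also state what the apostrophe in `$name` is for, e.g. `* The term name contains a quote so that a double-escaped value would fail to match the stored row.`, since the test name alone does not say which character triggers the bug.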