#10452 closed defect (bug) (wontfix)
Wordpress pollutes POST data
Reported by: | bilge | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | high |
Severity: | critical | Version: | 2.8.2 |
Component: | General | Keywords: | post data pollution |
Focuses: | | Cc: | |
Description
Form data containing quotes is escaped. For example, if a user submits an input field with the name "test" and the value "'", after the form is submitted: $_POST['test'] == "\'".
This is essentially magic_quotes_gpc emulation which is so cancerous that the PHP developers had the good sense to not only deprecate but also remove from the newest versions of PHP, and yet Wordpress sees fit to spread the tumour around some more. All of that is irrelevant, however, when considering that there is no earthly reason to permit any application permission to augment the values of any PHP superglobals and that certainly extends to the POST data collection.
Whether or not I agree that code is poetry is a moot point considering that whoever is responsible for coding this abomination hasn't seen poetic code in their entire lifetime.
Change History (17)
#1 @ 15 years ago
- Milestone 2.8.3 deleted
- Resolution set to wontfix
- Status changed from new to closed
#2 @ 15 years ago
- Resolution wontfix deleted
- Status changed from closed to reopened
It breaks FORWARD compatibility. The form values on my website are now displayed as "How\'re Wordpress developers so ignorant?" after a few postbacks.
I don't know what backward compatibility you think you're protecting. Wordpress is still infantile and anyone who isn't prepared to update their plug-ins to support this change hasn't written a plug-in anyone is going to miss.
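The following PHP is an added example, not code from WordPress core or from anyone on this ticket. It reproduces the behaviour described in the ticket (WordPress running addslashes() over $_POST during bootstrap) and the symptom from comment #2, where a value echoed back into a form gains another backslash on every postback. The demo_ helpers are stand-ins written for this example; they are assumed to behave like WordPress's own add_magic_quotes() and stripslashes_deep() (wp_unslash() in later versions), and the two "plugin" functions are invented to contrast the wrong and the right handling.

```php
<?php
// Stand-in for WordPress's add_magic_quotes(): addslashes() every string,
// recursing into nested arrays, exactly what wp-settings.php did to $_POST.
function demo_add_magic_quotes(array $data): array {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? demo_add_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $data;
}

// Stand-in for stripslashes_deep() / wp_unslash(): undo one layer of slashing.
function demo_unslash($value) {
    if (is_array($value)) {
        return array_map('demo_unslash', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Simulates the server side of one form submission: WordPress slashes the
// request, the plugin reads it, and returns the string it will put back into
// the <input value="..."> that the browser submits on the next postback.
function demo_buggy_plugin(string $browser_sent): string {
    $_POST = demo_add_magic_quotes(['test' => $browser_sent]);
    // Mistake: treats $_POST as the raw request, so the slashes WordPress
    // added are stored and re-displayed as if the user had typed them.
    return $_POST['test'];
}

function demo_correct_plugin(string $browser_sent): string {
    $_POST = demo_add_magic_quotes(['test' => $browser_sent]);
    // Strip the bootstrap slashing before the value is used for anything.
    $value = demo_unslash($_POST['test']);
    // When rendering, escape for the output context (esc_attr() in WordPress);
    // when storing, use $wpdb->prepare() rather than relying on the slashes.
    return $value;
}

// Drive the submitted value through three postbacks with each plugin.
function demo_postbacks(callable $plugin, string $typed, int $rounds): string {
    $value = $typed;
    for ($i = 0; $i < $rounds; $i++) {
        $value = $plugin($value);
    }
    return $value;
}

$typed = "How're";
echo "buggy:   ", demo_postbacks('demo_buggy_plugin', $typed, 3), "\n";
echo "correct: ", demo_postbacks('demo_correct_plugin', $typed, 3), "\n";
```

With the buggy plugin the backslash count grows on each round trip, because addslashes() escapes the backslashes it added on the previous submission as well as the apostrophe; with the correct plugin the value stays "How're" no matter how many times the form is resubmitted. The same unslash-before-use rule applies to $_GET, $_COOKIE and $_SERVER, which WordPress slashes in the same pass.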
#3 (follow-up: ↓ 4) @ 15 years ago
I don't know what backward compatibility you think you're protecting.
Probably the few thousand plugins which expect slashed data.
#4 (in reply to: ↑ 3) @ 15 years ago
Replying to dd32:
I don't know what backward compatibility you think you're protecting.
Probably the few thousand plugins which expect slashed data.
Your conjecture is noted, however irrelevant.
#5 @ 15 years ago
bilge, sorry that WordPress and the thousands of plugins developed for it don't meet your expectations currently. While your point is indeed valid, your attitude toward contributors is not welcome. If you would like to continue helping improve WordPress, please be more respectful of others. If not, then thank you for considering WordPress.
#6 @ 15 years ago
Wordpress contributors have not earned any respect. Do you honestly expect to get away with such gut wrenchingly awful code, and not only that, but after having your attention raised to the most dire of problems stemming from your collective incompetence, close the only ticket that could actually be the first step towards salvaging this mess with the resolution "won't fix"? Were you expecting to be commended for that?
I got into Wordpress for how it looked on the surface. I should have been mindful that beauty is so often only ever skin deep. Since installing it, it has been nothing but a world of pain because of issues exactly like this (and others, such as polluting the global namespace) which if not rectified will force me to move to another platform.
You may think that my attitude is foul, but if you remove me, the stench won't go away. The stench is here because I'm doing the dirty work of unearthing some of the fundamental flaws in your software and you're getting offended because you can't stand to see the sight of them. It's about time someone corrected this mess and I don't mind if it starts with me. If you actually have the first clue about how your own code works then prove it and start fixing some of the things that are fundamentally wrong with it, starting with this ticket.
There are many ways to address issues of backwards compatibility. Add an option for new plug-ins to subscribe to the raw POST data and provide escaped output to the old plug-ins if that's what it takes. It shouldn't be up to me to make suggestions on how to implement fixes: my responsibility ends with reporting bugs and providing feedback to clarify said reports. The onus is now on yourselves to come up with the best solution for this fine mess you've gotten yourselves into, and not to sweep it back under the rug.
#7 @ 15 years ago
- Resolution set to wontfix
- Status changed from reopened to closed
Editorialize on the hackers list, which is the venue for this.
#9 @ 15 years ago
- Resolution set to wontfix
- Status changed from reopened to closed
bilge, please don't reopen this ticket.
#10 @ 15 years ago
bilge, I'm glad you think WP is beautiful on the surface, but seriously, you need to build a reputation in the project before you can cop such an attitude. And even then it's uglier than you claim our code is.
#12 @ 15 years ago
Oh, I apologise, I didn't realise my kudos wasn't high enough for you to start fixing critical bugs raised by myself.
#13 (follow-up: ↓ 14) @ 15 years ago
It's not that it's because you've raised it, it's because we all know about it, and we all know that too many amateur plugin developers -rely- on it (unfortunately). I could've reported this and it'd be closed the same, or if a Core Dev did.. well.. it wouldn't get fixed, but it'd probably sit around open for a few years without anyone touching it..
Yes, it's going to be "fixed" in the future. But really, not anytime soon. I'd like to see it change when the move to PHP5-only support is added really.
#14 (in reply to: ↑ 13) @ 15 years ago
Replying to dd32:
if a Core Dev did.. [...] it'd probably sit around open
So by your own admission, if someone else opened this ticket it wouldn't have been closed, even though that's contrary to the point you were trying to make.
#15 @ 15 years ago
So by your own admission, if someone else opened this ticket it wouldn't have been closed, even though that's contrary to the point you were trying to make.
Yes, in my opinion, if a core developer (who I am not, nor can I speak on behalf of) opened it, then it'd have been left up to that developer as to close it, or to leave it open if they were to change it in the near future. Given Ryan closed it however.. probably wouldn't've mattered since he's the lead.
My points still stand.
#16 @ 15 years ago
If he is the lead then this project really has lost all hope. At least something useful has come from this in that I learn this is not an application one should be deploying for clients to use, but I suppose you get what you pay for.
#17 @ 15 years ago
Not that all hope is lost, merely that sanity prevails. People whinge when you break backwards compatibility, people complain when you don't. It's easier for the millions of end users to break a lot of back-compat at once, rather than cause an ongoing pain.
/me is going to stop replying to this ticket for everyone's sake
No one likes it, but changing will break backward compatibility so it is here to stay for awhile longer.