Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#10452 closed defect (bug) (wontfix)

Wordpress pollutes POST data

Reported by: bilge
Owned by:
Milestone:
Priority: high
Severity: critical
Version: 2.8.2
Component: General
Keywords: post data pollution
Focuses:
Cc:

Description

Form data containing quotes is escaped. For example, if a user submits an input field with the name "test" and the value "'", after the form is submitted: $_POST['test'] == "\'".

This is essentially magic_quotes_gpc emulation which is so cancerous that the PHP developers had the good sense to not only deprecate but also remove from the newest versions of PHP, and yet Wordpress sees fit to spread the tumour around some more. All of that is irrelevant, however, when considering that there is no earthly reason to permit any application permission to augment the values of any PHP superglobals and that certainly extends to the POST data collection.

Whether or not I agree that code is poetry is a moot point considering that whoever is responsible for coding this abomination hasn't seen poetic code in their entire lifetime.

Change History (17)

comment:1 ryan 5 years ago

  • Milestone 2.8.3 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

No one likes it, but changing will break backward compatibility so it is here to stay for awhile longer.

comment:2 bilge 5 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

It breaks FORWARD compatibility. The form values on my website are now displayed as "How \'re Wordpress developers so ignorant?" after a few postbacks.

I don't know what backward compatibility you think you're protecting. Wordpress is still infantile and anyone who isn't prepared to update their plug-ins to support this change hasn't written a plug-in anyone is going to miss.
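The following is an added example, not code from the ticket or from WordPress core. It models the behaviour the description and comment:2 complain about: on every request core runs an addslashes() pass over $_GET, $_POST and $_COOKIE (the assumption here is that core's add_magic_quotes() is a recursive addslashes(); slash_deep() is a stand-in written for this example, not a copy), so a plugin that stores or re-displays $_POST['test'] untouched accumulates a fresh layer of backslashes on each postback. The careful variant strips the slashes with a stripslashes() pass (mirroring core's stripslashes_deep(); the wp_unslash() name arrived later, in WordPress 3.6) and escapes only at the HTML output boundary. Function names other than the PHP built-ins are this example's own.

```php
<?php
// Added example, not WordPress core code. slash_deep() stands in for the
// addslashes() pass core applies to request data on every request
// (assumption: core's add_magic_quotes() is a recursive addslashes();
// this is a model of it, not a copy). unslash_deep() mirrors
// stripslashes_deep(), the core helper available at the time.

/** Recursively addslashes() every string, as core does to $_POST. */
function slash_deep($value)
{
    if (is_array($value)) {
        return array_map('slash_deep', $value);   // keys are preserved
    }
    return is_string($value) ? addslashes($value) : $value;
}

/** Recursively stripslashes() every string: the inverse of slash_deep(). */
function unslash_deep($value)
{
    if (is_array($value)) {
        return array_map('unslash_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** Escape at the output boundary only, for use inside value="...". */
function attr($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Drive $rounds postbacks of one field. Each round the browser submits
 * $submitted, core slashes it into $_POST, the plugin returns the string it
 * stores and puts back into the form, and the browser submits that again.
 */
function run_postbacks($submitted, callable $plugin, $rounds = 3)
{
    for ($i = 0; $i < $rounds; $i++) {
        $post = slash_deep(['test' => $submitted]);   // what the plugin sees
        $submitted = $plugin($post);                  // what comes back next
    }
    return $submitted;
}

// The plugin from the ticket: stores and re-displays $_POST['test'] as
// received, so each postback doubles the backslashes already present and
// adds one more in front of the quote.
$naive = function (array $post) {
    return $post['test'];
};

// The same plugin done right: undo the slashes core added before the value
// is stored or compared; escaping for HTML happens only when rendering.
$careful = function (array $post) {
    $clean = unslash_deep($post);
    return $clean['test'];
};

$input = "It's \"quoted\"";                     // constructed sample input
$after_naive   = run_postbacks($input, $naive);
$after_careful = run_postbacks($input, $careful);

echo "naive   after 3 postbacks: ", $after_naive, "\n";
echo "careful after 3 postbacks: ", $after_careful, "\n";
echo '<input name="test" value="', attr($after_careful), '">', "\n";
```

With a single quote as input, the naive plugin's stored value carries one, three and then seven backslashes after successive postbacks, which is the growth comment:2 describes. The plugins that the next comment says rely on the slashing are those that interpolate $_POST values straight into SQL strings and would become injectable without it; the correct replacement for such code is to unslash the input and pass it through $wpdb->prepare(), which existed in the 2.8 line, rather than to depend on a global escaping pass.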

comment:3 follow-up: dd32 5 years ago

I don't know what backward compatibility you think you're protecting.

Probably the few thousand plugins which expect slashed data.

comment:4 in reply to: ↑ 3 bilge 5 years ago

Replying to dd32:

I don't know what backward compatibility you think you're protecting.

Probably the few thousand plugins which expect slashed data.

Your conjecture is noted, however irrelevant.

comment:5 johnbillion 5 years ago

bilge, sorry that WordPress and the thousands of plugins developed for it don't meet your expectations currently. While your point is indeed valid, your attitude toward contributors is not welcome. If you would like to continue helping improve WordPress, please be more respectful of others. If not, then thank you for considering WordPress.

comment:6 bilge 5 years ago

Wordpress contributors have not earned any respect. Do you honestly expect to get away with such gut wrenchingly awful code, and not only that, but after having your attention raised to the most dire of problems stemming from your collective incompetence, close the only ticket that could actually be the first step towards salvaging this mess with the resolution "won't fix"? Were you expecting to be commended for that?

I got into Wordpress for how it looked on the surface. I should have been mindful that beauty is so often only ever skin deep. Since installing it, it has been nothing but a world of pain because of issues exactly like this (and others, such as polluting the global namespace) which if not rectified will force me to move to another platform.

You may think that my attitude is foul, but if you remove me, the stench won't go away. The stench is here because I'm doing the dirty work of unearthing some of the fundamental flaws in your software and you're getting offended because you can't stand to see the sight of them. It's about time someone corrected this mess and I don't mind if it starts with me. If you actually have the first clue about how your own code works then prove it and start fixing some of the things that are fundamentally wrong with it, starting with this ticket.

There are many ways to address issues of backwards compatibility. Add an option for new plug-ins to subscribe to the raw POST data and provide escaped output to the old plug-ins if that's what it takes. It shouldn't be up to me to make suggestions on how to implement fixes: my responsibility ends with reporting bugs and providing feedback to clarify said reports. The onus is now on yourselves to come up with the best solution for this fine mess you've gotten yourselves into, and not to sweep it back under the rug.

comment:7 ryan 5 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

Editorialize on the hackers list, which is the venue for this.

comment:8 bilge 5 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Wrong answer.

comment:9 lloydbudd 5 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

bilge, please don't reopen this ticket.

comment:10 janeforshort 5 years ago

bilge, I'm glad you think WP is beautiful on the surface, but seriously, you need to build a reputation in the project before you can cop such an attitude. And even then it's uglier than you claim our code is.

comment:11 janeforshort 5 years ago

  • Keywords cancer abomination removed

comment:12 bilge 5 years ago

Oh, I apologise, I didn't realise my kudos wasn't high enough for you to start fixing critical bugs raised by myself.

comment:13 follow-up: dd32 5 years ago

It's not that it's because you've raised it. It's because we all know about it, and we all know that too many amateur plugin developers -rely- on it (unfortunately). I could've reported this and it'd be closed the same, or if a Core Dev did.. well.. it wouldn't get fixed, but it'd probably sit around open for a few years without anyone touching it..

Yes, it's going to be "fixed" in the future. But really, not anytime soon. I'd like to see it change when the move to PHP5-only support is added really.

comment:14 in reply to: ↑ 13 bilge 5 years ago

Replying to dd32:

if a Core Dev did.. [...] it'd probably sit around open

So by your own admission, if someone else opened this ticket it wouldn't have been closed, even though that's contrary to the point you were trying to make.

comment:15 dd32 5 years ago

So by your own admission, if someone else opened this ticket it wouldn't have been closed, even though that's contrary to the point you were trying to make.

Yes, in my opinion, if a core developer (who I am not, nor can I speak on behalf of) opened it, then it'd have been left up to that developer as to close it, or to leave it open if they were to change it in the near future. Given Ryan closed it however.. probably wouldn't've mattered since he's the lead.

My points still stand.

comment:16 bilge 5 years ago

If he is the lead then this project really has lost all hope. At least something useful has come from this in that I learn this is not an application one should be deploying for clients to use, but I suppose you get what you pay for.

comment:17 dd32 5 years ago

Not that all hope is lost, merely that sanity prevails. People whinge when you break backwards compatibility, people complain when you don't. It's easier for the millions of end users to break a lot of back-compat at once, rather than cause an ongoing pain.

/me is going to stop replying to this ticket for everyones sake
