Make WordPress Core

Opened 15 years ago

Closed 15 years ago

#10801 closed defect (bug) (fixed)

Revision posts are saved with double-filtered content

Reported by: redsweater's profile redsweater Owned by: ryan's profile ryan
Milestone: 2.9 Priority: normal
Severity: normal Version: 2.8.4
Component: Formatting Keywords:
Focuses: Cc:

Description (last modified by ryan)

When a post is saved using wp_insert_post, the post is first sanitized with sanitize_post, which applies the content_save_pre filter to the description of the post.

Later in wp_insert_post, the pre_post_update filter is called, which causes the wp_save_post_revision method to be called, with the ALREADY-sanitized content of the post. The wp_save_post_revision ends up calling wp_insert_post for the revision entry, which this time sanitizes the post content again before saving it in the revision.

The problem here is if any content_save_pre filter (or any of the other sanitizing content filters, for that matter) produce "nonterminal" results, then the content that is saved to the revision copy ends up being an inaccurate representation of the post.

For example, the popular SyntaxHighlighter Evolved plugin:

http://www.viper007bond.com/wordpress-plugins/syntaxhighlighter/

Uses a technique that escapes entities on the way into the database, and unescapes them on the way out. So for instance, an ampersand in the post content is escaped to "&". But by the time the post revision is saved, it is asked again to sanitize, this time converting "&" into "&".

I'm not sure what the right fix is.

Attachments (2)

10801.diff (876 bytes) - added by ryan 15 years ago.
Check filter before sanitizing. Untested.
10801.2.diff (1.8 KB) - added by ryan 15 years ago.

Download all attachments as: .zip

Change History (9)

#1 @ryan
15 years ago

  • Description modified (diff)

sanitize_post() sets a "filter" field in the passed object. We can check to see if filter is already set before filtering again.

#2 @ryan
15 years ago

  • Component changed from General to Formatting
  • Milestone changed from Unassigned to 2.9

@ryan
15 years ago

Check filter before sanitizing. Untested.

#3 @ryan
15 years ago

Since pre_post_update is being passed an ID instead of an object, I'm not sure how this is getting double filtered unless the global post object is being polluted and then retrieved with get_post(). I don't think that's happening here, but just in case I've put a check in get_post() to make sure it is does not use global post if it is already filtered in a way other than requested.

@ryan
15 years ago

#4 @ryan
15 years ago

  • Owner set to ryan
  • Status changed from new to assigned

#5 @johanee
15 years ago

First part (to get_post()) looks really weird, not sure what the purpose is. Won't the "isset($GLOBALSpost?->ID)" branch result in an infinite recursion?

#6 @ryan
15 years ago

(In [12062]) Improve sanitize_post() performance. Perform raw filtering only once. Add filter check to eliminate double filtering. Props johanee. fixes #10972 see #10801

#7 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed
Note: See TracTickets for help on using tickets.