WordPress.org

Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#11253 closed defect (bug) (invalid)

update_option escapes input but get_option doesn't un-escape

Reported by: nullvariable Owned by: westi
Milestone: Priority: normal
Severity: trivial Version: 2.8.5
Component: Plugins Keywords:
Focuses: Cc:

Description

Version: WordPress MU 2.8.6

Duplicate the issue:
write any data to an update_option value in the database and include quotes in it.

Problem is in the source code (verified by reading line 167+ of /wp-includes/functions.php)

Server: Apache2, PHP5

Details:
adding an option to the database using update_option() (line 228+ of functions.php) will cause any quotes to be escaped. However output returned by get_option() (line 167+) does not un-escape this value. It seems which PHP5 that even if I escape my own data it get's escaped again so anytime I expect to use html or quotes in an option field I have to make sure there's a stripslashes applied to the get_option output. Makes sense to me that if we escape the content on the way in we should un-escape the content on the way back out. But I could be wrong.

Change History (2)

#1 @Denis-de-Bernardy
11 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#2 @nacin
11 years ago

  • Milestone Unassigned deleted
Note: See TracTickets for help on using tickets.