#12281 closed defect (bug) (fixed)
Double Escaped Problem in wp_getComments
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 3.0 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | XML-RPC | Keywords: | has-patch |
| Focuses: | Cc: |
Description
The XML-RPC method wp.getComments uses the wp_getComment function to gather up the individual comment details. It provides the wp_getComment with the already escaped version of blog_id, username, and password. The wp_getComment function then escapes those values again. This causes a problem if your password happens to have a single quote in it.
We need to pass the original, un-escaped, raw arguments to wp_getComment so that they don't end up escaped twice. I've created a patch that keeps a copy of $args in $raw_args and uses those when calling wp_getComment.
This is definitely a bug so I'd like to see it in 3.0. If we have another 2.9.x release it should probably go in there as well. I'm happy to put together a 2.9.x specific patch if we do that.
(In [13208]) Fix double escaping in wp_getComments. Props josephscott. fixes #12281 for 2.9