id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses 12416,"*_option(), *_transient() and *_meta() functions should all expect unslashed data.",Denis-de-Bernardy,ryan,"Following up on: http://core.trac.wordpress.org/ticket/9015#comment:136 It's totally irresponsible to expect plugin authors to escape whatever they send into get_option(). As things stand: - get_option(), delete_option(), get_site_option() assume it's slashed - add_option(), update_option(), add_site_option() seem to assume it's unslashed, as does __get_option() - *_transient() seem to expect unslashed input. - delete_site_option() is very special: it expects slashed input if you're not on using multisite, but unslashed if you are - update_site_option() is equallty special: it needs slashed input if the option is not loaded already, and unslashed input if it is the list goes on, and on... these inconsistencies, which come on top of the *_meta() functions, which expect slashed data. it's totally nuts, insecure, and irresponsible. especially considering calls in WP such as: - get_option(""{$size}_crop""); or functions such as: {{{ function form_option( $option ) { echo esc_attr( get_option( $option ) ); } function get_settings_errors( $setting = '', $sanitize = FALSE ) { global $wp_settings_errors; //... isn't it ironic that using sanitize here makes it LESS secure? if ( $sanitize ) sanitize_option( $setting, get_option($setting)); // ... }}} we're asking for trouble here...",defect (bug),new,normal,3.0,Security,3.0,blocker,,,,