WordPress.org

Make WordPress Core

Opened 8 years ago

Last modified 5 months ago

#18395 new defect (bug)

Non-URL GUIDs are stripped on post update

Reported by: alexkingorg Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.2.1
Component: Posts, Post Types Keywords: needs-patch needs-refresh
Focuses: Cc:
PR Number:

Description

The post guid is run through several filters before the post is saved. the esc_url_raw() call will end up setting a GUID to an empty string if the GUID does not begin with a known/accepted protocol.

If a plugin/etc. wants to use the GUID column to store an external ID for an item brought in from another system (say a Flickr photo ID), then updating a post that has the Flickr ID as its GUID through the WP admin will end up setting the GUID for that post to .

This would need to be changed if the move was made to UUIDs for GUID values as well. Related: #6492.

A very basic patch for this specific issue is attached, but a larger discussion around how this should work is likely needed. Related: #18315

Attachments (1)

patch.diff (598 bytes) - added by alexkingorg 8 years ago.
very basic patch

Download all attachments as: .zip

Change History (5)

@alexkingorg
8 years ago

very basic patch

#1 @nacin
8 years ago

This is a security precaution. Unfortunately, $post->guid may be used as a URL, which means that it needs to be secure if so. (Otherwise it's possible to stuff this with a POST.) Deciding whether we can use esc_url_raw vs regular attribute escaping (or strip_tags) can be a challenge.

#2 @prettyboymp
8 years ago

Wouldn't it be better escaped on output rather than input?

#3 @nacin
6 years ago

  • Component changed from Validation to Post Types

#4 @chriscct7
4 years ago

  • Keywords needs-patch needs-refresh added
Note: See TracTickets for help on using tickets.