Opened 13 years ago
Last modified 5 years ago
#18395 new defect (bug)
Non-URL GUIDs are stripped on post update
Reported by: | alexkingorg | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.2.1 |
Component: | Posts, Post Types | Keywords: | needs-patch needs-refresh |
Focuses: | Cc: |
Description
The post guid is run through several filters before the post is saved. the esc_url_raw() call will end up setting a GUID to an empty string if the GUID does not begin with a known/accepted protocol.
If a plugin/etc. wants to use the GUID column to store an external ID for an item brought in from another system (say a Flickr photo ID), then updating a post that has the Flickr ID as its GUID through the WP admin will end up setting the GUID for that post to .
This would need to be changed if the move was made to UUIDs for GUID values as well. Related: #6492.
A very basic patch for this specific issue is attached, but a larger discussion around how this should work is likely needed. Related: #18315
Attachments (1)
Change History (5)
#1
@
13 years ago
This is a security precaution. Unfortunately, $post->guid may be used as a URL, which means that it needs to be secure if so. (Otherwise it's possible to stuff this with a POST.) Deciding whether we can use esc_url_raw vs regular attribute escaping (or strip_tags) can be a challenge.
very basic patch