Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#21892 closed defect (bug) (fixed)

sanitize_option() adds and strip slashes to use the wrong kses functions

Reported by: nacin's profile nacin Owned by: nacin's profile nacin
Milestone: 3.5 Priority: normal
Severity: normal Version:
Component: Formatting Keywords:
Focuses: Cc:


sanitize_option() does this:

$value = addslashes($value);
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
$value = stripslashes($value);

When it should instead do this:

$value = wp_kses_post( $value );

Likewise for wp_filter_kses() versus wp_kses_data().

Change History (1)

#1 @nacin
12 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [21850]:

Use the non-slashing variants of kses functions in sanitize_option() to avoid slash ping pong. fixes #21892.

Note: See TracTickets for help on using tickets.