Make WordPress Core

#21892 closed defect (bug) (fixed)

sanitize_option() adds and strips slashes to use the wrong kses functions

Reported by: nacin
Owned by: nacin
Milestone: 3.5
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords:
Focuses:
Cc:

Description

sanitize_option() does this:

$value = addslashes($value);
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
$value = stripslashes($value);

When it should instead do this:

$value = wp_kses_post( $value );

Likewise for wp_filter_kses() versus wp_kses_data().
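
As an added illustration (not code from the ticket or from WordPress itself), a small PHP model of the two call paths: model_kses() is a hypothetical stand-in for wp_kses() built on strip_tags(), and the model_* wrappers mirror the real relationship where wp_filter_post_kses() unslashes, filters, then re-slashes, while wp_kses_post() filters directly.

```php
<?php
// Added example, not WordPress code: model the pre-fix and post-fix paths of
// sanitize_option() to show the add/strip wrapper was a pure round trip.

function model_kses(string $data): string {
    // Hypothetical stand-in for wp_kses($data, 'post'): keep only <b> and <a>.
    // Real wp_kses() also checks attributes and URL protocols.
    return strip_tags($data, '<b><a>');
}

// Mirrors wp_kses_post(): expects and returns unslashed data.
function model_wp_kses_post(string $data): string {
    return model_kses($data);
}

// Mirrors wp_filter_post_kses(): expects slashed data, returns slashed data.
function model_wp_filter_post_kses(string $data): string {
    return addslashes(model_kses(stripslashes($data)));
}

// The pre-fix sanitize_option() path from the ticket: slash, filter, unslash.
function sanitize_before_fix(string $value): string {
    $value = addslashes($value);
    $value = model_wp_filter_post_kses($value); // unslashes, filters, re-slashes
    return stripslashes($value);
}

// The post-fix path from [21850]: call the non-slashing variant directly.
function sanitize_after_fix(string $value): string {
    return model_wp_kses_post($value);
}

// Constructed inputs with quotes, backslashes and a disallowed tag, which is
// where a slashing mismatch would show up.
$samples = [
    'Plain <b>bold</b> text',
    "O'Reilly said \"hi\" <script>alert(1)</script>",
    'C:\\path\\with\\backslashes <a href="x">link</a>',
];

foreach ($samples as $s) {
    $before = sanitize_before_fix($s);
    $after  = sanitize_after_fix($s);
    printf("%s\n  before: %s\n  after:  %s\n",
        $before === $after ? 'same' : 'DIFFER', $before, $after);
}
```

All three samples print "same": because stripslashes(addslashes($x)) returns $x unchanged, the filter sees unslashed data on both paths and the extra pair of calls only adds a round trip.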

Change History (1)

comment:1 nacin, 19 months ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [21850]:

Use the non-slashing variants of kses functions in sanitize_option() to avoid slash ping pong. fixes #21892.
