Make WordPress Core

Opened 3 years ago

Closed 3 months ago

#23905 closed defect (bug) (duplicate)

Add_post_meta strips slashes

Reported by: Looimaster Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.5
Component: Options, Meta APIs Keywords:
Focuses: Cc:


Let's assume that JS generated an object that I want to store in custom field. Everything goes smooth when I convert it back and forth from JS to PHP and from PHP to JS (using json_encode() and json_decode()) and it even works when I do update_post_meta() manually in my file but this stops working as soon as WordPress Importer tries to load it from XML file (in XML it's still valid object) using add_post_meta().

This is the code from importer from the bottom of process_posts() function:

if ( $key ) {
	// export gets meta straight from the DB so could have a serialized string
	if ( ! $value )
		$value = maybe_unserialize( $meta['value'] );
		$value = '{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}'; // I added this for test purposes

	add_post_meta( $post_id, $key, $value );
	do_action( 'import_post_meta', $post_id, $key, $value );

This is an object:

{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}

It strips slashes from HTML tags (before each double quote sign) from objects that are stored as strings. I bet it shouldn't happen. Why would add_post_meta strip slashes or anything if XML explicitly says:

<wp:meta_value><![CDATA[{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}]]></wp:meta_value>

which in XML language is considered "use as is. Do not modify". I think that it might be a bug.

Change History (6)

#1 @Looimaster
3 years ago

I think that it happens in:

When it performs:

// expected_slashed ($meta_key)
46 $meta_key = stripslashes($meta_key);
47 $meta_value = stripslashes_deep($meta_value);
48 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );

So, it is there for a reason but it is conflicting my strings by removing slashes from them... Shouldn't a string always remain an intact string?

And one more update: if you go over to Posts > Add New and put this code there and hit "Update" then slashes will not be stripped. It works differently for sure.

Last edited 3 years ago by Looimaster (previous) (diff)

#2 @SergeyBiryukov
3 years ago

  • Version changed from 3.5.1 to 2.5

Introduced in [6240]. Related: [5249] (for #4028), [14755] (for #12860), #12416, #21767.

#3 @kovshenin
3 years ago

  • Cc kovshenin added

#4 @nacin
23 months ago

  • Keywords close added

Duplicate of #18322?

#5 @nacin
23 months ago

  • Component changed from General to Options and Meta

#6 @chriscct7
3 months ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #18322.

Note: See TracTickets for help on using tickets.