Make WordPress Core

Opened 13 months ago

Last modified 3 months ago

#23905 new defect (bug)

Add_post_meta strips slashes

Reported by: Looimaster Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 2.5
Component: Options, Meta APIs Keywords: close
Focuses: Cc:


Let's assume that JS generated an object that I want to store in custom field. Everything goes smooth when I convert it back and forth from JS to PHP and from PHP to JS (using json_encode() and json_decode()) and it even works when I do update_post_meta() manually in my file but this stops working as soon as WordPress Importer tries to load it from XML file (in XML it's still valid object) using add_post_meta().

This is the code from importer from the bottom of process_posts() function:

if ( $key ) {
	// export gets meta straight from the DB so could have a serialized string
	if ( ! $value )
		$value = maybe_unserialize( $meta['value'] );
		$value = '{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}'; // I added this for test purposes

	add_post_meta( $post_id, $key, $value );
	do_action( 'import_post_meta', $post_id, $key, $value );

This is an object:

{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}

It strips slashes from HTML tags (before each double quote sign) from objects that are stored as strings. I bet it shouldn't happen. Why would add_post_meta strip slashes or anything if XML explicitly says:

<wp:meta_value><![CDATA[{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}]]></wp:meta_value>

which in XML language is considered "use as is. Do not modify". I think that it might be a bug.

Change History (5)

comment:1 Looimaster13 months ago

I think that it happens in:

When it performs:

// expected_slashed ($meta_key)
46 $meta_key = stripslashes($meta_key);
47 $meta_value = stripslashes_deep($meta_value);
48 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );

So, it is there for a reason but it is conflicting my strings by removing slashes from them... Shouldn't a string always remain an intact string?

And one more update: if you go over to Posts > Add New and put this code there and hit "Update" then slashes will not be stripped. It works differently for sure.

Last edited 13 months ago by Looimaster (previous) (diff)

comment:2 SergeyBiryukov13 months ago

  • Version changed from 3.5.1 to 2.5

Introduced in [6240]. Related: [5249] (for #4028), [14755] (for #12860), #12416, #21767.

comment:3 kovshenin13 months ago

  • Cc kovshenin added

comment:4 nacin3 months ago

  • Keywords close added

Duplicate of #18322?

comment:5 nacin3 months ago

  • Component changed from General to Options and Meta
Note: See TracTickets for help on using tickets.