WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 16 months ago

#23905 new defect (bug)

Add_post_meta strips slashes

Reported by: Looimaster Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 2.5
Component: Options, Meta APIs Keywords: close
Focuses: Cc:

Description

Let's assume that JS generated an object that I want to store in custom field. Everything goes smooth when I convert it back and forth from JS to PHP and from PHP to JS (using json_encode() and json_decode()) and it even works when I do update_post_meta() manually in my file but this stops working as soon as WordPress Importer tries to load it from XML file (in XML it's still valid object) using add_post_meta().

This is the code from importer from the bottom of process_posts() function:

if ( $key ) {
	// export gets meta straight from the DB so could have a serialized string
	if ( ! $value )
		$value = maybe_unserialize( $meta['value'] );
		$value = '{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}'; // I added this for test purposes

	add_post_meta( $post_id, $key, $value );
	do_action( 'import_post_meta', $post_id, $key, $value );

This is an object:

{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}

It strips slashes from HTML tags (before each double quote sign) from objects that are stored as strings. I bet it shouldn't happen. Why would add_post_meta strip slashes or anything if XML explicitly says:

<wp:meta_value><![CDATA[{"0":{"type":"text","text":""},"1":{"type":"html","html":"<div class=\"cssclass\" style=\"margin-top: 3em;\"><p>here goes html</p></div>","css_class":""}}]]></wp:meta_value>

which in XML language is considered "use as is. Do not modify". I think that it might be a bug.

Change History (5)

comment:1 @Looimaster2 years ago

I think that it happens in:
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/meta.php#L0

When it performs:

// expected_slashed ($meta_key)
46 $meta_key = stripslashes($meta_key);
47 $meta_value = stripslashes_deep($meta_value);
48 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );

So, it is there for a reason but it is conflicting my strings by removing slashes from them... Shouldn't a string always remain an intact string?

And one more update: if you go over to Posts > Add New and put this code there and hit "Update" then slashes will not be stripped. It works differently for sure.

Last edited 2 years ago by Looimaster (previous) (diff)

comment:2 @SergeyBiryukov2 years ago

  • Version changed from 3.5.1 to 2.5

Introduced in [6240]. Related: [5249] (for #4028), [14755] (for #12860), #12416, #21767.

comment:3 @kovshenin2 years ago

  • Cc kovshenin added

comment:4 @nacin16 months ago

  • Keywords close added

Duplicate of #18322?

comment:5 @nacin16 months ago

  • Component changed from General to Options and Meta
Note: See TracTickets for help on using tickets.