Opened 10 months ago
Last modified 3 months ago
#24248 new defect (bug)
'guid' not properly escaped
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | 2.5 |
| Component: | Posts, Post Types | Keywords: | has-patch needs-unit-tests 3.7-early |
| Focuses: | Cc: |
Description (last modified by SergeyBiryukov)
Probably related issues: #18274 #19248
'guid' being saved in database not properly escaped, example:
http://www.wordpress.dev/?post_type=changeset&p=57 , see the ampersand encode &
It supposed to be & or at least &
Once 'auto-draft' saved, 'guid' is correct: http://www.wordpress.dev/?post_type=changeset&p=57
Once post is saved as 'draft' or published (triggered 'update post' on auto-draft), 'guid' gets malformed.
Source of issue: inappropriate usage of get_post_field() function in the wp_insert_post()
get_post_field() defaults to 'display' context, we not specify context while obtaining field, and in the wp_insert_post() we are not going to display it anywhere, just get, check, and save again, correct?
Attached patch adds the 'raw' context to usage of get_post_field() with 'guid'
Attachments (1)
Change History (8)
comment:2
SergeyBiryukov
— 10 months ago
- Description modified (diff)
comment:3
SergeyBiryukov
— 10 months ago
- Keywords needs-unit-tests 3.7-early added; needs-testing removed
- Milestone changed from Awaiting Review to Future Release
- Version changed from trunk to 2.5
Introduced in [6593]. Triggered by the introduction of custom post types in 2.9, since their permalinks can contain an ampersand.
guid-context.patch seems good. Other get_post_field() instances in wp_insert_post() should probably use 'raw' context too.
comment:4
SergeyBiryukov
— 10 months ago
Related: #13555
comment:5
wonderboymusic
— 7 months ago
- Milestone changed from Future Release to 3.7
these are all marked 3.7-early
adds 'raw' context to get_post_field() call for 'guid' field