Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#27216 closed defect (bug) (fixed)

wp_ajax_time_format() and wp_ajax_date_format() need to return unslashed data

Reported by: GregLone
Owned by: nacin
Milestone: 3.9
Priority: normal
Severity: normal
Version: 3.4
Component: Formatting
Keywords: has-patch needs-testing
Focuses: ui
Cc:

Description

Hello.

wp_ajax_time_format() and wp_ajax_date_format() are missing an unslash operation.
How to reproduce:

  • Go to "Settings" >> "General" and look for the time format.
  • Change the value in the "Custom" field, including some escaped characters. For example, in French we have G \h i \m\i\n by default; I change it to H \h i \m\i\n.
  • Click outside the field, without submitting the form: an ajax call is made to update the time at the right of the field, with the new format.
  • Result: instead of displaying "22 h 34 min", it displays "22 \10 34 \02\34\2".

The problem is the new format sent via ajax: H \h i \m\i\n becomes H \\h i \\m\\i\\n.

The solution is to unslash it before passing it through date_i18n(), like this:

function wp_ajax_date_format() {
	wp_die( date_i18n( sanitize_option( 'date_format', wp_unslash( $_POST['date'] ) ) ) );
}

function wp_ajax_time_format() {
	wp_die( date_i18n( sanitize_option( 'time_format', wp_unslash( $_POST['date'] ) ) ) );
}

Bye
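The double-slashing reported above can be reproduced in plain PHP. This is an added example, not part of the original ticket or of WordPress core. Assumptions: addslashes() and stripslashes() stand in for the slashing WordPress applies to $_POST and for wp_unslash(), gmdate() stands in for date_i18n(), and render_format() is a hypothetical helper.

```php
<?php
// Added illustration; runs without WordPress loaded.
// Assumptions: addslashes()/stripslashes() model the slashing of $_POST and
// wp_unslash(); gmdate() models date_i18n(); render_format() is hypothetical.

// Constructed sample: the format typed into the "Custom" field.
$typed = 'H \h i \m\i\n';

// Constructed timestamp: 22:34 UTC on a day in February.
$ts = gmmktime( 22, 34, 0, 2, 20, 2014 );

// What the endpoint sees in $_POST['date'] once the input has been slashed:
// every backslash has been doubled.
$received = addslashes( $typed );

/**
 * Render a date format string, optionally removing the added slashes first.
 */
function render_format( $format, $ts, $unslash ) {
	if ( $unslash ) {
		$format = stripslashes( $format );
	}
	// In a date format, "\\" is an escaped backslash, so the letter that
	// follows it is no longer escaped and is read as a format character.
	return gmdate( $format, $ts );
}

echo 'typed:          ', $typed, "\n";
echo 'received:       ', $received, "\n";
echo 'without fix:    ', render_format( $received, $ts, false ), "\n";
echo 'with unslash:   ', render_format( $received, $ts, true ), "\n";

// The unslashed value must be identical to what the user typed.
var_dump( stripslashes( $received ) === $typed );
```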

Attachments (1)

27216.patch (718 bytes) - added by bcworkz 10 years ago.
OP's suggested fix


Change History (4)

@bcworkz
10 years ago

OP's suggested fix

#1 @bcworkz
10 years ago

  • Component changed from Administration to Formatting
  • Keywords has-patch needs-testing added

#2 @nacin
10 years ago

  • Milestone changed from Awaiting Review to 3.9

#3 @nacin
10 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27305:

Unslash in the time-format and date-format ajax endpoints.

props GregLone.
fixes #27216.
