Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#2761 closed defect (bug) (fixed)

AYS Dialog adds slashes to quotes

Reported by: markjaquith
Owned by: markjaquith
Milestone:
Priority: high
Severity: major
Version: 2.0.2
Component: Administration
Keywords: has-patch 2nd-opinion
Focuses:
Cc:


Post forms that go through the AYS dialog get an extra round of slashes. For instance, editing a comment turns

I'm going home.

into

I\'m going home

This is for version 2.0.3

Attachments (2)

ays_use_textarea.diff (966 bytes) - added by markjaquith 9 years ago.
Patch for 2.0.3 (branches/2.0)
strip_ays_post.diff (557 bytes) - added by ryan 9 years ago.


Change History (12)

#1 @markjaquith
9 years ago

  • Keywords has-patch 2nd-opinion added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

Patch changes the hidden inputs to hidden textareas. That way, we don't need to escape slashes.

#2 @mdawaffe
9 years ago

The AYS should be designed to work in all manner of strange browsers (mobile, etc.). Can we depend on everything to deal with the CSS?

I don't understand why we can't just stripslashes the hidden field value.

This isn't a problem in trunk, but I don't see the difference. Do you?

#3 @ryan
9 years ago

Alternative patch that stripslashes_deep $_POST. Think that'll work?

#4 @ryan
9 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3833]) Strip extra slashes from _POST when doing nonce AYS. Props MarkJaquith and mdawaffe. fixes #2761

#5 @ryan
9 years ago

  • Resolution set to fixed

(In [3834]) Strip extra slashes from _POST when doing nonce AYS. Props MarkJaquith and mdawaffe. fixes #2761

#6 @ryan
9 years ago

Hopefully that will get it. Please confirm.

#7 @markjaquith
9 years ago

Just tested Ryan's patch, and it works.

I tested by editing /wp-admin/post.php and purposely mismatching the nonce keys.

And mdawaffe, yeah, you're right. I was really tired when I wrote that. Single quotes are already converted to HTML entities, so there's no problem sticking it in a hidden input.
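
The double slashing and the fix discussed in this ticket, modelled as an added example (not code from the ticket, its patches, or WordPress). `slash_deep()`, `strip_deep()`, `ays_hidden_fields()` and `resubmit()` are hypothetical stand-ins, with `strip_deep()` playing the role of `stripslashes_deep`, and the sample comment text is constructed.

```php
<?php
// Constructed stand-ins so the example runs without WordPress.
// slash_deep() models the slashing applied to every incoming request value;
// strip_deep() models stripslashes_deep().
function slash_deep($v) { return is_array($v) ? array_map('slash_deep', $v) : addslashes($v); }
function strip_deep($v) { return is_array($v) ? array_map('strip_deep', $v) : stripslashes($v); }

// Render the AYS confirmation form's hidden fields from already-slashed POST data.
// Only flat (scalar) fields are handled in this sketch.
function ays_hidden_fields(array $post, bool $strip): string {
    if ($strip) {
        $post = strip_deep($post); // the fix: undo one round of slashes before re-emitting
    }
    $html = '';
    foreach ($post as $name => $value) {
        // Escape for the attribute context so a quote cannot break out of value="".
        $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
            htmlspecialchars((string) $name, ENT_QUOTES),
            htmlspecialchars((string) $value, ENT_QUOTES));
    }
    return $html;
}

// Model the browser submitting the confirmation form: entity-decode each value,
// after which request intake slashes everything again.
function resubmit(string $html): array {
    preg_match_all('/name="([^"]*)" value="([^"]*)"/', $html, $m, PREG_SET_ORDER);
    $post = [];
    foreach ($m as $f) {
        $post[html_entity_decode($f[1], ENT_QUOTES)] = html_entity_decode($f[2], ENT_QUOTES);
    }
    return slash_deep($post);
}

$typed = ['content' => "I'm going home."]; // constructed sample input
$first = slash_deep($typed);               // first submission, as the handler receives it

$buggy = resubmit(ays_hidden_fields($first, false)); // slashed value re-emitted as-is
$fixed = resubmit(ays_hidden_fields($first, true));  // stripped before re-emitting

// The handler unslashes once before saving; compare what each path would store.
echo stripslashes($buggy['content']), "\n";
echo stripslashes($fixed['content']), "\n";
```

The first line printed still carries a backslash before the apostrophe, matching the symptom in the ticket description; the second is the text as typed.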

#8 @Varsity
9 years ago

How do us plebs apply this patch? Could someone provide an updated version of the file for 2.0.3?

#9 @markjaquith
9 years ago

The plebs should just use this plugin that I made:


#10 @gwagenknecht
9 years ago

  • Cc gunnar@… added