Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#2761 closed defect (bug) (fixed)

AYS Dialog adds slashes to quotes

Reported by: markjaquith
Owned by: markjaquith
Milestone:
Priority: high
Severity: major
Version: 2.0.2
Component: Administration
Keywords: has-patch 2nd-opinion
Focuses:
Cc:

Description

Post forms that go through the AYS dialog get an extra round of slashes. For instance, editing a comment turns

I'm going home.

into:

I\'m going home

This is for version 2.0.3

Attachments (2)

ays_use_textarea.diff (966 bytes) - added by markjaquith 8 years ago.
Patch for 2.0.3 (branches/2.0)
strip_ays_post.diff (557 bytes) - added by ryan 8 years ago.


Change History (12)

markjaquith 8 years ago

Patch for 2.0.3 (branches/2.0)

comment:1 markjaquith 8 years ago

  • Keywords has-patch 2nd-opinion added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

Patch changes the hidden inputs to hidden textareas. That way, we don't need to escape slashes.

comment:2 mdawaffe 8 years ago

The AYS should be designed to work in all manner of strange browsers (mobile, etc.). Can we depend on everything to deal with the CSS?

I don't understand why we can't just stripslashes the hidden field value.

This isn't a problem in trunk, but I don't see the difference. Do you?

ryan 8 years ago

comment:3 ryan 8 years ago

Alternative patch that stripslashes_deep $_POST. Think that'll work?

comment:4 ryan 8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3833]) Strip extra slashes from _POST when doing nonce AYS. Props MarkJaquith and mdawaffe. fixes #2761

comment:5 ryan 8 years ago

  • Resolution set to fixed

(In [3834]) Strip extra slashes from _POST when doing nonce AYS. Props MarkJaquith and mdawaffe. fixes #2761

comment:6 ryan 8 years ago

Hopefully that will get it. Please confirm.

comment:7 markjaquith 8 years ago

Just tested Ryan's patch, and it works.

I tested by editing /wp-admin/post.php and purposely mismatching the nonce keys.

And mdawaffe, yeah, you're right. I was really tired when I wrote that. Single quotes are already converted to HTML entities, so there's no problem sticking it in a hidden input.
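
The round trip discussed in this ticket, as an added example (not WordPress code and not either attached patch): a value passes through a confirmation form and is slashed again on the second request unless the extra layer is stripped before the hidden inputs are written. It assumes request data gets one layer of slashes per request; `receive_post`, `strip_deep`, `render_ays` and `browser_resubmit` are hypothetical stand-ins.

```php
<?php
// Stand-in for the slashing applied to incoming form data on every request
// (assumption: one addslashes() layer per request).
function receive_post(array $form): array {
    return array_map('addslashes', $form);
}

// Recursively remove one layer of slashes (the idea behind stripslashes_deep).
function strip_deep($value) {
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}

// Render the confirmation form: each POST value is carried in a hidden input.
// Quotes are HTML-encoded, so they cannot break out of the attribute.
function render_ays(array $post, bool $strip): string {
    if ($strip) {
        $post = strip_deep($post);   // the fix: drop the layer added on request 1
    }
    $html = '';
    foreach ($post as $name => $value) {
        $html .= sprintf(
            "<input type='hidden' name='%s' value='%s' />\n",
            htmlspecialchars($name, ENT_QUOTES),
            htmlspecialchars($value, ENT_QUOTES)
        );
    }
    return $html;
}

// Stand-in for the browser: decode the hidden inputs back into form data.
function browser_resubmit(string $html): array {
    preg_match_all("/name='([^']*)' value='([^']*)'/", $html, $m, PREG_SET_ORDER);
    $form = [];
    foreach ($m as $pair) {
        $key = htmlspecialchars_decode($pair[1], ENT_QUOTES);
        $form[$key] = htmlspecialchars_decode($pair[2], ENT_QUOTES);
    }
    return $form;
}

$typed = ['content' => "I'm going home."];   // constructed sample input

foreach ([false, true] as $strip) {
    $first  = receive_post($typed);                                        // request 1
    $second = receive_post(browser_resubmit(render_ays($first, $strip)));  // request 2
    // Assumption: the consumer expects exactly one layer of slashes and removes it.
    printf("%-10s %s\n", $strip ? 'stripped:' : 'unfixed:', stripslashes($second['content']));
}
```
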

comment:8 Varsity 8 years ago

How do us plebs apply this patch? Could someone provide an updated version of the file for 2.0.3?

comment:9 markjaquith 8 years ago

The plebs should just use this plugin that I made:

http://txfx.net/code/wordpress/wordpress-203-tuneup/

comment:10 gwagenknecht 8 years ago

  • Cc gunnar@… added