Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#2761 closed defect (bug) (fixed)

AYS Dialog adds slashes to quotes

Reported by: markjaquith
Owned by: markjaquith
Milestone:
Priority: high
Severity: major
Version: 2.0.2
Component: Administration
Keywords: has-patch 2nd-opinion
Focuses:
Cc:


Post forms that go through the AYS dialog get an extra round of slashes. For instance, editing a comment turns

I'm going home.

into

I\'m going home

This is for version 2.0.3

Attachments (2)

ays_use_textarea.diff (966 bytes) - added by markjaquith 9 years ago.
Patch for 2.0.3 (branches/2.0)
strip_ays_post.diff (557 bytes) - added by ryan 9 years ago.


Change History (12)

@markjaquith 9 years ago

Patch for 2.0.3 (branches/2.0)

comment:1 @markjaquith 9 years ago

  • Keywords has-patch 2nd-opinion added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

Patch changes the hidden inputs to hidden textareas. That way, we don't need to escape slashes.

comment:2 @mdawaffe 9 years ago

The AYS should be designed to work in all manner of strange browsers (mobile, etc.). Can we depend on everything to deal with the CSS?

I don't understand why we can't just stripslashes the hidden field value.

This isn't a problem in trunk, but I don't see the difference. Do you?

@ryan 9 years ago

comment:3 @ryan 9 years ago

Alternative patch that stripslashes_deep $_POST. Think that'll work?

comment:4 @ryan 9 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3833]) Strip extra slashes from _POST when doing nonce AYS. Props MarkJaquith and mdawaffe. fixes #2761

comment:5 @ryan 9 years ago

  • Resolution set to fixed

(In [3834]) Strip extra slashes from _POST when doing nonce AYS. Props MarkJaquith and mdawaffe. fixes #2761

comment:6 @ryan 9 years ago

Hopefully that will get it. Please confirm.

comment:7 @markjaquith 9 years ago

Just tested Ryan's patch, and it works.

I tested by editing /wp-admin/post.php and purposely mismatching the nonce keys.

And mdawaffe, yeah, you're right. I was really tired when I wrote that. Single quotes are already converted to HTML entities, so there's no problem sticking it in a hidden input.
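
The round trip discussed in this ticket, as an added example that is not WordPress code or either attached patch: request data is slashed on arrival, echoed into the AYS form's hidden fields, and slashed again on resubmission unless it is stripped first. The helper names, the flat sample field and the single unslash at save time are assumptions made for the illustration.

```php
<?php
// Added illustration; helper names are hypothetical, not WordPress core code.

// Stand-in for the slashing applied to incoming request data.
function slash_request(array $data): array {
    return array_map(
        fn($v) => is_array($v) ? slash_request($v) : addslashes($v),
        $data
    );
}

// Recursive stripslashes, the same idea as running stripslashes_deep on $_POST.
function strip_deep($value) {
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}

// Build the confirmation form's hidden field values from the slashed request.
// Field values are plain strings in this example.
function render_hidden_fields(array $post, bool $strip): array {
    if ($strip) {
        $post = strip_deep($post); // the fix: drop the first layer before echoing
    }
    $fields = [];
    foreach ($post as $name => $value) {
        // Quotes become entities, so a hidden input can carry them safely.
        $fields[$name] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $fields;
}

// What comes back when the user confirms: the browser decodes the entities
// in each value attribute, then the request is slashed again on arrival.
function resubmit(array $fields): array {
    $decoded = array_map(fn($v) => htmlspecialchars_decode($v, ENT_QUOTES), $fields);
    return slash_request($decoded);
}

// Constructed sample input: the first submission, already slashed once.
$first = slash_request(['content' => "I'm going home."]);

foreach ([false, true] as $strip) {
    $second = resubmit(render_hidden_fields($first, $strip));
    // Assumption: the save path consumes exactly one layer of slashes.
    $stored = strip_deep($second)['content'];
    printf("%-12s stored: %s\n", $strip ? 'with fix' : 'without fix', $stored);
}
```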

comment:8 @Varsity 9 years ago

How do us plebs apply this patch? Could someone provide an updated version of the file for 2.0.3?

comment:9 @markjaquith 9 years ago

The plebs should just use this plugin that I made:


comment:10 @gwagenknecht 9 years ago

  • Cc gunnar@… added