Make WordPress Core

Opened 12 years ago

Closed 11 years ago

#3095 closed defect (bug) (fixed)

Can't escape characters for date format in Options > General

Reported by: pandem
Owned by: mdawaffe
Milestone: 2.3
Priority: low
Severity: minor
Version: 2.1
Component: Administration
Keywords: (none)
Focuses: (none)
Cc: (none)

Backslashes are stripped; adding a second backslash to escape the first one only makes it visible.

Attachments (2)

3095.diff (2.5 KB) - added by mdawaffe 12 years ago.
3095b.diff (2.6 KB) - added by mdawaffe 12 years ago.

Change History (8)

#1 @mdawaffe
12 years ago

  • Milestone set to 2.1
  • Owner changed from anonymous to mdawaffe
  • Status changed from new to assigned

wp_kses_filters() stripslashes then addslashes, so we shouldn't stripslash stuff before it goes in.

3095.diff for trunk:

  1. Moves stripslashes() to sanitize_option() cases that need them.
  2. strip_tags() seems to do its job even without having first stripslashed. Can someone confirm for the sake of security?

I did not create a patch for 2.0.5. I can if this is deemed secure.
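The following is an editor's reproduction of the reported behaviour, added to this ticket for illustration; it is plain PHP, not WordPress code and not part of 3095.diff. It assumes only stock PHP (date(), stripslashes(), addslashes(), strip_tags()) and a fixed timestamp so the checks are deterministic. Part 3 is a spot check on a handful of constructed inputs for the strip_tags() question raised in the comment above: for these inputs, stripping tags before or after unslashing gives the same result. It is evidence on sample inputs, not a proof, and kses remains the real filter.

```php
<?php
// Editor's example for ticket #3095 (not WordPress code). Assumes stock PHP;
// the timestamp, format string and sample inputs below are constructed here.

date_default_timezone_set('UTC');

// Minimal check helper: throw on failure so the script stops loudly.
function expect($cond, $what)
{
    if (!$cond) {
        throw new RuntimeException("FAILED: $what");
    }
}

function run_checks()
{
    // Fixed timestamp: 2007-01-22 13:05:00 UTC.
    $ts = gmmktime(13, 5, 0, 1, 22, 2007);

    // A date format with literal text. Each letter of "Posted on" is escaped
    // with a backslash so date() prints it as-is instead of reading it as a
    // format code. Single quotes keep the backslashes literal in PHP source.
    $format = '\P\o\s\t\e\d \o\n jS F Y';
    expect(date($format, $ts) === 'Posted on 22nd January 2007', 'escaped format renders literally');

    // 1. The bug: the old save path ran stripslashes() on the option before
    //    storing it, which removes exactly the backslashes the format needs.
    $stored = stripslashes($format);
    expect($stored === 'Posted on jS F Y', 'stripslashes removes the escapes');
    // P, o, s, t, e, d, n are now format codes (timezone offset, ISO year,
    // seconds, days in month, ...), so the intended words are gone.
    expect(strpos(date($stored, $ts), 'Posted on') === false, 'unescaped format no longer renders the text');

    // 2. The reporter's workaround: double each backslash. One stripslashes()
    //    pass restores the original, but anything that prints the raw stored
    //    value (or unslashes twice) shows the doubled backslashes, which is
    //    what the ticket describes as "only makes it visible".
    $doubled = str_replace('\\', '\\\\', $format);
    expect(stripslashes($doubled) === $format, 'one unslash pass restores the format');
    expect(strpos($doubled, '\\\\P') === 0, 'raw stored value shows doubled backslashes');
    expect(stripslashes(stripslashes($doubled)) === $stored, 'two passes strip the escapes again');

    // 3. Spot check: does strip_tags() still remove tags from input carrying
    //    magic_quotes-style slashes (simulated with addslashes())? Compare
    //    "slash, strip tags, unslash" against "strip tags" on unslashed input.
    $samples = array(
        '<script>alert("x")</script>',
        '<a href="javascript:alert(\'x\')">link</a>',
        'plain text with a \\ backslash and <b>bold</b>',
        '<img src="x" onerror="alert(1)"\\>',
    );
    foreach ($samples as $s) {
        $slashed_then_stripped = stripslashes(strip_tags(addslashes($s)));
        $stripped_only         = strip_tags($s);
        expect($slashed_then_stripped === $stripped_only, "same result with and without slashes: $s");
        expect(strpos($slashed_then_stripped, '<') === false, "no tag survives: $s");
    }

    return true;
}

run_checks();
echo "all checks passed\n";
```

Run it with `php script.php`; any failed expectation throws with the description of the check that failed.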

#2 @markjaquith
12 years ago
mdawaffe and I tried to break this, but couldn't.

Would appreciate special attention here, as this sort of thing has security implications if not done right. Will leave the ticket open and refrain from porting this to /branches/2.0/ until we're sure it's secure.

#3 @mdawaffe
12 years ago

It should be fine. I think strip_tags() is in there only for efficiency. Even if someone can get around strip_tags() via some crazy slashing (which I don't *think* is possible), kses should get them.

But I'm with markjaquith: more eyes.

#4 @matt
11 years ago

  • Milestone changed from 2.1 to 2.2

#5 @rob1n
11 years ago

  • Milestone changed from 2.2 to 2.3

#6 @Nazgul
11 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

I think this has been in trunk long enough to mark it as fixed.