Usermeta and postmeta functions assume data to be pre-escaped
|Reported by:||markjaquith||Owned by:||markjaquith|
Description (last modified by markjaquith)
User meta functions assume that data passed to them is already escaped ( $wpdb->escape()
Post meta functions assume data is not already escaped.
I think we should move to a standardized way of doing this, and I think the standard should be to expect unescaped data.
- It is safer.
- Worst case scenario with assuming data to be unescaped is that it gets double slashed
- Worst case scenario with assuming data to be escaped is SQL injection vulnerability
- Post meta has been doing it this way, for a longer time, so less code would have to change
- It would allow code consolidation, in terms of handling arrays/objects/strings, serialization, and escape.
- Currently, things like First Name and Last Name are passed through filters pre-slashed, which means that filters have to work around this.
Setting a milestone of 2.2
We can do this in trunk right after 2.1 ships, so that plugin authors will have 4 months to adapt.
Change History (14)
comment:1 @markjaquith — 8 years ago
- Description modified (diff)
- Status changed from new to assigned
- Keywords needs-patch added; hunt-irrelevant removed
- Summary changed from Usermeta functions assume data to be pre-escaped to Usermeta and postmeta functions assume data to be pre-escaped
- Keywords close added; needs-patch dev-feedback removed
- Priority changed from normal to high
- Keywords needs-patch added; close removed
- Type changed from task (blessed) to enhancement