Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#35408 closed defect (bug) (fixed)

Side effect wp_create_post_autosave causes $_POST to be unslashed

Reported by: joehoyle
Owned by: joehoyle
Milestone: 4.5
Priority: normal
Severity: normal
Version: 2.6
Component: Autosave
Keywords: has-patch needs-unit-tests
Focuses:
Cc:


For some reason (explanation welcome) wp_create_post_autosave assigns its data to $_POST by reference. In the case of a post auto draft for the revision not already existing, $post_data is passed to wp_unslash in preparing it for _wp_put_post_revision (as _wp_put_post_revision expects unslashed data). This has the nasty side effect of $_POST now being unslashed, when plugins (and other areas of WP) always expect the $_POST superglobal to have slashed data.

I don't know the original reasoning behind assigning by reference, it appears to have been introduced in the autosave refactor in

I'd like to get some tests for this, however these functions are wrought with superglobals so I'm not sure how easy that will be.

Attachments (1)

35408.diff (461 bytes) - added by joehoyle 8 years ago.
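
The side effect described in the ticket, reproduced outside WordPress as an added example (not code from the ticket, the patch, or WordPress core). `demo_unslash()` and `demo_plugin_read_title()` are hypothetical stand-ins, and the `$_POST` contents are constructed sample data; the copying variant is one way to avoid the aliasing, not necessarily what the committed fix does.

```php
<?php
// Stand-in for wp_unslash() on a flat array (assumption: simplified, not WordPress code).
function demo_unslash(array $data): array {
    return array_map('stripslashes', $data);
}

// Hypothetical plugin code that, as the ticket says, expects $_POST to be
// slashed and therefore unslashes the value itself before using it.
function demo_plugin_read_title(): string {
    return stripslashes($_POST['post_title']);
}

// Pattern from the ticket: alias $_POST, then unslash the alias.
function autosave_by_reference(): array {
    $post_data = &$_POST;                   // alias, not a copy
    $post_data = demo_unslash($post_data);  // writes through to $_POST
    return $post_data;
}

// Copying variant: the unslashed data stays local to the function.
function autosave_by_copy(): array {
    $post_data = $_POST;                    // PHP arrays are copied by value
    return demo_unslash($post_data);
}

// Constructed sample: a title containing one backslash, in the slashed
// (doubled-backslash) form that code reading $_POST expects.
$slashed = ['post_title' => 'C:\\\\new'];

// Run each variant against a fresh slashed $_POST and report
// (a) whether $_POST is still identical to the slashed input and
// (b) what the plugin reads afterwards.
foreach (['autosave_by_copy', 'autosave_by_reference'] as $variant) {
    $_POST = $slashed;
    $variant();
    printf(
        "%-22s \$_POST unchanged: %-5s plugin reads: %s\n",
        $variant,
        var_export($_POST === $slashed, true),
        demo_plugin_read_title()
    );
}
```

With the reference variant the plugin's own unslash runs on already-unslashed data, so a literal backslash in user input is silently dropped.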

Change History (5)

#1 @joehoyle
8 years ago

  • Owner set to joehoyle
  • Status changed from new to assigned

This ticket was mentioned in Slack in #core by joehoyle.

#3 @azaozz
8 years ago

Stripping slashes from the whole $_POST was introduced in r11117 for 2.8 (7 years ago). Don't think that fix for #9433 is still needed but a bit more investigation is in order.


#4 @azaozz
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 36543:

Do not strip slashes from the whole $_POST when doing autosaves.

Props joehoyle.
Fixes #35408.
