Opened 9 years ago
Closed 9 years ago
#35408 closed defect (bug) (fixed)
Side effect wp_create_post_autosave causes $_POST to be unslashed
Reported by: | joehoyle | Owned by: | joehoyle |
---|---|---|---|
Milestone: | 4.5 | Priority: | normal |
Severity: | normal | Version: | 2.6 |
Component: | Autosave | Keywords: | has-patch needs-unit-tests |
Focuses: | Cc: |
Description
For some reason (explanation welcome) wp_create_post_autosave
assigns it's data to $_POST
by reference, in the case of a post auto draft for the revision not already existing, $post_data
is passed to wp_unslash
in preparing it for _wp_put_post_revision
(as _wp_put_post_revision
expects unslashed data). This has the nasty side effect of $_POST
now being unslashed, when plugins (and other areas of WP) always expect the $_POST
superglobal to have slashed data.
I don't know the original reasoning behind passing assigning by reference, it appears to have been introduced in the autosave refactor in https://github.com/WordPress/WordPress/commit/335add2573fd1a2f84071be441d24a053eff8933#diff-c3d5c535db5622f3b0242411ee5f9dfdR1346
I'd like to get some tests for this, however these functions are wrought with superglobals so I'm not sure how easy that will be.
Stripping slashes from the whole $_POST was introduced in r11117 for 2.8 (7 years ago). Don't think that fix for #9433 is still needed but a bit more investigation is in order.