Opened 2 years ago

Last modified 13 months ago

#42195 new defect (bug)

wp_slash() is lossy

Reported by: johnbillion
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Formatting
Keywords: needs-patch dev-feedback has-unit-tests
Focuses:
Cc:
PR Number:

Description

Calling wp_slash() converts all values to strings, causing data loss for integers, floats, and booleans.

Example:

wp_slash( 123 ); // '123'
wp_slash( 123.4 ); // '123.4'

The above results in the values being cast to strings.

Booleans are cast to strings too, with a value of '1' or an empty string:

wp_slash( true ); // '1'
wp_slash( false ); // ''

This causes particular problems for delete_metadata() when passing a meta value, because the meta value is slashed before being serialized in order to perform the SQL lookup for matching rows, causing the lookup to fail.
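
The lookup failure described above, shown as an added example (not code from this ticket or from WordPress core). `lossy_slash()` mirrors the casting behaviour reported here, `typed_slash()` and `typed_unslash()` are hypothetical string-only variants, and PHP's `serialize()` on a constructed array stands in for the meta serialization step.

```php
<?php
// Added example; every function name below is hypothetical.

// Mirrors the reported behaviour: every scalar goes through addslashes(),
// so integers, floats and booleans come back as strings.
function lossy_slash( $value ) {
	if ( is_array( $value ) ) {
		return array_map( 'lossy_slash', $value );
	}
	return addslashes( $value );
}

// Type-preserving variant: only strings are slashed.
function typed_slash( $value ) {
	if ( is_array( $value ) ) {
		return array_map( 'typed_slash', $value );
	}
	return is_string( $value ) ? addslashes( $value ) : $value;
}

// Reverse step, also limited to strings.
function typed_unslash( $value ) {
	if ( is_array( $value ) ) {
		return array_map( 'typed_unslash', $value );
	}
	return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Constructed sample meta value with mixed scalar types.
$meta = array(
	'count'  => 123,
	'ratio'  => 123.4,
	'active' => true,
	'label'  => "O'Reilly",
);

// What a row would hold if the value had been stored with its types intact.
$stored = serialize( $meta );

// What a lookup compares against after a slash/unslash round trip.
$lossy = serialize( typed_unslash( lossy_slash( $meta ) ) );
$typed = serialize( typed_unslash( typed_slash( $meta ) ) );

echo "stored: $stored\n";
echo "lossy:  $lossy\n";
echo "typed:  $typed\n";
var_dump( $lossy === $stored, $typed === $stored );
```

The serialized form encodes each value's type (`i:` for integers, `b:` for booleans, `s:` for strings), so a value whose scalars were cast to strings no longer matches the stored string byte for byte.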

Attachments (2)

42195-unit-tests.diff (1.0 KB) - added by andizer 21 months ago.
Unit tests
42195.patch (525 bytes) - added by ryotasakamoto 13 months ago.


Change History (6)

@andizer
21 months ago

Unit tests

#2 @andizer
21 months ago

  • Keywords has-unit-tests added; needs-unit-tests removed

#3 @jrf
21 months ago

Anyone any feedback on the question I pose here: https://core.trac.wordpress.org/ticket/24106#comment:12 ?

#4 @ryotasakamoto
13 months ago

I think that it can be corrected as below, but is there something wrong?

function wp_slash( $value ) {
	if ( is_array( $value ) ) {
		foreach ( $value as $k => $v ) {
			if ( is_array( $v ) ) {
				$value[ $k ] = wp_slash( $v );
			} else {
				if ( is_bool( $v ) ) {
					$v = (int) $v;
				}
				$value[ $k ] = addslashes( $v );
			}
		}
	} else {
		if ( is_bool( $value ) ) {
			$value = (int) $value;
		}
		$value = addslashes( $value );
	}

	return $value;
}