Make WordPress Core

Opened 3 years ago

Closed 3 weeks ago

Last modified 3 weeks ago

#42195 closed defect (bug) (fixed)

wp_slash() is lossy

Reported by: johnbillion Owned by: SergeyBiryukov
Milestone: 5.5 Priority: normal
Severity: normal Version:
Component: Formatting Keywords: dev-feedback has-unit-tests has-patch needs-testing needs-dev-note
Focuses: Cc:


Calling wp_slash() converts all values to strings, causing data loss for integers, floats, and booleans.


wp_slash( 123 ); // '123'
wp_slash( 123.4 ); // '123.4'

The above results in the values being cast to strings.

Booleans are cast to strings too, with a value of '1' or an empty string:

wp_slash( true ); // '1'
wp_slash( false ); // ''

This causes particular problems for delete_metadata() when passing a meta value, because the meta value is slashed before being serialized in order to perform the SQL lookup for matching rows, causing the lookup to fail.

Attachments (3)

42195-unit-tests.diff (1.0 KB) - added by andizer 3 years ago.
Unit tests
42195.patch (525 bytes) - added by ryotasakamoto 23 months ago.
42195.diff (4.6 KB) - added by whyisjake 3 weeks ago.

Download all attachments as: .zip

Change History (14)

3 years ago

Unit tests

#2 @andizer
3 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed

#3 @jrf
3 years ago

Anyone any feedback on the question I pose here: https://core.trac.wordpress.org/ticket/24106#comment:12 ?

#4 @ryotasakamoto
23 months ago

I think that it can be corrected below, but is there something wrong?

function wp_slash( $value ) {
	if ( is_array( $value ) ) {
		foreach ( $value as $k => $v ) {
			if ( is_array( $v ) ) {
				$value[ $k ] = wp_slash( $v );
			} else {
				if (is_bool( $v )) {
					$v = (int) $v;
				$value[ $k ] = addslashes( $v );
	} else {
		if ( is_bool( $value ) ) {
			$value = (int) $value;
		$value = addslashes( $value );

	return $value;

#5 @SergeyBiryukov
4 months ago

  • Milestone changed from Awaiting Review to 5.5
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

Related: #24106, #48605.

Last edited 4 months ago by SergeyBiryukov (previous) (diff)

This ticket was mentioned in PR #288 on WordPress/wordpress-develop by donmhico.

3 months ago

Leave non-string values untouched in wp_slash()

Trac ticket: https://core.trac.wordpress.org/ticket/42195

#7 @donmhico
3 months ago

  • Keywords has-patch needs-testing added; needs-patch removed

In PR-288, only string values are passed to addslashes(). Basically non-string values passed to wp_slash() are just returned.

#8 @whyisjake
3 weeks ago

I agree with @jrf that we can simplify this a bit using a map function. Adding a patch that could combine the efforts here and #24106.

3 weeks ago

#9 @whyisjake
3 weeks ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 48433:

Formatting: Prevent wp_slash from returning non-strings as strings.

If a bool/float/int is passed into wp_slash it will be coerced into a string.

This changes the behavior to only slash strings. At the same time, handles recursion a little nicer by calling array_map for arrays.

Fixes #42195, #24106.

Props johnbillion, andizer, jrf, ryotasakamoto, SergeyBiryukov, donmhico, TobiasBg, markoheijnen, ryan, nacin, devesine, whyisjake.

#10 @ocean90
3 weeks ago

  • Keywords needs-dev-note added
Note: See TracTickets for help on using tickets.