Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#54601 closed defect (bug) (invalid)

wp_insert_post function removes backslashes

Reported by: sweetheatmn's profile sweetheatmn Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Posts, Post Types Keywords:
Focuses: Cc:

Description

wp_insert_post function removes all backslashes from the post_title and post_content

reproducing the issue:

$my_post = array(
		'post_title'    =>  'test post \include',
		'post_content'  => 'test content',
	 	 
);

// Insert the post into the database
$insert= wp_insert_post( $my_post );

Expected result: new post with title new post \inlude
Returned result: new post with title new post include

reproduce#2

$my_post = array(
		'post_title'    =>  'test post \\include',
		'post_content'  => 'test content',
	 	 
);

// Insert the post into the database
$insert= wp_insert_post( $my_post );

Expected result: new post with title new post \inlude
Returned result: new post with title new post include

not clearly sure if this is a defect or I'm doing something wrong

Change History (5)

#1 @SergeyBiryukov
2 years ago

  • Component changed from General to Posts, Post Types

#2 @Presskopp
2 years ago

  • Keywords close added
  • Resolution set to invalid
  • Status changed from new to closed

afaik that's because of Sanitization (default behaviour)

all [&<>"\'] will be stripped.

Looks like this can be filtered, but I cannot provide a ready to go solution.

At least no core bug, but default behaviour, so let's close. Feel free to comment more

#3 @sweetheatmn
2 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

I don't think your decision is correct

at least what you state will get removed as for sanitization does not get really stripped

can you just test it?

I did test what you call will get stripped and only the \ was removed from the post content and why at all will a bracket or & will ever get stripped from the added post content

please reopen the case

//wp-load
require_once('../../../wp-load.php');

$my_post = array(
		'post_title'    =>  'test [&<>"\'] post \include',
		'post_content'  => 'test content',
	 	 
);



// Insert the post into the database
$insert= wp_insert_post( $my_post );

returned title test [&<>"'] post include
exptected title test [&<>"\'] post \include

#4 @Presskopp
2 years ago

  • Keywords close removed

#5 @ocean90
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from reopened to closed

Hello @sweetheatmn,

by default wp_insert_post() doesn't add slashes to the post data because it expects the data already to be slashed. Before the data gets stored into the database wp_unslash() is called. That's why the slash from your input is removed.
To solve this you have to call wp_slash() on your data first.

Related: #41593

Note: See TracTickets for help on using tickets.