Opened 2 years ago
Closed 2 years ago
#54601 closed defect (bug) (invalid)
wp_insert_post function removes backslashes
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Posts, Post Types | Keywords: | |
Focuses: | Cc: |
Description
wp_insert_post function removes all backslashes from the post_title and post_content
reproducing the issue:
$my_post = array( 'post_title' => 'test post \include', 'post_content' => 'test content', ); // Insert the post into the database $insert= wp_insert_post( $my_post );
Expected result: new post with title new post \inlude
Returned result: new post with title new post include
reproduce#2
$my_post = array( 'post_title' => 'test post \\include', 'post_content' => 'test content', ); // Insert the post into the database $insert= wp_insert_post( $my_post );
Expected result: new post with title new post \inlude
Returned result: new post with title new post include
not clearly sure if this is a defect or I'm doing something wrong
Change History (5)
#3
@
2 years ago
- Resolution invalid deleted
- Status changed from closed to reopened
I don't think your decision is correct
at least what you state will get removed as for sanitization does not get really stripped
can you just test it?
I did test what you call will get stripped and only the \ was removed from the post content and why at all will a bracket or & will ever get stripped from the added post content
please reopen the case
//wp-load require_once('../../../wp-load.php'); $my_post = array( 'post_title' => 'test [&<>"\'] post \include', 'post_content' => 'test content', ); // Insert the post into the database $insert= wp_insert_post( $my_post );
returned title test [&<>"'] post include
exptected title test [&<>"\'] post \include
#5
@
2 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from reopened to closed
Hello @sweetheatmn,
by default wp_insert_post()
doesn't add slashes to the post data because it expects the data already to be slashed. Before the data gets stored into the database wp_unslash()
is called. That's why the slash from your input is removed.
To solve this you have to call wp_slash()
on your data first.
Related: #41593
afaik that's because of Sanitization (default behaviour)
all
[&<>"\']
will be stripped.Looks like this can be filtered, but I cannot provide a ready to go solution.
At least no core bug, but default behaviour, so let's close. Feel free to comment more