Opened 2 years ago
#56118 new feature request
Exception to escapement: Exported or imported data
Reported by: | anrghg | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | major | Version: | |
Component: | Export | Keywords: | needs-docs dev-feedback needs-dev-note |
Focuses: | docs | Cc: |
Description
JSON data echoed for download as in https://plugins.trac.wordpress.org/browser/anrghg/tags/1.3.1/admin/includes/export.php?rev=2749921#L327 cannot be escaped using wp_kses()
. I’m opening this ticket for documentation purposes.
wp_kses()
calls wp_kses_split()
, that calls _wp_kses_split_callback()
, that calls wp_kses_split2()
(https://docs.classicpress.net/reference/functions/_wp_kses_split_callback/). And the first thing wp_kses_split2()
does is to “fix” the data by calling wp_kses_stripslashes()
, that strips backslashes from in front of double quotes (https://docs.classicpress.net/reference/functions/wp_kses_split2/ and https://developer.wordpress.org/reference/functions/wp_kses_stripslashes/) and thus breaks JSON.
Anyway, cxported data is expected to truly mirror the existing data, so there seems to be no way to escape anything here when echoing for download.
The same holds true when importing data as in https://plugins.trac.wordpress.org/browser/anrghg/tags/1.3.1/admin/includes/import.php?rev=2749921#L362
For PHPCS, such instances need to be whitelisted and I’m held accountable for linking to relevant documentation acknowledging the exceptions.