Make WordPress Core

Opened 2 years ago

#56118 new feature request

Exception to escapement: Exported or imported data

Reported by: anrghg's profile anrghg Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version:
Component: Export Keywords: needs-docs dev-feedback needs-dev-note
Focuses: docs Cc:

Description

JSON data echoed for download as in https://plugins.trac.wordpress.org/browser/anrghg/tags/1.3.1/admin/includes/export.php?rev=2749921#L327 cannot be escaped using wp_kses(). I’m opening this ticket for documentation purposes.

wp_kses() calls wp_kses_split(), that calls _wp_kses_split_callback(), that calls wp_kses_split2() (https://docs.classicpress.net/reference/functions/_wp_kses_split_callback/). And the first thing wp_kses_split2() does is to “fix” the data by calling wp_kses_stripslashes(), that strips backslashes from in front of double quotes (https://docs.classicpress.net/reference/functions/wp_kses_split2/ and https://developer.wordpress.org/reference/functions/wp_kses_stripslashes/) and thus breaks JSON.

Anyway, cxported data is expected to truly mirror the existing data, so there seems to be no way to escape anything here when echoing for download.

The same holds true when importing data as in https://plugins.trac.wordpress.org/browser/anrghg/tags/1.3.1/admin/includes/import.php?rev=2749921#L362

For PHPCS, such instances need to be whitelisted and I’m held accountable for linking to relevant documentation acknowledging the exceptions.

Change History (0)

Note: See TracTickets for help on using tickets.