There should be no strip_slashes() in WP_Widget::update() - or should it?

[hakre]

The update function seem to require concrete widget implementations to stripslashes to only create the value for the new instance even so it is documented that the function is there to check for validity not to filter input from uncertain sources.

the need to stripslash here looks bad to me. instead, the values used for calling should already be propper sanitized and the server/php configuration should not be taken into account any longer here.

keep in mind that this is not a function in the global namespace but a class.

[hakre]

already fixed?

/wp-includes/widgets.php ~ line 222

$new_instance = stripslashes_deep($new_instance);

looks like this is already fixed. please clarify.

[azaozz]

Yes this line has been in the update_callback for a few weeks.

[hakre]

Okay, what about updating the widgets code then?

[hakre]

invalidity needs to be argumented. i do not see that this is solved. developer statement needed wether or not widget function gets raw or stripslashed values.

[Denis-de-Bernardy]

I'd personally expect stripslashed data. But good point in asking.

[Denis-de-Bernardy]

$new_instance apparently contains stripslashed data.

[hakre]

see #9727. dev statement avail here. further digging needed i tend to say.

[Denis-de-Bernardy]

see:

​http://core.trac.wordpress.org/ticket/9822#comment:8

​http://core.trac.wordpress.org/ticket/9705#comment:2

[hakre]

Suggestion: Expect Slashed Data. As in the title in the Search Widget (one of the latest widget updates afaik). $newinstance must be stripslashed before title can be used.