Make WordPress Core

Opened 16 years ago

Closed 16 years ago

#9822 closed defect (bug) (fixed)

Quick Edit loses \ in the post content

Reported by: hailin's profile hailin Owned by: ryan's profile ryan
Milestone: 2.8 Priority: normal
Severity: normal Version:
Component: Quick/Bulk Edit Keywords:
Focuses: Cc:

Description

If a post contains \, Quick Edit it, such as changing the category, then click "Update Post". The \ is lost.

The root cause is that $post is read from the db, and the post insertion and save logic assumes magic_quotes are already added.

The fix is dd_magic_quotes($post);

Attachments (1)

9822_quick_edit.diff (666 bytes) - added by hailin 16 years ago.
revised patch

Download all attachments as: .zip

Change History (12)

#1 @Denis-de-Bernardy
16 years ago

probably the same as #9727

#2 @Denis-de-Bernardy
16 years ago

  • Milestone changed from Unassigned to 2.8

#3 @hailin
16 years ago

I think the underlying reason is that
we always assume PHP directive magic_quotes_gpc is on, since it's on by default.
Therefore, for any piece of post data, the outer layer of insertion functions strips off \ to produce the 'clean' data.

Then in several cases (#9199 and this case, and perhaps #9727), data is actually read from db, so it is already clean. In order to make the above logic work, we need to arbitrarily add \

In my opinion, PHP magic_quotes_gpc is the root of these types of troubles :)

#4 @Denis-de-Bernardy
16 years ago

oh, it's much worse, actually. we strip magic quotes when on, and then wpdb->escapre POST, GET, COOKIE, etc. :D

#5 @hailin
16 years ago

Also in that function,

update the post
$_POST = $data;

seems redundant, because $data = &$_POST; assignment before.

#6 @hailin
16 years ago

$wpdb->prepare seems to addslashes to vars.

So it seems when we call $wpdb->prepare, we need to "stripslashes" vars first, if the var is from usr input, say $_GETkey?

Seems this convention is not followed. Correct me if I'm wrong.

#7 @Denis-de-Bernardy
16 years ago

there might be an area here and there where things don't occur as they should, yeah.

#8 @ryan
16 years ago

Such areas are called bugs. :-)

#9 @ryan
16 years ago

  • Component changed from General to Quick Edit
  • Owner set to ryan
  • Status changed from new to assigned

@hailin
16 years ago

revised patch

#10 @hailin
16 years ago

removed $_POST = $data;
assignment, and tested. Revised patch.

#11 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [11343]) Add escaping for quick edit saves. Props hailin. fixes #9822

Note: See TracTickets for help on using tickets.