[wp-trac] [WordPress Trac] #10801: Revision posts are saved with double-filtered content

WordPress Trac wp-trac at lists.automattic.com
Thu Sep 17 14:19:14 UTC 2009


#10801: Revision posts are saved with double-filtered content
--------------------------+-------------------------------------------------
 Reporter:  redsweater    |       Owner:            
     Type:  defect (bug)  |      Status:  new       
 Priority:  normal        |   Milestone:  Unassigned
Component:  General       |     Version:  2.8.4     
 Severity:  normal        |    Keywords:            
--------------------------+-------------------------------------------------

Old description:

> When a post is saved using wp_insert_post, the post is first sanitized
> with sanitize_post, which applies the content_save_pre filter to the
> description of the post.
>
> Later in wp_insert_post, the pre_post_update filter is called, which
> causes the wp_save_post_revision method to be called, with the ALREADY-
> sanitized content of the post.  The wp_save_post_revision ends up calling
> wp_insert_post for the revision entry, which this time sanitizes the post
> content again before saving it in the revision.
>
> The problem here is if any content_save_pre filter (or any of the other
> sanitizing content filters, for that matter) produce "nonterminal"
> results, then the content that is saved to the revision copy ends up
> being an inaccurate representation of the post.
>
> For example, the popular SyntaxHighlighter Evolved plugin:
>
> http://www.viper007bond.com/wordpress-plugins/syntaxhighlighter/
>
> Uses a technique that escapes entities on the way into the database, and
> unescapes them on the way out. So for instance, an ampersand in the post
> content is escaped to "&amp;". But by the time the post revision is
> saved, it is asked again to sanitize, this time converting "&amp;" into
> "&amp;amp;".
>
> I'm not sure what the right fix is.

New description:

 When a post is saved using wp_insert_post, the post is first sanitized
 with sanitize_post, which applies the content_save_pre filter to the
 description of the post.

 Later in wp_insert_post, the pre_post_update filter is called, which
 causes the wp_save_post_revision method to be called, with the ALREADY-
 sanitized content of the post.  The wp_save_post_revision ends up calling
 wp_insert_post for the revision entry, which this time sanitizes the post
 content again before saving it in the revision.

 The problem here is if any content_save_pre filter (or any of the other
 sanitizing content filters, for that matter) produce "nonterminal"
 results, then the content that is saved to the revision copy ends up being
 an inaccurate representation of the post.

 For example, the popular SyntaxHighlighter Evolved plugin:

 http://www.viper007bond.com/wordpress-plugins/syntaxhighlighter/

 Uses a technique that escapes entities on the way into the database, and
 unescapes them on the way out. So for instance, an ampersand in the post
 content is escaped to "&amp;". But by the time the post revision is saved,
 it is asked again to sanitize, this time converting "&amp;" into
 "&amp;amp;".

 I'm not sure what the right fix is.

--

Comment(by ryan):

 sanitize_post() sets a "filter" field in the passed object. We can check
 to see if filter is already set before filtering again.
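As an added illustration (not WordPress core or plugin code), the following standalone PHP model reproduces the re-entry the reporter describes and the "filter" check ryan proposes; the *_model functions are hypothetical stand-ins for wp_insert_post(), sanitize_post() and wp_save_post_revision(), and the sample post content is constructed.

```php
<?php
// Added example, not WordPress code: a minimal model of the double-filtering
// in ticket #10801. The *_model functions are hypothetical stand-ins for
// wp_insert_post(), sanitize_post() and wp_save_post_revision().

// Stand-in for a content_save_pre filter that escapes entities on the way
// into the database, as the reporter describes for SyntaxHighlighter Evolved.
function escape_entities_filter(string $content): string {
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}

// Stand-in for sanitize_post(): applies the save filter and records the
// context in a 'filter' field. With $guard true it skips a post that is
// already marked 'db', which is the check ryan suggests in comment:1.
function sanitize_post_model(array $post, bool $guard): array {
    if ($guard && ($post['filter'] ?? '') === 'db') {
        return $post;   // already filtered once; do not filter again
    }
    $post['post_content'] = escape_entities_filter($post['post_content']);
    $post['filter'] = 'db';
    return $post;
}

// Stand-in for wp_insert_post(): sanitizes, then (for a real post) performs
// the revision save, which hands the ALREADY-sanitized data back into the
// same insert path and so filters it a second time.
function insert_post_model(array $post, bool $guard): array {
    $post = sanitize_post_model($post, $guard);
    if ($post['post_type'] !== 'revision') {
        $rev = $post;
        $rev['post_type'] = 'revision';
        $post['revision'] = insert_post_model($rev, $guard);
    }
    return $post;
}

// Constructed sample content containing characters the filter escapes.
$original = ['post_type' => 'post', 'post_content' => 'Tom & Jerry <3'];

foreach ([false, true] as $guard) {
    $saved = insert_post_model($original, $guard);
    $match = $saved['post_content'] === $saved['revision']['post_content'];
    // guard=off: revision holds "Tom &amp;amp; Jerry &amp;lt;3" (mismatch)
    // guard=on:  revision holds "Tom &amp; Jerry &lt;3" (match)
    printf("guard=%s\n  post:     %s\n  revision: %s\n  match:    %s\n",
        $guard ? 'on' : 'off', $saved['post_content'],
        $saved['revision']['post_content'], $match ? 'yes' : 'NO');
}
```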

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10801#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
