[wp-trac] [WordPress Trac] #12416: *_option() should all expect unslashed data.

[WordPress Trac]

#12416: *_option() should all expect unslashed data.
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  ryan
     Type:  defect (bug)       |      Status:  new 
 Priority:  normal             |   Milestone:  3.0 
Component:  Security           |     Version:  3.0 
 Severity:  blocker            |    Keywords:      
-------------------------------+--------------------------------------------
 Following up on:

 http://core.trac.wordpress.org/ticket/9015#comment:136

 It's totally irresponsible to expect plugin authors to escape whatever
 they send into get_option(). As things stand:

  - get_option(), delete_option(), get_site_option() both assume it's
 slashed
  - add_option(), update_option(), add_site_option() seem to assume it's
 unslashed, as does __get_option()
  - *_transient() seem to expect unslashed input.
  - delete_site_option() is very special: it expects slashed input if
 you're not on using multisite, but unslashed if you are
  - update_site_option() is equallty special: it needs slashed input if the
 option is not loaded already, and unslashed input if it is

 the list goes on, and on... these inconsistencies, which come on top of
 the *_meta() functions, are totally nuts and insecure.

 especially considering calls in WP such as:

  - get_option("{$size}_crop");

 or functions such as:

 {{{
 function form_option( $option ) {
         echo esc_attr( get_option( $option ) );
 }

 function get_settings_errors( $setting = '', $sanitize = FALSE ) {
         global $wp_settings_errors;
         //... isn't it ironic that using sanitize here makes it LESS
 secure?
         if ( $sanitize )
                 sanitize_option( $setting, get_option($setting));
         // ...
 }}}

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12416>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software