[wp-trac] [WordPress Trac] #21767: Remove stripslashes from API functions

WordPress Trac noreply at wordpress.org
Thu Dec 13 18:30:51 UTC 2012

#21767: Remove stripslashes from API functions
 Reporter:  alexkingorg                          |       Owner:
     Type:  task (blessed)                       |      Status:  new
 Priority:  normal                               |   Milestone:  3.6
Component:  General                              |     Version:  3.4
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing needs-unit-  |
  tests 3.6-early                                |

Comment (by ryan):

 Here's a somewhat unorganized dump of my current notes on this:

 For 3.6, leave GPC slashed.

 Introduce wp_gpc_unslash() (or whatever we want to call it) to
 conditionally unslash strings and arrays of strings if GPC is slashed.

 Change core to expect unslashed data everywhere. Functions/methods/files
 that deal directly with GPC should do something along the lines of
 $post_data = wp_gpc_unslash( $_POST ) at the top. Functions that do not
 directly use GPC will have all slash adds and strips removed.

 Plugins should move to using wp_gpc_unslash() before passing GPC strings
 to core API.

 Plugins no longer have to worry about slashing data pulled from the DB
 before passing it back to core. Since most don't anyway, their code
 suddenly starts working correctly.

 Plugins should start expecting all data passed to filters to be unlashed.
 Most do already, so this too starts working according to expectations.

 The only abstraction is wp_gpc_unslash(). No fussing with abstraction of
 the GPC super globals themselves. The super globals are well known and
 just fine as an API. We just need to stop littering them with slashes.

 With GPC staying slashed and core moving to expecting unslashed, this
 leaves one major back compat pain point: double slashing of data coming in
 from GPC.

 So, we do a big push during 3.6 to get plugins using wp_gpc_unslash().
 Many won't update, but those are the ones that are probably already
 insecure and badly slashed. The goal would be to get the most popular ones
 updated and establish the pattern.

 In 3.7, turn off GPC slashing. All plugins using wp_gpc_unslash() keep
 working just fine. This allows us to push the bigger back compat pain --
 bare SQL queries directly using GPC -- until after we've established the
 wp_gpc_unslash() back compat pattern and worked out any double slashing

Ticket URL: <http://core.trac.wordpress.org/ticket/21767#comment:36>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list