[wp-trac] [WordPress Trac] #24941: esc_sql in 3.6 changes how /r /n and maybe other characters handled

WordPress Trac noreply at wordpress.org
Sat Aug 3 13:33:17 UTC 2013


#24941: esc_sql in 3.6 changes how /r /n and maybe other characters handled
--------------------------+-----------------------------
 Reporter:  sc0ttkclark   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Formatting    |    Version:  3.6
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 In Pods, we've been using esc_sql (maybe wrongly, after reading #21767) in
 3.x, in conjunction with stripslashes_deep, when working with $_POST data.

 By default, WP slashes all $_POST data on load, so we come back around and
 set a scoped var with the $_POST data, stripslashes_deep on the array, and
 use the values in the code. Once ready to save, in certain areas we've
 been using esc_sql.

 Now I'm not yet sure what's going on well enough to fix it on my side for
 3.6+, but it appears that this change 3 weeks ago may have a big part to
 do with it: [changeset:"24718"]

 It seems now at some point in 3.6, \r and \n become just "r" and "n".

 We've been sanitizing data before it hits wp_update_post and other areas
 it looks like, so there's bound to be issues on our side here that we'll
 need to resolve now.

 I'm posting this ticket at the request of @markjaquith who wanted to
 better understand what we're dealing with right now. I'll post updates as
 I determine what fixes I needed to make in case it helps other plugin
 developers who come across this issue.

 If you read anything that would appear as a WP bug in this ticket, feel
 free to jump in and help figure out what needs to be done, otherwise you
 can close this as invalid if it ends up being a pilot error.

 Code to reproduce:

 {{{
 $content = "Testing it out\n\nTest";

 $postdata = array(
     'ID' => $post_ID,
     'post_content' => esc_sql( $content )
 );

 /*
    WP 3.x:
    $postdata[ 'post_content' ] = "Testing it out\n\nTest";

    WP 3.6:
    $postdata[ 'post_content' ] = "Testing it out\\n\\nTest";
 */

 wp_update_post( $postdata );
 }}}

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24941>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
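
An added example, not part of the ticket and not WordPress code: a stand-alone PHP model of the symptom reported above, where `\r` and `\n` end up as "r" and "n". It rests on assumptions the ticket does not confirm: that the 3.6 `esc_sql()` escapes the way `mysql_real_escape_string()` does, that the earlier one behaved like `addslashes()`, and that the post API strips slashes once from the data it receives. The `model_*` function names are hypothetical.

```php
<?php
// Added illustration; not WordPress code. All model_* names are hypothetical.

// Assumption: pre-3.6 esc_sql() behaved like addslashes(),
// which leaves CR and LF bytes untouched.
function model_weak_escape(string $s): string {
    return addslashes($s);
}

// Assumption: 3.6 esc_sql() escapes like mysql_real_escape_string():
// NUL, LF, CR, backslash, both quotes and Ctrl-Z get a backslash form.
function model_real_escape(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "\0"   => "\\0",
        "\n"   => "\\n",   // LF byte becomes backslash + "n"
        "\r"   => "\\r",   // CR byte becomes backslash + "r"
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// Assumption: the post API expects slashed input and strips it once.
// stripslashes() turns backslash + "n" into a plain "n".
function model_post_api_receives(string $slashed): string {
    return stripslashes($slashed);
}

// Constructed sample with real CR/LF bytes and a quote.
$content = "Testing it's out\r\n\r\nTest";

$escapers = [
    'weak' => 'model_weak_escape',
    'real' => 'model_real_escape',
];

foreach ($escapers as $name => $escape) {
    $stored = model_post_api_receives($escape($content));
    printf(
        "%-4s stored=%s intact=%s\n",
        $name,
        json_encode($stored),
        var_export($stored === $content, true)
    );
}
```

Under these assumptions only the slash-only path round-trips, which is the difference between slashing data for an API that unslashes it and SQL-escaping it.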

