[wp-trac] [WordPress Trac] #35408: Side effect wp_create_post_autosave causes $_POST to be unslashed

WordPress Trac noreply at wordpress.org
Mon Jan 11 20:27:46 UTC 2016


#35408: Side effect wp_create_post_autosave causes $_POST to be unslashed
--------------------------+----------------------------------------
 Reporter:  joehoyle      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  4.5
Component:  Autosave      |    Version:  2.6
 Severity:  normal        |   Keywords:  has-patch needs-unit-tests
  Focuses:                |
--------------------------+----------------------------------------
 For some reason (explanation welcome) `wp_create_post_autosave` assigns
 its data to `$_POST` by reference. In the case of a post auto draft for
 the revision not already existing, `$post_data` is passed to `wp_unslash`
 in preparing it for `_wp_put_post_revision` (as `_wp_put_post_revision`
 expects unslashed data). This has the nasty side effect of `$_POST` now
 being unslashed, when plugins (and other areas of WP) always expect the
 `$_POST` superglobal to have slashed data.

 I don't know the original reasoning behind assigning by reference;
 it appears to have been introduced in the autosave refactor in
 https://github.com/WordPress/WordPress/commit/335add2573fd1a2f84071be441d24a053eff8933#diff-c3d5c535db5622f3b0242411ee5f9dfdR1346

 I'd like to get some tests for this, however these functions are fraught
 with superglobals so I'm not sure how easy that will be.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35408>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
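
The side effect reported above, as an added example that is not part of the original ticket and is not WordPress core code: a simplified PHP model comparing reference assignment with a copy, and what later code sees when it unslashes `$_POST` itself. All `demo_*` names are hypothetical, `demo_unslash` stands in for `wp_unslash`, and the input is constructed.

```php
<?php
// Added illustration: a simplified model, not WordPress core code.
// All demo_* names are hypothetical.

// Stand-in for wp_unslash(): strip one level of slashes, recursing into arrays.
function demo_unslash($value) {
    if (is_array($value)) {
        return array_map('demo_unslash', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Shape described in the ticket: $post_data is bound to $_POST by reference,
// so reassigning it writes the unslashed array back into the superglobal.
function demo_autosave_by_reference() {
    $post_data = &$_POST;
    $post_data = demo_unslash($post_data);
    return $post_data;
}

// Same steps on a copy: $_POST keeps its slashed form.
function demo_autosave_by_copy() {
    $post_data = $_POST;
    $post_data = demo_unslash($post_data);
    return $post_data;
}

// Stand-in for code that runs later in the request and, expecting slashed
// input, unslashes the field itself before using it.
function demo_later_reader() {
    return demo_unslash($_POST['post_title']);
}

// Constructed input: the title as typed, and the slashed form that the later
// reader expects to find in $_POST.
$typed   = 'C:\\temp "notes"';
$slashed = addslashes($typed);

foreach (['demo_autosave_by_copy', 'demo_autosave_by_reference'] as $autosave) {
    $_POST = ['post_title' => $slashed];
    $autosave();
    printf(
        "%s: \$_POST still slashed=%s, later reader sees=%s\n",
        $autosave,
        var_export($_POST['post_title'] === $slashed, true),
        demo_later_reader()
    );
}
```

Run from the command line with `php`; in the by-reference case the later reader strips slashes a second time, so the backslash the user typed is lost.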

