[buddypress-trac] [BuddyPress] #2776: Most content is double-escaped in the database
buddypress-trac at lists.automattic.com
Sat Dec 4 23:48:40 UTC 2010
#2776: Most content is double-escaped in the database
--------------------+-------------------------------------------------------
Reporter: DJPaul | Owner:
Type: defect | Status: new
Priority: major | Milestone: 1.3
Component: Core | Version:
Keywords: |
--------------------+-------------------------------------------------------
Old description:
> Throughout BuddyPress, a lot of input (i.e. xprofile data, group name,
> group description) is being stored double-escaped in the database. This
> is demonstrated by creating a group with an apostrophe in its group
> description field, and then by creating a regular WP post with the same
> phrase, and comparing the contents of the database tables.
>
> This is because WordPress, in wp_magic_quotes(), escapes everything in
> $_POST, $_GET and $_COOKIE. BuddyPress needs to stripslashes() on
> relevant content before we put it into the database, as $wpdb->prepare()
> escapes the input again.
> This problem hasn't been very visible due to stripslashes() being added
> to most template tags' output functions, and a few local workarounds, but
> ticket #1209 led me to find this issue.
New description:
Throughout BuddyPress, a lot of input (i.e. xprofile data, group name,
group description) is being stored double-escaped in the database. This is
demonstrated by creating a group with an apostrophe in its group
description field, and then by creating a regular WP post with the same
phrase, and comparing the contents of the database tables.
This is because WordPress, in wp_magic_quotes(), escapes everything in
$_POST, $_GET and $_COOKIE. BuddyPress needs to stripslashes() on relevant
content before we put it into the database, as $wpdb->prepare() escapes
the input again.
This problem hasn't been very visible due to stripslashes() being added to
most template tags' output functions, and a few local workarounds, but
ticket #1209 led me to find this issue.
Related:
#1209
#2283
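The escaping chain the description lays out, as an added example that is not BuddyPress or WordPress code: it models what wp_magic_quotes() leaves in $_POST, the escaping $wpdb->prepare() applies to a %s argument, and MySQL resolving those escape sequences on INSERT, each with a plain PHP string function, so it runs without a database. The stand-ins (addslashes() for the two escaping steps, stripslashes() for the database consuming the escapes) and every function name below are the example's own assumptions, not WordPress APIs.

```php
<?php
/*
 * Added example, not BuddyPress or WordPress code. Models the escaping
 * chain from ticket #2776 with plain PHP string functions:
 *   - wp_magic_quotes() slashing $_POST/$_GET/$_COOKIE is modelled with
 *     addslashes();
 *   - the escaping $wpdb->prepare() performs for a %s placeholder is
 *     modelled with addslashes() as a stand-in for esc_sql();
 *   - MySQL consuming the escape sequences when the row is written is
 *     modelled with stripslashes().
 * All function names here are the example's own.
 */

/** Step 1: what wp_magic_quotes() leaves in the request superglobals. */
function model_magic_quotes(string $value): string
{
    return addslashes($value);
}

/** Step 2: the escaping applied inside $wpdb->prepare() for a %s argument. */
function model_prepare_escape(string $value): string
{
    return addslashes($value);
}

/** Step 3: MySQL resolving the escape sequences as the row is stored. */
function model_mysql_store(string $escaped): string
{
    return stripslashes($escaped);
}

/** The buggy path: slashed request data goes straight into prepare(). */
function store_without_stripslashes(string $request_value): string
{
    return model_mysql_store(model_prepare_escape($request_value));
}

/** The fix the ticket asks for: stripslashes() once, before prepare(). */
function store_with_stripslashes(string $request_value): string
{
    return model_mysql_store(model_prepare_escape(stripslashes($request_value)));
}

/** The check from the ticket: does the stored value match what was typed? */
function stored_matches_input(string $stored, string $typed): bool
{
    return $stored === $typed;
}

// Constructed input: a group description containing an apostrophe.
$browser_sent = "Bob's group";
$post_value   = model_magic_quotes($browser_sent);   // as BuddyPress sees it in $_POST

$buggy = store_without_stripslashes($post_value);
$fixed = store_with_stripslashes($post_value);

printf('browser sent : %s%s', $browser_sent, PHP_EOL);
printf('in $_POST    : %s%s', $post_value, PHP_EOL);
printf('stored (bug) : %s  matches input: %s%s',
    $buggy, stored_matches_input($buggy, $browser_sent) ? 'yes' : 'no', PHP_EOL);
printf('stored (fix) : %s  matches input: %s%s',
    $fixed, stored_matches_input($fixed, $browser_sent) ? 'yes' : 'no', PHP_EOL);
```

Run it with the php CLI. The buggy path keeps the backslash that wp_magic_quotes() added in the stored value, which is exactly the difference the ticket describes between a BuddyPress group row and a regular WP post row. The fix belongs at input time, once, before the value reaches $wpdb->prepare(); the stripslashes() calls in template output functions only mask the stored slash and would also strip backslashes a user legitimately typed.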
--
Comment (by DJPaul):
T
--
Ticket URL: <http://trac.buddypress.org/ticket/2776#comment:5>
BuddyPress <http://buddypress.org/>