[wp-hackers] Filter for '

Dion Hulse (dd32) wordpress at dd32.id.au
Fri Sep 2 13:48:59 UTC 2011


On 2 September 2011 23:40, Scott Kingsley Clark <scott at skcdev.com> wrote:

>
> If you *absolutely had to* remove it, you could hook into
> 'sanitize_comment_cookies' to stripslashes_deep($_var) on the global
> arrays you're after.
>

But *NEVER do this* and store the result back into the superglobal. Not
unless you want to open your site up to security issues from all the plugins
out there that expect slashed data, and break quotes in posts/comments
at the same time. (Tip: this is why WordPress can't just turn off magic
quotes and be done with it. Doing so would introduce security issues into
older plugins, and well, most new ones too.)

For a ray of sunshine in an otherwise dark world of quoting: pretty much
every developer out there wants to get rid of it; it's just the security
implications it'd cause. See
http://core.trac.wordpress.org/ticket/18322 for very early discussions
of moving away from it.
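As an added illustration of the point made in this reply (this is not code from the thread or from WordPress core), the script below shows what happens to a plugin that relies on WordPress's slashed superglobals when a hook writes stripslashes_deep() output back into $_POST. The helpers add_magic_quotes_demo() and stripslashes_deep_demo() are simplified stand-ins for core's add_magic_quotes() and stripslashes_deep(); the table name wp_demo, the plugin functions and the sample request data are all constructed for the example.

```php
<?php
// Added example, not WordPress core. Simplified stand-ins for the helpers
// named in the thread: core's wp_magic_quotes() applies add_magic_quotes()
// to $_GET/$_POST/$_COOKIE, and stripslashes_deep() reverses it.
function add_magic_quotes_demo( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'add_magic_quotes_demo', $value );
    }
    return is_string( $value ) ? addslashes( $value ) : $value;
}

function stripslashes_deep_demo( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'stripslashes_deep_demo', $value );
    }
    return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Legacy plugin pattern (hypothetical): interpolates the superglobal straight
// into SQL, so the slashes WordPress added are its only "escaping".
function legacy_plugin_query( array $post ) {
    return "SELECT * FROM wp_demo WHERE name = '" . $post['name'] . "'";
}

// Plugin written against the slashed convention (hypothetical): unslashes a
// local copy and escapes at the query boundary, never touching $_POST itself.
// sprintf + addslashes stands in for $wpdb->prepare( "... %s", $name ).
function modern_plugin_query( array $post ) {
    $name = stripslashes_deep_demo( $post['name'] ); // local copy only
    return sprintf( "SELECT * FROM wp_demo WHERE name = '%s'", addslashes( $name ) );
}

// Stand-in for a core-style function that expects SLASHED input and
// unslashes it before storing (the convention plugins are written against).
function store_demo( $slashed_value ) {
    return stripslashes( $slashed_value );
}

// Constructed request data: a browser would send these values unslashed.
$raw_post = array(
    'name' => "O'Brien' OR '1'='1",
    'path' => 'C:\\Users\\me',
);

// 1. How WordPress presents the request after wp_magic_quotes(): slashed.
$_POST = add_magic_quotes_demo( $raw_post );
echo legacy_plugin_query( $_POST ), "\n";
// SELECT * FROM wp_demo WHERE name = 'O\'Brien\' OR \'1\'=\'1'  (quotes neutralised)
echo store_demo( $_POST['path'] ), "\n";
// C:\Users\me  (backslashes survive the expected unslash)

// 2. After a sanitize_comment_cookies hook stored stripslashes_deep() output
//    back into the superglobal, the thing the reply says NEVER to do:
$_POST = stripslashes_deep_demo( $_POST );
echo legacy_plugin_query( $_POST ), "\n";
// SELECT * FROM wp_demo WHERE name = 'O'Brien' OR '1'='1'       (now injectable)
echo store_demo( $_POST['path'] ), "\n";
// C:Usersme  (unslashed twice: data that reached core-style code is mangled)

// 3. The plugin that keeps its unslashing local and escapes at the boundary
//    produces a safe query from the slashed superglobal without changing it.
$_POST = add_magic_quotes_demo( $raw_post );
echo modern_plugin_query( $_POST ), "\n";
// SELECT * FROM wp_demo WHERE name = 'O\'Brien\' OR \'1\'=\'1'
```

Run it with `php example.php`. Step 2 is the failure mode described above: the legacy query loses its only protection, and a core-style function that unslashes what it assumes is slashed input strips real backslashes from already-unslashed data. Step 3 is the pattern the reply recommends, unslashing a local copy rather than the superglobal.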

