[wp-trac] [WordPress Trac] #3036: theme-editor.php broken:
stripslashes() and add_magic_quotes() screw up CR LFs
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 15 15:10:30 GMT 2006
#3036: theme-editor.php broken: stripslashes() and add_magic_quotes() screw up CR
LFs
----------------------------+-----------------------------------------------
Reporter: astounding | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone:
Component: Administration | Version: 2.0.4
Severity: major | Keywords: theme-editor.php
----------------------------+-----------------------------------------------
Hi,
I'm running WordPress 2.0.4 (installed this past weekend) under PHP 5 (and
configured so that get_magic_quotes_gpc() returns zero--PHP's magic quotes
are the spawn of the devil in my opinion and have caused more trouble for
PHP users... I digress...)
When I tried editing theme files with the theme editor (theme-editor.php),
as soon as the edit was submitted, the file was totally screwed up. Where
before there were newlines in the file, now the character pairs "rn"
appeared (no slashes).
I traced it down to this:
theme-editor.php requires admin.php which requires wp-config.php which in
turn includes wp-settings.php.
In wp-settings.php, the _POST array gets bulk-quoted with this line:
    $_POST = add_magic_quotes($_POST );
Later on in theme-editor.php, there's this line:
    $newcontent = stripslashes($_POST['newcontent']);
These two things screw things up together. The first converts all CR LF
pairs to "\r\n" (backslashes followed by "r" and "n"). The next strips
out the slashes. The end result: All newlines get converted to "rn"
which is meaningless to web browsers, web servers, etc. Do it to an
important theme file and watch your WordPress site be useless.
So... What's the fix? Hasn't this issue turned up for other (all?)
users? Or if PHP's built-in magic quotes are ON, does the process of
removing 'em and adding 'em back in the wp-settings.php file NOT convert
CR LF characters? It's a biggie.
My current work-around is a preg_replace() in theme-editor.php to convert
"\r" and "\n" back to the actual CR and LF characters just before
stripslashes() gets called. This seems to me to be an ugly kludge to the
real problem. But maybe a true design fix would require far too much
work, potentially introducing loads more bugs...
Thanks!
--
Ticket URL: <http://trac.wordpress.org/ticket/3036>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
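
The mismatch the report describes, as an added example that is not part of the original ticket or of WordPress's code. `sql_style_escape()` and `sql_style_unescape()` are hypothetical stand-ins, assuming an escaping step that rewrites CR and LF as backslash sequences the way the reporter observed; the sample input is constructed.

```php
<?php
// Hypothetical stand-in for the escaping step in the report: besides quotes
// and backslashes, it rewrites CR, LF and NUL as two-character backslash
// sequences (MySQL-style string escaping behaves this way).
function sql_style_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\r" => "\\r",  "\n" => "\\n", "\0" => "\\0",
    ]);
}

// Exact inverse of sql_style_escape(). strtr() scans left to right and never
// rescans its own output, so an escaped backslash followed by "n" comes back
// as the two characters backslash + n, not as a line feed.
function sql_style_unescape(string $s): string {
    return strtr($s, [
        "\\\\" => "\\", "\\'" => "'", '\\"' => '"',
        "\\r"  => "\r", "\\n" => "\n", "\\0" => "\0",
    ]);
}

// Constructed sample: a template fragment with CRLF line endings, both quote
// styles, and a literal backslash + n inside a quoted string.
$original = "<p class=\"x\">it's</p>\r\n<script>var s = 'a\\n';</script>\r\n";

$escaped = sql_style_escape($original);

// The pairing from the report: stripslashes() only drops each backslash, so
// the escaped line endings lose their meaning instead of being restored.
$mismatched = stripslashes($escaped);

// Matching inverse: every escape sequence maps back to its original byte.
$matched = sql_style_unescape($escaped);

printf("stripslashes() round trip intact:      %s\n",
    var_export($mismatched === $original, true));
printf("matching unescape round trip intact:   %s\n",
    var_export($matched === $original, true));
printf("last two bytes after stripslashes():   %s\n",
    json_encode(substr($mismatched, -2)));
printf("last two bytes after matching inverse: %s\n",
    json_encode(substr($matched, -2)));
```

A byte-for-byte comparison of the unescaped value against the submitted value, as done here, is the check that catches an escape/unescape pair that are not inverses before the result is written to a file.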