[wp-trac] [WordPress Trac] #10563: Text widget adds extra slashes when edited by someone without the unfiltered_html capability
WordPress Trac
wp-trac at lists.automattic.com
Fri Aug 7 01:26:31 UTC 2009
#10563: Text widget adds extra slashes when edited by someone without the
unfiltered_html capability
--------------------------+-------------------------------------------------
Reporter: jamescollins | Owner: azaozz
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.9
Component: Widgets | Version: 2.8
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
(This bug was [http://trac.mu.wordpress.org/ticket/1067 originally
identified in WordPress Mu])

In [10802], the stripslashes() call was removed from the text widget:

{{{$text = stripslashes(wp_filter_post_kses( $widget_text['text'] ));}}}

changed to:

{{{$instance['text'] = wp_filter_post_kses( $new_instance['text'] );}}}

This bug will only affect users without the unfiltered_html capability.

In WP, admins and editors have this capability by default, so this bug
hasn't been noticed.

In WPMU, users don't have the unfiltered_html capability (except site
admins) so this causes extra slashes to be added when editing a text
widget.

[http://trac.mu.wordpress.org/ticket/1067#comment:9 Donncha has just
checked in a change in WPMU], and I think this change should be applied to
WP as well.

You can see
[http://core.trac.wordpress.org/browser/trunk/wp-includes/kses.php#L1062 here]
that the wp_filter_post_kses() function adds
slashes. So logically whenever this function is used, stripslashes() needs
to be used as well.

If you remove the unfiltered_html capability from the administrator user
role (using role manager or similar), you will see that when editing a
text widget, the extra slashes are added.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10563>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
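
Added example, not part of the ticket and not WordPress core code: a stand-alone PHP model of the save path described above, showing why only users without unfiltered_html see the slashes and that stripslashes() removes them without undoing the tag filtering. The function names, the strip_tags() allow-list standing in for kses, and the sample input are assumptions made for illustration.

```php
<?php
// Stand-in for wp_filter_post_kses(): the ticket states it returns slashed data.
// Assumption: it also unslashes its input before filtering. strip_tags() with
// an allow-list is only a placeholder for the real kses tag filter.
function model_filter_post_kses(string $data): string {
    $filtered = strip_tags(stripslashes($data), '<a><b><em><strong>');
    return addslashes($filtered);
}

// Hypothetical model of the text widget's save step.
// $unfiltered_html : whether the editing user has the unfiltered_html capability
// $strip_after     : apply stripslashes() to the filter's return value
function model_save_widget_text(string $text, bool $unfiltered_html, bool $strip_after): string {
    if ($unfiltered_html) {
        return $text;                       // stored as entered, filter never runs
    }
    $clean = model_filter_post_kses($text);
    return $strip_after ? stripslashes($clean) : $clean;
}

// Constructed sample input containing quotes and one tag outside the allow-list.
$input = 'It\'s <b>"bold"</b> and <blink>blinking</blink>';

$cases = [
    'has capability'                   => [true,  false],
    'no capability, no stripslashes'   => [false, false],
    'no capability, with stripslashes' => [false, true],
];

// Print what each variant would store for the same submitted text.
foreach ($cases as $label => [$cap, $strip]) {
    printf("%-34s %s\n", $label . ':', model_save_widget_text($input, $cap, $strip));
}
```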