[wp-trac] [WordPress Trac] #9727: missing escape in wp_update_post?
WordPress Trac
wp-trac at lists.automattic.com
Tue May 5 12:36:00 GMT 2009
#9727: missing escape in wp_update_post?
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner: anonymous
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.8
Component: General | Version: 2.8
Severity: normal | Keywords: 2nd-opinion dev-feedback
-------------------------------+--------------------------------------------
Noticed this while looking into #9539. wp_update_post() starts like this:
{{{
function wp_update_post($postarr = array()) {
	if ( is_object($postarr) )
		$postarr = get_object_vars($postarr);

	// First, get all of the original fields
	$post = wp_get_single_post($postarr['ID'], ARRAY_A);

	// Escape data pulled from DB.
	$post = add_magic_quotes($post);
}}}
Shouldn't it be:
{{{
function wp_update_post($postarr = array()) {
	if ( is_object($postarr) ) {
		// non-escaped post was passed
		$postarr = get_object_vars($postarr);
		$postarr = add_magic_quotes($postarr);
	}

	// First, get all of the original fields
	$post = wp_get_single_post($postarr['ID'], ARRAY_A);

	// Escape data pulled from DB.
	$post = add_magic_quotes($post);
}}}
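As an added, self-contained PHP illustration (not WordPress code, and not part of the ticket) of the inconsistency the report points at: the array path of wp_update_post() is expected to receive already-slashed data, while the object path feeds the raw values from get_object_vars() into the same downstream code. The helpers slash_deep() and unslash_deep() below are simplified stand-ins for add_magic_quotes() and stripslashes_deep(), and the final unslash step assumes, as the ticket implies, that later code treats $postarr as slashed.

```php
<?php
// Simplified stand-in for add_magic_quotes(): addslashes() on strings,
// recursing into nested arrays. Assumption: this is the only behaviour
// the ticket relies on.
function slash_deep(array $data): array {
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = slash_deep($value);
        } elseif (is_string($value)) {
            $data[$key] = addslashes($value);
        }
    }
    return $data;
}

// Simplified stand-in for stripslashes_deep(): the reverse operation.
function unslash_deep(array $data): array {
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = unslash_deep($value);
        } elseif (is_string($value)) {
            $data[$key] = stripslashes($value);
        }
    }
    return $data;
}

// Constructed sample: post content that legitimately contains a quote and a
// backslash, exactly the characters slashing is meant to protect.
$raw = [
    'ID'           => 1,
    'post_content' => "It's in C:\\temp",
];

// Path A: caller passes an array and, per the convention the ticket assumes,
// has slashed it already.
$fromArray = slash_deep($raw);

// Path B: caller passes an object; get_object_vars() returns the raw values
// and, in the current code, nothing slashes them.
$fromObject = get_object_vars((object) $raw);

// Downstream code treats both as slashed and unslashes once before storage.
$storedFromArray  = unslash_deep($fromArray)['post_content'];
$storedFromObject = unslash_deep($fromObject)['post_content'];

echo "array path : ", $storedFromArray, PHP_EOL;
echo "object path: ", $storedFromObject, PHP_EOL;
echo "identical  : ", ($storedFromArray === $storedFromObject ? 'yes' : 'no'), PHP_EOL;
```

Run with `php example.php`: the array path round-trips the content unchanged, while the object path loses the backslash because stripslashes() is applied to data that was never slashed. Adding the add_magic_quotes() call inside the is_object() branch, as the ticket proposes, makes both paths hand identical data to the code that follows.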
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9727>