[wp-trac] [WordPress Trac] #11253: update_option escapes input but get_option doesn't un-escape
WordPress Trac
wp-trac at lists.automattic.com
Tue Nov 24 19:06:21 UTC 2009
#11253: update_option escapes input but get_option doesn't un-escape
--------------------------+-------------------------------------------------
Reporter: nullvariable | Owner: westi
Type: defect (bug) | Status: new
Priority: normal | Milestone: Unassigned
Component: Plugins | Version: 2.8.5
Severity: trivial | Keywords:
--------------------------+-------------------------------------------------
Version: WordPress MU 2.8.6
Duplicate the issue:
Write any data to an update_option value in the database and include
quotes in it.
Problem is in the source code (verified by reading line 167+ of
/wp-includes/functions.php)
Server: Apache2, PHP5
Details:
Adding an option to the database using update_option() (line 228+ of
functions.php) will cause any quotes to be escaped. However, output
returned by get_option() (line 167+) does not un-escape this value. It
seems with PHP5 that even if I escape my own data it gets escaped again,
so anytime I expect to use HTML or quotes in an option field I have to
make sure there's a stripslashes applied to the get_option output. Makes
sense to me that if we escape the content on the way in we should
un-escape the content on the way back out. But I could be wrong.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11253>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
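
The round trip the ticket describes, as an added example (not WordPress code and not from the reporter): it models an options table in in-memory SQLite through PDO, with hypothetical `store_option()`, `load_option()` and `report()` helpers and a constructed sample value. It shows that escaping applied by the query layer does not end up in the stored data, while a value slashed before it reaches the store comes back with the slashes in it.

```php
<?php
// Added illustration, not WordPress code. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE options (name TEXT PRIMARY KEY, value TEXT)');

// Hypothetical helper: write through bound parameters, no manual escaping.
function store_option(PDO $db, string $name, string $value): void
{
    $stmt = $db->prepare('REPLACE INTO options (name, value) VALUES (?, ?)');
    $stmt->execute([$name, $value]);
}

// Hypothetical helper: read the value back exactly as the database holds it.
function load_option(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT value FROM options WHERE name = ?');
    $stmt->execute([$name]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Hypothetical helper: print whether the value read back matches the original.
function report(string $label, ?string $read, string $expected): void
{
    printf("%-26s %s  %s\n", $label, $read === $expected ? 'intact ' : 'CHANGED', $read);
}

$raw = '<a href="/about">Bob\'s page</a>'; // constructed sample value

// 1. Raw value written with a bound parameter.
store_option($db, 'footer', $raw);
report('bound parameter:', load_option($db, 'footer'), $raw);

// 2. Raw value escaped by the query layer while the SQL string is built.
//    The SQL parser consumes that escaping; it is not part of the stored data.
$db->exec('REPLACE INTO options (name, value) VALUES ('
    . $db->quote('footer') . ', ' . $db->quote($raw) . ')');
report('query-layer escaping:', load_option($db, 'footer'), $raw);

// 3. Value slashed before it reaches the store (by the caller, or by request
//    data that arrives already slashed). The backslashes are now data.
store_option($db, 'footer', addslashes($raw));
$read = load_option($db, 'footer');
report('slashed before storing:', $read, $raw);
report('  after stripslashes():', stripslashes($read), $raw);
```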