[wp-trac] [WordPress Trac] #13090: Widget Update Error

WordPress Trac wp-trac at lists.automattic.com
Fri Apr 23 02:43:22 UTC 2010


#13090: Widget Update Error
--------------------------+-------------------------------------------------
 Reporter:  greaterweb    |       Owner:  azaozz    
     Type:  defect (bug)  |      Status:  new       
 Priority:  normal        |   Milestone:  Unassigned
Component:  Widgets       |     Version:  2.9.2     
 Severity:  normal        |    Keywords:            
--------------------------+-------------------------------------------------
 A client of mine appears to have surfaced a bug when saving updates to a
 widget. This bug was originally discovered through an update to a custom
 slider widget I had developed. Further testing has replicated the issue
 with other widgets including the basic WordPress text widget.

 Turns out widget text (text ''input'' or ''textarea'') cannot contain the
 words '''select''' and '''from''', specifically in that order. An error
 remains present even if words are inserted between the two such as '''I
 selected WordPress as the best software from Automattic'''. Reversing the
 order of words will not trigger an error.


 == To Replicate ==
 Place a text widget in one of your widget areas. Enter the text '''select
 from''' in either the title ''input'' or main ''textarea'' box. Hit save
 and the circular icon will pop up (as expected), though as the ajax update
 fails the icon remains present.

 I was still able to replicate the issue even after disabling all plugins
 and reverting to the default WordPress theme.


 == The Error ==
 It seems pretty apparent that we have a bit of SQL injection prevention
 kicking in. I have tested this on two separate client sites and did some
 ajax debugging with the aid of Firebug. What is odd is one site makes the
 request to ''wp-admin/admin-ajax.php'' and gets a ''500 Internal Server
 Error''. An identical test on a second site returns a ''404 Not Found'' for
 the ''wp-admin/admin-ajax.php'' request. Both of these sites reside on the
 same web server.

 As an additional debugging measure, on the site with the ''500 Internal
 Server Error'', I stripped out the entire contents of the
 ''wp-admin/admin-ajax.php'' file. The same ''500 Internal Server Error'' is
 returned for the ajax request to the blank file. We are choking somewhere
 before we actually get to the php file. I'll poke around some javascript
 next.

 I couldn't find a ticket for anything similar and was unable to get anyone
 to confirm/replicate with a [http://wordpress.org/support/topic/390575
 post in the forums].

 Thanks!

 -Ron
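As an added illustration (not code from the ticket, from WordPress or from any web server filter), the following Python sketch shows why a keyword-based "select ... from" request filter of the kind the reporter suspects rejects ordinary prose, and how a parameterized query stores the very same widget text safely without any keyword blocklist. The regex, the sqlite table and the sample texts are constructed for this example.

```python
import re
import sqlite3

# Constructed stand-in for a naive request filter sitting in front of
# admin-ajax.php: any body matching "select ... from" (in that order) is
# rejected. This is not WordPress or mod_security code.
NAIVE_SQLI_PATTERN = re.compile(r"select.*from", re.IGNORECASE | re.DOTALL)


def naive_filter_blocks(body: str) -> bool:
    """Return True if the keyword-based filter would reject this request body."""
    return NAIVE_SQLI_PATTERN.search(body) is not None


def save_widget_text_safely(text: str) -> str:
    """Store widget text with a parameterized query and read it back.

    The driver binds `text` as data, so SQL keywords inside it are inert.
    This is the defense that makes a keyword blocklist unnecessary.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widget_options (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute(
        "INSERT INTO widget_options (name, value) VALUES (?, ?)",
        ("widget_text", text),
    )
    (stored,) = conn.execute(
        "SELECT value FROM widget_options WHERE name = ?", ("widget_text",)
    ).fetchone()
    conn.close()
    return stored


# Constructed sample widget texts based on the ticket's description.
SAMPLES = [
    "select from",                                                # blocked
    "I selected WordPress as the best software from Automattic",  # blocked: false positive
    "from select",                                                # allowed: order reversed
    "Hello world",                                                # allowed
]


def false_positive_report() -> dict:
    """Map each sample text to whether the naive filter would block it."""
    return {s: naive_filter_blocks(s) for s in SAMPLES}


if __name__ == "__main__":
    for text, blocked in false_positive_report().items():
        print(f"{'BLOCKED' if blocked else 'allowed'}: {text!r}")
    # The parameterized path stores every sample verbatim, keywords and all.
    for text in SAMPLES:
        assert save_widget_text_safely(text) == text
```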

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13090>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software