[wp-trac] [WordPress Trac] #13655: Login/Install/User Edit should stripslashes() $_POST data
WordPress Trac
wp-trac at lists.automattic.com
Sun Aug 8 13:36:01 UTC 2010
#13655: Login/Install/User Edit should stripslashes() $_POST data
----------------------------+-----------------------------------------------
Reporter: dd32 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Triage
Component: Administration | Version: 3.0
Severity: normal | Keywords: has-patch
----------------------------+-----------------------------------------------
Changes (by johanee):
* cc: johan.eenfeldt@… (added)
* keywords: needs-patch => has-patch
Comment:
Attaching patch to fix this.
All paths for creating / editing users have been tested, including
migration of un-stripslashed passwords.
Not directly regarding this issue:
Slashes handling in wp_insert_user, wp_create_user, + callers is rather
convoluted (though less so for passwords compared to other fields).
It took more than one read-through of the code to convince myself that
user name handling is valid (it all gets fixed by a strict sanitize_user()
in the end), and I'm still not entirely certain that the user_meta fields
could not somehow get it wrong.
It could do with some reorganization, really.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13655#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software