[wp-trac] [WordPress Trac] #13655: Login/Install/User Edit should stripslashes() $_POST data

WordPress Trac wp-trac at lists.automattic.com
Sat Oct 23 21:38:47 UTC 2010


#13655: Login/Install/User Edit should stripslashes() $_POST data
----------------------------+-----------------------------------------------
 Reporter:  dd32            |       Owner:                 
     Type:  defect (bug)    |      Status:  new            
 Priority:  normal          |   Milestone:  Awaiting Triage
Component:  Administration  |     Version:  3.0            
 Severity:  normal          |    Keywords:  has-patch      
----------------------------+-----------------------------------------------

Comment(by johanee):

 ''Posted from Wordcamp Stockholm''

 I've gone back and thought more about the best way to implement this. I
 also found a bug in the current patch -- will update.

 My first solution stripslashes passwords on input. This differs from how
 strings are generally handled: keep them slash'ed until the very end.

 It is possible to delay stripslashing until calls to wp_hash_password().
 This corresponds with how other wp_insert_user() strings are handled.

 I've made another version implementing this.

 It does however raise a question: what password version should be sent to
 the authenticate filters: slashed (like it's always been) or stripslashed
 (which might be more intuitive)?

 In the new version of the patch I've left it as-is (slashed for the
 filters). In the original version it is stripslashed. For variety!

 Please comment if any of these approaches is acceptable.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13655#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
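
The slashed-versus-stripslashed question raised in the comment above, as an added example that is not part of the original message or of the ticket's patch: it shows why the hashing path and the checking path must agree on which form of the password they see. It assumes `$_POST` values arrive slashed, as the ticket title implies; PHP's `password_hash()`/`password_verify()` stand in for `wp_hash_password()` and its check, and all function names and sample passwords are hypothetical.

```php
<?php
// Added illustration; not WordPress core code and not the ticket's patch.
// password_hash()/password_verify() stand in for WordPress's own hashing.

// Assumption: request data reaches the code slashed, so a typed password
// is seen in its addslashes() form.
function simulate_slashed_post(string $typed): string {
    return addslashes($typed);
}

// Approach from the comment: keep the value slashed until the very end
// and strip only at hashing time.
function hash_password_late_strip(string $slashed): string {
    return password_hash(stripslashes($slashed), PASSWORD_DEFAULT);
}

// Check that strips before comparing (consistent with the hashing path).
function check_stripped(string $slashed, string $hash): bool {
    return password_verify(stripslashes($slashed), $hash);
}

// Check that compares the slashed value as received (inconsistent path).
function check_slashed(string $slashed, string $hash): bool {
    return password_verify($slashed, $hash);
}

// Constructed sample passwords: one plain, three containing characters
// that addslashes() escapes (quote, backslash, double quote).
$samples = ['correct horse', "o'brien", 'back\\slash', 'say "hi"'];

foreach ($samples as $typed) {
    $posted = simulate_slashed_post($typed);
    $hash   = hash_password_late_strip($posted);
    printf(
        "%-14s posted as %-16s strip-on-check=%s slashed-on-check=%s\n",
        $typed,
        $posted,
        check_stripped($posted, $hash) ? 'ok' : 'FAIL',
        check_slashed($posted, $hash) ? 'ok' : 'FAIL'
    );
}
```

Only the password without escapable characters passes both checks; the others fail whenever one path strips slashes and the other does not, which is the same mismatch a filter would hit if it received the slashed form and compared it against an unslashed credential.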

