[wp-trac] [WordPress Trac] #13655: Login/Install/User Edit should stripslashes() $_POST data
WordPress Trac
wp-trac at lists.automattic.com
Sat Oct 23 21:38:47 UTC 2010
#13655: Login/Install/User Edit should stripslashes() $_POST data
----------------------------+-----------------------------------------------
Reporter: dd32 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Triage
Component: Administration | Version: 3.0
Severity: normal | Keywords: has-patch
----------------------------+-----------------------------------------------
Comment(by johanee):
''Posted from Wordcamp Stockholm''

I've gone back and thought more about the best way to implement this. I
also found a bug in the current patch -- will update.

My first solution stripslashes passwords on input. This differs from how
strings are generally handled: keep them slash'ed until the very end.

It is possible to delay stripslashing until calls to wp_hash_password().
This corresponds with how other wp_insert_user() strings are handled.
I've made another version implementing this.

It does however raise a question: what password version should be sent to
the authenticate filters: slashed (like it's always been) or stripslashed
(which might be more intuitive)?

In the new version of the patch I've left it as-is (slashed for the
filters). In the original version it is stripslashed. For variety!

Please comment if any of these approaches is acceptable.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13655#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
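
The two placements of stripslashes() discussed in the comment above, next to the case where nothing strips the slashes, as an added example that is not part of the original message or of the patch on the ticket. It assumes addslashes() as a stand-in for the slashing applied to $_POST and password_hash()/password_verify() as stand-ins for wp_hash_password() and its check; every function name defined here is hypothetical.

```php
<?php
// Added illustration, not WordPress code and not the patch on ticket #13655.
// Assumptions: addslashes() models the slashing applied to $_POST, and
// password_hash()/password_verify() model wp_hash_password() and its check.

// Model request data arriving slashed.
function slashed_post(array $raw): array {
    return array_map('addslashes', $raw);
}

// Approach 1 in the comment: stripslash the password on input.
function hash_strip_on_input(array $post): string {
    $password = stripslashes($post['pass1']);
    return password_hash($password, PASSWORD_DEFAULT);
}

// Approach 2 in the comment: carry the slashed string like any other
// field and stripslash only at the hashing call.
function hash_strip_at_hash(array $post): string {
    $password = $post['pass1']; // still slashed at this point
    return password_hash(stripslashes($password), PASSWORD_DEFAULT);
}

// Neither approach applied: the slashed string is what gets hashed.
function hash_never_stripped(array $post): string {
    return password_hash($post['pass1'], PASSWORD_DEFAULT);
}

// Constructed sample: a password containing quotes and a backslash.
$typed = 'it\'s "my" pass\\word';
$post  = slashed_post(['pass1' => $typed]);

// Does the stored hash match the password exactly as the user typed it?
$matches = [
    'strip on input'     => password_verify($typed, hash_strip_on_input($post)),
    'strip at hash call' => password_verify($typed, hash_strip_at_hash($post)),
    'never stripped'     => password_verify($typed, hash_never_stripped($post)),
];

foreach ($matches as $label => $ok) {
    printf("%-20s %s\n", $label, $ok ? 'matches typed password' : 'MISMATCH');
}

// What a filter would receive under each choice raised in the comment.
printf("slashed for filters:      %s\n", $post['pass1']);
printf("stripslashed for filters: %s\n", stripslashes($post['pass1']));
```

Both placements store the same hash for the same typed password; they differ only in which form of the string is visible to code that runs between input and hashing, which is the filter question the comment asks.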