[wp-trac] [WordPress Trac] #24248: 'guid' not properly escaped

WordPress Trac noreply at wordpress.org
Thu May 9 04:30:17 UTC 2013


#24248: 'guid' not properly escaped
-------------------------------------+------------------------------
 Reporter:  meloniq                  |       Owner:
     Type:  defect (bug)             |      Status:  new
 Priority:  normal                   |   Milestone:  Awaiting Review
Component:  Post Types               |     Version:  trunk
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |
-------------------------------------+------------------------------
Description changed by SergeyBiryukov:

Old description:

> Probably related issues: [#18274] [#19248]
>
> 'guid' being saved in database not properly escaped, example:
> {{{http://www.wordpress.dev/?post_type=changeset&p=57}}} , see the
> ampersand encode {{{&}}}
> It is supposed to be {{{&}}} or at least {{{&}}}
>
> Once 'auto-draft' saved, 'guid' is correct:
> {{{http://www.wordpress.dev/?post_type=changeset&p=57}}}
>
> Once post is saved as 'draft' or published (triggered 'update post' on
> auto-draft), 'guid' gets malformed.
>
> Source of issue: inappropriate usage of {{{get_post_field()}}} function
> in the {{{wp_insert_post()}}}
>
> {{{get_post_field()}}} defaults to 'display' context, we do not specify
> context while obtaining field, and in the {{{wp_insert_post()}}} we are
> not going to display it anywhere, just get, check, and save again,
> correct?
>
> Attached patch adds the 'raw' context to usage of {{{get_post_field()}}}
> with 'guid'

New description:

 Probably related issues: #18274 #19248

 'guid' being saved in database not properly escaped, example:
 {{{http://www.wordpress.dev/?post_type=changeset&p=57}}} , see the
 ampersand encode {{{&}}}
 It is supposed to be {{{&}}} or at least {{{&}}}

 Once 'auto-draft' saved, 'guid' is correct:
 {{{http://www.wordpress.dev/?post_type=changeset&p=57}}}

 Once post is saved as 'draft' or published (triggered 'update post' on
 auto-draft), 'guid' gets malformed.

 Source of issue: inappropriate usage of {{{get_post_field()}}} function in
 the {{{wp_insert_post()}}}

 {{{get_post_field()}}} defaults to 'display' context, we do not specify
 context while obtaining field, and in the {{{wp_insert_post()}}} we are
 not going to display it anywhere, just get, check, and save again,
 correct?

 Attached patch adds the 'raw' context to usage of {{{get_post_field()}}}
 with 'guid'

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/24248#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
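
Added example, not part of the ticket or of WordPress core: a minimal PHP model of the get, check and save-again cycle that the description attributes to wp_insert_post(), run once with the default 'display' context and once with 'raw'. The demo_* functions and the in-memory $posts array are hypothetical, and htmlspecialchars() is an assumed stand-in for the escaping a 'display' context applies.

```php
<?php
// Added illustration; not WordPress core code. The array below is a constructed
// stand-in for the posts table, and htmlspecialchars() stands in for the
// escaping that a 'display' context applies (assumption).
$posts = [57 => ['guid' => 'http://www.wordpress.dev/?post_type=changeset&p=57']];

// Hypothetical reader: escapes for output unless the caller asks for 'raw'.
function demo_get_field(array $posts, int $id, string $field, string $context = 'display'): string {
    $value = $posts[$id][$field];
    return $context === 'raw' ? $value : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical update path: get the stored guid, check it, save it again.
function demo_update_post(array &$posts, int $id, string $context): void {
    $guid = demo_get_field($posts, $id, 'guid', $context);
    if ($guid !== '') {
        $posts[$id]['guid'] = $guid; // written back exactly as it was read
    }
}

// Audit helper: true when a stored value already carries an entity-encoded
// ampersand, i.e. output escaping has leaked into storage.
function demo_guid_is_encoded(string $guid): bool {
    return preg_match('/&(amp|#0*38|#x0*26);/i', $guid) === 1;
}

$buggy = $posts; // copy updated through the default 'display' context
$fixed = $posts; // copy updated through the 'raw' context
for ($save = 1; $save <= 2; $save++) {
    demo_update_post($buggy, 57, 'display'); // output escaping on a write path
    demo_update_post($fixed, 57, 'raw');     // context the attached patch passes
}

// Print both stored values and the audit result for each.
echo $buggy[57]['guid'], "\n";
echo $fixed[57]['guid'], "\n";
var_dump(demo_guid_is_encoded($buggy[57]['guid']));
var_dump(demo_guid_is_encoded($fixed[57]['guid']));
```

Run with the PHP CLI: the copy read through 'display' picks up another layer of entity encoding on every save, while the copy read through 'raw' is stored unchanged.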

