[wp-trac] [WordPress Trac] #27216: wp_ajax_time_format() and wp_ajax_date_format() need to return unslashed data

Wed Feb 26 22:10:31 UTC 2014

#27216: wp_ajax_time_format() and wp_ajax_date_format() need to return unslashed
data
----------------------------+-----------------------------
 Reporter:  GregLone        |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:  3.4
 Severity:  normal          |   Keywords:
  Focuses:  ui              |
----------------------------+-----------------------------
 Hello.

 `wp_ajax_time_format()` and `wp_ajax_date_format()` are missing some
 unslash operation.
 How to reproduce:
 - Go to "Settings" >> "General" and look for the time format.
 - Change the value in the "Custom" field, including some escaped
 characters. For example, in French we have `G \h i \m\i\n` by default, I
 change it to `H \h i \m\i\n`.
 - Click outside the field, without submitting the form: an ajax call is
 made to update the time at the right of the field, with the new format.
 - Result: instead of displaying "22 h 34 min", it displays "22 \10 34
 \02\34\2".

 The problem is the new format sent via ajax: `H \h i \m\i\n` becomes `H
 \\h i \\m\\i\\n`.

 The solution is to unslash it before passing it through `date_i18n()`,
 like this:

 {{{
 function wp_ajax_date_format() {
         wp_die( date_i18n( sanitize_option( 'date_format', wp_unslash(
 $_POST['date'] ) ) ) );
 }

 function wp_ajax_time_format() {
         wp_die( date_i18n( sanitize_option( 'time_format', wp_unslash(
 $_POST['date'] ) ) ) );
 }
 }}}

 Bye

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27216>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform