[wp-trac] [WordPress Trac] #10041: like_escape() should escape backslashes too
WordPress Trac
noreply at wordpress.org
Fri Jun 13 18:44:05 UTC 2014
#10041: like_escape() should escape backslashes too
---------------------------------+-----------------------------
Reporter: miau_jp | Owner: wonderboymusic
Type: defect (bug) | Status: reopened
Priority: high | Milestone: 4.0
Component: Formatting | Version: 2.8
Severity: normal | Resolution:
Keywords: 4.0-early has-patch | Focuses:
---------------------------------+-----------------------------
Comment (by boonebgorges):
> The problem wasn't just with usage. The docs actually said like_escape()
> was SQL safe even though it was not. So we have to anticipate that message
> resulted in the function being used in many strange ways in plugins.
I did a quick survey of plugins.svn.wordpress.org. It looks like maybe
half the plugins using `like_escape()` are doing separate SQL sanitization
(this includes BuddyPress, fwiw :) ), while the other half are not (or are
doing it wrong). It's likely that the incorrect docs for `like_escape()`
had something to do with this. Given the security implications, throwing a
deprecated notice to get the attention of developers is probably prudent,
and I think this ticket can probably be reclosed.
I strongly second jjj's suggestion above that we get a post somewhere
(make.wordpress.org/plugins/ seems like an appropriate place) that
explains the change and describes what they need to do to fix. If others
agree that this is the right way to go, I can take the reins on that task.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/10041#comment:69>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
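The two distinct failures behind this thread, shown as an added example (this is not code from the ticket, from its patch, or from WordPress core): first, a `like_escape()` that does not escape backslashes lets a user re-enable the `%`/`_` wildcards by prefixing them with a backslash; second, even a correct LIKE escape is not SQL sanitization, so the result must still go through `$wpdb->prepare()` or `esc_sql()`, which is the "separate SQL sanitization" the comment above is counting. `like_escape_pre40()` and `esc_like_40()` are local reproductions of the pre-4.0 `like_escape()` one-liner and of `wpdb::esc_like()`, the replacement WordPress 4.0 ships under this ticket (the replacement is not named in the comment); `like_matches()` is a toy interpreter of MySQL LIKE pattern semantics assumed here so the script runs with no database.

```php
<?php
// Added example, not WordPress core code. Shows (1) the backslash escape
// bypass of pre-4.0 like_escape() and (2) why LIKE escaping alone is not
// SQL-safe. Runs stand-alone: php like_escape_demo.php

/**
 * Local reproduction of like_escape() as it existed before WordPress 4.0:
 * it escapes only the two LIKE wildcards and leaves backslashes alone.
 */
function like_escape_pre40( $text ) {
    return str_replace( array( '%', '_' ), array( '\\%', '\\_' ), $text );
}

/**
 * Local reproduction of wpdb::esc_like() (WordPress 4.0): escapes the
 * wildcards AND the escape character itself, so a user-supplied backslash
 * can no longer "consume" the backslash that protects the next wildcard.
 */
function esc_like_40( $text ) {
    return addcslashes( $text, '_%\\' );
}

/**
 * Toy interpreter for MySQL LIKE pattern semantics with the default escape
 * character: "\x" matches the literal x, '%' matches any run of characters,
 * '_' matches exactly one. Assumption: default escape char, ASCII input.
 * Returns true when $subject matches $pattern.
 */
function like_matches( $pattern, $subject ) {
    $regex = '';
    $len   = strlen( $pattern );
    for ( $i = 0; $i < $len; $i++ ) {
        $c = $pattern[ $i ];
        if ( '\\' === $c && $i + 1 < $len ) {
            $regex .= preg_quote( $pattern[ ++$i ], '/' ); // escaped literal
        } elseif ( '%' === $c ) {
            $regex .= '.*';
        } elseif ( '_' === $c ) {
            $regex .= '.';
        } else {
            $regex .= preg_quote( $c, '/' );
        }
    }
    return 1 === preg_match( '/\A' . $regex . '\z/s', $subject );
}

// --- (1) Backslash bypass --------------------------------------------------
// Constructed input: the two characters  \%  as a user would type them.
$input = '\\%';

$old = like_escape_pre40( $input ); // yields  \\%  : the % is now UNescaped
$new = esc_like_40( $input );       // yields  \\\% : backslash and % both literal

printf( "like_escape():    %s\n", $old );
printf( "wpdb::esc_like(): %s\n", $new );

// With the old function the pattern matches every value starting with a
// backslash, i.e. the wildcard survived "escaping".
var_dump( like_matches( $old, '\\anything' ) ); // bool(true)
// With esc_like() only the literal string  \%  matches.
var_dump( like_matches( $new, '\\anything' ) ); // bool(false)
var_dump( like_matches( $new, '\\%' ) );        // bool(true)

// --- (2) LIKE escaping is not SQL escaping ---------------------------------
// Constructed input: neither function touches the quote, so dropping the
// result straight into "... LIKE '%$term%'" is still SQL injection.
$sqli = "' OR 1=1 -- ";
var_dump( like_escape_pre40( $sqli ) === $sqli ); // bool(true): unchanged
var_dump( esc_like_40( $sqli ) === $sqli );       // bool(true): unchanged

// The correct WordPress idiom (shown as a comment; needs a live $wpdb):
// escape the LIKE pattern first, then let prepare() quote and escape the
// string literal, which also doubles the backslashes for the SQL parser.
//
// $sql = $wpdb->prepare(
//     "SELECT ID FROM $wpdb->posts WHERE post_title LIKE %s",
//     '%' . $wpdb->esc_like( $term ) . '%'
// );
```

The order matters: `esc_like()` (or the old `like_escape()`) operates on pattern semantics, while `prepare()`/`esc_sql()` operates on string-literal semantics, and MySQL applies them in the reverse order when it parses the query, so escaping for the literal has to be the outer step. A plugin that calls only `like_escape()` gets neither protection fully, which is why the deprecation notice discussed above is worth the churn.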