[wp-trac] [WordPress Trac] #27260: Double-unslashing in "nopriv" handler of the Heartbeat API
WordPress Trac
noreply at wordpress.org
Wed Mar 5 23:55:59 UTC 2014
#27260: Double-unslashing in "nopriv" handler of the Heartbeat API
------------------------------+------------------
 Reporter:  TobiasBg          |       Owner:
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:  3.9
Component:  Autosave          |     Version:  3.6
 Severity:  normal            |  Resolution:
 Keywords:  has-patch commit  |     Focuses:
------------------------------+------------------
Changes (by johnbillion):
* component: Administration => Autosave
Comment:
What an incredible mess this is. We've somehow managed to introduce brand
new functionality in the form of the heartbeat API which relies on slashed
data.
Replying to [ticket:27260 TobiasBg]:
> `wp_unslash()` is not necessary in both cases, as unslashing has already
> been done globally via `wp_magic_quotes()` by the time the filters run.
Although `wp_unslash()` is indeed not needed here, that's not the reason.
`wp_magic_quotes()` adds slashes globally, it doesn't remove them. The
problem is that the callback functions hooked into the heartbeat API
expect slashed data (the main culprit being `edit_post()` in
`wp_autosave()` which is called by `heartbeat_autosave()`).
TL;DR the patch is correct, the reason for it isn't.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27260#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
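
The data flow discussed in the comment above, as an added stand-alone example (not code from the ticket, the patch or WordPress core). It assumes `wp_magic_quotes()` and `wp_unslash()` can be modelled for a flat array with PHP's `addslashes()` and `stripslashes()`; the `model_*` functions and the sample string are hypothetical.

```php
<?php
// Added illustration: runs without WordPress loaded.

// Model of wp_magic_quotes(): slashes are ADDED to request data.
function model_magic_quotes(array $request): array {
    return array_map('addslashes', $request);
}

// Model of wp_unslash() for a flat array of strings.
function model_unslash(array $data): array {
    return array_map('stripslashes', $data);
}

// Hypothetical stand-in for a heartbeat callback that, like edit_post(),
// expects slashed input and removes the slashes itself.
function model_callback_expecting_slashed(array $data): array {
    return model_unslash($data);
}

// Constructed sample: one literal backslash and two double quotes.
$raw     = ['content' => 'Path C:\\temp and a "quote"'];
$slashed = model_magic_quotes($raw);

// Handler that unslashes before the callback runs: two unslash passes.
$double = model_callback_expecting_slashed(model_unslash($slashed));

// Handler that passes the slashed data straight through: one pass.
$single = model_callback_expecting_slashed($slashed);

function report(string $label, array $got, array $want): void {
    $state = ($got === $want) ? 'intact' : 'CORRUPTED';
    echo str_pad($label, 16), $state, ': ', $got['content'], PHP_EOL;
}

report('raw input',      $raw,    $raw);
report('single unslash', $single, $raw);
report('double unslash', $double, $raw);
```

The second unslash pass consumes the user's own literal backslash, which is why an extra `wp_unslash()` in front of a callback that expects slashed data silently alters stored content.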