[wp-trac] [WordPress Trac] #36438: Address Magic Quotes Problem with New Methods
WordPress Trac
noreply at wordpress.org
Thu Apr 7 07:32:48 UTC 2016
#36438: Address Magic Quotes Problem with New Methods
--------------------------+-----------------------------
Reporter: MikeSchinkel | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Obviously the magic quotes issue has been a major headache over the years.
But it can't be fixed without breaking backward compatibility. Or can it?
I'd like to propose the addition of some static methods on the WP class to
provide an alternative free of magic quotes that we could use to slowly
replace the need for using `wp_slash()` inside so many core functions. To
include:
{{{
WP::POST() // An unslashed version of $_POST
WP::GET() // An unslashed version of $_GET
WP::REQUEST() // An unslashed version of $_REQUEST
}}}
These can be set once early in `wp-settings.php` and then we could slowly
replace any reference to `$_POST`, `$_GET` and `$_REQUEST` inside core
that is followed by a `wp_unslash()`.
Further, we could introduce alternatives to `wp_insert_post`,
`wp_update_post`, `update_post_meta`, `wp_insert_term`, `wp_insert_user`,
et al. that do not expect slashed data and recommend against using the
old ones in new themes and plugins:
{{{
WP::insert_post()
WP::update_post()
WP::update_post_meta()
WP::insert_term()
WP::insert_user()
// And so on...
}}}
The benefits of this will be to provide a rational path forward
'''[https://make.wordpress.org/core/2016/04/06/rest-api-slashed-data-in-wordpress-4-4-and-4-5/ so that we are not caught with our pants down
again]''' on a future new feature, and to make it much easier for most
people to deal with this issue when they need access to `$_POST`, `$_GET`
and `$_REQUEST`.
I'll be happy to add a patch if the core team is interested in pursuing
this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36438>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
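The snapshot-before-slashing idea from the ticket, as an added example that is not part of the original message and is not WordPress code. `Request_Snapshot`, `slash_deep()` and `unslash_deep()` are hypothetical stand-ins (for the proposed `WP` accessors and for the slashing and unslashing of request data) so the file runs without WordPress; the request values are constructed.

```php
<?php
// Added illustration, not WordPress core code. Request_Snapshot, slash_deep()
// and unslash_deep() are hypothetical stand-ins so the file runs without WordPress.

function slash_deep($value) {
    if (is_array($value)) {
        return array_map('slash_deep', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

function unslash_deep($value) {
    if (is_array($value)) {
        return array_map('unslash_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

final class Request_Snapshot {
    private static $get  = array();
    private static $post = array();
    // Call once, before anything slashes the superglobals.
    public static function capture() {
        self::$get  = $_GET;
        self::$post = $_POST;
    }
    public static function GET()     { return self::$get; }
    public static function POST()    { return self::$post; }
    public static function REQUEST() { return array_merge(self::$get, self::$post); }
}

function check($ok, $label) {
    if (!$ok) { throw new RuntimeException("failed: $label"); }
    echo "ok: $label\n";
}

// Constructed sample request data.
$_GET  = array('path' => 'C:\\temp');
$_POST = array('title' => "O'Reilly", 'tags' => array('a\\b'));

Request_Snapshot::capture();      // snapshot first ...
$_GET  = slash_deep($_GET);       // ... then emulate the startup slashing
$_POST = slash_deep($_POST);
$raw = Request_Snapshot::POST();
check($raw['title'] === "O'Reilly", 'snapshot keeps the submitted value');
check($_POST['title'] === "O\\'Reilly", 'superglobal now carries an added backslash');
check(unslash_deep($_POST) === $raw, 'one unslash of the superglobal equals the snapshot');
check(unslash_deep($raw)['tags'][0] === 'ab', 'unslashing unslashed data eats a real backslash');
check(Request_Snapshot::REQUEST()['path'] === 'C:\\temp', 'REQUEST() merges the raw copies');
```

The fourth check is the failure mode to watch during a gradual migration: once a value comes from the unslashed accessor, any leftover unslash call on that code path silently drops legitimate backslashes.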