[wp-trac] [WordPress Trac] #35408: Side effect wp_create_post_autosave causes $_POST to be unslashed
WordPress Trac
noreply at wordpress.org
Mon Jan 11 20:27:46 UTC 2016
#35408: Side effect wp_create_post_autosave causes $_POST to be unslashed
--------------------------+----------------------------------------
Reporter: joehoyle | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.5
Component: Autosave | Version: 2.6
Severity: normal | Keywords: has-patch needs-unit-tests
Focuses: |
--------------------------+----------------------------------------
For some reason (explanation welcome) `wp_create_post_autosave` assigns
its data to `$_POST` by reference. In the case of a post auto draft for
the revision not already existing, `$post_data` is passed to `wp_unslash`
in preparing it for `_wp_put_post_revision` (as `_wp_put_post_revision`
expects unslashed data). This has the nasty side effect of `$_POST` now
being unslashed, when plugins (and other areas of WP) always expect the
`$_POST` superglobal to have slashed data.
I don't know the original reasoning behind assigning by reference;
it appears to have been introduced in the autosave refactor in
https://github.com/WordPress/WordPress/commit/335add2573fd1a2f84071be441d24a053eff8933#diff-c3d5c535db5622f3b0242411ee5f9dfdR1346
I'd like to get some tests for this, however these functions are fraught
with superglobals so I'm not sure how easy that will be.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35408>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
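
The side effect reported in this ticket, reduced to a stand-alone PHP script. This is an added example, not WordPress core code and not the reporter's: every `demo_*` function is a hypothetical stand-in (`demo_unslash` for `wp_unslash`, `demo_store_revision` for `_wp_put_post_revision`), and the sample input is constructed.

```php
<?php
// Stand-in for wp_unslash(): recursively strip one level of backslash escaping.
function demo_unslash($value) {
    return is_array($value) ? array_map('demo_unslash', $value) : stripslashes($value);
}

// Stand-in for a consumer that expects unslashed data.
function demo_store_revision(array $data) {
    return $data['content'];
}

// Pattern described in the ticket: the local variable is bound to $_POST by reference.
function demo_autosave_by_reference() {
    $post_data = &$_POST;                    // alias of the superglobal, not a copy
    $post_data = demo_unslash($post_data);   // the assignment writes through to $_POST
    return demo_store_revision($post_data);
}

// Same work on a copy: $_POST stays slashed for whatever runs afterwards.
function demo_autosave_by_value() {
    $post_data = demo_unslash($_POST);
    return demo_store_revision($post_data);
}

// Later code (for example a plugin hook) that follows the "$_POST is slashed" convention.
function demo_plugin_reads_post() {
    return demo_unslash($_POST['content']);
}

// Constructed sample: the user typed C:\new\table; slashing doubles each backslash.
$typed   = 'C:\\new\\table';
$slashed = addslashes($typed);

// Copy variant: the later reader recovers exactly what was typed.
$_POST = ['content' => $slashed];
demo_autosave_by_value();
var_dump(demo_plugin_reads_post() === $typed);

// Reference variant: $_POST itself is now unslashed, so the later reader
// unslashes a second time and the backslashes in the value are lost.
$_POST = ['content' => $slashed];
demo_autosave_by_reference();
var_dump($_POST['content'] === $typed);
var_dump(demo_plugin_reads_post() === $typed);
```

Any later code that escapes or validates `$_POST` on the assumption that it is still slashed is working on different bytes than it expects once the reference variant has run.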