[wp-trac] [WordPress Trac] #35493: get_terms does not return correct value when a term is searched by a name containing a single quote

WordPress Trac noreply at wordpress.org
Tue Jan 19 04:04:42 UTC 2016


#35493: get_terms does not return correct value when a term is searched by a name
containing a single quote
---------------------------+------------------
 Reporter:  maximeschoeni  |       Owner:
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  4.5
Component:  Taxonomy       |     Version:  4.3
 Severity:  normal         |  Resolution:
 Keywords:                 |     Focuses:
---------------------------+------------------
Changes (by boonebgorges):

 * version:  4.4.1 => 4.3
 * milestone:  Awaiting Review => 4.5


Comment:

 @maximeschoeni Welcome to WordPress Trac! Thanks for the detailed report.

 I've confirmed the issue, and traced it to [32353]. In that changeset, we
 switched from sanitizing using `sanitize_text_field()` on the value of
`name` to using `sanitize_term_field( 'name' )`. This change was necessary
 because terms go through the `sanitize_term_field()` filter when being
 saved in the first place, so that term names are run through a couple of
 different sanitization routines before being stored in the database.

 One thing that `sanitize_term_field( 'name' )` does is run the `$name`
 through `wp_filter_kses()`. This function runs `stripslashes()` on the
 value passed to it, and then runs `addslashes()` on it again before
 returning it. This is because `wp_filter_kses()` expects slashed data. But
 `get_terms()` expects the 'name' param to be unslashed already; see e.g.
 `WP_Terms_List_Table::prepare_items()`, where the search term is unslashed
 before being passed to `get_terms()`.

 Technically, the `addslashes()` performed by `wp_filter_kses()` does the
 same thing as the call to `esc_sql()` that you've pointed out. But this is
 partially an accident of how `wp_filter_kses()` - a function that was not
 designed for MySQL escaping - was designed. So, for developer clarity,
 it's probably wiser to keep the late `esc_sql()` escaping as-is but remove
 slashes on what's returned from `sanitize_term_field()`.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35493#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
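The escaping pipeline the comment describes, as an added example that is not
WordPress core code and not part of the ticket. The `*_like()` functions
below are simplified, hypothetical stand-ins for `wp_filter_kses()`,
`sanitize_term_field( 'name' )` and `esc_sql()`: they reproduce only the
slash handling the comment is about (stripslashes then addslashes in the
KSES path, a single addslashes-style escape for the SQL step) and nothing
else those functions do. The term name is a constructed input.

```php
<?php
// Added example, not WordPress code. Models how a term name containing a
// single quote gets escaped twice when get_terms() passes the output of
// sanitize_term_field( 'name' ) straight into esc_sql().

// Hypothetical stand-in for the slash handling inside wp_filter_kses():
// it expects slashed input, unslashes it, filters HTML, and re-slashes it.
function kses_like_filter( $value ) {
    $unslashed = stripslashes( $value );
    $filtered  = strip_tags( $unslashed ); // placeholder for the KSES HTML filter
    return addslashes( $filtered );        // returned value is slashed again
}

// Hypothetical stand-in for the sanitize_term_field( 'name' ) path after
// [32353]: the name goes through the KSES-style filter above.
function sanitize_name_like( $name ) {
    return kses_like_filter( $name );
}

// Hypothetical stand-in for esc_sql(). Core escapes via $wpdb; for an ASCII
// single quote addslashes() yields the same backslash-before-quote output,
// which is why the comment calls the KSES addslashes() "the same thing".
function esc_sql_like( $value ) {
    return addslashes( $value );
}

// WHERE fragment built the way the comment describes the bug: the sanitizer
// hands back slashed data, and esc_sql() escapes it a second time.
function where_clause_buggy( $unslashed_name ) {
    $name = sanitize_name_like( $unslashed_name );
    return "t.name = '" . esc_sql_like( $name ) . "'";
}

// WHERE fragment with the fix the comment proposes: strip the slashes the
// sanitizer added, keep the late esc_sql() escaping as the only escape.
function where_clause_fixed( $unslashed_name ) {
    $name = stripslashes( sanitize_name_like( $unslashed_name ) );
    return "t.name = '" . esc_sql_like( $name ) . "'";
}

// Constructed input: an unslashed term name with a single quote, which is
// what get_terms() expects (cf. WP_Terms_List_Table::prepare_items()).
$search = "O'Reilly";

echo where_clause_buggy( $search ), PHP_EOL;
echo where_clause_fixed( $search ), PHP_EOL;
```

Run with `php example.php`. The buggy clause escapes the quote twice, so
the literal MySQL compares against is a backslash followed by a quote and
no stored term named O'Reilly matches; the fixed clause escapes it exactly
once and matches the stored name.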