[wp-trac] [WordPress Trac] #40476: $_POST values ' and \ for sure are getting escaped with a slash

WordPress Trac noreply at wordpress.org
Wed Apr 19 00:11:41 UTC 2017


#40476: $_POST values ' and \ for sure are getting escaped with a slash
----------------------------+------------------------
 Reporter:  Jossnaz         |       Owner:
     Type:  defect (bug)    |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  Bootstrap/Load  |     Version:
 Severity:  normal          |  Resolution:  duplicate
 Keywords:                  |     Focuses:
----------------------------+------------------------
Changes (by dd32):

 * status:  new => closed
 * resolution:   => duplicate
 * milestone:  Awaiting Review =>


Comment:

 Hi @Jossnaz,

 Unfortunately this is a "feature", even though all of us - including all
 of the core developers I'm aware of, would prefer it wasn't.

 Back in the day, many many moons ago, WordPress blindly followed PHP in
 accepting that all of the superglobal values should be slashed.
 PHP later did a reversal on the idea to something more sane, which you see
 today, but the damage was done: WordPress as an application had existed
 for long enough, and there were enough existing plugins and themes relying
 upon WordPress creating a sane single environment, that WordPress also
 changing would cause irreparable damage to those sites - introduce
 security vulnerabilities, mangle content, and a bunch of other fun things.


 #18322 is our ticket for tracking this and getting to something more sane
 - in the short term (and longer term) we'd request that if you're accessing
 `$_POST` variables you do it as such: `$myvar = wp_unslash(
 $_POST['variable'] );` so that one day, we'll be able to have `$_POST` as an
 unslashed array.

 > Here's how I fixed it in my case:
 > <?php
 > $temp_POST = $_POST;
 > require '../www/wp_dir/wp-load.php'; // loading wordpress
 > $_POST = $temp_POST;

 Please don't do that. You're just opening yourself to security issues, and
 unexpected things happening to your content where WordPress does expect
 the values to be slashed.

 Instead, simply use `wp_unslash()`, and if you really need a copy of
 `$_POST` to operate on yourself, do it as such: `$my_POST = wp_unslash(
 $_POST );`.

 I'm marking this as a duplicate of #18322 - there's lots of discussion
 there over the years for sanity.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40476#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

