[wp-trac] [WordPress Trac] #27260: Double-unslashing in "nopriv" handler of the Heartbeat API
WordPress Trac
noreply at wordpress.org
Mon Mar 3 11:44:08 UTC 2014
#27260: Double-unslashing in "nopriv" handler of the Heartbeat API
----------------------------+-----------------------
Reporter: TobiasBg | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.9
Component: Administration | Version: 3.6
Severity: normal | Keywords: has-patch
Focuses: |
----------------------------+-----------------------
The handler for not-logged-in ("nopriv") calls to the Heartbeat API (see
#23216), `wp_ajax_nopriv_heartbeat()`, (incorrectly)
[https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-admin/includes
/ajax-actions.php#L28 unslashes] the `$_POST['data']` array, while
`wp_ajax_heartbeat()` (correctly) does
[https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-admin/includes
/ajax-actions.php#L2175 not].
`wp_unslash()` is not necessary in both cases, as unslashing has already
been done globally via `wp_magic_quotes()` by the time the filters run.
This was introduced by an unfortunate timing of commits/reverts:
- [23355] introduced the (logged-in) Heartbeat API handler, without
unslashing.
- [23416] added the unslashing in an attempt (see #21767) to handle the
overall slashing mess in core.
- [23481] added the "nopriv" Heartbeat API handler, with unslashing
(because of #21767/[23416]).
- [23554] reverted [23416] but did not catch the `wp_unslash()` that had
been added in [23481] in the mean time.
The attached patch removes the extra `wp_unslash()` call.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27260>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list