[wp-trac] [WordPress Trac] #35898: Customizer eats backslashes when sanitizing (including updates for nav menus and some widgets)
WordPress Trac
noreply at wordpress.org
Mon Feb 22 06:43:34 UTC 2016
#35898: Customizer eats backslashes when sanitizing (including updates for nav
menus and some widgets)
--------------------------+-----------------
Reporter: westonruter | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.5
Component: Customize | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------
This is a follow up to #35869.
I found that the Customizer will drop backslashes from several locations
where they are entered, including:
* Site Title (try saving a title with “\o/”)
* Site Description
* Nav Menu Name
* Custom Menu widget title (also on widgets admin page)
* Tag Cloud widget title (also happens on widgets admin page)
* Text widget body if can't `unfiltered_html` (also happens on widgets admin page)
The first two settings use `WP_Customize_Setting::sanitize()` which
includes as its first line of code:
{{{#!php
<?php
$value = wp_unslash( $value );
}}}
This, however, is unnecessary because the value being passed in originates
from the incoming `$_POST['customized']` JSON blob which is unslashed as a
whole:
{{{#!php
<?php
$this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true );
}}}
So this is why any intentional slashes are getting stripped.
For nav menus, the problem is that `wp_update_nav_menu_object()` and
`wp_create_nav_menu()` expect pre-slashed input, and the
`WP_Customize_Nav_Menu_Setting` was not ensuring this.
For the widgets, a few are calling `stripslashes()` unexpectedly,
resulting in backslashes being dropped both in the Customizer and on the
widgets admin page.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35898>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
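As an added illustration (not code from the ticket or from WordPress core), the script below models the slashing pipeline the ticket describes. `wp_slash()` and `wp_unslash()` here are stand-ins for the core helpers (which apply `addslashes()`/`stripslashes()` recursively); `sanitize_buggy()`, `sanitize_fixed()` and `save_menu_name_expecting_slashed()` are hypothetical names that model `WP_Customize_Setting::sanitize()` and an API such as `wp_update_nav_menu_object()` that expects pre-slashed input. The sample values are constructed.

```php
<?php
// Added example, not WordPress core code. Simplified stand-ins for the core
// helpers: core applies addslashes()/stripslashes() recursively in the same way.
function wp_slash( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'wp_slash', $value );
    }
    return is_string( $value ) ? addslashes( $value ) : $value;
}
function wp_unslash( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'wp_unslash', $value );
    }
    return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Constructed request: the browser posts the changed settings as one JSON blob,
// and WordPress slashes the whole $_POST superglobal on load (wp_magic_quotes()).
$blogname         = 'Hooray \o/';
$customized_json  = json_encode( array( 'blogname' => $blogname ) );
$post_customized  = wp_slash( $customized_json );   // what $_POST['customized'] holds

// WP_Customize_Manager: the blob is unslashed ONCE, then decoded.
$post_values = json_decode( wp_unslash( $post_customized ), true );

// Hypothetical model of the buggy sanitize(): unslashes an already-unslashed value.
function sanitize_buggy( $value ) {
    $value = wp_unslash( $value );   // second strip: "\o/" becomes "o/"
    return trim( $value );
}
// Hypothetical model of the fix: the value is already unslashed, so only sanitize.
function sanitize_fixed( $value ) {
    return trim( $value );
}

// Hypothetical model of an API such as wp_update_nav_menu_object() that expects
// pre-slashed input and unslashes internally before persisting.
function save_menu_name_expecting_slashed( $slashed_name ) {
    return wp_unslash( $slashed_name );   // the value that gets stored
}

function demo() {
    global $post_values;
    $results = array();

    $results['site_title_buggy'] = sanitize_buggy( $post_values['blogname'] ); // "Hooray o/"
    $results['site_title_fixed'] = sanitize_fixed( $post_values['blogname'] ); // "Hooray \o/"

    // Nav menu name coming out of the same already-unslashed JSON blob.
    $menu_name = 'Main \ Footer';
    // Wrong: handing the unslashed value to a slash-expecting API drops the backslash.
    $results['menu_name_wrong'] = save_menu_name_expecting_slashed( $menu_name );            // "Main  Footer"
    // Right: re-slash first, as WP_Customize_Nav_Menu_Setting must do before the call.
    $results['menu_name_right'] = save_menu_name_expecting_slashed( wp_slash( $menu_name ) ); // "Main \ Footer"

    return $results;
}

$r = demo();
assert( 'Hooray o/' === $r['site_title_buggy'] );
assert( 'Hooray \o/' === $r['site_title_fixed'] );
assert( 'Main  Footer' === $r['menu_name_wrong'] );
assert( 'Main \ Footer' === $r['menu_name_right'] );
foreach ( $r as $k => $v ) {
    printf( "%-18s %s\n", $k . ':', $v );
}
```

The rule the example encodes: track whether a value is in "slashed" or "unslashed" state at each hand-off. Data decoded from the unslashed `$_POST['customized']` blob is already unslashed, so a setting sanitizer must not strip again, while any core API documented as expecting slashed input must be given `wp_slash()`ed data or it will strip a level itself.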