[buddypress-trac] [BuddyPress] #2776: Most content is double-escaped in the database
buddypress-trac at lists.automattic.com
Sat Dec 4 15:36:37 UTC 2010
#2776: Most content is double-escaped in the database
--------------------+-------------------------------------------------------
Reporter: DJPaul | Owner:
Type: defect | Status: new
Priority: major | Milestone: 1.3
Component: Core | Version:
Keywords: |
--------------------+-------------------------------------------------------
Throughout BuddyPress, a lot of input (i.e. xprofile data, group name,
group description) is being stored double-escaped in the database. This is
demonstrated by creating a group with an apostrophe in its group
description field, and then by creating a regular WP post with the same
phrase, and comparing the contents of the database tables.

This is because WordPress, in wp_magic_quotes(), escapes everything in
$_POST, $_GET and $_COOKIE. BuddyPress needs to call stripslashes() on relevant
content before we put it into the database, as $wpdb->prepare() escapes
the input again.

This problem hasn't been very visible due to stripslashes() being added to
most template tags' output functions, and a few local workarounds, but
ticket #1209 led me to find this issue.
--
Ticket URL: <http://trac.buddypress.org/ticket/2776>
BuddyPress <http://buddypress.org/>
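
The round trip described in the ticket, as an added example that is not part of the original message or of BuddyPress itself. It runs without WordPress or a database: all function names are hypothetical, and addslashes()/stripslashes() are used as stand-ins (an assumption) for the slashing done by wp_magic_quotes(), the escaping done by $wpdb->prepare(), and the database consuming one level of escaping when it parses the string literal.

```php
<?php
// Stand-in for wp_magic_quotes(): every request value arrives with slashes added.
function simulate_magic_quotes(array $request): array
{
    return array_map('addslashes', $request);
}

// Stand-in for the escaping applied by $wpdb->prepare() (modelled with addslashes()).
function simulate_prepare_escape(string $value): string
{
    return addslashes($value);
}

// Stand-in for the SQL parser: it consumes exactly one level of escaping
// when it reads the quoted literal, and stores what is left.
function simulate_db_store(string $escaped_literal): string
{
    return stripslashes($escaped_literal);
}

// Save path. With $unslash_first = false the request slashes reach the
// escaping layer and become part of the stored data.
function save_value(string $request_value, bool $unslash_first): string
{
    if ($unslash_first) {
        $request_value = stripslashes($request_value); // undo the request slashing
    }
    return simulate_db_store(simulate_prepare_escape($request_value));
}

// Constructed sample input: a group description containing an apostrophe.
$post = simulate_magic_quotes(['group-desc' => "Paul's group"]);

$stored_buggy = save_value($post['group-desc'], false);
$stored_fixed = save_value($post['group-desc'], true);

printf("request value      : %s\n", $post['group-desc']);
printf("stored, no unslash : %s\n", $stored_buggy);
printf("stored, unslashed  : %s\n", $stored_fixed);

// The output-side workaround mentioned in the ticket: stripslashes() in the
// template tag makes the bad row render correctly, which hides the problem.
printf("template output    : %s\n", stripslashes($stored_buggy));

// Any consumer that reads the table directly (export, search, API) still
// sees the backslash, so compare stored rows, not rendered pages.
printf("rows differ        : %s\n", $stored_buggy !== $stored_fixed ? 'yes' : 'no');
```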