[buddypress-trac] [BuddyPress] #2776: Most content is double-escaped in the database

buddypress-trac at lists.automattic.com
Sat Dec 4 15:36:37 UTC 2010

#2776: Most content is double-escaped in the database
 Reporter:  DJPaul  |       Owner:     
     Type:  defect  |      Status:  new
 Priority:  major   |   Milestone:  1.3
Component:  Core    |     Version:     
 Keywords:          |  
 Throughout BuddyPress, a lot of input (i.e. xprofile data, group name,
 group description) is being stored double-escaped in the database. This is
 demonstrated by creating a group with an apostrophe in its group
 description field, and then by creating a regular WP post with the same
 phrase, and comparing the contents of the database tables.

 This is because WordPress, in wp_magic_quotes(), escapes everything in
 $_POST, $_GET and $_COOKIE. BuddyPress needs to call stripslashes() on relevant
 content before we put it into the database, as $wpdb->prepare() escapes
 the input again.
 This problem hasn't been very visible due to stripslashes() being added to
 most template tags' output functions, and a few local workarounds, but
 ticket #1209 led me to find this issue.

Ticket URL: <http://trac.buddypress.org/ticket/2776>
BuddyPress <http://buddypress.org/>
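
A stand-alone model of the two escaping layers described in the ticket, added here as an illustration (not BuddyPress or WordPress code). addslashes() stands in for both wp_magic_quotes() and the escaping inside $wpdb->prepare(); the function names, table name and sample value are assumptions.

```php
<?php
// Stand-in for wp_magic_quotes(): every request value gets slashes added.
function model_magic_quotes(array $request): array {
    return array_map('addslashes', $request);
}

// Stand-in for $wpdb->prepare() with one %s argument: the argument is
// escaped and quoted. (The real method escapes through the MySQL driver;
// addslashes() is a simplification that behaves the same for this input.)
function model_prepare(string $query, string $arg): string {
    return sprintf(str_replace('%s', "'%s'", $query), addslashes($arg));
}

// Stand-in for the database server parsing the quoted literal: exactly one
// layer of escaping is consumed, whatever remains is what gets stored.
function model_stored_value(string $sql): string {
    preg_match('/VALUES \(\'(.*)\'\)$/s', $sql, $m);
    return stripslashes($m[1]);
}

// Constructed sample input: a group description containing an apostrophe.
$description = "Paul's group";
$post  = model_magic_quotes(['group-desc' => $description]);
$query = 'INSERT INTO example_groups (description) VALUES (%s)'; // hypothetical table

// Behaviour reported in the ticket: slashed request data goes straight
// into prepare(), so it is escaped a second time.
$sql_bug    = model_prepare($query, $post['group-desc']);
$stored_bug = model_stored_value($sql_bug);

// Fix proposed in the ticket: stripslashes() before the value is stored.
$sql_fix    = model_prepare($query, stripslashes($post['group-desc']));
$stored_fix = model_stored_value($sql_fix);

printf("request value      : %s\n", $post['group-desc']);
printf("SQL without fix    : %s\n", $sql_bug);
printf("stored without fix : %s\n", $stored_bug);
printf("SQL with fix       : %s\n", $sql_fix);
printf("stored with fix    : %s\n", $stored_fix);

// The output-side workaround mentioned in the ticket hides the stray
// backslash at display time, which is why the stored data looked fine.
printf("template output    : %s\n", stripslashes($stored_bug));
printf("row matches input? without fix: %s, with fix: %s\n",
    var_export($stored_bug === $description, true),
    var_export($stored_fix === $description, true));
```

Any consumer that reads the row without the output-side stripslashes() (an export, a feed, a direct query) sees the backslash that the unfixed path leaves in the table.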
