[buddypress-trac] [BuddyPress] #2776: Most content is double-escaped in the database

buddypress-trac at lists.automattic.com buddypress-trac at lists.automattic.com
Sat Dec 4 23:48:40 UTC 2010


#2776: Most content is double-escaped in the database
--------------------+-------------------------------------------------------
 Reporter:  DJPaul  |       Owner:     
     Type:  defect  |      Status:  new
 Priority:  major   |   Milestone:  1.3
Component:  Core    |     Version:     
 Keywords:          |  
--------------------+-------------------------------------------------------

Old description:

> Throughout BuddyPress, a lot of input (i.e. xprofile data, group name,
> group description) is being stored double-escaped in the database. This
> is demonstrated by creating a group with an apostrophe in its group
> description field, and then by creating a regular WP post with the same
> phrase, and comparing the contents of the database tables.
>
> This is because WordPress, in wp_magic_quotes(), escapes everything in
> $_POST, $_GET and $_COOKIE. BuddyPress needs to stripslashes() on
> relevant content before we put it into the database, as $wpdb->prepare()
> escapes the input again.
> This problem hasn't been very visible due to stripslashes() being added
> to most template tags' output functions, and a few local workarounds, but
> ticket #1209 led me to find this issue.

New description:

 Throughout BuddyPress, a lot of input (i.e. xprofile data, group name,
 group description) is being stored double-escaped in the database. This is
 demonstrated by creating a group with an apostrophe in its group
 description field, and then by creating a regular WP post with the same
 phrase, and comparing the contents of the database tables.

 This is because WordPress, in wp_magic_quotes(), escapes everything in
 $_POST, $_GET and $_COOKIE. BuddyPress needs to stripslashes() on relevant
 content before we put it into the database, as $wpdb->prepare() escapes
 the input again.
 This problem hasn't been very visible due to stripslashes() being added to
 most template tags' output functions, and a few local workarounds, but
 ticket #1209 led me to find this issue.

 Related:
 #1209
 #2283

--

Comment(by DJPaul):

 T

-- 
Ticket URL: <http://trac.buddypress.org/ticket/2776#comment:5>
BuddyPress <http://buddypress.org/>
BuddyPress
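The two escaping layers the ticket describes, modelled as a self-contained PHP script. This is an added example, not code from the ticket, from BuddyPress or from WordPress core: `fake_wp_magic_quotes()`, `fake_wpdb_prepare()` and `fake_mysql_store()` are hypothetical stand-ins that use plain `addslashes()`/`stripslashes()` so the script runs without WordPress or a database, and the group description "Paul's group" is a constructed input. The real layers are `wp_magic_quotes()` on `$_POST`/`$_GET`/`$_COOKIE` and `$wpdb->prepare()`, which escapes with the database driver; for an apostrophe the effect is the same.

```php
<?php
// Added example (not BuddyPress or WordPress code). Models the double-escaping
// path from ticket #2776 with stand-in functions that are assumptions, not
// the real WordPress APIs.

// Stand-in for wp_magic_quotes(): WordPress addslashes() every request value
// before any plugin code sees it.
function fake_wp_magic_quotes(array $request): array {
    return array_map('addslashes', $request);
}

// Stand-in for the escaping $wpdb->prepare() applies to a %s placeholder:
// returns the quoted SQL string literal for one value.
function fake_wpdb_prepare(string $value): string {
    return "'" . addslashes($value) . "'";
}

// Stand-in for MySQL parsing a string literal: the quotes are dropped and
// exactly one level of backslash escaping is removed. What this returns is
// what ends up in the table.
function fake_mysql_store(string $literal): string {
    return stripslashes(substr($literal, 1, -1));
}

// Buggy path (what the ticket reports): the request value, already escaped by
// wp_magic_quotes(), goes straight into prepare(), so it is escaped twice and
// the row keeps one backslash.
function store_buggy(string $request_value): string {
    return fake_mysql_store(fake_wpdb_prepare($request_value));
}

// Fixed path: undo the wp_magic_quotes() layer first, then let prepare()
// escape once for the query. The row holds the text the user typed.
function store_fixed(string $request_value): string {
    $clean = stripslashes($request_value); // remove the magic-quotes layer
    return fake_mysql_store(fake_wpdb_prepare($clean));
}

// Constructed request, as the browser sent it (no escaping yet).
$raw_post = ['group-desc' => "Paul's group"];

// 1. WordPress escapes the request on every page load.
$post = fake_wp_magic_quotes($raw_post);
echo "In \$_POST after wp_magic_quotes(): {$post['group-desc']}\n";

// 2. Compare what each path leaves in the database.
$buggy = store_buggy($post['group-desc']);
$fixed = store_fixed($post['group-desc']);
echo "Stored by buggy path: {$buggy}\n";   // Paul\'s group  (double-escaped)
echo "Stored by fixed path: {$fixed}\n";   // Paul's group

// 3. Why the bug stayed hidden: a template tag that stripslashes() its output
// makes the double-escaped row display correctly, so the page looks fine even
// though the stored value differs from a regular WP post with the same text.
echo "Buggy row shown through stripslashes(): " . stripslashes($buggy) . "\n";
echo "Rows identical in DB: " . ($buggy === $fixed ? 'yes' : 'no') . "\n";
```

Run it with `php demo.php`. The check a practitioner wants is the last line: the display-side `stripslashes()` hides the difference, so the only reliable test is the one the ticket suggests, reading the raw column value (or comparing it against a core WP post created with the same phrase) rather than looking at rendered output.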

