[buddypress-trac] [BuddyPress] #5180: groups_update_groupmeta() mangles line breaks

buddypress-trac noreply at wordpress.org
Wed Oct 2 18:50:21 UTC 2013

#5180: groups_update_groupmeta() mangles line breaks
 Reporter:  rogercoathup  |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  high          |   Milestone:  1.9
Component:  Core          |     Version:  1.8.1
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |
Changes (by boonebgorges):

 * keywords:   => has-patch
 * priority:  normal => high
 * milestone:  Awaiting Review => 1.9


 Thanks for the ticket. A few thoughts:

 - `stripslashes()` vs `wp_unslash()` is beside the point here. That's not
 affecting `\r` and `\n`.
 - The `sanitize_meta()` suggestion is reasonable as a feature request, but
 I don't think it does what you intend it to do here. The only thing
 `sanitize_meta()` does is provide a wrapper for a more specific filter; by
 default, there is nothing hooked to it. In other words, despite its name,
 it doesn't actually sanitize anything. So I suggest we leave it out of
 this ticket.
 - We don't need to be escaping `$meta_value` here. We use
 `$wpdb->prepare()` to assemble the query, which eventually calls WP's core
 sanitization functions. `esc_sql()` or whatever are only necessary when we
 are assembling SQL queries that do not get passed through
 `$wpdb->prepare()` (such as concatenated `LIKE` queries).

 Patch attached. I'd like a sanity check on this, before I commit (and
 apply the same change to similar functions in other components).

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5180#comment:3>
BuddyPress <http://buddypress.org/>

More information about the buddypress-trac mailing list