[buddypress-trac] [BuddyPress] #5180: groups_update_groupmeta() mangles line breaks
buddypress-trac
noreply at wordpress.org
Wed Oct 2 18:50:21 UTC 2013
#5180: groups_update_groupmeta() mangles line breaks
--------------------------+--------------------
Reporter: rogercoathup | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 1.9
Component: Core | Version: 1.8.1
Severity: normal | Resolution:
Keywords: has-patch |
--------------------------+--------------------
Changes (by boonebgorges):
* keywords: => has-patch
* priority: normal => high
* milestone: Awaiting Review => 1.9
Comment:
Thanks for the ticket. A few thoughts:
- `stripslashes()` vs `wp_unslash()` is beside the point here. That's not
affecting `\r` and `\n`.
- The `sanitize_meta()` suggestion is reasonable as a feature request, but
I don't think it does what you intend it to do here. The only thing
`sanitize_meta()` does is provide a wrapper for a more specific filter; by
default, there is nothing hooked to it. In other words, despite its name,
it doesn't actually sanitize anything. So I suggest we leave it out of
this ticket.
- We don't need to be escaping `$meta_value` here. We use
`$wpdb->prepare()` to assemble the query, which eventually calls WP's core
sanitization functions. `esc_sql()` or whatever are only necessary when we
are assembling SQL queries that do not get passed through
`$wpdb->prepare()` (such as concatenated `LIKE` queries).
Patch attached. I'd like a sanity check on this, before I commit (and
apply the same change to similar functions in other components).
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5180#comment:3>
BuddyPress <http://buddypress.org/>
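
Added example, not part of the original message and not BuddyPress code: it shows what happens to `\r` and `\n` when a value is escaped by hand before it reaches a query layer that already handles quoting, which is the redundancy the comment's third point describes. Assumptions: PDO with an in-memory SQLite database (requires the `pdo_sqlite` extension) stands in for `$wpdb->prepare()`, `mysql_style_escape()` is a hypothetical stand-in that escapes the same characters as `mysqli_real_escape_string()`, and the input string is constructed.

```php
<?php
// Hypothetical stand-in for MySQL-style string escaping; no database
// connection is needed, so the example runs offline.
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// Write one value through a bound parameter and read it back.
function store_and_read(PDO $db, string $value): string
{
    $db->exec('DELETE FROM meta');
    $stmt = $db->prepare('INSERT INTO meta (meta_value) VALUES (?)');
    $stmt->execute([$value]);
    return (string) $db->query('SELECT meta_value FROM meta')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE meta (meta_value TEXT)');

$input = "first line\r\nsecond line"; // constructed sample value

$cases = [
    // The query layer does the quoting; the value is passed as-is.
    'bound as-is'                  => $input,
    // Escaped by hand first: the backslashes are stored as data.
    'escaped, then bound'          => mysql_style_escape($input),
    // Escaped, then unslashed: the backslashes go, "r" and "n" stay.
    'escaped, stripslashes, bound' => stripslashes(mysql_style_escape($input)),
];

foreach ($cases as $label => $value) {
    $stored = store_and_read($db, $value);
    printf(
        "%-30s %-34s %s\n",
        $label,
        json_encode($stored),
        $stored === $input ? 'intact' : 'MANGLED'
    );
}
```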