[wp-trac] [WordPress Trac] #56118: Exception to escapement: Exported or imported data
WordPress Trac
noreply at wordpress.org
Fri Jul 1 02:21:19 UTC 2022
#56118: Exception to escapement: Exported or imported data
-------------------------+-------------------------------------------------
Reporter: anrghg | Owner: (none)
Type: feature | Status: new
request |
Priority: normal | Milestone: Awaiting Review
Component: Export | Version:
Severity: major | Keywords: needs-docs dev-feedback needs-dev-
Focuses: docs | note
-------------------------+-------------------------------------------------
JSON data echoed for download as in
https://plugins.trac.wordpress.org/browser/anrghg/tags/1.3.1/admin/includes/export.php?rev=2749921#L327
cannot be escaped using `wp_kses()`. I’m opening this ticket for
documentation purposes.
`wp_kses()` calls `wp_kses_split()`, that calls
`_wp_kses_split_callback()`, that calls `wp_kses_split2()`
(https://docs.classicpress.net/reference/functions/_wp_kses_split_callback/).
And the first thing `wp_kses_split2()` does is to “fix” the data by
calling `wp_kses_stripslashes()`, that strips backslashes from in front of
double quotes
(https://docs.classicpress.net/reference/functions/wp_kses_split2/ and
https://developer.wordpress.org/reference/functions/wp_kses_stripslashes/)
and thus breaks JSON.
Anyway, cxported data is expected to truly mirror the existing data, so
there seems to be no way to escape anything here when echoing for
download.
The same holds true when importing data as in
https://plugins.trac.wordpress.org/browser/anrghg/tags/1.3.1/admin/includes/import.php?rev=2749921#L362
For PHPCS, such instances need to be whitelisted and I’m held accountable
for linking to relevant documentation acknowledging the exceptions.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56118>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list