[wp-trac] [WordPress Trac] #55456: Double escaping wp_user-settings

WordPress Trac noreply at wordpress.org
Fri Mar 25 05:31:30 UTC 2022


#55456: Double escaping wp_user-settings
-------------------------------------------------+-------------------------
 Reporter:  phatkoala                            |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  6.0
Component:  Users                                |     Version:  2.7
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback has-testing-  |     Focuses:
  info needs-testing                             |
-------------------------------------------------+-------------------------
Changes (by costdev):

 * keywords:  has-patch => has-patch dev-feedback has-testing-info needs-testing
 * version:  5.9.2 => 2.7
 * milestone:  Awaiting Review => 6.0


Comment:

 == Test Report

 === Env
 * Server: Apache (Linux)
 * WordPress: 6.0-alpha-52448-src
 * Browser: Chrome 99.0.4844.51
 * OS: Windows 10
 * Theme: Twenty Twenty-One
 * Plugins: None activated.

 === Steps to reproduce
 1. Save the plugin code in this ticket's description to `wp-content/plugins/ampersand_test/ampersand_test.php`.
 2. Navigate to `Plugins > Installed Plugins`.
 3. Activate the `Ampersand Test` plugin.
 4. Navigate to `Users > Profile`.
 5. Open the database and navigate to `{prefix}_usermeta`.
 6. Filter for `wp_user-settings`.
 7. See that the value contains `&ampfoo=1&ampbar=1`.
 8. Refresh the `Profile` page.
 9. Repeat steps 5 and 6.
 10. See that the value contains `&amp&ampfoo=1&amp&ampbar=1`.

 === Cleanup
 1. Edit the database entry and remove `&amp&ampfoo=1&amp&ampbar=1`.
 2. Save.
 3. Navigate to `Plugins > Installed Plugins`.
 4. Deactivate the `Ampersand Test` plugin, then reactivate it.

 === Steps to test [https://github.com/WordPress/wordpress-develop/pull/2458 PR 2458]
 1. Check out [https://github.com/WordPress/wordpress-develop/pull/2458 PR 2458].
 2. Open the database and navigate to the `{prefix}_usermeta` table.
 3. Filter for `wp_user-settings`.
 4. See that the value contains `&foo=1&bar=1`.
 5. Refresh the `Profile` page.
 6. See that the value still contains `&foo=1&bar=1`.

 === Results
 1. Issue reproduced. ✅
 2. [https://github.com/WordPress/wordpress-develop/pull/2458 PR 2458]
 resolves the issue. ✅

 === Notes
 1. Introduced in [8784].
 2. Milestoning for 6.0 to get this some visibility.
 3. Adding `dev-feedback` to verify that this approach has no unintended
 side effects / BC breaks.
 4. Adding `has-testing-info` and `needs-testing` to get some tester
 creativity on this.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55456#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

