[wpmu-trac] [WordPress MU Trac] #1165: update_option escapes input but get_option doesn't un-escape

WordPress MU Trac wpmu-trac at lists.automattic.com
Tue Nov 24 19:46:56 UTC 2009


#1165: update_option escapes input but get_option doesn't un-escape
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  somebody
     Type:  defect             |      Status:  new     
 Priority:  normal             |   Milestone:          
Component:  Security           |     Version:          
 Severity:  normal             |    Keywords:          
-------------------------------+--------------------------------------------
 As reported over at:

 http://core.trac.wordpress.org/ticket/11253

 Duplicate the issue: write any data to an update_option value in the
 database and include quotes in it.

 Problem is in the source code (verified by reading line 167+ of
 /wp-includes/functions.php)

 Server: Apache2, PHP5

 Details: adding an option to the database using update_option() (line 228+
 of functions.php) will cause any quotes to be escaped. However, output
 returned by get_option() (line 167+) does not un-escape this value. It
 seems with PHP5 that even if I escape my own data it gets escaped again,
 so anytime I expect to use HTML or quotes in an option field I have to
 make sure there's a stripslashes applied to the get_option output. Makes
 sense to me that if we escape the content on the way in we should
 un-escape the content on the way back out. But I could be wrong.

-- 
Ticket URL: <http://trac.mu.wordpress.org/ticket/1165>
WordPress MU Trac <http://mu.wordpress.org/>
WordPress Multiuser
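The escaping asymmetry the ticket describes, as an added illustration that is not WordPress code and not the reporter's: a toy in-memory option store whose hypothetical functions save_option(), load_option_raw() and load_option_fixed() stand in for update_option(), the reported get_option() behaviour, and a symmetric read that undoes the write-side escaping. The sample value is constructed. It shows why the round trip corrupts quotes and backslashes when only one side escapes, and why a caller-side stripslashes() workaround breaks as soon as the caller has already escaped the data itself.

```php
<?php
// Added illustration, not WordPress code. The function names below are
// hypothetical stand-ins: save_option() escapes on the way in like update_option()
// did, load_option_raw() returns the stored string untouched like the get_option()
// behaviour the ticket reports, load_option_fixed() reverses the escaping on read.

function save_option(array &$store, string $name, string $value): void
{
    // Stand-in for the SQL-style escaping applied before the row is written:
    // quotes and backslashes get a leading backslash.
    $store[$name] = addslashes($value);
}

function load_option_raw(array $store, string $name): string
{
    // The reported behaviour: stored value handed back as-is, slashes included.
    return $store[$name];
}

function load_option_fixed(array $store, string $name): string
{
    // Symmetric behaviour: undo exactly the escaping applied on write, once.
    return stripslashes($store[$name]);
}

$store = [];
$original = 'He said "hello" and it\'s C:\\path';   // constructed sample value

save_option($store, 'greeting', $original);

echo "original: ", $original, "\n";
echo "stored:   ", $store['greeting'], "\n";            // extra backslashes
echo "raw read: ", load_option_raw($store, 'greeting'), "\n";
echo "fixed:    ", load_option_fixed($store, 'greeting'), "\n";
var_dump(load_option_fixed($store, 'greeting') === $original);

// The fragile part of a caller-side stripslashes() workaround: if the caller
// has already escaped the value (the "escape my own data" case in the ticket),
// it is escaped twice on write and a single stripslashes() on read does not
// restore the original string.
save_option($store, 'pre_escaped', addslashes($original));
echo "double:   ", load_option_fixed($store, 'pre_escaped'), "\n";
var_dump(load_option_fixed($store, 'pre_escaped') === $original);
```

The point for a reviewer of such a fix is that escaping belongs to one layer: either the storage layer escapes on write and un-escapes on read (so callers never see slashes), or it does neither and callers pass raw strings. Mixing the two, or letting callers compensate with stripslashes(), silently mangles any legitimate backslash or quote in the data.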

