Run stripslashes before saving data, since WordPress forces magic quotes #162

Merged
merged 2 commits into from Jan 27, 2015


clifgriffin
Contributor

We found that when entering a single tick ' into text fields, the resulting save adds an unnecessary escape character: \'

This is because of that weird legacy quirk with WordPress that forces magic quotes onto all incoming data, whether $_GET or $_POST. This happens regardless of the PHP setting so trying to use get_magic_quotes_gpc() in this context does not work. (See note here: http://codex.wordpress.org/Function_Reference/stripslashes_deep)

This patch uses stripslashes_deep to nuke all of these before storing fields in the database. We've tested and it works perfectly.
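
The behaviour described in this post, as an added example that is not code from this pull request or from CMB2. It runs without WordPress: the `demo_*` helpers are simplified stand-ins for WordPress's `add_magic_quotes()` and `stripslashes_deep()`, and the `save_*` functions and the sample submission are constructed for illustration.

```php
<?php
// Simplified stand-ins for WordPress core helpers (assumption: same recursive
// behaviour). In WordPress, wp_magic_quotes() slashes $_GET/$_POST on every
// request, regardless of the PHP magic-quotes setting.
function demo_add_magic_quotes($value) {
    return is_array($value)
        ? array_map('demo_add_magic_quotes', $value)
        : (is_string($value) ? addslashes($value) : $value);
}
function demo_stripslashes_deep($value) {
    return is_array($value)
        ? array_map('demo_stripslashes_deep', $value)
        : (is_string($value) ? stripslashes($value) : $value);
}

// Constructed submission: a flat field, a value with real backslashes,
// and a nested group field.
$typed = [
    'title' => "Cliff's notes",
    'path'  => 'C:\\temp\\new',
    'group' => [['quote' => 'He said "hi"']],
];
$post = demo_add_magic_quotes($typed);   // what the plugin sees in $_POST

// Hypothetical save routines; the returned array stands in for the database.
function save_raw(array $post): array {
    return $post;                               // no unslashing: stores \'
}
function save_unslashed_unused(array $post): array {
    $clean = demo_stripslashes_deep($post);     // stripped value computed ...
    return $post;                               // ... but the slashed one is stored
}
function save_unslashed(array $post): array {
    return demo_stripslashes_deep($post);       // unslash exactly once, then store
}

$results = [
    'raw'          => save_raw($post),
    'unused strip' => save_unslashed_unused($post),
    'strip once'   => save_unslashed($post),
    'strip twice'  => demo_stripslashes_deep(save_unslashed($post)),
];
foreach ($results as $label => $stored) {
    printf("%-13s round-trips: %s | title=%s | path=%s\n",
        $label, var_export($stored === $typed, true),
        $stored['title'], $stored['path']);
}
```

Only the `strip once` row stores exactly what was typed; unslashing a second time removes the legitimate backslashes from the `path` value, so the strip belongs at a single point on the input path.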

@jtsternberg
Member

The thing that concerns me with deep changes like this is the unintended side-effects for existing users. Can you think of any reasons why/how this would cause problems?

@jtsternberg
Member

Also, if we implement this, it most likely should go in the CMB2_Sanitize constructor.

@clifgriffin
Contributor Author

@jtsternberg I think this is a safe change because we're only dealing with input. Everyone who has input that is already badly escaped will have to fix it manually anyway.

As far as putting it in CMB2_Sanitize, I agree and have moved it thusly.

@jtsternberg jtsternberg merged commit 55cce39 into CMB2:master Jan 27, 2015
@jtsternberg
Member

Thanks @clifgriffin!

pluginmirror-worker pushed a commit to wp-plugins/cmb2 that referenced this pull request Mar 17, 2015
##### Enhancements

* New constant, `CMB2_DIR`, which stores the file-path to the CMB2 directory.
* `text_date`, `text_time`, `text_date_timestamp`, `text_datetime_timestamp`, and `text_datetime_timestamp_timezone` field types now take an arguments array so they can be extended by custom field types.
* Removed auto-scroll when adding groups. To re-add the feature, use the [snippet/plugin here](https://github.com/WebDevStudios/CMB2-Snippet-Library/blob/master/javascript/cmb2-auto-scroll-to-new-group.php). ([#205](CMB2/CMB2#205))
* Updated Timepicker utilizing the [@trentrichardson](https://github.com/trentrichardson) jQuery Timepicker add-on (https://github.com/trentrichardson/jQuery-Timepicker-Addon), and updated Datepicker styles. Props [JonMasterson](https://github.com/JonMasterson). ([#204](CMB2/CMB2#204), [#206](CMB2/CMB2#206), [#45](CMB2/CMB2#45)).
* Added a callback option for the field default value. The callback gets passed an array of all the field parameters as the first argument, and the field object as the second argument. (which means you can get the post id using `$field->object_id`). ([#233](CMB2/CMB2#233)).
* New `CMB2::get_field()` method and `cmb2_get_field` helper function for retrieving a `CMB2_Field` object from the array of registered fields for a metabox.
* New `CMB2::get_sanitized_values()` method and `cmb2_get_metabox_sanitized_values` helper function for retrieving sanitized values from an array of values (usually `$_POST` data).
* New `'save_fields'` metabox property that can be used to disable (by setting `'save_fields' => false`) the automatic saving of the fields when the form is submitted. These can be useful when you want to handle the saving of the fields yourself, or want to use submitted data for other purposes like generating new posts, or sending emails, etc.

##### Bug Fixes

* Fix commented out text_datetime_timestamp_timezone field registration example in `example-functions.php`. Props [cliffordp](https://github.com/cliffordp), ([#203](CMB2/CMB2#203)).
* Fix sidebar styling for money fields and fields with textareas. ([#234](CMB2/CMB2#234))
* Fix `CMB2_Sanitize` class to properly use the stripslashed value (which was added in [#162](CMB2/CMB2#162) but never used). Props [dustyf](https://github.com/dustyf), ([#241](CMB2/CMB2#241)).

git-svn-id: https://plugins.svn.wordpress.org/cmb2/trunk@1113335 b8457f37-d9ea-0310-8a92-e5e31aec5664
pluginmirror-worker pushed a commit to wp-plugins/cmb2 that referenced this pull request Mar 17, 2015
git-svn-id: https://plugins.svn.wordpress.org/cmb2/trunk@1113336 b8457f37-d9ea-0310-8a92-e5e31aec5664