-
Notifications
You must be signed in to change notification settings - Fork 572
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run stripslashes before saving data, since WordPress forces magic quotes #162
Conversation
The thing that concerns me with deep changes like this is the unintended side-effects for existing users. Can you think of any reasons why/how this would cause problems? |
Also, if we implement this, it most likely should go in the CMB2_Sanitize constructor. |
@jtsternberg I think this is a safe change because we're only dealing with input. Everyone who has input that is already badly escaped will have to fix it manually anyway. As far as putting it in CMB2_Sanitize, I agree and have moved it thusly. |
Thanks @clifgriffin! |
##### Enhancements * New constant, `CMB2_DIR`, which stores the file-path to the CMB2 directory. * `text_date`, `text_time`, `text_date_timestamp`, `text_datetime_timestamp`, and ` text_datetime_timestamp_timezone` field types now take an arguments array so they can be extended by custom field types. * Removed auto-scroll when adding groups. To re-add the feature, use the [snippet/plugin here](https://github.com/WebDevStudios/CMB2-Snippet-Library/blob/master/javascript/cmb2-auto-scroll-to-new-group.php). ([#205](CMB2/CMB2#205)) * Updated Timepicker utilizing the [@trentrichardson](https://github.com/trentrichardson) jQuery Timepicker add-on (https://github.com/trentrichardson/jQuery-Timepicker-Addon), and updated Datepicker styles. Props [JonMasterson](https://github.com/JonMasterson). ([#204](CMB2/CMB2#204), [#206](CMB2/CMB2#206), [#45](CMB2/CMB2#45)). * Added a callback option for the field default value. The callback gets passed an array of all the field parameters as the first argument, and the field object as the second argument. (which means you can get the post id using `$field->object_id`). ([#233](CMB2/CMB2#233)). * New `CMB2::get_field()` method and `cmb2_get_field` helper function for retrieving a `CMB2_Field` object from the array of registered fields for a metabox. * New `CMB2::get_sanitized_values()` method and `cmb2_get_metabox_sanitized_values` helper function for retrieving sanitized values from an array of values (usually `$_POST` data). * New `'save_fields'` metabox property that can be used to disable (by setting `'save_fields' => false`) the automatic saving of the fields when the form is submitted. These can be useful when you want to handle the saving of the fields yourself, or want to use submitted data for other purposes like generating new posts, or sending emails, etc. ##### Bug Fixes * Fix commented out text_datetime_timestamp_timezone field registration example in `example-functions.php`. Props [cliffordp](https://github.com/cliffordp), ([#203](CMB2/CMB2#203)). * Fix sidebar styling for money fields and fields with textareas. ([#234](CMB2/CMB2#234)) * Fix `CMB2_Sanitize` class to properly use the stripslashed value (which was added in [#162](CMB2/CMB2#162) but never used). Props [dustyf](https://github.com/dustyf), ([#241](CMB2/CMB2#241)). git-svn-id: https://plugins.svn.wordpress.org/cmb2/trunk@1113335 b8457f37-d9ea-0310-8a92-e5e31aec5664
##### Enhancements * New constant, `CMB2_DIR`, which stores the file-path to the CMB2 directory. * `text_date`, `text_time`, `text_date_timestamp`, `text_datetime_timestamp`, and ` text_datetime_timestamp_timezone` field types now take an arguments array so they can be extended by custom field types. * Removed auto-scroll when adding groups. To re-add the feature, use the [snippet/plugin here](https://github.com/WebDevStudios/CMB2-Snippet-Library/blob/master/javascript/cmb2-auto-scroll-to-new-group.php). ([#205](CMB2/CMB2#205)) * Updated Timepicker utilizing the [@trentrichardson](https://github.com/trentrichardson) jQuery Timepicker add-on (https://github.com/trentrichardson/jQuery-Timepicker-Addon), and updated Datepicker styles. Props [JonMasterson](https://github.com/JonMasterson). ([#204](CMB2/CMB2#204), [#206](CMB2/CMB2#206), [#45](CMB2/CMB2#45)). * Added a callback option for the field default value. The callback gets passed an array of all the field parameters as the first argument, and the field object as the second argument. (which means you can get the post id using `$field->object_id`). ([#233](CMB2/CMB2#233)). * New `CMB2::get_field()` method and `cmb2_get_field` helper function for retrieving a `CMB2_Field` object from the array of registered fields for a metabox. * New `CMB2::get_sanitized_values()` method and `cmb2_get_metabox_sanitized_values` helper function for retrieving sanitized values from an array of values (usually `$_POST` data). * New `'save_fields'` metabox property that can be used to disable (by setting `'save_fields' => false`) the automatic saving of the fields when the form is submitted. These can be useful when you want to handle the saving of the fields yourself, or want to use submitted data for other purposes like generating new posts, or sending emails, etc. ##### Bug Fixes * Fix commented out text_datetime_timestamp_timezone field registration example in `example-functions.php`. Props [cliffordp](https://github.com/cliffordp), ([#203](CMB2/CMB2#203)). * Fix sidebar styling for money fields and fields with textareas. ([#234](CMB2/CMB2#234)) * Fix `CMB2_Sanitize` class to properly use the stripslashed value (which was added in [#162](CMB2/CMB2#162) but never used). Props [dustyf](https://github.com/dustyf), ([#241](CMB2/CMB2#241)). git-svn-id: https://plugins.svn.wordpress.org/cmb2/trunk@1113336 b8457f37-d9ea-0310-8a92-e5e31aec5664
We found that when entering a single tick
'
into text fields, the resulting save adds an unnecessary escape character:\'
This is because of that weird legacy quirk with WordPress that forces magic quotes onto all incoming data, whether
$_GET
or$_POST
. This happens regardless of the PHP setting so trying to useget_magic_quotes_gpc()
in this context does not work. (See note here: http://codex.wordpress.org/Function_Reference/stripslashes_deep)This patch uses stripslashes_deep to nuke all of these befor storing fields in the database. We've tested and it works perfectly.