Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run stripslashes before saving data, since WordPress forces magic quotes #162

Merged
merged 2 commits into from
Jan 27, 2015

Conversation

clifgriffin
Copy link
Contributor

We found that when entering a single tick ' into text fields, the resulting save adds an unnecessary escape character: \'

This is because of that weird legacy quirk with WordPress that forces magic quotes onto all incoming data, whether $_GET or $_POST. This happens regardless of the PHP setting so trying to use get_magic_quotes_gpc() in this context does not work. (See note here: http://codex.wordpress.org/Function_Reference/stripslashes_deep)

This patch uses stripslashes_deep to nuke all of these befor storing fields in the database. We've tested and it works perfectly.

@jtsternberg
Copy link
Member

The thing that concerns me with deep changes like this is the unintended side-effects for existing users. Can you think of any reasons why/how this would cause problems?

@jtsternberg
Copy link
Member

Also, if we implement this, it most likely should go in the CMB2_Sanitize constructor.

@clifgriffin
Copy link
Contributor Author

@jtsternberg I think this is a safe change because we're only dealing with input. Everyone who has input that is already badly escaped will have to fix it manually anyway.

As far as putting it in CMB2_Sanitize, I agree and have moved it thusly.

@jtsternberg jtsternberg merged commit 55cce39 into CMB2:master Jan 27, 2015
@jtsternberg
Copy link
Member

Thanks @clifgriffin!

pluginmirror-worker pushed a commit to wp-plugins/cmb2 that referenced this pull request Mar 17, 2015
##### Enhancements

* New constant, `CMB2_DIR`, which stores the file-path to the CMB2 directory.
* `text_date`, `text_time`, `text_date_timestamp`, `text_datetime_timestamp`, and ` text_datetime_timestamp_timezone` field types now take an arguments array so they can be extended by custom field types.
* Removed auto-scroll when adding groups. To re-add the feature, use the [snippet/plugin here](https://github.com/WebDevStudios/CMB2-Snippet-Library/blob/master/javascript/cmb2-auto-scroll-to-new-group.php). ([#205](CMB2/CMB2#205))
* Updated Timepicker utilizing the [@trentrichardson](https://github.com/trentrichardson) jQuery Timepicker add-on (https://github.com/trentrichardson/jQuery-Timepicker-Addon), and updated Datepicker styles. Props [JonMasterson](https://github.com/JonMasterson). ([#204](CMB2/CMB2#204), [#206](CMB2/CMB2#206), [#45](CMB2/CMB2#45)).
* Added a callback option for the field default value. The callback gets passed an array of all the field parameters as the first argument, and the field object as the second argument. (which means you can get the post id using `$field->object_id`). ([#233](CMB2/CMB2#233)).
* New `CMB2::get_field()` method and `cmb2_get_field` helper function for retrieving a `CMB2_Field` object from the array of registered fields for a metabox.
* New `CMB2::get_sanitized_values()` method and `cmb2_get_metabox_sanitized_values` helper function for retrieving sanitized values from an array of values (usually `$_POST` data).
* New `'save_fields'` metabox property that can be used to disable (by setting `'save_fields' => false`) the automatic saving of the fields when the form is submitted. These can be useful when you want to handle the saving of the fields yourself, or want to use submitted data for other purposes like generating new posts, or sending emails, etc.

##### Bug Fixes

* Fix commented out text_datetime_timestamp_timezone field registration example in `example-functions.php`. Props [cliffordp](https://github.com/cliffordp), ([#203](CMB2/CMB2#203)).
* Fix sidebar styling for money fields and fields with textareas. ([#234](CMB2/CMB2#234))
* Fix `CMB2_Sanitize` class to properly use the stripslashed value (which was added in [#162](CMB2/CMB2#162) but never used). Props [dustyf](https://github.com/dustyf), ([#241](CMB2/CMB2#241)).

git-svn-id: https://plugins.svn.wordpress.org/cmb2/trunk@1113335 b8457f37-d9ea-0310-8a92-e5e31aec5664
pluginmirror-worker pushed a commit to wp-plugins/cmb2 that referenced this pull request Mar 17, 2015
##### Enhancements

* New constant, `CMB2_DIR`, which stores the file-path to the CMB2 directory.
* `text_date`, `text_time`, `text_date_timestamp`, `text_datetime_timestamp`, and ` text_datetime_timestamp_timezone` field types now take an arguments array so they can be extended by custom field types.
* Removed auto-scroll when adding groups. To re-add the feature, use the [snippet/plugin here](https://github.com/WebDevStudios/CMB2-Snippet-Library/blob/master/javascript/cmb2-auto-scroll-to-new-group.php). ([#205](CMB2/CMB2#205))
* Updated Timepicker utilizing the [@trentrichardson](https://github.com/trentrichardson) jQuery Timepicker add-on (https://github.com/trentrichardson/jQuery-Timepicker-Addon), and updated Datepicker styles. Props [JonMasterson](https://github.com/JonMasterson). ([#204](CMB2/CMB2#204), [#206](CMB2/CMB2#206), [#45](CMB2/CMB2#45)).
* Added a callback option for the field default value. The callback gets passed an array of all the field parameters as the first argument, and the field object as the second argument. (which means you can get the post id using `$field->object_id`). ([#233](CMB2/CMB2#233)).
* New `CMB2::get_field()` method and `cmb2_get_field` helper function for retrieving a `CMB2_Field` object from the array of registered fields for a metabox.
* New `CMB2::get_sanitized_values()` method and `cmb2_get_metabox_sanitized_values` helper function for retrieving sanitized values from an array of values (usually `$_POST` data).
* New `'save_fields'` metabox property that can be used to disable (by setting `'save_fields' => false`) the automatic saving of the fields when the form is submitted. These can be useful when you want to handle the saving of the fields yourself, or want to use submitted data for other purposes like generating new posts, or sending emails, etc.

##### Bug Fixes

* Fix commented out text_datetime_timestamp_timezone field registration example in `example-functions.php`. Props [cliffordp](https://github.com/cliffordp), ([#203](CMB2/CMB2#203)).
* Fix sidebar styling for money fields and fields with textareas. ([#234](CMB2/CMB2#234))
* Fix `CMB2_Sanitize` class to properly use the stripslashed value (which was added in [#162](CMB2/CMB2#162) but never used). Props [dustyf](https://github.com/dustyf), ([#241](CMB2/CMB2#241)).

git-svn-id: https://plugins.svn.wordpress.org/cmb2/trunk@1113336 b8457f37-d9ea-0310-8a92-e5e31aec5664
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants