This repository has been archived by the owner on May 15, 2024. It is now read-only.

BR-1821 Prevent wp_unslash from breaking escaped chars in data or metadata #107

Merged
merged 3 commits into from
Dec 13, 2017


joshkadis
Contributor

Before, with wp_unslash():

screen shot 2017-12-13 at 2 06 02 pm

After, without wp_unslash()

screen shot 2017-12-13 at 2 07 58 pm

@joshkadis
Contributor Author

@kevinfodness FWIW I think the only reason I had wp_unslash() there in the first place was to placate Travis

Contributor

@meddy meddy left a comment

🍰

Is this fix applicable to the edge case subtitle field too?

@joshkadis
Contributor Author

@meddy unfortunately I don't think so, that issue had more to do with how the subtitle field is stored kinda separately from the rest of the metadata

Member

@kevinfodness kevinfodness left a comment

Looks good, just need to add the WPCS exclusion line to appease Travis. 🍣

@@ -93,7 +93,7 @@ protected function _do_save_post( $post ) {
foreach ( array( 'chartData', 'chartOptions', 'chartMetadata', 'googleSheetId' ) as $field ) {
if ( ! empty( $_POST[ 'save-' . $field ] ) ) {
// sanitize field name w/ esc_attr() instead of sanitize_key() because we want to preserve uppercase letters
update_post_meta( $post->ID, 'save-' . esc_attr( $field ), sanitize_text_field( wp_unslash( $_POST[ 'save-' . $field ] ) ) );
update_post_meta( $post->ID, 'save-' . esc_attr( $field ), sanitize_text_field( $_POST[ 'save-' . $field ] ) );
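
Review bot: The replacement `update_post_meta(...)` line feeds `$_POST[ 'save-' . $field ]` to `sanitize_text_field()` with no `wp_unslash()` and nothing on the line says that this is deliberate, so a later cleanup or the coding-standards sniff can reintroduce the call. Add a short comment stating that the value is left slashed on purpose because `update_post_meta()` expects slashed data, next to the sniff exclusion. A smaller point on the same line: `$field` only ever comes from the literal array in the `foreach`, so `esc_attr( $field )` changes nothing, while the `$_POST` lookup uses the unescaped `'save-' . $field`; building the key once in a variable and using it for both the lookup and the meta key would read more clearly than the existing comment about `sanitize_key()`.
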
Member

You're going to need to tell WPCS to ignore the wp_unslash rule here. There is an open issue about false positives for this sniff with functions that expect slashed data, of which update_post_meta is one:

WordPress/WordPress-Coding-Standards#172
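
The double unslash that this comment and the PR title describe, as an added example that is not part of the original thread or the project's code. The `fake_*` functions are hypothetical plain-PHP stand-ins for WordPress request slashing, `wp_unslash()` and `update_post_meta()`, and the chart title is a constructed sample; `sanitize_text_field()` is left out of the model.

```php
<?php
// Hypothetical stand-ins (assumptions) for the WordPress behaviour discussed
// in this thread, so the example runs in plain PHP without WordPress loaded.

// WordPress slashes request data on load; addslashes() models that for a string.
function fake_request_slashing( string $raw ): string {
    return addslashes( $raw );
}

// Models wp_unslash() for a single string value.
function fake_wp_unslash( string $value ): string {
    return stripslashes( $value );
}

// Models update_post_meta(): it expects slashed input and unslashes before storing.
function fake_update_post_meta( array &$store, string $key, string $slashed_value ): void {
    $store[ $key ] = stripslashes( $slashed_value );
}

// Constructed sample: chart metadata whose title contains an escaped double quote.
$raw        = '{"title":"Pipe \"A\" flow"}';
$post_value = fake_request_slashing( $raw );

$store = array();
// Before the change: unslash by hand, then the meta function unslashes again.
fake_update_post_meta( $store, 'before', fake_wp_unslash( $post_value ) );
// After the change: hand the still-slashed value to the meta function.
fake_update_post_meta( $store, 'after', $post_value );

// Report what was stored and whether it still parses as JSON.
foreach ( $store as $label => $stored ) {
    $valid = null !== json_decode( $stored );
    printf( "%-6s %s  valid JSON: %s\n", $label, $stored, $valid ? 'yes' : 'no' );
}
```

The `before` row loses the backslashes that escaped the inner quotes, so the stored string no longer parses, while the `after` row round-trips the submitted value unchanged.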

@joshkadis joshkadis merged commit c3b2655 into master Dec 13, 2017
@joshkadis joshkadis deleted the BR-1821-other-fields branch December 13, 2017 19:36