Closed GoogleCodeExporter closed 9 years ago
Thanks Martijn. Hopefully you find the culprit
Original comment by ccagle8
on 28 Apr 2010 at 10:29
You can see my analysis on this problem :
http://get-simple.info/forum/viewtopic.php?pid=4339#p4355
Moreover, I didn't find any use of magic quotes in the project...
Original comment by spila...@gmail.com
on 28 Apr 2010 at 2:28
A possible fix:
http://get-simple.info/forum/viewtopic.php?pid=4649#p4649
Original comment by carnav
on 17 May 2010 at 7:46
Original comment by martijn.personal@gmail.com
on 2 Jun 2010 at 7:56
I have realised that this issue is not only with 'content' field, but with
others
like 'title', 'menu'... (those filtered by stripslashes in edit.php, lines
53-61)
(Though content and title fields may be the most important ones to be fixed.)
Original comment by carnav
on 6 Jun 2010 at 6:21
I can think of another solution (would imply changes not only in edit.php but
also in
theme_functions.php), based on what spilarix first suggested, but that way xml
page
file format would not be backwards compatible (backslashes would not be escaped
inside).
For now, I believe it's better to do the small fix I suggested (addslashes if
magic_quotes_gpc off) or something similar, but anyway if someone is interested
I can
send it by email, PM or whatever.
Carlos
Original comment by carnav
on 6 Jun 2010 at 6:28
Just a reminder: my suggested patch (comment 3) is:
/admin/changedata, line 97, replace by:
if(isset($_POST['post-content'])) {
if (get_magic_quotes_gpc()==0) {
$content = addslashes(htmlentities($_POST['post-content'], ENT_QUOTES, 'UTF-8'));
} else {
$content = htmlentities($_POST['post-content'], ENT_QUOTES, 'UTF-8');
}
}
That would fix the backslash problem in the content (escapes all backslashes
submitted if magic_gpc_quotes disabled -PHP 5.3-, making it work like if this
option
was enabled).
Same should be done to title (line 89), menu (line 94), and maybe to metak and
metad.
(So perhaps you might prefer to create some new formatting function not to
repeat all
these code.)
Original comment by carnav
on 6 Jun 2010 at 8:02
theme-edit.php and components.php have the same problem (stripped off slashes
if magic_quotes_gpc disabled)
Original comment by carnav
on 7 Jun 2010 at 9:29
I've made the changes to components and changedata. Where on theme-edit.php
should it be done?
Original comment by ccagle8
on 16 Oct 2010 at 1:43
theme-edit.php, line 48:
$FileContents = stripslashes(htmlspecialchars_decode($_POST['content'], ENT_QUOTES));
(suggested) replace by:
if (get_magic_quotes_gpc()==0) {
$FileContents = htmlspecialchars_decode($_POST['content'], ENT_QUOTES);
} else {
$FileContents = stripslashes(htmlspecialchars_decode($_POST['content'], ENT_QUOTES));
}
Original comment by carnav
on 16 Oct 2010 at 2:55
r201 took care of this. Thanks!
Original comment by ccagle8
on 18 Oct 2010 at 12:54
Got a question, this function uses this same type of cleaning... shouldnt this
use the same gpc check?
function get_page_content() {
global $content;
exec_action('content-top');
$content = stripslashes(htmlspecialchars_decode($content, ENT_QUOTES));
$content = exec_filter('content',$content);
echo $content;
exec_action('content-bottom');
}
Original comment by ccagle8
on 23 Oct 2010 at 12:43
No, the gpc problem was only with GET/POST/Cookie variables, which are not used
when displaying a page, but only when editing.
Original comment by carnav
on 23 Oct 2010 at 7:31
ooohh, ok. so i guess we have all the instances of this being a problem... Im
going to close this. thanks for all your help on this!
Original comment by ccagle8
on 23 Oct 2010 at 1:03
Original issue reported on code.google.com by
martijn.personal@gmail.com
on 27 Apr 2010 at 7:09