#5704 closed defect (bug) (fixed)
Issue with the backslash character in xprofile admin
Reported by: | dontdream | Owned by: | djpaul |
---|---|---|---|
Milestone: | 2.0.2 | Priority: | normal |
Severity: | normal | Version: | 2.0 |
Component: | Extended Profile | Keywords: | has-patch |
Cc: |
Description
Steps to reproduce:
- Create a Radio Buttons xprofile field
- Add the option O'Hara
- Save the field
- Reopen the field for edit
- The option is now O\'Hara
If you save again and reopen for edit, two more backslashes will be added, and so on indefinitely.
Attachments (2)
Change History (11)
#3
@
10 years ago
I'd like to see a more thorough examination of what's going on here. At the very least, we should be stripping slashes further up the chain - maybe in BP_XProfile_Field::get_children()
? In theory, we should not be saving slashed data in the first place; see #2776. This ticket is maybe not the place to solve the entire problem, but could we at least have a closer look at why this particular piece of data is ending up slashed in the first place?
#5
in reply to:
↑ 4
@
10 years ago
Replying to DJPaul:
Also interesting to know if this is a regression or not.
I confirm it's a regression from 1.9. Just checked 1.9.2, and in BP_XProfile_Field->render_admin_form_children()
the value was stripslashed:
<input type="text" name="<?php echo esc_attr( $type ); ?>_option[<?php echo esc_attr( $j ); ?>]" id="<?php echo esc_attr( $type ); ?>_option<?php echo esc_attr( $j ); ?>" value="<?php echo stripslashes( esc_attr( $options[$i]->name ) ); ?>" />
Replying to boonebgorges:
In theory, we should not be saving slashed data in the first place
Well a filter is available so we can stripslash the array of options before saving it to db.
see 5704.02.patch
#6
@
10 years ago
Cool, any attempts to un-slash the data should be dealt with in the other ticket, and that's a giant piece of work.
#7
@
10 years ago
- Milestone changed from Awaiting Review to 2.0.2
For the 2.0.x series, let's fix the regression and put the stripslashes() back where it was before.
We should be stripslashing on the way in, but 5704.02 is probably not the best way to do it. (1) we don't have to use filters, because we are the core developers :) And (2) we should be stripping intelligently: slashes would come from POST
ed data, so we should be stripping at the point that $_POST
is parsed.
Hi dontdream
Thanks a lot for your feedback.
There may be a more elegant way, but simply stripslashing the value is fixing this.