From 2959d58c91d212bd4287e6200a3cca52e87e37b5 Mon Sep 17 00:00:00 2001
From: Dion Hulse
Date: Mon, 29 Jun 2015 02:06:25 +0000
Subject: [PATCH] XML-RPC: Only escape what we need to in `wp.editPage`, this allows for passwords with the special characters `"'` to work in a request.
Props redsweater for initial Patch.
Fixes #32703
git-svn-id: https://develop.svn.wordpress.org/trunk@32993 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-xmlrpc-server.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 2571a3510b..4a68aaae5a 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -2747,15 +2747,19 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array|IXR_Error
 */
 public function wp_editPage( $args ) {
- // Items not escaped here will be escaped in editPost.
- $page_id = (int) $this->escape($args[1]);
- $username = $this->escape($args[2]);
- $password = $this->escape($args[3]);
+ // Items will be escaped in mw_editPost.
+ $page_id = (int) $args[1];
+ $username = $args[2];
+ $password = $args[3];
 $content = $args[4];
 $publish = $args[5];

- if ( !$user = $this->login($username, $password) )
+ $escaped_username = $this->escape( $username );
+ $escaped_password = $this->escape( $password );
+
+ if ( !$user = $this->login( $escaped_username, $escaped_password ) ) {
 return $this->error;
+ }

 /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
 do_action( 'xmlrpc_call', 'wp.editPage' );
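Review bot: The new comment `// Items will be escaped in mw_editPost.` does not say why `wp_editPage()` now holds both raw and escaped credentials, and that distinction is the whole fix. I would replace it with `// Keep $username/$password raw: mw_editPost escapes them itself, so escaping here would double-escape. Only the copies passed to login() are escaped.` The rest of the function is outside the hunk, so I am assuming the raw values are only forwarded to `mw_editPost`; if they reach any other sink in this method they need escaping at that point. Separately, `$args[1]` to `$args[5]` are read with no length check visible in the hunk, so a short request would hit undefined indexes before `login()` runs.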