From 8355232a65693ee73ba70ebd7d157a13bde5e836 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Sat, 15 Mar 2014 04:46:53 +0000
Subject: [PATCH] Avoid saving slashed data in XML-RPC's wp.setOptions.

props danielbachhuber. fixes #22936.

git-svn-id: https://develop.svn.wordpress.org/trunk@27551 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-xmlrpc-server.php | 2 +-
 tests/phpunit/tests/xmlrpc/wp/setOptions.php | 24 ++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 tests/phpunit/tests/xmlrpc/wp/setOptions.php

diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 6aa76207ba..6399491dfc 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3244,7 +3244,7 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( $this->blog_options[$o_name]['readonly'] == true )
 continue;
- update_option( $this->blog_options[$o_name]['option'], $o_value );
+ update_option( $this->blog_options[$o_name]['option'], wp_unslash( $o_value ) );
 }
 //Now return the updated values
diff --git a/tests/phpunit/tests/xmlrpc/wp/setOptions.php b/tests/phpunit/tests/xmlrpc/wp/setOptions.php
new file mode 100644
index 0000000000..34232f7c33
--- /dev/null
+++ b/tests/phpunit/tests/xmlrpc/wp/setOptions.php
@@ -0,0 +1,24 @@
+make_user_by_role( 'administrator' );
+ $string_with_quote = "Mary's Lamb Shop";
+ $escaped_string_with_quote = esc_html( $string_with_quote ); // title is passed through esc_html()
+
+ $result = $this->myxmlrpcserver->wp_setOptions( array( 1, 'administrator', 'administrator', array(
+ 'blog_title' => $string_with_quote,
+ 'users_can_register' => true,
+ ) ) );
+
+ $this->assertInternalType( 'array', $result );
+ $this->assertEquals( $escaped_string_with_quote, $result['blog_title']['value'] );
+ $this->assertEquals( true, $result['users_can_register']['value'] );
+ }
+}
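Review bot: The `wp_unslash( $o_value )` added on the update_option() line reverses slashing that nothing in this hunk shows being applied, so a reader cannot tell from the hunk alone why unslashing here is correct rather than a double-unescape of caller data; presumably the method's earlier escaping of `$args` adds the slashes, and that dependency deserves a comment on the new line: `// $args were slashed by $this->escape() above; update_option() expects unslashed data.` Whether the raw value is otherwise validated depends on the option allowlist in `$this->blog_options` and on update_option()'s own sanitization, neither of which is visible in this hunk. The unchanged context line `if ( $this->blog_options[$o_name]['readonly'] == true )` uses a loose comparison where `=== true` would be unambiguous, though that line is not part of this commit. The enclosing wp_setOptions method starts and ends outside the hunk.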
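Review bot: The new test verifies the unslashed value only indirectly, through the esc_html()'d `value` the server echoes back, and never reads the stored option, so it cannot distinguish a fix in the storage path from one in the response path; adding `$this->assertEquals( $string_with_quote, get_option( 'blogname' ) );` after the existing assertions would pin the stored value directly (assuming `blog_title` maps to the `blogname` option, which this hunk does not show). The last assertion, `$this->assertEquals( true, $result['users_can_register']['value'] );`, reads more precisely as `$this->assertTrue( $result['users_can_register']['value'] );`. As rendered, the hunk is missing its opening lines (the file text begins at `+make_user_by_role(`), so the class and test-method declarations are not visible here.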