From e80637d860d1389f12531a40a079699df0654cb8 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Fri, 15 May 2009 21:27:39 +0000
Subject: [PATCH] Escape posts passed as objects. Props Denis-de-Bernardy. fixes #9727
git-svn-id: https://develop.svn.wordpress.org/trunk@11344 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/post.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/wp-includes/post.php b/wp-includes/post.php
index a25afaad2c..5c44e6a692 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -1611,12 +1611,15 @@ function wp_insert_post($postarr = array(), $wp_error = false) {
 *
 * @since 1.0.0
 *
- * @param array|object $postarr Post data.
+ * @param array|object $postarr Post data. Arrays are expected to be escaped, objects are not.
 * @return int 0 on failure, Post ID on success.
 */
 function wp_update_post($postarr = array()) {
- if ( is_object($postarr) )
+ if ( is_object($postarr) ) {
+ // non-escaped post was passed
 $postarr = get_object_vars($postarr);
+ $postarr = add_magic_quotes($postarr);
+ }
 // First, get all of the original fields
 $post = wp_get_single_post($postarr['ID'], ARRAY_A);
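Review bot: The new branch in `wp_update_post` chooses whether to escape from the PHP type of `$postarr`, not from whether the values are already slashed, so the guarantee rests entirely on callers following the convention stated in the docblock. An object whose properties came from already-slashed data would be slashed twice, and an array holding raw values still passes through with no escaping at all; whether either occurs depends on callers outside this hunk. I would make the contract explicit at the point of use, replacing the inline comment with `// Objects are assumed to carry raw (unslashed) values; slash them so they match what array callers pass.` and extending the `@param` text to say that array callers must slash the data themselves. The function body continues past the end of the hunk, so how the slashed values are consumed is not visible here.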