
function stripslashes_deep($value) should use is_string() on single values (1 post)

  1. abchouse
    Member
    Posted 2 years ago

    My special case:
    Lately I tried to store an array containing a bool among several other values using the function update_user_meta().

    The array was serialized and stored as a string, but before that the boolean value always got converted to the string "1".

    After several hours of debugging WP core code I found out that update_user_meta() uses stripslashes_deep() in the file wp-includes/formatting.php, which uses the PHP function stripslashes() recursively on all array (and object) elements.

    The problem here is that the PHP function stripslashes() returns a string for every type that is given to it; hence a bool true becomes the string "1", and that is totally against what I expected from the function update_user_meta().

    The WordPress documentation does mention the usage of the PHP function stripslashes() on the page for stripslashes_deep(), but mentions nothing about type conversion or the usage of either of the stripping functions on the page for update_user_meta().

    And anyway: this is totally counter-intuitive and IMO malicious.

    I hacked stripslashes_deep() so it does conversions just on strings, from

    function stripslashes_deep($value) {
    	if ( is_array($value) ) {
    		$value = array_map('stripslashes_deep', $value);
    	} elseif ( is_object($value) ) {
    		$vars = get_object_vars( $value );
    		foreach ($vars as $key=>$data) {
    			$value->{$key} = stripslashes_deep( $data );
    		}
    	} else{
    		$value = stripslashes($value);
    	}
    
    	return $value;
    }

    to

    function stripslashes_deep($value) {
    	if ( is_array($value) ) {
    		$value = array_map('stripslashes_deep', $value);
    	} elseif ( is_object($value) ) {
    		$vars = get_object_vars( $value );
    		foreach ($vars as $key=>$data) {
    			$value->{$key} = stripslashes_deep( $data );
    		}
    	} elseif(is_string($value)) {
    		$value = stripslashes($value);
    	}
    
    	return $value;
    }

    What is your opinion on this?
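A side-by-side check of the two versions, added here as an example and not code from the original post or from WordPress core: both functions are reproduced under different names so they can run in one script, and the meta value is a constructed sample. It serializes the result the way update_user_meta() would store it, so the type coercion shows up as `s:1:"1"` versus `b:1`.

```php
<?php
// Original behaviour: every non-array, non-object leaf goes through
// stripslashes(), which coerces bool/int/float to string.
function stripslashes_deep_orig($value) {
    if (is_array($value)) {
        return array_map('stripslashes_deep_orig', $value);
    } elseif (is_object($value)) {
        foreach (get_object_vars($value) as $key => $data) {
            $value->{$key} = stripslashes_deep_orig($data);
        }
        return $value;
    }
    return stripslashes($value);   // true becomes "1", 3 becomes "3"
}

// Guarded version: only strings are unslashed, other scalars pass through
// untouched, so the stored type matches the type that was handed in.
function stripslashes_deep_typed($value) {
    if (is_array($value)) {
        return array_map('stripslashes_deep_typed', $value);
    } elseif (is_object($value)) {
        foreach (get_object_vars($value) as $key => $data) {
            $value->{$key} = stripslashes_deep_typed($data);
        }
        return $value;
    } elseif (is_string($value)) {
        return stripslashes($value);   // slash handling for strings is unchanged
    }
    return $value;                     // bool, int, float keep their type
}

// Constructed meta value mixing a bool, an int and an escaped string.
$meta = ['active' => true, 'count' => 3, 'name' => "O\\'Brien"];

foreach (['orig' => 'stripslashes_deep_orig', 'typed' => 'stripslashes_deep_typed'] as $label => $fn) {
    // serialize() shows the representation that would be written to the DB
    echo $label, ': ', serialize($fn($meta)), "\n";
}
```

Note that the string element is unslashed identically by both versions; the guard only changes what happens to non-string leaves, which is the whole difference the post is asking about.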
