From 5eee5cfc3cf1ef475c15fbab5879cf27d6f1d142 Mon Sep 17 00:00:00 2001
From: Boone Gorges
Date: Tue, 19 Jan 2016 04:09:32 +0000
Subject: [PATCH] Don't double-escape the 'name' param in `get_terms()`.
[32353] changed the way the 'name' param in `get_terms()` is sanitized, by running it through `sanitize_term_field( 'name' )` before performing the SQL query. An unintentional side effect of this change was that the string is double-escaped: once by `wp_filter_kses()`, and once by `esc_sql()`. The double-escaping was causing 'name' queries to fail when the param contained apostrophes or other escaped characters.
Fixes #35493.
git-svn-id: https://develop.svn.wordpress.org/trunk@36348 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/taxonomy.php | 3 ++-
 tests/phpunit/tests/term/getTerms.php | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/taxonomy.php b/src/wp-includes/taxonomy.php
index 1f51ff9cd2..39b5b00423 100644
--- a/src/wp-includes/taxonomy.php
+++ b/src/wp-includes/taxonomy.php
@@ -1354,7 +1354,8 @@ function get_terms( $taxonomies, $args = '' ) {
 if ( ! empty( $args['name'] ) ) {
 $names = (array) $args['name'];
 foreach ( $names as &$_name ) {
- $_name = sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' );
+ // `sanitize_term_field()` returns slashed data.
+ $_name = stripslashes( sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' ) );
 }
 $where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $names ) ) . "')";
diff --git a/tests/phpunit/tests/term/getTerms.php b/tests/phpunit/tests/term/getTerms.php
index ec261f8ffc..111a95ef76 100644
--- a/tests/phpunit/tests/term/getTerms.php
+++ b/tests/phpunit/tests/term/getTerms.php
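Review bot: The comment added above the `stripslashes()` call in `src/wp-includes/taxonomy.php` says what `sanitize_term_field()` returns, but not that from this line on `array_map( 'esc_sql', $names )` in the `$where` concatenation is the only SQL escaping the value receives. I would state that in the comment, e.g. `// sanitize_term_field() returns slashed data; unslash it so that esc_sql() below is the single escaping step.`, so a later refactor does not drop either call. Separately, `$_name` stays bound by reference once the `foreach` ends; an `unset( $_name );` after the loop would remove the dangling reference. The rest of `get_terms()` lies outside the hunk, so this may already be handled further down.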
@@ -562,6 +562,32 @@ class Tests_Term_getTerms extends WP_UnitTestCase {
 $this->assertEqualSets( array( $t ), $found );
 }
+ /**
+ * @ticket 35493
+ */
+ public function test_name_should_not_double_escape_apostrophes() {
+ register_taxonomy( 'wptests_tax', 'post' );
+
+ $name = "Foo'Bar";
+
+ $t = self::factory()->term->create( array(
+ 'taxonomy' => 'wptests_tax',
+ 'name' => $name,
+ ) );
+
+ $term = get_term( $t, 'wptests_tax' );
+
+ $this->assertSame( $name, $term->name );
+
+ $found = get_terms( 'wptests_tax', array(
+ 'hide_empty' => false,
+ 'fields' => 'ids',
+ 'name' => $name,
+ ) );
+
+ $this->assertEqualSets( array( $t ), $found );
+ }
+
 /**
 * @ticket 29839
 */
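Review bot: `test_name_should_not_double_escape_apostrophes()` pins only the apostrophe case, while the commit message says the failure affected "apostrophes or other escaped characters". A companion case with a double quote in the name (a constructed example: `$name = 'Foo"Bar';`) would show that the unslash-then-`esc_sql()` path round-trips that character too. A name containing a literal backslash is worth a case as well, since `stripslashes()` removes backslashes; whether such a name still matches cannot be confirmed from the lines shown here. The test class continues outside the hunk.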