Don't double-escape the 'name' param in `get_terms()`.

[32353] changed the way the 'name' param in `get_terms()` is sanitized, by
running it through `sanitize_term_field( 'name' )` before performing the SQL
query. An unintentional side effect of this change was that the string is
double-escaped: once by `wp_filter_kses()`, and once by `esc_sql()`. The
double-escaping was causing 'name' queries to fail when the param contained
apostrophes or other escaped characters.

Fixes #35493.

git-svn-id: https://develop.svn.wordpress.org/trunk@36348 602fd350-edb4-49c9-b593-d223f7449a82
Boone Gorges 2016-01-19 04:09:32 +00:00
parent d36d6cc630
commit 5eee5cfc3c
2 changed files with 28 additions and 1 deletions


@ -1354,7 +1354,8 @@ function get_terms( $taxonomies, $args = '' ) {
if ( ! empty( $args['name'] ) ) { if ( ! empty( $args['name'] ) ) {
$names = (array) $args['name']; $names = (array) $args['name'];
foreach ( $names as &$_name ) { foreach ( $names as &$_name ) {
$_name = sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' ); // `sanitize_term_field()` returns slashed data.
$_name = stripslashes( sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' ) );
} }
$where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $names ) ) . "')"; $where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $names ) ) . "')";
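Review bot: The new `stripslashes()` wrapped around `sanitize_term_field()` assumes that call adds exactly one layer of slashes (the commit message attributes this to `wp_filter_kses()`, presumably reached through the `pre_term_name` filter chain); if a plugin alters that chain so no slashes are added, a name containing a literal backslash would be changed here and the `IN (...)` match on the following line would fail, although the query itself stays safe because `esc_sql()` there remains the only escaping the SQL relies on. That dependency is worth stating in the comment so the call is not removed later, e.g. `// sanitize_term_field( ..., 'db' ) runs wp_filter_kses(), which returns slashed data; strip here because esc_sql() below escapes again.` The `foreach ( $names as &$_name )` loop is also not followed by `unset( $_name )`, so the reference to the last element stays live after the loop. `get_terms()` begins and ends outside this hunk.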


@ -562,6 +562,32 @@ class Tests_Term_getTerms extends WP_UnitTestCase {
$this->assertEqualSets( array( $t ), $found ); $this->assertEqualSets( array( $t ), $found );
} }
/**
* @ticket 35493
*/
public function test_name_should_not_double_escape_apostrophes() {
register_taxonomy( 'wptests_tax', 'post' );
$name = "Foo'Bar";
$t = self::factory()->term->create( array(
'taxonomy' => 'wptests_tax',
'name' => $name,
) );
$term = get_term( $t, 'wptests_tax' );
$this->assertSame( $name, $term->name );
$found = get_terms( 'wptests_tax', array(
'hide_empty' => false,
'fields' => 'ids',
'name' => $name,
) );
$this->assertEqualSets( array( $t ), $found );
}
/** /**
* @ticket 29839 * @ticket 29839
*/ */
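Review bot: `test_name_should_not_double_escape_apostrophes()` pins only the apostrophe case, while the commit message also covers "other escaped characters"; since both `stripslashes()` and `esc_sql()` act on backslashes and double quotes as well, names such as `Foo\Bar` and `Foo"Bar` would exercise those paths and guard against a future regression in either direction. Iterating over a short list of such names inside the same test, or splitting them out with a data provider, would cover this without a new fixture. The intermediate `get_term()` assertion on `$term->name` is a good sanity check that the stored term itself was not mangled before the lookup is tested. `Tests_Term_getTerms` continues outside this section.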