Avoid saving slashed data in XML-RPC's wp.setOptions.

props danielbachhuber.
fixes #22936.


git-svn-id: https://develop.svn.wordpress.org/trunk@27551 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/class-wp-xmlrpc-server.php

@@ -3244,7 +3244,7 @@ class wp_xmlrpc_server extends IXR_Server {
 			if ( $this->blog_options[$o_name]['readonly'] == true )
 				continue;
 
-			update_option( $this->blog_options[$o_name]['option'], $o_value );
+			update_option( $this->blog_options[$o_name]['option'], wp_unslash( $o_value ) );
 		}
 
 		//Now return the updated values

tests/phpunit/tests/xmlrpc/wp/setOptions.php

@@ -0,0 +1,24 @@
+<?php
+/**
+ * @group xmlrpc
+ */
+class Tests_XMLRPC_wp_setOptions extends WP_XMLRPC_UnitTestCase {
+
+	/**
+	 * @ticket 22936
+	 */
+	function test_set_option_no_escape_strings() {
+		$this->make_user_by_role( 'administrator' );
+		$string_with_quote = "Mary's Lamb Shop";
+		$escaped_string_with_quote = esc_html( $string_with_quote ); // title is passed through esc_html()
+
+		$result = $this->myxmlrpcserver->wp_setOptions( array( 1, 'administrator', 'administrator', array(
+			'blog_title' => $string_with_quote,
+			'users_can_register' => true,
+		) ) );
+
+		$this->assertInternalType( 'array', $result );
+		$this->assertEquals( $escaped_string_with_quote, $result['blog_title']['value'] );
+		$this->assertEquals( true, $result['users_can_register']['value'] );
+	}
+}