From c914491693f14450668d1b28a99ff6d3af9efc7f Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Tue, 18 Mar 2014 00:14:48 +0000
Subject: [PATCH] Heartbeat: Hooks should always receive unslashed data. This affects the privileged hooks; the unprivileged hooks already received unslashed data. props johnbillion, TobiasBg. fixes #27260.
git-svn-id: https://develop.svn.wordpress.org/trunk@27576 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ajax-actions.php | 2 +-
 src/wp-admin/includes/post.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 44d378d345..e7f4f6bd56 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2119,7 +2119,7 @@ function wp_ajax_heartbeat() {
 $screen_id = 'front';
 if ( ! empty($_POST['data']) ) {
- $data = (array) $_POST['data'];
+ $data = wp_unslash( (array) $_POST['data'] );
 /**
 * Filter the Heartbeat response received.
diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
index e67352128f..f6030b9840 100644
--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -1450,9 +1450,9 @@ function wp_autosave( $post_data ) {
 if ( ! wp_check_post_lock( $post->ID ) && get_current_user_id() == $post->post_author && ( 'auto-draft' == $post->post_status || 'draft' == $post->post_status ) ) {
 // Drafts and auto-drafts are just overwritten by autosave for the same user if the post is not locked
- return edit_post( $post_data );
+ return edit_post( wp_slash( $post_data ) );
 } else {
 // Non drafts or other users drafts are not overwritten. The autosave is stored in a special post revision for each user.
- return wp_create_post_autosave( $post_data );
+ return wp_create_post_autosave( wp_slash( $post_data ) );
 }
 }
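Review bot: The docblock that opens at the end of this hunk in wp_ajax_heartbeat() should say that `$data` now reaches the privileged hook unslashed, since callbacks written against the old slashed value will see different input after `wp_unslash( (array) $_POST['data'] )`. A callback that forwards a value to an API expecting slashed input has to re-slash it (as the post.php part of this patch does with `wp_slash()`), otherwise backslashes in user content are silently dropped. A callback that places a value in a query must use `$wpdb->prepare()` rather than rely on the former slashing. Suggested docblock line: `@param array $data The $_POST data sent, unslashed.` The rest of the docblock and the function body lie outside the hunk, so the existing `@param` wording could not be checked.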
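Review bot: wp_autosave() now assumes `$post_data` arrives unslashed, but nothing on the visible lines states that contract. A caller that still passes slashed request data would have it slashed a second time by `wp_slash( $post_data )` in both return branches, and literal backslashes would then be stored in the draft or the autosave revision. The function's docblock starts outside this hunk; it should carry a line such as `@param array $post_data Associative array of the submitted post data, expected unslashed.` Other callers of wp_autosave() are not visible here and are worth checking for the same assumption.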