Heartbeat: Hooks should always receive unslashed data.

This affects the privileged hooks; the unprivileged hooks already received unslashed data.

props johnbillion, TobiasBg.
fixes #27260.


git-svn-id: https://develop.svn.wordpress.org/trunk@27576 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-admin/includes/ajax-actions.php

@@ -2119,7 +2119,7 @@ function wp_ajax_heartbeat() {
 		$screen_id = 'front';
 
 	if ( ! empty($_POST['data']) ) {
-		$data = (array) $_POST['data'];
+		$data = wp_unslash( (array) $_POST['data'] );
 
 		/**
 		 * Filter the Heartbeat response received.

src/wp-admin/includes/post.php

@@ -1450,9 +1450,9 @@ function wp_autosave( $post_data ) {
 
 	if ( ! wp_check_post_lock( $post->ID ) && get_current_user_id() == $post->post_author && ( 'auto-draft' == $post->post_status || 'draft' == $post->post_status ) ) {
 		// Drafts and auto-drafts are just overwritten by autosave for the same user if the post is not locked
-		return edit_post( $post_data );
+		return edit_post( wp_slash( $post_data ) );
 	} else {
 		// Non drafts or other users drafts are not overwritten. The autosave is stored in a special post revision for each user.
-		return wp_create_post_autosave( $post_data );
+		return wp_create_post_autosave( wp_slash( $post_data ) );
 	}
 }