Another reminder that escaping rules for options and transients changed a bit in 3.0.
Recent comments
newtonsongbird on Suggestions Kim Parsell on Core Contributor Handbook Lance Willett on We’re getting very close… Muhammad Abdi on Core Contributor Handbook Maor Chasen on We’re getting very close…
arena and 
arena 10:50 pm on May 28, 2010 Permalink
Best should be to clean up code in
wp-login.php
$user_login = $user_data->user_login;
$user_email = $user_data->user_email;
and in wp-pluggable.php (several times)
$user_login = stripslashes($user->user_login);
$user_email = stripslashes($user->user_email);
arena 11:22 pm on May 28, 2010 Permalink
btw as i am reviewing mails in pluggable.php and hooks on mails in wp-login.php
in wp-login.php we have :
if ( is_multisite() )
$blogname = $GLOBALS['current_site']->site_name;
else
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
// we want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode(get_option(‘blogname’), ENT_QUOTES);
in pluggable.php, we have :
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
// we want to reverse this for the plain text arena of emails.
$blogname = wp_specialchars_decode(get_option(‘blogname’), ENT_QUOTES);
what is the right sequence of code ?
Peter Westwood 1:21 pm on May 29, 2010 Permalink
Please could you open a ticket for this.
The special_chars_decode probably needs applying in the is_multisite() case above for the same reason it was applied in pluggable.php
arena 11:26 pm on May 29, 2010 Permalink
done #13618
arena 11:26 pm on May 29, 2010 Permalink
done #13618
not sure this line
$blogname = $GLOBALS['current_site']->site_name;
is usefull !?