Skip to content

Stop double-escaping editorial comment fields#942

Merged
GaryJones merged 1 commit into
developfrom
GaryJones/fix-editorial-comments-esc-sql
Apr 23, 2026
Merged

Stop double-escaping editorial comment fields#942
GaryJones merged 1 commit into
developfrom
GaryJones/fix-editorial-comments-esc-sql

Conversation

@GaryJones
Copy link
Copy Markdown
Contributor

@GaryJones GaryJones commented Apr 23, 2026

Summary

When a user added an editorial comment, five fields on the comment — author name, email, URL, IP address and user agent — were passed through esc_sql() before being handed to wp_insert_comment(). That function already escapes every value via $wpdb->prepare(), so the pre-escape was applied a second time and the literal backslash-quote sequences from the first pass were stored as data in the comments table.

The most visible symptom was an author whose display name contained an apostrophe. "O'Brien" appeared on their editorial comment as "O'Brien", and the same corruption silently affected comment author email, URL, IP and user agent. The WordPress.Security.ValidatedSanitizedInput.InputNotSanitized phpcs notice on the two $_SERVER lines had gradually cemented the belief that esc_sql() was a sanitisation step; it is not.

Removing esc_sql() from all five fields is the correct fix. The two $_SERVER values retain a light sanitisation via sanitize_text_field( wp_unslash( ... ) ) so phpcs's input-not-sanitised rule is satisfied without reintroducing the double escape. A regression test pins the behaviour: a user whose display name contains an apostrophe must have that apostrophe stored verbatim on their editorial comment.

Test plan

  • composer test:integration — the new test_insert_comment_does_not_double_escape_author_name case passes, and the existing editorial-comments AJAX tests continue to pass
  • Create a user with a display name like "O'Brien" and add an editorial comment from them; the comment author on the resulting comment should read "O'Brien", not "O'Brien"

@GaryJones
fix: stop double-escaping editorial comment fields
3b88703 
The ajax_insert_comment handler passed five of the comment-data fields
through esc_sql() before handing the array to wp_insert_comment(). That
function already escapes every value through $wpdb->prepare(), so the
pre-escape was applied twice: the literal backslash-quote sequences
from the first pass were passed through as data to the second, and
stored verbatim in the comments table. A user whose display name
contained an apostrophe would appear on their editorial comment as
"O\'Brien", and the same corruption affected comment author email,
URL, IP address and user agent.

Removing esc_sql() from all five fields fixes the storage bug. The
$_SERVER values retain a light sanitisation via sanitize_text_field()
and wp_unslash() so we still satisfy phpcs without reintroducing the
double escape.
@GaryJones GaryJones requested a review from a team as a code owner April 23, 2026 23:26
@GaryJones GaryJones self-assigned this Apr 23, 2026
@GaryJones GaryJones added this to the Next milestone Apr 23, 2026
@GaryJones GaryJones merged commit b6149c1 into develop Apr 23, 2026
10 checks passed
@GaryJones GaryJones deleted the GaryJones/fix-editorial-comments-esc-sql branch April 23, 2026 23:40
@GaryJones GaryJones mentioned this pull request Apr 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@GaryJones GaryJones

Labels

type: bug

Projects

None yet

Milestone

0.10.4

Development

Successfully merging this pull request may close these issues.

1 participant

@GaryJones