The captured request data is slashed because of the insanity that is wp_magic_quotes()

Open stefanfisk opened this issue 1 year ago • 4 comments

Version

v4.3.0

What did you expect to happen?

I expected the captured request data to not be slashed because the whole idea of wp_magic_quotes is crazy.

https://core.trac.wordpress.org/ticket/18322

What actually happens?

The captured request data is slashed.

AFAICT this seems like the most appropriate fix:

// Undo wp_magic_quotes()

$_GET     = stripslashes_deep($_GET);
$_POST    = stripslashes_deep($_POST);
$_COOKIE  = stripslashes_deep($_COOKIE);
$_SERVER  = stripslashes_deep($_SERVER);
$_REQUEST = array_merge($_GET, $_POST);

// Capture request

$request = Request::capture();

// Redo wp_magic_quotes()

wp_magic_quotes();

Here's a custom bootstrap workaround that seems OK after minimal testing:

<?php

declare(strict_types=1);

namespace App\Bootstrap;

use Illuminate\Contracts\Foundation\Application;
use Illuminate\Http\Request;

class UndoWpMagicQuotes
{
    public function bootstrap(Application $app): void
    {
        /** @var Request $request */
        $request = $app->make('request');

        $request->query->replace(stripslashes_deep($_GET));
        $request->request->replace(stripslashes_deep($_POST));
        $request->cookies->replace(stripslashes_deep($_COOKIE));
        $request->server->replace(stripslashes_deep($_SERVER));
    }
}

Steps to reproduce

  1. Make a request to /?foo=\
  2. Call app('request')->get('foo')
  3. Watch the returned value be \\

System info

php:8.1-fpm docker image under Pop!_OS 22.04 LTS.

Log output

No response

Please confirm this isn't a support request.

Yes

stefanfisk avatar Oct 19 '24 16:10 stefanfisk
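
The reproduction above as a stand-alone check (an added example, not code from the issue or from Acorn): it re-parses the raw query string and reports which captured keys no longer match what the client sent, for data captured while slashed, after one undo, and after two. `map_strings()` and `slashed_keys()` are hypothetical helpers standing in for WordPress's slashing and `stripslashes_deep()`, and the sample query string is constructed.

```php
<?php

declare(strict_types=1);

// Apply $fn to every string leaf, recursing into arrays. With 'addslashes' this
// stands in for what wp_magic_quotes() does to a superglobal, and with
// 'stripslashes' for stripslashes_deep(). Hypothetical helper, not WordPress code.
function map_strings(callable $fn, array $input): array
{
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            $input[$key] = map_strings($fn, $value);
        } elseif (is_string($value)) {
            $input[$key] = $fn($value);
        }
    }
    return $input;
}

// Return the keys whose captured value differs from what the client sent,
// using a fresh parse of the raw query string as the reference.
function slashed_keys(string $rawQueryString, array $captured): array
{
    parse_str($rawQueryString, $sent);
    $diff = [];
    foreach ($sent as $key => $value) {
        if (!array_key_exists($key, $captured) || $captured[$key] !== $value) {
            $diff[] = $key;
        }
    }
    return $diff;
}

// Constructed sample request: /?foo=\&msg=O'Reilly&tags[]=a"b&n=1
$raw = 'foo=%5C&msg=O%27Reilly&tags%5B%5D=a%22b&n=1';
parse_str($raw, $get);
$slashed = map_strings('addslashes', $get); // state of $_GET once WordPress has booted

// Request captured from the slashed superglobal, as in the steps to reproduce.
var_dump(slashed_keys($raw, $slashed));
// Undo once, then capture, as in the proposed fix.
var_dump(slashed_keys($raw, map_strings('stripslashes', $slashed)));
// Undo applied twice, e.g. a workaround plus a later unslash of the same values.
var_dump(slashed_keys($raw, map_strings('stripslashes', map_strings('stripslashes', $slashed))));
```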

That workaround breaks request when it's derived from the request body.

Here's a fixed version:

<?php

declare(strict_types=1);

namespace App\Bootstrap;

use Illuminate\Contracts\Foundation\Application;
use Illuminate\Http\Request;

use function array_merge;

/**
 * Workaround for wp_magic_quotes() being applied to the captured request.
 *
 * @see https://github.com/roots/acorn/issues/408
 */
class UndoWpMagicQuotes
{
    public function bootstrap(Application $app): void
    {
        // Undo wp_magic_quotes()

        $_GET     = stripslashes_deep($_GET);
        $_POST    = stripslashes_deep($_POST);
        $_COOKIE  = stripslashes_deep($_COOKIE);
        $_SERVER  = stripslashes_deep($_SERVER);
        $_REQUEST = array_merge($_GET, $_POST);

        // Capture request

        $tempRequest = Request::capture();

        // Replace bound data

        /** @var Request $request */
        $request = $app->make('request');

        $request->query->replace($tempRequest->query->all());
        $request->request->replace($tempRequest->request->all());
        $request->cookies->replace($tempRequest->cookies->all());
        $request->server->replace($tempRequest->server->all());

        // Redo wp_magic_quotes()

        wp_magic_quotes();
    }
}

stefanfisk avatar Oct 21 '24 15:10 stefanfisk

@retlehs May I ask why?

stefanfisk avatar Mar 10 '25 16:03 stefanfisk

@retlehs If you are not planning to fix this, can you at least consider adding a note to the routing docs that the request data does not behave as in plain Laravel? When I encountered this issue it took me a fair amount of debugging to figure out why messages in form submits were being slashed. Just as in WP, this also means that you have to manually unslash all request data, which is not normally done in Laravel.

stefanfisk avatar May 08 '25 10:05 stefanfisk

@stefanfisk Thanks for the follow-ups and I apologize - I was overzealous with closing out some issues when doing some cleanup the other month.

We're open to either fixing this in Acorn or at a minimum noting this in the docs.

retlehs avatar May 08 '25 14:05 retlehs