Opened 16 years ago

Closed 15 years ago

#533 closed Defect (fixed)

Escaping user input properly, once and for all

Reported by: Nicolas Owned by: davea
Priority: Major Milestone: Undetermined
Component: Web - Project Version:
Keywords: backslash quoting magic php6 Cc: jbk

Description

When posting a message containing backslashes, and clicking Preview, half the backslashes disappear. When replying to a message originally containing backslashes, half of them disappear from the quote.

http://isaac.ssl.berkeley.edu/alpha/forum_thread.php?id=57

Change History (5)

comment:1 Changed 16 years ago by Ageless

When editing a post, they get lost as well. This problem has now returned to the BOINC Dev forums, where we've been free of this problem for a couple of months. No longer, it seems. :-(

comment:2 Changed 16 years ago by jbk

Cc: jbk added
Component: Web - Forums → Web - Project
Keywords: magic php6 added
Priority: Minor → Major
Summary: Still backslash problems on forum → Escaping user input properly, once and for all

magic_quotes (which is indirectly the source of this problem) is deprecated in PHP5 and will be removed in PHP6. I'm happy that they made the decision to remove this function since it's causing more harm than help.

We should make absolutely sure that we properly handle our own escaping and do not rely on pre-escaped text. This is done by going through all files that receive input and making sure that they properly escape it.
We have been going in this direction pretty much since 2006 but I'm not sure how far we've gotten. There's probably still a lot of things that don't use undo_magic_quotes() (which is our temporary solution for the problem).

Perhaps we should make get_str() and post_str() call undo_magic_quotes() so that all code can safely assume non-escaped text?

I've escalated the priority of this issue slightly as it involves some fundamental changes and security checks that need to be done before the release of PHP6.

comment:3 Changed 16 years ago by davea

get_str() and post_str() already undo magic quotes.

comment:4 Changed 16 years ago by jbk

Great, then all there's left to do is make sure that the rest of the code works with those assumptions (i.e. no double-escaping, as was the case for the original post here).
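The rule jbk and davea settle on above (undo magic quotes exactly once at the input boundary, then escape at each output sink) is illustrated by the added PHP example below. It is not BOINC's code: the function names `simulate_magic_quotes`, `normalize_input`, `render_html` and `buggy_preview` are hypothetical stand-ins, and the sample post is constructed. It reproduces the symptom from the ticket, backslashes halving when `stripslashes()` is applied a second time to text that has already been normalized.

```php
<?php
// Added example, not BOINC's code. Shows why input must be un-magic-quoted
// exactly once, and why escaping belongs at the output sink, not at input.

// Stand-in for what magic_quotes_gpc did to every request value.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Normalize once, and only when PHP actually applied magic quotes.
// get_magic_quotes_gpc() no longer exists on PHP 8, so guard the call.
function normalize_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Correct sink: HTML-escape at render time; backslashes are left intact.
function render_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The ticket's bug: a second stripslashes() on already-normalized text
// silently drops every backslash that is not doubled.
function buggy_preview(string $already_normalized): string {
    return htmlspecialchars(stripslashes($already_normalized), ENT_QUOTES, 'UTF-8');
}

// Constructed sample post: C:\temp\file.txt and a \\UNC\share  (5 backslashes)
$posted = 'C:\\temp\\file.txt and a \\\\UNC\\share';

// What $_POST would have contained under magic_quotes (10 backslashes) ...
$gpc = simulate_magic_quotes($posted);
// ... undone exactly once at the boundary (stand-in for undo_magic_quotes()).
$clean = stripslashes($gpc);
assert($clean === $posted);

echo render_html($clean), "\n";    // all 5 backslashes survive
echo buggy_preview($clean), "\n";  // prints "C:tempfile.txt and a \UNCshare"
assert(substr_count(buggy_preview($clean), '\\') < substr_count($posted, '\\'));
```

The same principle applies to the database sink: once the text is normalized, pass it to the query layer as a bound parameter (prepared statement) rather than calling `addslashes()` again, so neither storage nor the preview/quote path ever sees pre-escaped text.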

comment:5 Changed 15 years ago by davea

Resolution: fixed
Status: new → closed

Is there still a problem?
