Formatting: Deprecate the addslashes_gpc() function.

westonruter · westonruter · commit 5930f083861d · 2026-02-04T18:51:51.000Z
This deprecates `addslashes_gpc()` in favor of `wp_slash()`, as the former is just a wrapper for the latter. The three remaining uses of `addslashes_gpc()` (in `WP_Query`) have been replaced with `wp_slash()`. Unit tests are added to verify that they have the same behavior. Developed in WordPress#10771 Follow-up to [23591], [23555]. Props rutviksavsani, audrasjb, westonruter, mindctrl, johnbillion. See #21767. Fixes #64539. git-svn-id: https://develop.svn.wordpress.org/trunk@61590 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/class-wp-query.php b/src/wp-includes/class-wp-query.php
@@ -2386,7 +2386,7 @@ public function get_posts() {
 		// Author/user stuff.
 
 		if ( ! empty( $query_vars['author'] ) && '0' != $query_vars['author'] ) {
-			$query_vars['author'] = addslashes_gpc( '' . urldecode( $query_vars['author'] ) );
+			$query_vars['author'] = wp_slash( '' . urldecode( $query_vars['author'] ) );
 			$authors              = array_unique( array_map( 'intval', preg_split( '/[,\s]+/', $query_vars['author'] ) ) );
 			sort( $authors );
 			foreach ( $authors as $author ) {
@@ -2505,7 +2505,7 @@ public function get_posts() {
 			$orderby_array = array();
 			if ( is_array( $query_vars['orderby'] ) ) {
 				foreach ( $query_vars['orderby'] as $_orderby => $order ) {
-					$orderby = addslashes_gpc( urldecode( $_orderby ) );
+					$orderby = wp_slash( urldecode( $_orderby ) );
 					$parsed  = $this->parse_orderby( $orderby );
 
 					if ( ! $parsed ) {
@@ -2518,7 +2518,7 @@ public function get_posts() {
 
 			} else {
 				$query_vars['orderby'] = urldecode( $query_vars['orderby'] );
-				$query_vars['orderby'] = addslashes_gpc( $query_vars['orderby'] );
+				$query_vars['orderby'] = wp_slash( $query_vars['orderby'] );
 
 				foreach ( explode( ' ', $query_vars['orderby'] ) as $i => $orderby ) {
 					$parsed = $this->parse_orderby( $orderby );
diff --git a/src/wp-includes/deprecated.php b/src/wp-includes/deprecated.php
@@ -6480,6 +6480,24 @@ function wp_print_auto_sizes_contain_css_fix() {
 	<?php
 }
 
+/**
+ * Adds slashes to a string or recursively adds slashes to strings within an array.
+ *
+ * This function is just a wrapper for `wp_slash()`. It was originally related to
+ * magic quotes functionality which was deprecated in PHP 5.3.0 and removed in PHP 5.4.0.
+ *
+ * @since 0.71
+ * @deprecated 7.0.0 Use wp_slash() instead.
+ * @see wp_slash()
+ *
+ * @param string|array $gpc String or array of data to slash.
+ * @return string|array Slashed `$gpc`.
+ */
+function addslashes_gpc( $gpc ) {
+	_deprecated_function( __FUNCTION__, '7.0.0', 'wp_slash()' );
+	return wp_slash( $gpc );
+}
+
 /**
  * Sanitizes an attributes array into an attributes string to be placed inside a `<script>` tag.
  *
@@ -6508,4 +6526,3 @@ function wp_sanitize_script_attributes( $attributes ) {
 	}
 	return $attributes_string;
 }
-
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
@@ -2837,18 +2837,6 @@ function untrailingslashit( $value ) {
 	return rtrim( $value, '/\\' );
 }
 
-/**
- * Adds slashes to a string or recursively adds slashes to strings within an array.
- *
- * @since 0.71
- *
- * @param string|array $gpc String or array of data to slash.
- * @return string|array Slashed `$gpc`.
- */
-function addslashes_gpc( $gpc ) {
-	return wp_slash( $gpc );
-}
-
 /**
  * Navigates through an array, object, or scalar, and removes slashes from the values.
  *
diff --git a/tests/phpunit/tests/formatting/wpSlash.php b/tests/phpunit/tests/formatting/wpSlash.php
@@ -101,4 +101,37 @@ public function test_add_even_more_slashes() {
 		$this->assertSame( array( 'a' => $new ), wp_slash( array( 'a' => $old ) ) ); // Keyed array.
 		$this->assertSame( array( $new ), wp_slash( array( $old ) ) ); // Non-keyed.
 	}
+
+	/**
+	 * Tests that addslashes_gpc() returns the same result as wp_slash() for strings.
+	 *
+	 * @ticket 64539
+	 * @covers ::addslashes_gpc
+	 * @expectedDeprecated addslashes_gpc
+	 */
+	public function test_addslashes_gpc_matches_wp_slash_for_strings() {
+		$input = "String with 'quotes' and \"double quotes\"";
+		$this->assertSame( wp_slash( $input ), addslashes_gpc( $input ) );
+	}
+
+	/**
+	 * Tests that addslashes_gpc() returns the same result as wp_slash() for arrays.
+	 *
+	 * @ticket 64539
+	 * @covers ::addslashes_gpc
+	 * @expectedDeprecated addslashes_gpc
+	 */
+	public function test_addslashes_gpc_matches_wp_slash_for_arrays() {
+		$input = array(
+			'field1' => "Value with 'apostrophe'",
+			'field2' => 'Value with "quotes"',
+			'field3' => 'user@example.com',
+			'nested' => array(
+				'key1' => 'Nested value with \\ backslash',
+				'key2' => array( 'deeply', 'nested', 'array' ),
+			),
+		);
+
+		$this->assertSame( wp_slash( $input ), addslashes_gpc( $input ) );
+	}
 }
