14

I am sending stringified JSON object to a wordpress action

console.log( JSON.stringify(alloptions) );

$.ajax({
    type: "post",
    dataType: "json",
    url: ajaxurl,
    processData: false,
    data: {
        'action': 'create_preset',
        'preset': JSON.stringify(alloptions)
    },
    success: function( response ) {

        console.log( response );

    }
});

the console log of the stringified object before sent via ajax is this

http://prntscr.com/7990ro

so the string is correctly processed ,

but on the other side it comes out with slashes 

function _create_preset(){

    if(!is_admin() && !isset($_POST['preset'])) return;

    print_r($_POST['preset']);

}

add_action("wp_ajax_create_preset", "_create_preset");

gives 

{\"get_presets\":\"eedewd\",\"site_width\":\"1400px\",\"layout_type\":...

I know I can use 

stripslashes( $_POST['preset'] )

to clean it up but that is what I am trying to avoid. I need the JSON string to be sent to the action as it is before the ajax, without slashes.

any help is appreciated!

and magic quotes is not on

http://prntscr.com/7996a9

*UPDATE AND SOLUTION

Jesse nailed it and WP was causing the trouble. Since the wp_unslash() is on its way to fix this in 5.0 https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/172 I added this to my code

global $wp_version;
$new_preset_options = $_POST['preset'];

if ( version_compare( $wp_version, '5.0', '<' ) ) {

    $new_preset_content = wp_unslash( $new_preset_options );

}else{

    $new_preset_content = $new_preset_options ;
}
Benn
  • 4,840
  • 8
  • 65
  • 106
  • brrrrrrrr, sounds like magic quotes: http://php.net/manual/en/security.magicquotes.what.php – jeroen May 25 '15 at 16:51
  • @jeroen no is not , http://prntscr.com/7996a9 – Benn May 25 '15 at 16:52
  • It looks like you're right, but can you confirm that checking the value of `get_magic_quotes_gpc()`? – jeroen May 25 '15 at 16:55
  • did you look at the actual request to see if it's escaped there? (as in, look at browser Net tab or charles proxy or w/e) – CrayonViolent May 25 '15 at 16:57
  • I believe WordPress causes this internally, you might be stuck using stripslashes. – Jesse Kernaghan May 25 '15 at 16:57
  • @jeroen http://prntscr.com/7998g3 , I think is connected to this http://stackoverflow.com/a/1565913/594423 but I cant process my data with it set to false – Benn May 25 '15 at 16:58
  • @JesseKernaghan that is what I was afraid off. – Benn May 25 '15 at 16:59
  • 1
    @Benn They pass all global input data through wp_slash, but it looks like that might be patched in 5.0 to be auto unslashed when being requested: https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/172 – Jesse Kernaghan May 25 '15 at 17:08
  • @JesseKernaghan that is it , I thought I was going crazy. Post it as answer please so that I can accept it. – Benn May 25 '15 at 17:15
  • I cannot find proof that this did make it into WP 5.0 (I only did a little investigation.) I am running into the same error with wp_unslash, so I am using it despite being on v5.3 – Jacob Raccuia Nov 25 '19 at 19:09

1 Answers1

21

WordPress made the decision a long time ago to auto add slashes to all global input variables ($_POST, etc). They pass it through an internal wp_slash() function. The official recommended way to remove these slashes is to use their provided wp_unslash:

wp_unslash( $_POST['preset'] );

Here is the codex reference.

**Note: It looks like this might be getting fixed in version 5.0, where they will be doing the wp_unslash for you when you request values from the global input variables.

Jesse Kernaghan
  • 4,544
  • 2
  • 18
  • 25