Widget Update Error

A client of mine appears to have surfaced a bug when saving updates to a widget. This bug was originally discovered through an update to a custom slider widget I had developed. Further testing has replicated the issue with other widgets including the basic WordPress text widget.

Turns out widget text (text input or textarea) cannot contain the words select and from, specifically in that order. An error remains present even if words are inserted between the two such as I selected WordPress as the best software from Automattic. Reversing the order of words will not trigger an error.

To Replicate
Place a text widget in one of your widget areas. Enter the text select from in either the title or main textarea box. Hit save and the circular icon will pop up (as expected), though as the ajax update fails the icon remains present.

I was still able to replicate the issue even after disabling all plugins and reverting to the default WordPress theme.

The Error
It seems pretty apparent that we have a bit SQL Injection prevention kicking in. I have tested this on two separate client sites and did some ajax debugging with the aid of Firebug. What is odd is one site makes the request to wp-admin/admin-ajax.php and gets a 500 Internal Server Error. An identical test on a second site return a 404 Not Found for the wp-admin/admin-ajax.php request. Both of these sites reside on the same web server.

As an additional debugging measure, on the site with the 500 Internal Server Error, I stripped out the entire contents of the wp-admin/admin-ajax.php file. The same 500 Internal Server Error is returned for the ajax request. So we are choking somewhere before we actually get to the php file. I’ll poke around some javascript next.

I couldn’t find a ticket for anything similar on Trac but was curious if anyone else could replicate or had additional information to share.

Thanks!

-Ron