Escape posts passed as objects. Props Denis-de-Bernardy. fixes #9727

git-svn-id: http://svn.automattic.com/wordpress/trunk@11344 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/post.php

@@ -1611,12 +1611,15 @@ function wp_insert_post($postarr = array(), $wp_error = false) {
  *
  * @since 1.0.0
  *
- * @param array|object $postarr Post data.
+ * @param array|object $postarr Post data. Arrays are expected to be escaped, objects are not.
  * @return int 0 on failure, Post ID on success.
  */
 function wp_update_post($postarr = array()) {
-	if ( is_object($postarr) )
+	if ( is_object($postarr) ) {
+		// non-escaped post was passed
 		$postarr = get_object_vars($postarr);
+		$postarr = add_magic_quotes($postarr);
+	}
 
 	// First, get all of the original fields
 	$post = wp_get_single_post($postarr['ID'], ARRAY_A);