A couple of teacups later I figured out what was causing the issue. In the old wp-settings.php file there was this line of code forcing $_REQUEST to be $_GET + $_POST:

$_REQUEST = array_merge($_GET, $_POST);

In the old version it was closer to the beginning of the file, on line 51, but somewhere between versions 2.8.5 and 2.9.1 it was moved to line 637. Right after this part:

$_GET    = add_magic_quotes($_GET   );
$_POST   = add_magic_quotes($_POST  );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);

Stray Quotes uses $_REQUEST to process submitted data. There we go.

I’m sure the folks at WordPress had their reasons for such a change (that’s why I’m calling it an “issue” and not a “problem”), it’s just that I can’t help wondering how many plugins (or even parts of the core) were affected by it. Last week, I was setting up a NextGEN Gallery on another — fresh — installation of WordPress 2.9.1, and watched the same behavior when filling in photo captions. I admit I didn’t look into it then, but today I got suspicious all right.

Now, I reckon you want a solution… Sorry to disappoint you, but I can’t give you one. Not a quick one, at least.

What about writing to support guys, you’re probably asking yourself now? Don’t. I really doubt that this change can (or should, for that matter) be reversed in future versions of WordPress. Like I said, there must have been a reason for it.

So I’d say the best thing you can do is to figure out which plugins among those installed on your system(s) are affected, and contact their developers with either the information on the issue or, if you can, an implementation of the fix. And wait for updates.

Just please don’t go hack the core!

Here’s my two cents.

PHP: You shoot yourself in the foot and spend the rest of the week making sure that nobody else can pull the trigger of your gun which is now stuck between your belt and your belly. That involves both gun, belt, and room tweaking.

Java: You find that the standard implementation of RFC NNN-1 (Gun) lacks the trigging mechanism, so you check Apache Commons if they have an alternative. They do, bit it doesn’t fit the standard implementation of RFC NNN-2 (Bullet), and there is no Commons’ alternative to that one. You are in the middle of implementing your own Bullet when someone says there is already a project for that. You download a shareware version which turns out to be a blank shot. You pay for the armed one but they never send it to you. In the end, you take the standard implementation of RFC XXX (Axe) and chop your foot off.