Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #WP21767 git-svn-id: http://core.svn.wordpress.org/trunk@23591 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
2798e396e3
commit
15a06a35ab
|
@ -116,7 +116,7 @@ Please click the following link to confirm the invite:
|
||||||
if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
|
if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
|
||||||
$add_user_errors = $user_details[ 'errors' ];
|
$add_user_errors = $user_details[ 'errors' ];
|
||||||
} else {
|
} else {
|
||||||
$new_user_login = apply_filters('pre_user_login', sanitize_user(stripslashes($_REQUEST['user_login']), true));
|
$new_user_login = apply_filters('pre_user_login', sanitize_user(wp_unslash($_REQUEST['user_login']), true));
|
||||||
if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
|
if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
|
||||||
add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
|
add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
|
||||||
}
|
}
|
||||||
|
@ -309,7 +309,7 @@ foreach ( array( 'user_login' => 'login', 'first_name' => 'firstname', 'last_nam
|
||||||
$var = "new_user_$var";
|
$var = "new_user_$var";
|
||||||
if( isset( $_POST['createuser'] ) ) {
|
if( isset( $_POST['createuser'] ) ) {
|
||||||
if ( ! isset($$var) )
|
if ( ! isset($$var) )
|
||||||
$$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : '';
|
$$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : '';
|
||||||
} else {
|
} else {
|
||||||
$$var = false;
|
$$var = false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -64,9 +64,9 @@ get_current_screen()->set_help_sidebar(
|
||||||
);
|
);
|
||||||
|
|
||||||
if ( empty($_REQUEST) ) {
|
if ( empty($_REQUEST) ) {
|
||||||
$referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
|
$referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . '" />';
|
||||||
} elseif ( isset($_REQUEST['wp_http_referer']) ) {
|
} elseif ( isset($_REQUEST['wp_http_referer']) ) {
|
||||||
$redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer']));
|
$redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash( $_REQUEST['wp_http_referer'] ) );
|
||||||
$referer = '<input type="hidden" name="wp_http_referer" value="' . esc_attr($redirect) . '" />';
|
$referer = '<input type="hidden" name="wp_http_referer" value="' . esc_attr($redirect) . '" />';
|
||||||
} else {
|
} else {
|
||||||
$redirect = 'users.php';
|
$redirect = 'users.php';
|
||||||
|
@ -357,7 +357,7 @@ break;
|
||||||
default:
|
default:
|
||||||
|
|
||||||
if ( !empty($_GET['_wp_http_referer']) ) {
|
if ( !empty($_GET['_wp_http_referer']) ) {
|
||||||
wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI'])));
|
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -381,7 +381,7 @@ default:
|
||||||
case 'add':
|
case 'add':
|
||||||
if ( isset( $_GET['id'] ) && ( $user_id = $_GET['id'] ) && current_user_can( 'edit_user', $user_id ) ) {
|
if ( isset( $_GET['id'] ) && ( $user_id = $_GET['id'] ) && current_user_can( 'edit_user', $user_id ) ) {
|
||||||
$messages[] = '<div id="message" class="updated"><p>' . sprintf( __( 'New user created. <a href="%s">Edit user</a>' ),
|
$messages[] = '<div id="message" class="updated"><p>' . sprintf( __( 'New user created. <a href="%s">Edit user</a>' ),
|
||||||
esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ),
|
esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ),
|
||||||
self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '</p></div>';
|
self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '</p></div>';
|
||||||
} else {
|
} else {
|
||||||
$messages[] = '<div id="message" class="updated"><p>' . __( 'New user created.' ) . '</p></div>';
|
$messages[] = '<div id="message" class="updated"><p>' . __( 'New user created.' ) . '</p></div>';
|
||||||
|
|
|
@ -310,7 +310,7 @@ final class WP_Customize_Manager {
|
||||||
public function post_value( $setting ) {
|
public function post_value( $setting ) {
|
||||||
if ( ! isset( $this->_post_values ) ) {
|
if ( ! isset( $this->_post_values ) ) {
|
||||||
if ( isset( $_POST['customized'] ) )
|
if ( isset( $_POST['customized'] ) )
|
||||||
$this->_post_values = json_decode( stripslashes( $_POST['customized'] ), true );
|
$this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true );
|
||||||
else
|
else
|
||||||
$this->_post_values = false;
|
$this->_post_values = false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -144,7 +144,7 @@ class WP_Customize_Setting {
|
||||||
* @return mixed Null if an input isn't valid, otherwise the sanitized value.
|
* @return mixed Null if an input isn't valid, otherwise the sanitized value.
|
||||||
*/
|
*/
|
||||||
public function sanitize( $value ) {
|
public function sanitize( $value ) {
|
||||||
$value = stripslashes_deep( $value );
|
$value = wp_unslash( $value );
|
||||||
return apply_filters( "customize_sanitize_{$this->id}", $value, $this );
|
return apply_filters( "customize_sanitize_{$this->id}", $value, $this );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -280,16 +280,16 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
$meta['id'] = (int) $meta['id'];
|
$meta['id'] = (int) $meta['id'];
|
||||||
$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
|
$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
|
||||||
if ( isset($meta['key']) ) {
|
if ( isset($meta['key']) ) {
|
||||||
$meta['key'] = stripslashes( $meta['key'] );
|
$meta['key'] = wp_unslash( $meta['key'] );
|
||||||
if ( $meta['key'] != $pmeta->meta_key )
|
if ( $meta['key'] != $pmeta->meta_key )
|
||||||
continue;
|
continue;
|
||||||
$meta['value'] = stripslashes_deep( $meta['value'] );
|
$meta['value'] = wp_unslash( $meta['value'] );
|
||||||
if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
|
if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
|
||||||
update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
|
update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
|
||||||
} elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
|
} elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
|
||||||
delete_metadata_by_mid( 'post', $meta['id'] );
|
delete_metadata_by_mid( 'post', $meta['id'] );
|
||||||
}
|
}
|
||||||
} elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
|
} elseif ( current_user_can( 'add_post_meta', $post_id, wp_unslash( $meta['key'] ) ) ) {
|
||||||
add_post_meta( $post_id, $meta['key'], $meta['value'] );
|
add_post_meta( $post_id, $meta['key'], $meta['value'] );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -3746,9 +3746,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
|
|
||||||
$categories = implode(',', wp_get_post_categories($post_ID));
|
$categories = implode(',', wp_get_post_categories($post_ID));
|
||||||
|
|
||||||
$content = '<title>'.stripslashes($post_data['post_title']).'</title>';
|
$content = '<title>'.wp_unslash($post_data['post_title']).'</title>';
|
||||||
$content .= '<category>'.$categories.'</category>';
|
$content .= '<category>'.$categories.'</category>';
|
||||||
$content .= stripslashes($post_data['post_content']);
|
$content .= wp_unslash($post_data['post_content']);
|
||||||
|
|
||||||
$struct = array(
|
$struct = array(
|
||||||
'userid' => $post_data['post_author'],
|
'userid' => $post_data['post_author'],
|
||||||
|
@ -3800,9 +3800,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
$post_date = $this->_convert_date( $entry['post_date'] );
|
$post_date = $this->_convert_date( $entry['post_date'] );
|
||||||
$categories = implode(',', wp_get_post_categories($entry['ID']));
|
$categories = implode(',', wp_get_post_categories($entry['ID']));
|
||||||
|
|
||||||
$content = '<title>'.stripslashes($entry['post_title']).'</title>';
|
$content = '<title>'.wp_unslash($entry['post_title']).'</title>';
|
||||||
$content .= '<category>'.$categories.'</category>';
|
$content .= '<category>'.$categories.'</category>';
|
||||||
$content .= stripslashes($entry['post_content']);
|
$content .= wp_unslash($entry['post_content']);
|
||||||
|
|
||||||
$struct[] = array(
|
$struct[] = array(
|
||||||
'userid' => $entry['post_author'],
|
'userid' => $entry['post_author'],
|
||||||
|
|
|
@ -634,21 +634,21 @@ function wp_set_comment_cookies($comment, $user) {
|
||||||
function sanitize_comment_cookies() {
|
function sanitize_comment_cookies() {
|
||||||
if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
|
if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
|
||||||
$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
|
$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
|
||||||
$comment_author = stripslashes($comment_author);
|
$comment_author = wp_unslash($comment_author);
|
||||||
$comment_author = esc_attr($comment_author);
|
$comment_author = esc_attr($comment_author);
|
||||||
$_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
|
$_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
|
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
|
||||||
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
|
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
|
||||||
$comment_author_email = stripslashes($comment_author_email);
|
$comment_author_email = wp_unslash($comment_author_email);
|
||||||
$comment_author_email = esc_attr($comment_author_email);
|
$comment_author_email = esc_attr($comment_author_email);
|
||||||
$_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
|
$_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
|
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
|
||||||
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
|
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
|
||||||
$comment_author_url = stripslashes($comment_author_url);
|
$comment_author_url = wp_unslash($comment_author_url);
|
||||||
$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
|
$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1262,7 +1262,7 @@ function wp_get_current_commenter() {
|
||||||
*/
|
*/
|
||||||
function wp_insert_comment($commentdata) {
|
function wp_insert_comment($commentdata) {
|
||||||
global $wpdb;
|
global $wpdb;
|
||||||
extract(stripslashes_deep($commentdata), EXTR_SKIP);
|
extract(wp_unslash($commentdata), EXTR_SKIP);
|
||||||
|
|
||||||
if ( ! isset($comment_author_IP) )
|
if ( ! isset($comment_author_IP) )
|
||||||
$comment_author_IP = '';
|
$comment_author_IP = '';
|
||||||
|
@ -1502,7 +1502,7 @@ function wp_update_comment($commentarr) {
|
||||||
$commentarr = wp_filter_comment( $commentarr );
|
$commentarr = wp_filter_comment( $commentarr );
|
||||||
|
|
||||||
// Now extract the merged array.
|
// Now extract the merged array.
|
||||||
extract(stripslashes_deep($commentarr), EXTR_SKIP);
|
extract(wp_unslash($commentarr), EXTR_SKIP);
|
||||||
|
|
||||||
$comment_content = apply_filters('comment_save_pre', $comment_content);
|
$comment_content = apply_filters('comment_save_pre', $comment_content);
|
||||||
|
|
||||||
|
|
|
@ -230,7 +230,7 @@ function spawn_cron( $gmt_time = 0 ) {
|
||||||
set_transient( 'doing_cron', $doing_wp_cron );
|
set_transient( 'doing_cron', $doing_wp_cron );
|
||||||
|
|
||||||
ob_start();
|
ob_start();
|
||||||
wp_redirect( add_query_arg('doing_wp_cron', $doing_wp_cron, stripslashes($_SERVER['REQUEST_URI'])) );
|
wp_redirect( add_query_arg( 'doing_wp_cron', $doing_wp_cron, wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||||
echo ' ';
|
echo ' ';
|
||||||
|
|
||||||
// flush any buffers and send the headers
|
// flush any buffers and send the headers
|
||||||
|
|
|
@ -488,7 +488,7 @@ function prep_atom_text_construct($data) {
|
||||||
*/
|
*/
|
||||||
function self_link() {
|
function self_link() {
|
||||||
$host = @parse_url(home_url());
|
$host = @parse_url(home_url());
|
||||||
echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . stripslashes( $_SERVER['REQUEST_URI'] ) ) ) );
|
echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -1423,7 +1423,7 @@ function addslashes_gpc($gpc) {
|
||||||
if ( get_magic_quotes_gpc() )
|
if ( get_magic_quotes_gpc() )
|
||||||
$gpc = stripslashes($gpc);
|
$gpc = stripslashes($gpc);
|
||||||
|
|
||||||
return esc_sql($gpc);
|
return wp_slash($gpc);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1719,7 +1719,7 @@ function wp_rel_nofollow( $text ) {
|
||||||
// This is a pre save filter, so text is already escaped.
|
// This is a pre save filter, so text is already escaped.
|
||||||
$text = stripslashes($text);
|
$text = stripslashes($text);
|
||||||
$text = preg_replace_callback('|<a (.+?)>|i', 'wp_rel_nofollow_callback', $text);
|
$text = preg_replace_callback('|<a (.+?)>|i', 'wp_rel_nofollow_callback', $text);
|
||||||
$text = esc_sql($text);
|
$text = wp_slash($text);
|
||||||
return $text;
|
return $text;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -43,8 +43,8 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
||||||
$column = esc_sql($meta_type . '_id');
|
$column = esc_sql($meta_type . '_id');
|
||||||
|
|
||||||
// expected_slashed ($meta_key)
|
// expected_slashed ($meta_key)
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = wp_unslash($meta_key);
|
||||||
$meta_value = stripslashes_deep($meta_value);
|
$meta_value = wp_unslash($meta_value);
|
||||||
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||||
|
|
||||||
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
|
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
|
||||||
|
@ -114,9 +114,9 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
||||||
$id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
|
$id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
|
||||||
|
|
||||||
// expected_slashed ($meta_key)
|
// expected_slashed ($meta_key)
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = wp_unslash($meta_key);
|
||||||
$passed_value = $meta_value;
|
$passed_value = $meta_value;
|
||||||
$meta_value = stripslashes_deep($meta_value);
|
$meta_value = wp_unslash($meta_value);
|
||||||
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||||
|
|
||||||
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
|
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
|
||||||
|
@ -196,8 +196,8 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
|
||||||
$type_column = esc_sql($meta_type . '_id');
|
$type_column = esc_sql($meta_type . '_id');
|
||||||
$id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
|
$id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
|
||||||
// expected_slashed ($meta_key)
|
// expected_slashed ($meta_key)
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = wp_unslash($meta_key);
|
||||||
$meta_value = stripslashes_deep($meta_value);
|
$meta_value = wp_unslash($meta_value);
|
||||||
|
|
||||||
$check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );
|
$check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );
|
||||||
if ( null !== $check )
|
if ( null !== $check )
|
||||||
|
|
|
@ -58,7 +58,7 @@ header( 'ETag: ' . $etag );
|
||||||
header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' );
|
header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' );
|
||||||
|
|
||||||
// Support for Conditional GET
|
// Support for Conditional GET
|
||||||
$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
|
$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
|
||||||
|
|
||||||
if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
|
if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
|
||||||
$_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
|
$_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
|
||||||
|
|
Loading…
Reference in New Issue