Make those chars feel special.

git-svn-id: http://svn.automattic.com/wordpress/trunk@4112 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/admin-db.php

@@ -293,23 +293,55 @@ function wp_insert_link($linkdata) {
 	extract($linkdata);
 
 	$update = false;
+
 	if ( !empty($link_id) )
 		$update = true;
 
+	if( trim( $link_name ) == '' )
+		return 0;
+	$link_name = apply_filters('pre_link_name', $link_name);
+
+	if( trim( $link_url ) == '' )
+		return 0;
+	$link_url = apply_filters('pre_link_url', $link_url);
+
 	if ( empty($link_rating) )
 		$link_rating = 0;
+	else
+		$link_rating = (int) $link_rating;
+
+	if ( empty($link_image) )
+		$link_image = '';
+	$link_image = apply_filters('pre_link_image', $link_image);
 
 	if ( empty($link_target) )
 		$link_target = '';
+	$link_target = apply_filters('pre_link_target', $link_target);
 
 	if ( empty($link_visible) )
 		$link_visible = 'Y';
+	$link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
 
 	if ( empty($link_owner) )
 		$link_owner = $current_user->id;
+	else
+		$link_owner = (int) $link_owner;
 
 	if ( empty($link_notes) )
 		$link_notes = '';
+	$link_notes = apply_filters('pre_link_notes', $link_notes);
+
+	if ( empty($link_description) )
+		$link_description = '';
+	$link_description = apply_filters('pre_link_description', $link_description);
+
+	if ( empty($link_rss) )
+		$link_rss = '';
+	$link_rss = apply_filters('pre_link_rss', $link_rss);
+
+	if ( empty($link_rel) )
+		$link_rel = '';
+	$link_rel = apply_filters('pre_link_rel', $link_rel);
 
 	// Make sure we set a valid category
 	if (0 == count($link_category) || !is_array($link_category)) {

wp-admin/admin-functions.php

@@ -301,6 +301,8 @@ function get_post_to_edit($id) {
 	$post->post_title = format_to_edit($post->post_title);
 	$post->post_title = apply_filters('title_edit_pre', $post->post_title);
 
+	$post->post_password = format_to_edit($post->post_password);
+
 	if ($post->post_type == 'page')
 		$post->page_template = get_post_meta($id, '_wp_page_template', true);
 
@@ -381,6 +383,23 @@ function wp_dropdown_roles( $default = false ) {
 }
 
 
+function get_user_to_edit($user_id) {
+	$user = new WP_User($user_id);
+	$user->user_login = wp_specialchars($user->user_login, 1);
+	$user->user_email = wp_specialchars($user->user_email, 1);
+	$user->user_url = wp_specialchars($user->user_url, 1);
+	$user->first_name = wp_specialchars($user->first_name, 1);
+	$user->last_name = wp_specialchars($user->last_name, 1);
+	$user->display_name = wp_specialchars($user->display_name, 1);
+	$user->nickname = wp_specialchars($user->nickname, 1);
+	$user->aim = wp_specialchars($user->aim, 1);
+	$user->yim = wp_specialchars($user->yim, 1);
+	$user->jabber = wp_specialchars($user->jabber, 1);
+	$user->description = wp_specialchars($user->description);
+
+	return $user;
+}
+
 // Creates a new user from the "Users" form using $_POST information.
 
 function add_user() {
@@ -509,9 +528,11 @@ function get_link_to_edit($link_id) {
 
 	$link->link_url = wp_specialchars($link->link_url, 1);
 	$link->link_name = wp_specialchars($link->link_name, 1);
-	$link->link_description = wp_specialchars($link->link_description);
+	$link->link_image = wp_specialchars($link->link_image, 1);
+	$link->link_description = wp_specialchars($link->link_description, 1);
 	$link->link_notes = wp_specialchars($link->link_notes);
-	$link->link_rss = wp_specialchars($link->link_rss);
+	$link->link_rss = wp_specialchars($link->link_rss, 1);
+	$link->link_rel = wp_specialchars($link->link_rel, 1);
 	$link->post_category = $link->link_category;
 
 	return $link;
@@ -959,7 +980,7 @@ function list_meta($meta) {
 			$style = '';
 		if ('_' == $entry['meta_key'] { 0 })
 			$style .= ' hidden';
-		$key_js = addslashes(wp_specialchars( $entry['meta_key'], 'double' ));
+		$key_js = js_escape($entry['meta_key']);
 		$entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
 		$entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
 		$r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
@@ -1011,6 +1032,7 @@ function meta_form() {
 <?php
 
 	foreach ($keys as $key) {
+		$key = wp_specialchars($key, 1);
 		echo "\n\t<option value='$key'>$key</option>";
 	}
 ?>

wp-admin/edit-form-advanced.php

@@ -39,7 +39,7 @@ if ('' != $post->pinged) {
 	$pings = '<p>'. __('Already pinged:') . '</p><ul>';
 	$already_pinged = explode("\n", trim($post->pinged));
 	foreach ($already_pinged as $pinged_url) {
-		$pings .= "\n\t<li>$pinged_url</li>";
+		$pings .= "\n\t<li>" . wp_specialchars($pinged_url) . "</li>";
 	}
 	$pings .= '</ul>';
 }

wp-admin/options-misc.php

@@ -17,7 +17,7 @@ include('admin-header.php');
 <table class="editform optiontable">
 <tr valign="top">
 <th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo str_replace(ABSPATH, '', get_settings('upload_path')); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_settings('upload_path')), 1); ?>" size="40" />
 <br />
 <?php _e('Default is <code>wp-content/uploads</code>'); ?>
 </td>

wp-admin/options-permalink.php

@@ -148,7 +148,7 @@ checked="checked"
 </label>
 <br />
 </p>
-<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo $permalink_structure; ?>" size="50" /></p>
+<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
 
 <h3><?php _e('Optional'); ?></h3>
 <?php if ($is_apache) : ?>
@@ -157,7 +157,7 @@ checked="checked"
 	<p><?php _e('If you like, you may enter a custom prefix for your category URIs here. For example, <code>/index.php/taxonomy/tags</code> would make your category links like <code>http://example.org/index.php/taxonomy/tags/uncategorized/</code>. If you leave this blank the default will be used.') ?></p>
 <?php endif; ?>
 	<p> 
-  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo $category_base; ?>" size="30" /> 
+  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" /> 
      </p> 
     <p class="submit"> 
       <input type="submit" name="submit" value="<?php _e('Update Permalink Structure &raquo;') ?>" /> 

wp-admin/options.php

@@ -10,6 +10,67 @@ wp_reset_vars(array('action'));
 if ( !current_user_can('manage_options') )
 	wp_die(__('Cheatin’ uh?'));
 
+function sanitize_option($option, $value) {
+
+	switch ($option) {
+		case 'admin_email':
+			$value = sanitize_email($value);
+			break;
+
+		case 'default_post_edit_rows':
+		case 'mailserver_port':
+		case 'comment_max_links':
+			$value = abs((int) $value);
+			break;
+
+		case 'posts_per_page':
+		case 'posts_per_rss':
+			$value = (int) $value;
+			if ( empty($value) ) $value = 1;
+			if ( $value < -1 ) $value = abs($value);
+			break;
+
+		case 'default_ping_status':
+		case 'default_comment_status':
+			// Options that if not there have 0 value but need to be something like "closed"
+			if ( $value == '0' || $value == '')
+				$value = 'closed';
+			break;
+
+		case 'blogdescription':
+		case 'blogname':
+			if (current_user_can('unfiltered_html') == false)
+				$value = wp_filter_post_kses( $value );
+			break;
+
+		case 'blog_charset':
+			$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
+			break;
+
+		case 'date_format':
+		case 'time_format':
+		case 'mailserver_url':
+		case 'mailserver_login':
+		case 'mailserver_pass':
+		case 'ping_sites':
+		case 'upload_path':
+			$value = strip_tags($value);
+			$value = wp_filter_kses($value);
+			break;
+
+		case 'gmt_offset':
+			$value = preg_replace('/[^0-9:.-]/', '', $value);
+			break;
+
+		case 'siteurl':
+		case 'home':
+			$value = clean_url($value);
+			break;
+	}
+
+	return $value;	
+}
+
 switch($action) {
 
 case 'update':
@@ -29,19 +90,11 @@ case 'update':
 	$old_siteurl = get_settings('siteurl');
 	$old_home = get_settings('home');
 
-	// HACK
-	// Options that if not there have 0 value but need to be something like "closed"
-	$nonbools = array('default_ping_status', 'default_comment_status');
 	if ($options) {
 		foreach ($options as $option) {
 			$option = trim($option);
 			$value = trim(stripslashes($_POST[$option]));
-				if( in_array($option, $nonbools) && ( $value == '0' || $value == '') )
-				$value = 'closed';
-
-			if( $option == 'blogdescription' || $option == 'blogname' )
-				if (current_user_can('unfiltered_html') == false)
-					$value = wp_filter_post_kses( $value );
+			$value = sanitize_option($option, $value);
 
 			if (update_option($option, $value) ) {
 				$any_changed++;

wp-admin/profile.php

@@ -8,7 +8,7 @@ if ( current_user_can('edit_users') )
 else
 	$parent_file = 'profile.php';
 include_once('admin-header.php');
-$profileuser = new WP_User($user_ID);
+$profileuser = get_user_to_edit($user_ID);
 
 $bookmarklet_height= 440;
 ?>

wp-admin/user-edit.php

@@ -40,7 +40,7 @@ if( !is_wp_error( $errors ) ) {
 default:
 include ('admin-header.php');
 
-$profileuser = new WP_User($user_id);
+$profileuser = get_user_to_edit($user_id);
 
 if ( !current_user_can('edit_user', $user_id) )
 	if ( !is_wp_error( $errors ) )

wp-admin/users.php

@@ -97,7 +97,7 @@ class WP_User_Search {
 	}
 
 	function get_results() {
-		return $this->results;
+		return (array) $this->results;
 	}
 
 	function page_links() {
@@ -335,13 +335,13 @@ default:
 <div class="wrap">
 
 	<?php if ( $wp_user_search->is_search() ) : ?>
-		<h2><?php printf(__('Users Matching "%s" by Role'), $wp_user_search->search_term); ?></h2>
+		<h2><?php printf(__('Users Matching "%s" by Role'), wp_specialchars($wp_user_search->search_term)); ?></h2>
 	<?php else : ?>
 		<h2><?php _e('User List by Role'); ?></h2>
 	<?php endif; ?>
 
 	<form action="" method="get" name="search" id="search">
-		<p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term); ?>" /> <input type="submit" value="<?php _e('Search for users &raquo;'); ?>" /></p>
+		<p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term, 1); ?>" /> <input type="submit" value="<?php _e('Search for users &raquo;'); ?>" /></p>
 	</form>
 
 	<?php if ( is_wp_error( $wp_user_search->search_errors ) ) : ?>

wp-includes/default-filters.php

@@ -55,6 +55,31 @@ add_filter('pre_category_name', 'wp_filter_kses');
 add_filter('pre_category_name', 'wp_specialchars', 30);
 add_filter('pre_category_description', 'wp_filter_kses');
 
+//Links
+add_filter('pre_link_name', 'strip_tags');
+add_filter('pre_link_name', 'trim');
+add_filter('pre_link_name', 'wp_filter_kses');
+add_filter('pre_link_name', 'wp_specialchars', 30);
+add_filter('pre_link_description', 'wp_filter_kses');
+add_filter('pre_link_notes', 'wp_filter_kses');
+add_filter('pre_link_url', 'strip_tags');
+add_filter('pre_link_url', 'trim');
+add_filter('pre_link_url', 'clean_url');
+add_filter('pre_link_image', 'strip_tags');
+add_filter('pre_link_image', 'trim');
+add_filter('pre_link_image', 'clean_url');
+add_filter('pre_link_rss', 'strip_tags');
+add_filter('pre_link_rss', 'trim');
+add_filter('pre_link_rss', 'clean_url');
+add_filter('pre_link_target', 'strip_tags');
+add_filter('pre_link_target', 'trim');
+add_filter('pre_link_target', 'wp_filter_kses');
+add_filter('pre_link_target', 'wp_specialchars', 30);
+add_filter('pre_link_rel', 'strip_tags');
+add_filter('pre_link_rel', 'trim');
+add_filter('pre_link_rel', 'wp_filter_kses');
+add_filter('pre_link_rel', 'wp_specialchars', 30);
+
 // Users
 add_filter('pre_user_display_name', 'strip_tags');
 add_filter('pre_user_display_name', 'trim');
@@ -115,6 +140,7 @@ add_filter('the_author', 'ent2ncr', 8);
 
 // Misc filters
 add_filter('option_ping_sites', 'privacy_ping_filter');
+add_filter('option_blog_charset', 'wp_specialchars');
 
 // Actions
 add_action('wp_head', 'rsd_link');

wp-includes/functions.php

@@ -199,7 +199,7 @@ function get_option($option) {
 }
 
 function form_option($option) {
-	echo htmlspecialchars( get_option($option), ENT_QUOTES );
+	echo wp_specialchars( get_option($option), 1 );
 }
 
 function get_alloptions() {

wp-includes/link-template.php

@@ -476,17 +476,19 @@ function _max_num_pages() {
 	global $wpdb, $wp_query;
 	
 	if (isset($max_num_pages)) return $max_num_pages;
-	
+	$posts_per = (int) get_option('posts_per_page');
+	if ( empty($posts_per) ) $posts_per = 1;
+
 	if ( 'posts' == get_query_var('what_to_show') ) {
 		preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches);
 		$fromwhere = $matches[1];
 		$numposts = $wpdb->get_var("SELECT COUNT(DISTINCT ID) FROM $fromwhere");
-		$max_num_pages = ceil($numposts / get_option('posts_per_page'));
+		$max_num_pages = ceil($numposts / $posts_per);
 	} else {
 		preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches);
 		$fromwhere = preg_replace('/( AND )?post_date >= (\'|\")(.*?)(\'|\")( AND post_date <= (\'\")(.*?)(\'\"))?/siU', '', $matches[1]);
 		$num_days = $wpdb->query("SELECT DISTINCT post_date FROM $fromwhere GROUP BY year(post_date), month(post_date), dayofmonth(post_date)");
-		$max_num_pages = ceil($num_days / get_option('posts_per_page'));
+		$max_num_pages = ceil($num_days / $posts_per);
 	}
 
 	return $max_num_pages;

wp-includes/query.php

@@ -551,6 +551,11 @@ class WP_Query {
 			$q['posts_per_page'] = get_settings('posts_per_rss');
 			$q['what_to_show'] = 'posts';
 		}
+		$q['posts_per_page'] = (int) $q['posts_per_page'];
+		if ( $q['posts_per_page'] < -1 )
+			$q['posts_per_page'] = abs($q['posts_per_page']);
+		else if ( $q['posts_per_page'] == 0 )
+			$q['posts_per_page'] = 1;
 
 		if ( $this->is_home && (empty($this->query) || $q['preview'] == 'true') && ( 'page' == get_option('show_on_front') ) && get_option('page_on_front') ) {
 			$this->is_page = true;