Make those chars feel special.

git-svn-id: http://svn.automattic.com/wordpress/trunk@4112 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2006-08-24 22:33:16 +00:00
parent 52d65dc101
commit 207d876c81
13 changed files with 165 additions and 25 deletions


@ -293,23 +293,55 @@ function wp_insert_link($linkdata) {
extract($linkdata); extract($linkdata);
$update = false; $update = false;
if ( !empty($link_id) ) if ( !empty($link_id) )
$update = true; $update = true;
if( trim( $link_name ) == '' )
return 0;
$link_name = apply_filters('pre_link_name', $link_name);
if( trim( $link_url ) == '' )
return 0;
$link_url = apply_filters('pre_link_url', $link_url);
if ( empty($link_rating) ) if ( empty($link_rating) )
$link_rating = 0; $link_rating = 0;
else
$link_rating = (int) $link_rating;
if ( empty($link_image) )
$link_image = '';
$link_image = apply_filters('pre_link_image', $link_image);
if ( empty($link_target) ) if ( empty($link_target) )
$link_target = ''; $link_target = '';
$link_target = apply_filters('pre_link_target', $link_target);
if ( empty($link_visible) ) if ( empty($link_visible) )
$link_visible = 'Y'; $link_visible = 'Y';
$link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
if ( empty($link_owner) ) if ( empty($link_owner) )
$link_owner = $current_user->id; $link_owner = $current_user->id;
else
$link_owner = (int) $link_owner;
if ( empty($link_notes) ) if ( empty($link_notes) )
$link_notes = ''; $link_notes = '';
$link_notes = apply_filters('pre_link_notes', $link_notes);
if ( empty($link_description) )
$link_description = '';
$link_description = apply_filters('pre_link_description', $link_description);
if ( empty($link_rss) )
$link_rss = '';
$link_rss = apply_filters('pre_link_rss', $link_rss);
if ( empty($link_rel) )
$link_rel = '';
$link_rel = apply_filters('pre_link_rel', $link_rel);
// Make sure we set a valid category // Make sure we set a valid category
if (0 == count($link_category) || !is_array($link_category)) { if (0 == count($link_category) || !is_array($link_category)) {
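Review bot: The sanitised visibility flag is assigned to a misspelled variable at `$link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);`, so the preg_replace result is discarded and `$link_visible` keeps whatever the caller passed; the line should read `$link_visible = preg_replace('/[^YNyn]/', '', $link_visible);`. Once that is fixed, an input with no Y/N character collapses to an empty string rather than the 'Y' default set a few lines earlier, so a follow-up `if ( '' == $link_visible ) $link_visible = 'Y';` (or a strict check against the four accepted letters) keeps the stored value valid. wp_insert_link's body continues outside the hunk, so whether the field is escaped before the INSERT cannot be seen here.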


@ -301,6 +301,8 @@ function get_post_to_edit($id) {
$post->post_title = format_to_edit($post->post_title); $post->post_title = format_to_edit($post->post_title);
$post->post_title = apply_filters('title_edit_pre', $post->post_title); $post->post_title = apply_filters('title_edit_pre', $post->post_title);
$post->post_password = format_to_edit($post->post_password);
if ($post->post_type == 'page') if ($post->post_type == 'page')
$post->page_template = get_post_meta($id, '_wp_page_template', true); $post->page_template = get_post_meta($id, '_wp_page_template', true);
@ -381,6 +383,23 @@ function wp_dropdown_roles( $default = false ) {
} }
function get_user_to_edit($user_id) {
$user = new WP_User($user_id);
$user->user_login = wp_specialchars($user->user_login, 1);
$user->user_email = wp_specialchars($user->user_email, 1);
$user->user_url = wp_specialchars($user->user_url, 1);
$user->first_name = wp_specialchars($user->first_name, 1);
$user->last_name = wp_specialchars($user->last_name, 1);
$user->display_name = wp_specialchars($user->display_name, 1);
$user->nickname = wp_specialchars($user->nickname, 1);
$user->aim = wp_specialchars($user->aim, 1);
$user->yim = wp_specialchars($user->yim, 1);
$user->jabber = wp_specialchars($user->jabber, 1);
$user->description = wp_specialchars($user->description);
return $user;
}
// Creates a new user from the "Users" form using $_POST information. // Creates a new user from the "Users" form using $_POST information.
function add_user() { function add_user() {
@ -509,9 +528,11 @@ function get_link_to_edit($link_id) {
$link->link_url = wp_specialchars($link->link_url, 1); $link->link_url = wp_specialchars($link->link_url, 1);
$link->link_name = wp_specialchars($link->link_name, 1); $link->link_name = wp_specialchars($link->link_name, 1);
$link->link_description = wp_specialchars($link->link_description); $link->link_image = wp_specialchars($link->link_image, 1);
$link->link_description = wp_specialchars($link->link_description, 1);
$link->link_notes = wp_specialchars($link->link_notes); $link->link_notes = wp_specialchars($link->link_notes);
$link->link_rss = wp_specialchars($link->link_rss); $link->link_rss = wp_specialchars($link->link_rss, 1);
$link->link_rel = wp_specialchars($link->link_rel, 1);
$link->post_category = $link->link_category; $link->post_category = $link->link_category;
return $link; return $link;
@ -959,7 +980,7 @@ function list_meta($meta) {
$style = ''; $style = '';
if ('_' == $entry['meta_key'] { 0 }) if ('_' == $entry['meta_key'] { 0 })
$style .= ' hidden'; $style .= ' hidden';
$key_js = addslashes(wp_specialchars( $entry['meta_key'], 'double' )); $key_js = js_escape($entry['meta_key']);
$entry['meta_key'] = wp_specialchars( $entry['meta_key'], true ); $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
$entry['meta_value'] = wp_specialchars( $entry['meta_value'], true ); $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
$r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>"; $r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
@ -1011,6 +1032,7 @@ function meta_form() {
<?php <?php
foreach ($keys as $key) { foreach ($keys as $key) {
$key = wp_specialchars($key, 1);
echo "\n\t<option value='$key'>$key</option>"; echo "\n\t<option value='$key'>$key</option>";
} }
?> ?>
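Review bot: In the new get_user_to_edit (the `@ -381,6 +383,23 @@` hunk), `$user->description = wp_specialchars($user->description);` is the only field escaped without the quote flag the ten assignments above pass as `1`, which is only safe if every caller emits description inside element content (a textarea) and never in an attribute; if that is intended, say so inline: `$user->description = wp_specialchars($user->description); // element content only (textarea); quotes need not be escaped`. The function also has no header comment while its neighbour add_user does; a one-liner such as `// Returns a WP_User whose text fields are HTML-escaped for use as form values in the edit screens; do not write these values back` would make the escaping contract explicit for the profile.php and user-edit.php callers this commit switches over. get_link_to_edit has the same mixed pattern, where `link_notes` keeps the no-quote form while `link_description` gains the flag.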


@ -39,7 +39,7 @@ if ('' != $post->pinged) {
$pings = '<p>'. __('Already pinged:') . '</p><ul>'; $pings = '<p>'. __('Already pinged:') . '</p><ul>';
$already_pinged = explode("\n", trim($post->pinged)); $already_pinged = explode("\n", trim($post->pinged));
foreach ($already_pinged as $pinged_url) { foreach ($already_pinged as $pinged_url) {
$pings .= "\n\t<li>$pinged_url</li>"; $pings .= "\n\t<li>" . wp_specialchars($pinged_url) . "</li>";
} }
$pings .= '</ul>'; $pings .= '</ul>';
} }


@ -17,7 +17,7 @@ include('admin-header.php');
<table class="editform optiontable"> <table class="editform optiontable">
<tr valign="top"> <tr valign="top">
<th scope="row"><?php _e('Store uploads in this folder'); ?>:</th> <th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo str_replace(ABSPATH, '', get_settings('upload_path')); ?>" size="40" /> <td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_settings('upload_path')), 1); ?>" size="40" />
<br /> <br />
<?php _e('Default is <code>wp-content/uploads</code>'); ?> <?php _e('Default is <code>wp-content/uploads</code>'); ?>
</td> </td>


@ -148,7 +148,7 @@ checked="checked"
</label> </label>
<br /> <br />
</p> </p>
<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo $permalink_structure; ?>" size="50" /></p> <p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
<h3><?php _e('Optional'); ?></h3> <h3><?php _e('Optional'); ?></h3>
<?php if ($is_apache) : ?> <?php if ($is_apache) : ?>
@ -157,7 +157,7 @@ checked="checked"
<p><?php _e('If you like, you may enter a custom prefix for your category URIs here. For example, <code>/index.php/taxonomy/tags</code> would make your category links like <code>http://example.org/index.php/taxonomy/tags/uncategorized/</code>. If you leave this blank the default will be used.') ?></p> <p><?php _e('If you like, you may enter a custom prefix for your category URIs here. For example, <code>/index.php/taxonomy/tags</code> would make your category links like <code>http://example.org/index.php/taxonomy/tags/uncategorized/</code>. If you leave this blank the default will be used.') ?></p>
<?php endif; ?> <?php endif; ?>
<p> <p>
<?php _e('Category base'); ?>: <input name="category_base" type="text" class="code" value="<?php echo $category_base; ?>" size="30" /> <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code" value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" />
</p> </p>
<p class="submit"> <p class="submit">
<input type="submit" name="submit" value="<?php _e('Update Permalink Structure &raquo;') ?>" /> <input type="submit" name="submit" value="<?php _e('Update Permalink Structure &raquo;') ?>" />


@ -10,6 +10,67 @@ wp_reset_vars(array('action'));
if ( !current_user_can('manage_options') ) if ( !current_user_can('manage_options') )
wp_die(__('Cheatin&#8217; uh?')); wp_die(__('Cheatin&#8217; uh?'));
function sanitize_option($option, $value) {
switch ($option) {
case 'admin_email':
$value = sanitize_email($value);
break;
case 'default_post_edit_rows':
case 'mailserver_port':
case 'comment_max_links':
$value = abs((int) $value);
break;
case 'posts_per_page':
case 'posts_per_rss':
$value = (int) $value;
if ( empty($value) ) $value = 1;
if ( $value < -1 ) $value = abs($value);
break;
case 'default_ping_status':
case 'default_comment_status':
// Options that if not there have 0 value but need to be something like "closed"
if ( $value == '0' || $value == '')
$value = 'closed';
break;
case 'blogdescription':
case 'blogname':
if (current_user_can('unfiltered_html') == false)
$value = wp_filter_post_kses( $value );
break;
case 'blog_charset':
$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
break;
case 'date_format':
case 'time_format':
case 'mailserver_url':
case 'mailserver_login':
case 'mailserver_pass':
case 'ping_sites':
case 'upload_path':
$value = strip_tags($value);
$value = wp_filter_kses($value);
break;
case 'gmt_offset':
$value = preg_replace('/[^0-9:.-]/', '', $value);
break;
case 'siteurl':
case 'home':
$value = clean_url($value);
break;
}
return $value;
}
switch($action) { switch($action) {
case 'update': case 'update':
@ -29,19 +90,11 @@ case 'update':
$old_siteurl = get_settings('siteurl'); $old_siteurl = get_settings('siteurl');
$old_home = get_settings('home'); $old_home = get_settings('home');
// HACK
// Options that if not there have 0 value but need to be something like "closed"
$nonbools = array('default_ping_status', 'default_comment_status');
if ($options) { if ($options) {
foreach ($options as $option) { foreach ($options as $option) {
$option = trim($option); $option = trim($option);
$value = trim(stripslashes($_POST[$option])); $value = trim(stripslashes($_POST[$option]));
if( in_array($option, $nonbools) && ( $value == '0' || $value == '') ) $value = sanitize_option($option, $value);
$value = 'closed';
if( $option == 'blogdescription' || $option == 'blogname' )
if (current_user_can('unfiltered_html') == false)
$value = wp_filter_post_kses( $value );
if (update_option($option, $value) ) { if (update_option($option, $value) ) {
$any_changed++; $any_changed++;
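Review bot: sanitize_option has no `default:` branch, so any option name that reaches it but is not listed — and the list of names comes from `$options`, which is built outside this hunk — is stored exactly as submitted after the caller's `trim(stripslashes())`; that matches what the old inline code did, but now that the function reads like an allow-list it should say so, e.g. `default: // options not listed are stored verbatim; add a case here before exposing a new free-text option`. The `posts_per_page`/`posts_per_rss` case deliberately keeps -1 (`if ( $value < -1 ) $value = abs($value);`), presumably the "show all" sentinel, and that deserves a comment because the same rule is repeated in WP_Query in this commit. For `mailserver_pass`, running strip_tags and wp_filter_kses on a password can silently alter it when it contains `<` or `&`; if kses is wanted there for defence in depth, note that limitation next to the case.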


@ -8,7 +8,7 @@ if ( current_user_can('edit_users') )
else else
$parent_file = 'profile.php'; $parent_file = 'profile.php';
include_once('admin-header.php'); include_once('admin-header.php');
$profileuser = new WP_User($user_ID); $profileuser = get_user_to_edit($user_ID);
$bookmarklet_height= 440; $bookmarklet_height= 440;
?> ?>


@ -40,7 +40,7 @@ if( !is_wp_error( $errors ) ) {
default: default:
include ('admin-header.php'); include ('admin-header.php');
$profileuser = new WP_User($user_id); $profileuser = get_user_to_edit($user_id);
if ( !current_user_can('edit_user', $user_id) ) if ( !current_user_can('edit_user', $user_id) )
if ( !is_wp_error( $errors ) ) if ( !is_wp_error( $errors ) )


@ -97,7 +97,7 @@ class WP_User_Search {
} }
function get_results() { function get_results() {
return $this->results; return (array) $this->results;
} }
function page_links() { function page_links() {
@ -335,13 +335,13 @@ default:
<div class="wrap"> <div class="wrap">
<?php if ( $wp_user_search->is_search() ) : ?> <?php if ( $wp_user_search->is_search() ) : ?>
<h2><?php printf(__('Users Matching "%s" by Role'), $wp_user_search->search_term); ?></h2> <h2><?php printf(__('Users Matching "%s" by Role'), wp_specialchars($wp_user_search->search_term)); ?></h2>
<?php else : ?> <?php else : ?>
<h2><?php _e('User List by Role'); ?></h2> <h2><?php _e('User List by Role'); ?></h2>
<?php endif; ?> <?php endif; ?>
<form action="" method="get" name="search" id="search"> <form action="" method="get" name="search" id="search">
<p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term); ?>" /> <input type="submit" value="<?php _e('Search for users &raquo;'); ?>" /></p> <p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term, 1); ?>" /> <input type="submit" value="<?php _e('Search for users &raquo;'); ?>" /></p>
</form> </form>
<?php if ( is_wp_error( $wp_user_search->search_errors ) ) : ?> <?php if ( is_wp_error( $wp_user_search->search_errors ) ) : ?>


@ -55,6 +55,31 @@ add_filter('pre_category_name', 'wp_filter_kses');
add_filter('pre_category_name', 'wp_specialchars', 30); add_filter('pre_category_name', 'wp_specialchars', 30);
add_filter('pre_category_description', 'wp_filter_kses'); add_filter('pre_category_description', 'wp_filter_kses');
//Links
add_filter('pre_link_name', 'strip_tags');
add_filter('pre_link_name', 'trim');
add_filter('pre_link_name', 'wp_filter_kses');
add_filter('pre_link_name', 'wp_specialchars', 30);
add_filter('pre_link_description', 'wp_filter_kses');
add_filter('pre_link_notes', 'wp_filter_kses');
add_filter('pre_link_url', 'strip_tags');
add_filter('pre_link_url', 'trim');
add_filter('pre_link_url', 'clean_url');
add_filter('pre_link_image', 'strip_tags');
add_filter('pre_link_image', 'trim');
add_filter('pre_link_image', 'clean_url');
add_filter('pre_link_rss', 'strip_tags');
add_filter('pre_link_rss', 'trim');
add_filter('pre_link_rss', 'clean_url');
add_filter('pre_link_target', 'strip_tags');
add_filter('pre_link_target', 'trim');
add_filter('pre_link_target', 'wp_filter_kses');
add_filter('pre_link_target', 'wp_specialchars', 30);
add_filter('pre_link_rel', 'strip_tags');
add_filter('pre_link_rel', 'trim');
add_filter('pre_link_rel', 'wp_filter_kses');
add_filter('pre_link_rel', 'wp_specialchars', 30);
// Users // Users
add_filter('pre_user_display_name', 'strip_tags'); add_filter('pre_user_display_name', 'strip_tags');
add_filter('pre_user_display_name', 'trim'); add_filter('pre_user_display_name', 'trim');
@ -115,6 +140,7 @@ add_filter('the_author', 'ent2ncr', 8);
// Misc filters // Misc filters
add_filter('option_ping_sites', 'privacy_ping_filter'); add_filter('option_ping_sites', 'privacy_ping_filter');
add_filter('option_blog_charset', 'wp_specialchars');
// Actions // Actions
add_action('wp_head', 'rsd_link'); add_action('wp_head', 'rsd_link');
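Review bot: The four `pre_link_target` filters only strip, trim, kses-filter and entity-encode the value, so link_target stays free text even though the `target` attribute it feeds accepts a small fixed set of values, and wp_insert_link in this same commit does not constrain it either. A final `pre_link_target` callback that maps anything outside the accepted set to the empty string — the body being no more than `return in_array($target, array('_blank', '_top', ''), true) ? $target : '';` — would make the stored value valid by construction rather than merely escaped. The link fields that get no `pre_` filter here (link_visible, link_rating, link_owner) rely entirely on the casts and the regex in wp_insert_link; a comment above the `//Links` group saying so would tell the next reader where those are enforced.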


@ -199,7 +199,7 @@ function get_option($option) {
} }
function form_option($option) { function form_option($option) {
echo htmlspecialchars( get_option($option), ENT_QUOTES ); echo wp_specialchars( get_option($option), 1 );
} }
function get_alloptions() { function get_alloptions() {


@ -476,17 +476,19 @@ function _max_num_pages() {
global $wpdb, $wp_query; global $wpdb, $wp_query;
if (isset($max_num_pages)) return $max_num_pages; if (isset($max_num_pages)) return $max_num_pages;
$posts_per = (int) get_option('posts_per_page');
if ( empty($posts_per) ) $posts_per = 1;
if ( 'posts' == get_query_var('what_to_show') ) { if ( 'posts' == get_query_var('what_to_show') ) {
preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches); preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches);
$fromwhere = $matches[1]; $fromwhere = $matches[1];
$numposts = $wpdb->get_var("SELECT COUNT(DISTINCT ID) FROM $fromwhere"); $numposts = $wpdb->get_var("SELECT COUNT(DISTINCT ID) FROM $fromwhere");
$max_num_pages = ceil($numposts / get_option('posts_per_page')); $max_num_pages = ceil($numposts / $posts_per);
} else { } else {
preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches); preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches);
$fromwhere = preg_replace('/( AND )?post_date >= (\'|\")(.*?)(\'|\")( AND post_date <= (\'\")(.*?)(\'\"))?/siU', '', $matches[1]); $fromwhere = preg_replace('/( AND )?post_date >= (\'|\")(.*?)(\'|\")( AND post_date <= (\'\")(.*?)(\'\"))?/siU', '', $matches[1]);
$num_days = $wpdb->query("SELECT DISTINCT post_date FROM $fromwhere GROUP BY year(post_date), month(post_date), dayofmonth(post_date)"); $num_days = $wpdb->query("SELECT DISTINCT post_date FROM $fromwhere GROUP BY year(post_date), month(post_date), dayofmonth(post_date)");
$max_num_pages = ceil($num_days / get_option('posts_per_page')); $max_num_pages = ceil($num_days / $posts_per);
} }
return $max_num_pages; return $max_num_pages;
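Review bot: `$posts_per` is only corrected when it is empty, so a stored posts_per_page of -1 — a value sanitize_option in this same commit explicitly preserves and WP_Query leaves untouched — makes `ceil($numposts / $posts_per)` and `ceil($num_days / $posts_per)` negative. If -1 means "show everything", replace the `empty()` guard with `if ( $posts_per < 1 ) return $max_num_pages = 1;` so one page holds all posts; if other negatives can still reach this function, mirror WP_Query's `abs()` first. The function's opening line is only visible as the hunk's context header, so I cannot tell whether `$max_num_pages` is cached as a static or global here.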


@ -551,6 +551,11 @@ class WP_Query {
$q['posts_per_page'] = get_settings('posts_per_rss'); $q['posts_per_page'] = get_settings('posts_per_rss');
$q['what_to_show'] = 'posts'; $q['what_to_show'] = 'posts';
} }
$q['posts_per_page'] = (int) $q['posts_per_page'];
if ( $q['posts_per_page'] < -1 )
$q['posts_per_page'] = abs($q['posts_per_page']);
else if ( $q['posts_per_page'] == 0 )
$q['posts_per_page'] = 1;
if ( $this->is_home && (empty($this->query) || $q['preview'] == 'true') && ( 'page' == get_option('show_on_front') ) && get_option('page_on_front') ) { if ( $this->is_home && (empty($this->query) || $q['preview'] == 'true') && ( 'page' == get_option('show_on_front') ) && get_option('page_on_front') ) {
$this->is_page = true; $this->is_page = true;
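Review bot: The normalisation block added before the `is_home` check says nothing about why -1 is the one negative value allowed through while 0 and other negatives are rewritten, so a reader has to cross-reference sanitize_option to learn that; assuming -1 is the unlimited sentinel, which the hunk itself does not show, a comment above `$q['posts_per_page'] = (int) $q['posts_per_page'];` such as `// -1 is kept as-is (unlimited); 0 becomes 1 and other negatives are made positive — keep in sync with sanitize_option()` would do. The enclosing method begins outside the hunk.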