From 38154c01ce90437c1043cef3057907edb3cf1b92 Mon Sep 17 00:00:00 2001
From: Nikolay Bachiyski
Date: Wed, 30 Mar 2016 17:32:22 +0000
Subject: [PATCH] Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters The codex says that taxonomy names "should only contain lowercase letters and the underscore character", but that's not enforced. It's too late to enforce it, since some plugins haven't been following it and the official phpdoc doesn't mention this restriction. Merge of [37133] to the 4.1 branch. Built from https://develop.svn.wordpress.org/branches/4.1@37138 git-svn-id: http://core.svn.wordpress.org/branches/4.1@37105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/taxonomy.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php
index 40a22f2970..68fb26eafd 100644
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -593,7 +593,7 @@ function get_objects_in_term( $term_ids, $taxonomies, $args = array() ) {
 $term_ids = array_map('intval', $term_ids );
- $taxonomies = "'" . implode( "', '", $taxonomies ) . "'";
+ $taxonomies = "'" . implode( "', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
 $term_ids = "'" . implode( "', '", $term_ids ) . "'";
 $object_ids = $wpdb->get_col("SELECT tr.object_id FROM $wpdb->term_relationships AS tr INNER JOIN $wpdb->term_taxonomy AS tt ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ($taxonomies) AND tt.term_id IN ($term_ids) ORDER BY tr.object_id $order");
@@ -1735,7 +1735,7 @@ function get_terms( $taxonomies, $args = '' ) {
 $order = 'ASC';
 }
- $where = "tt.taxonomy IN ('" . implode("', '", $taxonomies) . "')";
+ $where = "tt.taxonomy IN ('" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "')";
 $exclude = $args['exclude'];
 $exclude_tree = $args['exclude_tree'];
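Review bot: Escaping and quoting happen in two separate steps on the new `$taxonomies` line in get_objects_in_term(), so the query stays safe only while every later edit keeps the surrounding `'`…`'` and the `esc_sql` map together; the same hand-built idiom is repeated in the get_terms() and wp_get_object_terms() hunks. Consider building the list with placeholders, `$in = implode( ', ', array_fill( 0, count( $taxonomies ), '%s' ) );`, and passing `$taxonomies` to `$wpdb->prepare()`, or moving the idiom into one private helper so the three sites cannot drift apart. `$order` is interpolated into the same statement and its validation lies outside this hunk, so it should be confirmed as limited to ASC/DESC. The function body starts and ends outside the hunk.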
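Review bot: The new `$where` line in get_terms() carries no comment saying why names of registered taxonomies need escaping, which makes the `array_map( 'esc_sql', … )` look removable to a later cleanup. A one-line comment above it would record the reason given in the commit message: `// Taxonomy names are not restricted at registration, so escape each one before it enters the IN list.` The same comment fits the changed lines in get_objects_in_term() and wp_get_object_terms(). get_terms() continues beyond both ends of the hunk.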
@@ -2638,7 +2638,7 @@ function wp_get_object_terms($object_ids, $taxonomies, $args = array()) {
 if ( '' !== $order && ! in_array( $order, array( 'ASC', 'DESC' ) ) ) $order = 'ASC';
- $taxonomies = "'" . implode("', '", $taxonomies) . "'";
+ $taxonomies = "'" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
 $object_ids = implode(', ', $object_ids);
 $select_this = '';