Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
0bb47182a4
commit
43a7e695e9
|
@ -43,7 +43,7 @@ if ( get_option('db_upgraded') ) {
|
|||
do_action('after_db_upgrade');
|
||||
} elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
|
||||
if ( !is_multisite() ) {
|
||||
wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
|
||||
wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI']))));
|
||||
exit;
|
||||
} elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
|
||||
/**
|
||||
|
@ -82,7 +82,7 @@ wp_enqueue_script( 'common' );
|
|||
$editing = false;
|
||||
|
||||
if ( isset($_GET['page']) ) {
|
||||
$plugin_page = wp_unslash( $_GET['page'] );
|
||||
$plugin_page = stripslashes($_GET['page']);
|
||||
$plugin_page = plugin_basename($plugin_page);
|
||||
}
|
||||
|
||||
|
|
|
@ -378,7 +378,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
|
|||
|
||||
// Add the meta-data
|
||||
wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
|
||||
wp_update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
|
||||
update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
|
||||
|
||||
set_theme_mod('background_image', esc_url_raw($url));
|
||||
|
||||
|
@ -415,7 +415,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) )
|
|||
if ( in_array( $_POST['size'], $sizes ) )
|
||||
$size = esc_attr( $_POST['size'] );
|
||||
|
||||
wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
|
||||
update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
|
||||
$url = wp_get_attachment_image_src( $attachment_id, $size );
|
||||
$thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' );
|
||||
set_theme_mod( 'background_image', esc_url_raw( $url[0] ) );
|
||||
|
|
|
@ -948,7 +948,7 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
|
|||
'width' => $choice['width'],
|
||||
);
|
||||
|
||||
wp_update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
|
||||
update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
|
||||
set_theme_mod( 'header_image', $choice['url'] );
|
||||
set_theme_mod( 'header_image_data', $header_image_data );
|
||||
return;
|
||||
|
|
|
@ -20,9 +20,9 @@ if ( $doaction ) {
|
|||
check_admin_referer( 'bulk-comments' );
|
||||
|
||||
if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
|
||||
$comment_status = $_REQUEST['comment_status'];
|
||||
$delete_time = $_REQUEST['pagegen_timestamp'];
|
||||
$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
|
||||
$comment_status = $wpdb->escape( $_REQUEST['comment_status'] );
|
||||
$delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] );
|
||||
$comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" );
|
||||
$doaction = 'delete';
|
||||
} elseif ( isset( $_REQUEST['delete_comments'] ) ) {
|
||||
$comment_ids = $_REQUEST['delete_comments'];
|
||||
|
@ -95,7 +95,7 @@ if ( $doaction ) {
|
|||
wp_safe_redirect( $redirect_to );
|
||||
exit;
|
||||
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
|
||||
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
|
||||
exit;
|
||||
}
|
||||
|
||||
|
@ -153,7 +153,7 @@ else
|
|||
echo __('Comments');
|
||||
|
||||
if ( isset($_REQUEST['s']) && $_REQUEST['s'] )
|
||||
printf( '<span class="subtitle">' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
|
||||
printf( '<span class="subtitle">' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
|
||||
</h2>
|
||||
|
||||
<?php
|
||||
|
|
|
@ -314,7 +314,7 @@ if ( isset( $post_new_file ) && current_user_can( $post_type_object->cap->create
|
|||
<input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
|
||||
<input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" />
|
||||
<input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" />
|
||||
<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url( wp_get_referer() ); ?>" />
|
||||
<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
|
||||
<?php if ( ! empty( $active_post_lock ) ) { ?>
|
||||
<input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" />
|
||||
<?php
|
||||
|
|
|
@ -132,7 +132,7 @@ do_meta_boxes(null, 'normal', $comment);
|
|||
|
||||
<input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
|
||||
<input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
|
||||
<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url( wp_get_referer() ); ?>" />
|
||||
<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
|
||||
<?php wp_original_referer_field(true, 'previous'); ?>
|
||||
<input type="hidden" name="noredir" value="1" />
|
||||
|
||||
|
|
|
@ -126,6 +126,7 @@ do_meta_boxes(null, 'advanced', $link);
|
|||
if ( $link_id ) : ?>
|
||||
<input type="hidden" name="action" value="save" />
|
||||
<input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
|
||||
<input type="hidden" name="order_by" value="<?php echo esc_attr($order_by); ?>" />
|
||||
<input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
|
||||
<?php else: ?>
|
||||
<input type="hidden" name="action" value="add" />
|
||||
|
|
|
@ -47,9 +47,7 @@ case 'add-tag':
|
|||
if ( !current_user_can( $tax->cap->edit_terms ) )
|
||||
wp_die( __( 'Cheatin’ uh?' ) );
|
||||
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
$ret = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
|
||||
$ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST );
|
||||
$location = 'edit-tags.php?taxonomy=' . $taxonomy;
|
||||
if ( 'post' != $post_type )
|
||||
$location .= '&post_type=' . $post_type;
|
||||
|
@ -134,10 +132,7 @@ case 'edit':
|
|||
break;
|
||||
|
||||
case 'editedtag':
|
||||
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
$tag_ID = (int) $post_data['tag_ID'];
|
||||
$tag_ID = (int) $_POST['tag_ID'];
|
||||
check_admin_referer( 'update-tag_' . $tag_ID );
|
||||
|
||||
if ( !current_user_can( $tax->cap->edit_terms ) )
|
||||
|
@ -147,7 +142,7 @@ case 'editedtag':
|
|||
if ( ! $tag )
|
||||
wp_die( __( 'You attempted to edit an item that doesn’t exist. Perhaps it was deleted?' ) );
|
||||
|
||||
$ret = wp_update_term( $tag_ID, $taxonomy, $post_data );
|
||||
$ret = wp_update_term( $tag_ID, $taxonomy, $_POST );
|
||||
|
||||
$location = 'edit-tags.php?taxonomy=' . $taxonomy;
|
||||
if ( 'post' != $post_type )
|
||||
|
@ -169,7 +164,7 @@ break;
|
|||
|
||||
default:
|
||||
if ( ! empty($_REQUEST['_wp_http_referer']) ) {
|
||||
$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) );
|
||||
$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );
|
||||
|
||||
if ( ! empty( $_REQUEST['paged'] ) )
|
||||
$location = add_query_arg( 'paged', (int) $_REQUEST['paged'] );
|
||||
|
@ -269,8 +264,8 @@ $messages[6] = __('Items deleted.');
|
|||
<div class="wrap nosubsub">
|
||||
<?php screen_icon(); ?>
|
||||
<h2><?php echo esc_html( $title );
|
||||
if ( ! empty($_REQUEST['s']) )
|
||||
printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( wp_unslash( $_REQUEST['s'] ) ) ); ?>
|
||||
if ( !empty($_REQUEST['s']) )
|
||||
printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
|
||||
</h2>
|
||||
|
||||
<?php if ( isset($_REQUEST['message']) && ( $msg = (int) $_REQUEST['message'] ) ) : ?>
|
||||
|
|
|
@ -138,7 +138,7 @@ if ( $doaction ) {
|
|||
wp_redirect($sendback);
|
||||
exit();
|
||||
} elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
|
||||
wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||
wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );
|
||||
exit;
|
||||
}
|
||||
|
||||
|
|
|
@ -59,7 +59,7 @@ function wp_ajax_ajax_tag_search() {
|
|||
wp_die( 0 );
|
||||
}
|
||||
|
||||
$s = wp_unslash( $_GET['q'] );
|
||||
$s = stripslashes( $_GET['q'] );
|
||||
|
||||
$comma = _x( ',', 'tag delimiter' );
|
||||
if ( ',' !== $comma )
|
||||
|
@ -279,21 +279,19 @@ function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) {
|
|||
*/
|
||||
|
||||
function _wp_ajax_add_hierarchical_term() {
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
$action = $post_data['action'];
|
||||
$action = $_POST['action'];
|
||||
$taxonomy = get_taxonomy(substr($action, 4));
|
||||
check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy->name );
|
||||
if ( !current_user_can( $taxonomy->cap->edit_terms ) )
|
||||
wp_die( -1 );
|
||||
$names = explode(',', $post_data['new'.$taxonomy->name]);
|
||||
$parent = isset($post_data['new'.$taxonomy->name.'_parent']) ? (int) $post_data['new'.$taxonomy->name.'_parent'] : 0;
|
||||
$names = explode(',', $_POST['new'.$taxonomy->name]);
|
||||
$parent = isset($_POST['new'.$taxonomy->name.'_parent']) ? (int) $_POST['new'.$taxonomy->name.'_parent'] : 0;
|
||||
if ( 0 > $parent )
|
||||
$parent = 0;
|
||||
if ( $taxonomy->name == 'category' )
|
||||
$post_category = isset( $post_data['post_category'] ) ? (array) $post_data['post_category'] : array();
|
||||
$post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array();
|
||||
else
|
||||
$post_category = ( isset( $post_data['tax_input'] ) && isset( $post_data['tax_input'][$taxonomy->name] ) ) ? (array) $post_data['tax_input'][$taxonomy->name] : array();
|
||||
$post_category = ( isset($_POST['tax_input']) && isset($_POST['tax_input'][$taxonomy->name]) ) ? (array) $_POST['tax_input'][$taxonomy->name] : array();
|
||||
$checked_categories = array_map( 'absint', (array) $post_category );
|
||||
$popular_ids = wp_popular_terms_checklist($taxonomy->name, 0, 10, false);
|
||||
|
||||
|
@ -561,7 +559,7 @@ function wp_ajax_add_link_category( $action ) {
|
|||
check_ajax_referer( $action );
|
||||
if ( !current_user_can( 'manage_categories' ) )
|
||||
wp_die( -1 );
|
||||
$names = explode( ',', wp_unslash( $_POST['newcat'] ) );
|
||||
$names = explode(',', $_POST['newcat']);
|
||||
$x = new WP_Ajax_Response();
|
||||
foreach ( $names as $cat_name ) {
|
||||
$cat_name = trim($cat_name);
|
||||
|
@ -574,7 +572,7 @@ function wp_ajax_add_link_category( $action ) {
|
|||
continue;
|
||||
else if ( is_array( $cat_id ) )
|
||||
$cat_id = $cat_id['term_id'];
|
||||
$cat_name = esc_html( wp_unslash( $cat_name ) );
|
||||
$cat_name = esc_html(stripslashes($cat_name));
|
||||
$x->add( array(
|
||||
'what' => 'link-category',
|
||||
'id' => $cat_id,
|
||||
|
@ -588,11 +586,9 @@ function wp_ajax_add_link_category( $action ) {
|
|||
function wp_ajax_add_tag() {
|
||||
global $wp_list_table;
|
||||
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
check_ajax_referer( 'add-tag', '_wpnonce_add-tag' );
|
||||
$post_type = !empty($post_data['post_type']) ? $post_data['post_type'] : 'post';
|
||||
$taxonomy = !empty($post_data['taxonomy']) ? $post_data['taxonomy'] : 'post_tag';
|
||||
$post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post';
|
||||
$taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
|
||||
$tax = get_taxonomy($taxonomy);
|
||||
|
||||
if ( !current_user_can( $tax->cap->edit_terms ) )
|
||||
|
@ -600,7 +596,7 @@ function wp_ajax_add_tag() {
|
|||
|
||||
$x = new WP_Ajax_Response();
|
||||
|
||||
$tag = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
|
||||
$tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST );
|
||||
|
||||
if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) {
|
||||
$message = __('An error has occurred. Please reload the page and try again.');
|
||||
|
@ -614,7 +610,7 @@ function wp_ajax_add_tag() {
|
|||
$x->send();
|
||||
}
|
||||
|
||||
$wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $post_data['screen'] ) );
|
||||
$wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $_POST['screen'] ) );
|
||||
|
||||
$level = 0;
|
||||
if ( is_taxonomy_hierarchical($taxonomy) ) {
|
||||
|
@ -732,10 +728,10 @@ function wp_ajax_replyto_comment( $action ) {
|
|||
$user = wp_get_current_user();
|
||||
if ( $user->exists() ) {
|
||||
$user_ID = $user->ID;
|
||||
$comment_author = $user->display_name;
|
||||
$comment_author_email = $user->user_email;
|
||||
$comment_author_url = $user->user_url;
|
||||
$comment_content = trim( wp_unslash( $_POST['content'] ) );
|
||||
$comment_author = $wpdb->escape($user->display_name);
|
||||
$comment_author_email = $wpdb->escape($user->user_email);
|
||||
$comment_author_url = $wpdb->escape($user->user_url);
|
||||
$comment_content = trim($_POST['content']);
|
||||
if ( current_user_can( 'unfiltered_html' ) ) {
|
||||
if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
|
||||
kses_remove_filters(); // start with a clean slate
|
||||
|
@ -961,8 +957,8 @@ function wp_ajax_add_meta() {
|
|||
) );
|
||||
} else { // Update?
|
||||
$mid = (int) key( $_POST['meta'] );
|
||||
$key = wp_unslash( $_POST['meta'][$mid]['key'] );
|
||||
$value = wp_unslash( $_POST['meta'][$mid]['value'] );
|
||||
$key = stripslashes( $_POST['meta'][$mid]['key'] );
|
||||
$value = stripslashes( $_POST['meta'][$mid]['value'] );
|
||||
if ( '' == trim($key) )
|
||||
wp_die( __( 'Please provide a custom field name.' ) );
|
||||
if ( '' == trim($value) )
|
||||
|
@ -1231,7 +1227,7 @@ function wp_ajax_wp_link_ajax() {
|
|||
$args = array();
|
||||
|
||||
if ( isset( $_POST['search'] ) )
|
||||
$args['s'] = wp_unslash( $_POST['search'] );
|
||||
$args['s'] = stripslashes( $_POST['search'] );
|
||||
$args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
|
||||
|
||||
require(ABSPATH . WPINC . '/class-wp-editor.php');
|
||||
|
@ -1332,6 +1328,7 @@ function wp_ajax_inline_save() {
|
|||
$data = &$_POST;
|
||||
|
||||
$post = get_post( $post_ID, ARRAY_A );
|
||||
$post = add_magic_quotes($post); //since it is from db
|
||||
|
||||
$data['content'] = $post['post_content'];
|
||||
$data['excerpt'] = $post['post_excerpt'];
|
||||
|
@ -1380,9 +1377,7 @@ function wp_ajax_inline_save_tax() {
|
|||
|
||||
check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' );
|
||||
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
$taxonomy = sanitize_key( $post_data['taxonomy'] );
|
||||
$taxonomy = sanitize_key( $_POST['taxonomy'] );
|
||||
$tax = get_taxonomy( $taxonomy );
|
||||
if ( ! $tax )
|
||||
wp_die( 0 );
|
||||
|
@ -1392,13 +1387,13 @@ function wp_ajax_inline_save_tax() {
|
|||
|
||||
$wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) );
|
||||
|
||||
if ( ! isset($post_data['tax_ID']) || ! ( $id = (int) $post_data['tax_ID'] ) )
|
||||
if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
|
||||
wp_die( -1 );
|
||||
|
||||
$tag = get_term( $id, $taxonomy );
|
||||
$post_data['description'] = $tag->description;
|
||||
$_POST['description'] = $tag->description;
|
||||
|
||||
$updated = wp_update_term($id, $taxonomy, $post_data );
|
||||
$updated = wp_update_term($id, $taxonomy, $_POST);
|
||||
if ( $updated && !is_wp_error($updated) ) {
|
||||
$tag = get_term( $updated['term_id'], $taxonomy );
|
||||
if ( !$tag || is_wp_error( $tag ) ) {
|
||||
|
@ -1430,7 +1425,7 @@ function wp_ajax_find_posts() {
|
|||
$post_types = get_post_types( array( 'public' => true ), 'objects' );
|
||||
unset( $post_types['attachment'] );
|
||||
|
||||
$s = wp_unslash( $_POST['ps'] );
|
||||
$s = stripslashes( $_POST['ps'] );
|
||||
$searchand = $search = '';
|
||||
$args = array(
|
||||
'post_type' => array_keys( $post_types ),
|
||||
|
@ -1601,7 +1596,7 @@ function wp_ajax_upload_attachment() {
|
|||
$post_id = null;
|
||||
}
|
||||
|
||||
$post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( $_REQUEST['post_data'] ) : array();
|
||||
$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
|
||||
|
||||
// If the context is custom header or background, make sure the uploaded file is an image.
|
||||
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
|
||||
|
@ -1635,10 +1630,10 @@ function wp_ajax_upload_attachment() {
|
|||
|
||||
if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) {
|
||||
if ( 'custom-background' === $post_data['context'] )
|
||||
wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
|
||||
update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
|
||||
|
||||
if ( 'custom-header' === $post_data['context'] )
|
||||
wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
|
||||
update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
|
||||
}
|
||||
|
||||
if ( ! $attachment = wp_prepare_attachment_for_js( $attachment_id ) )
|
||||
|
@ -1783,7 +1778,7 @@ function wp_ajax_wp_remove_post_lock() {
|
|||
wp_die( 0 );
|
||||
|
||||
$new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1];
|
||||
wp_update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
|
||||
update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
|
||||
wp_die( 1 );
|
||||
}
|
||||
|
||||
|
@ -1878,7 +1873,7 @@ function wp_ajax_save_attachment() {
|
|||
if ( ! current_user_can( 'edit_post', $id ) )
|
||||
wp_send_json_error();
|
||||
|
||||
$changes = wp_unslash( $_REQUEST['changes'] );
|
||||
$changes = $_REQUEST['changes'];
|
||||
$post = get_post( $id, ARRAY_A );
|
||||
|
||||
if ( 'attachment' != $post['post_type'] )
|
||||
|
@ -1895,10 +1890,10 @@ function wp_ajax_save_attachment() {
|
|||
|
||||
if ( isset( $changes['alt'] ) ) {
|
||||
$alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
|
||||
$new_alt = $changes['alt'];
|
||||
$new_alt = stripslashes( $changes['alt'] );
|
||||
if ( $alt != $new_alt ) {
|
||||
$new_alt = wp_strip_all_tags( $new_alt, true );
|
||||
wp_update_post_meta( $id, '_wp_attachment_image_alt', $new_alt );
|
||||
update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1920,7 +1915,7 @@ function wp_ajax_save_attachment_compat() {
|
|||
|
||||
if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) )
|
||||
wp_send_json_error();
|
||||
$attachment_data = wp_unslash( $_REQUEST['attachments'][ $id ] );
|
||||
$attachment_data = $_REQUEST['attachments'][ $id ];
|
||||
|
||||
check_ajax_referer( 'update-post_' . $id, 'nonce' );
|
||||
|
||||
|
@ -1964,7 +1959,7 @@ function wp_ajax_save_attachment_order() {
|
|||
|
||||
check_ajax_referer( 'update-post_' . $post_id, 'nonce' );
|
||||
|
||||
$attachments = wp_unslash( $_REQUEST['attachments'] );
|
||||
$attachments = $_REQUEST['attachments'];
|
||||
|
||||
if ( ! current_user_can( 'edit_post', $post_id ) )
|
||||
wp_send_json_error();
|
||||
|
@ -1995,7 +1990,7 @@ function wp_ajax_save_attachment_order() {
|
|||
function wp_ajax_send_attachment_to_editor() {
|
||||
check_ajax_referer( 'media-send-to-editor', 'nonce' );
|
||||
|
||||
$attachment = wp_unslash( $_POST['attachment'] );
|
||||
$attachment = stripslashes_deep( $_POST['attachment'] );
|
||||
|
||||
$id = intval( $attachment['id'] );
|
||||
|
||||
|
@ -2050,7 +2045,7 @@ function wp_ajax_send_attachment_to_editor() {
|
|||
function wp_ajax_send_link_to_editor() {
|
||||
check_ajax_referer( 'media-send-to-editor', 'nonce' );
|
||||
|
||||
if ( ! $src = wp_unslash( $_POST['src'] ) )
|
||||
if ( ! $src = stripslashes( $_POST['src'] ) )
|
||||
wp_send_json_error();
|
||||
|
||||
if ( ! strpos( $src, '://' ) )
|
||||
|
@ -2059,7 +2054,7 @@ function wp_ajax_send_link_to_editor() {
|
|||
if ( ! $src = esc_url_raw( $src ) )
|
||||
wp_send_json_error();
|
||||
|
||||
if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
|
||||
if ( ! $title = trim( stripslashes( $_POST['title'] ) ) )
|
||||
$title = wp_basename( $src );
|
||||
|
||||
$html = '';
|
||||
|
@ -2088,7 +2083,7 @@ function wp_ajax_heartbeat() {
|
|||
$screen_id = 'site';
|
||||
|
||||
if ( ! empty($_POST['data']) ) {
|
||||
$data = wp_unslash( (array) $_POST['data'] );
|
||||
$data = (array) $_POST['data'];
|
||||
// todo: how much to sanitize and preset and what to leave to be accessed from $data or $_POST..?
|
||||
$user = wp_get_current_user();
|
||||
$data['user_id'] = $user->exists() ? $user->ID : 0;
|
||||
|
@ -2119,7 +2114,7 @@ function wp_ajax_nopriv_heartbeat() {
|
|||
$screen_id = 'site';
|
||||
|
||||
if ( ! empty($_POST['data']) ) {
|
||||
$data = wp_unslash( (array) $_POST['data'] );
|
||||
$data = stripslashes_deep( (array) $_POST['data'] );
|
||||
$response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id );
|
||||
}
|
||||
|
||||
|
|
|
@ -39,9 +39,9 @@ function edit_link( $link_id = 0 ) {
|
|||
|
||||
if ( !empty( $link_id ) ) {
|
||||
$_POST['link_id'] = $link_id;
|
||||
return wp_update_link( wp_unslash( $_POST ) );
|
||||
return wp_update_link( $_POST );
|
||||
} else {
|
||||
return wp_insert_link( wp_unslash( $_POST ) );
|
||||
return wp_insert_link( $_POST );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -55,12 +55,12 @@ function edit_link( $link_id = 0 ) {
|
|||
function get_default_link_to_edit() {
|
||||
$link = new stdClass;
|
||||
if ( isset( $_GET['linkurl'] ) )
|
||||
$link->link_url = esc_url( wp_unslash( $_GET['linkurl'] ) );
|
||||
$link->link_url = esc_url( $_GET['linkurl'] );
|
||||
else
|
||||
$link->link_url = '';
|
||||
|
||||
if ( isset( $_GET['name'] ) )
|
||||
$link->link_name = esc_attr( wp_unslash( $_GET['name'] ) );
|
||||
$link->link_name = esc_attr( $_GET['name'] );
|
||||
else
|
||||
$link->link_name = '';
|
||||
|
||||
|
@ -137,7 +137,7 @@ function wp_insert_link( $linkdata, $wp_error = false ) {
|
|||
$linkdata = wp_parse_args( $linkdata, $defaults );
|
||||
$linkdata = sanitize_bookmark( $linkdata, 'db' );
|
||||
|
||||
extract( $linkdata, EXTR_SKIP );
|
||||
extract( stripslashes_deep( $linkdata ), EXTR_SKIP );
|
||||
|
||||
$update = false;
|
||||
|
||||
|
@ -250,6 +250,9 @@ function wp_update_link( $linkdata ) {
|
|||
|
||||
$link = get_bookmark( $link_id, ARRAY_A );
|
||||
|
||||
// Escape data pulled from DB.
|
||||
$link = add_magic_quotes( $link );
|
||||
|
||||
// Passed link category list overwrites existing category list if not empty.
|
||||
if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] )
|
||||
&& 0 != count( $linkdata['link_category'] ) )
|
||||
|
|
|
@ -170,7 +170,7 @@ class WP_Comments_List_Table extends WP_List_Table {
|
|||
/*
|
||||
// I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
|
||||
if ( !empty( $_REQUEST['s'] ) )
|
||||
$link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link );
|
||||
$link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link );
|
||||
*/
|
||||
$status_links[$status] = "<a href='$link'$class>" . sprintf(
|
||||
translate_nooped_plural( $label, $num_comments->$status ),
|
||||
|
|
|
@ -29,7 +29,7 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
|
|||
|
||||
$pagenum = $this->get_pagenum();
|
||||
|
||||
$s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : '';
|
||||
$s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : '';
|
||||
$wild = '';
|
||||
if ( false !== strpos($s, '*') ) {
|
||||
$wild = '%';
|
||||
|
|
|
@ -126,7 +126,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
|
|||
function _search_callback( $theme ) {
|
||||
static $term;
|
||||
if ( is_null( $term ) )
|
||||
$term = wp_unslash( $_REQUEST['s'] );
|
||||
$term = stripslashes( $_REQUEST['s'] );
|
||||
|
||||
foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) {
|
||||
// Don't mark up; Do translate.
|
||||
|
|
|
@ -173,10 +173,10 @@ class WP_MS_Users_List_Table extends WP_List_Table {
|
|||
|
||||
case 'username':
|
||||
$avatar = get_avatar( $user->user_email, 32 );
|
||||
$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
|
||||
$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
|
||||
|
||||
echo "<td $attributes>"; ?>
|
||||
<?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo $user->user_login; ?></a><?php
|
||||
<?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo stripslashes( $user->user_login ); ?></a><?php
|
||||
if ( in_array( $user->user_login, $super_admins ) )
|
||||
echo ' - ' . __( 'Super Admin' );
|
||||
?></strong>
|
||||
|
@ -186,7 +186,7 @@ class WP_MS_Users_List_Table extends WP_List_Table {
|
|||
$actions['edit'] = '<a href="' . $edit_link . '">' . __( 'Edit' ) . '</a>';
|
||||
|
||||
if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) {
|
||||
$actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&action=deleteuser&id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
|
||||
$actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&action=deleteuser&id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
|
||||
}
|
||||
|
||||
$actions = apply_filters( 'ms_user_row_actions', $actions, $user );
|
||||
|
|
|
@ -48,8 +48,8 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
|
|||
|
||||
switch ( $tab ) {
|
||||
case 'search':
|
||||
$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
|
||||
$term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
|
||||
$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
|
||||
$term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
|
||||
|
||||
switch ( $type ) {
|
||||
case 'tag':
|
||||
|
@ -73,7 +73,7 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
|
|||
break;
|
||||
|
||||
case 'favorites':
|
||||
$user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
|
||||
$user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
|
||||
update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
|
||||
if ( $user )
|
||||
$args['user'] = $user;
|
||||
|
|
|
@ -22,7 +22,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
|
|||
$status = $_REQUEST['plugin_status'];
|
||||
|
||||
if ( isset($_REQUEST['s']) )
|
||||
$_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) );
|
||||
$_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) );
|
||||
|
||||
$page = $this->get_pagenum();
|
||||
}
|
||||
|
@ -140,7 +140,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
|
|||
function _search_callback( $plugin ) {
|
||||
static $term;
|
||||
if ( is_null( $term ) )
|
||||
$term = wp_unslash( $_REQUEST['s'] );
|
||||
$term = stripslashes( $_REQUEST['s'] );
|
||||
|
||||
foreach ( $plugin as $value )
|
||||
if ( stripos( $value, $term ) !== false )
|
||||
|
|
|
@ -52,7 +52,7 @@ class WP_Terms_List_Table extends WP_List_Table {
|
|||
$tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter
|
||||
}
|
||||
|
||||
$search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';
|
||||
$search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : '';
|
||||
|
||||
$args = array(
|
||||
'search' => $search,
|
||||
|
@ -61,10 +61,10 @@ class WP_Terms_List_Table extends WP_List_Table {
|
|||
);
|
||||
|
||||
if ( !empty( $_REQUEST['orderby'] ) )
|
||||
$args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
|
||||
$args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) );
|
||||
|
||||
if ( !empty( $_REQUEST['order'] ) )
|
||||
$args['order'] = trim( wp_unslash( $_REQUEST['order'] ) );
|
||||
$args['order'] = trim( stripslashes( $_REQUEST['order'] ) );
|
||||
|
||||
$this->callback_args = $args;
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
|
|||
$search_terms = array();
|
||||
$search_string = '';
|
||||
if ( ! empty( $_REQUEST['s'] ) ){
|
||||
$search_string = strtolower( wp_unslash( $_REQUEST['s'] ) );
|
||||
$search_string = strtolower( stripslashes( $_REQUEST['s'] ) );
|
||||
$search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) );
|
||||
}
|
||||
|
||||
|
@ -59,7 +59,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
|
|||
|
||||
switch ( $tab ) {
|
||||
case 'search':
|
||||
$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
|
||||
$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
|
||||
switch ( $type ) {
|
||||
case 'tag':
|
||||
$args['tag'] = array_map( 'sanitize_key', $search_terms );
|
||||
|
|
|
@ -28,7 +28,7 @@ class WP_Themes_List_Table extends WP_List_Table {
|
|||
$themes = wp_get_themes( array( 'allowed' => true ) );
|
||||
|
||||
if ( ! empty( $_REQUEST['s'] ) )
|
||||
$this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) );
|
||||
$this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) );
|
||||
|
||||
if ( ! empty( $_REQUEST['features'] ) )
|
||||
$this->features = $_REQUEST['features'];
|
||||
|
@ -235,7 +235,7 @@ class WP_Themes_List_Table extends WP_List_Table {
|
|||
* @uses _pagination_args['total_pages']
|
||||
*/
|
||||
function _js_vars( $extra_args = array() ) {
|
||||
$search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
|
||||
$search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
|
||||
|
||||
$args = array(
|
||||
'search' => $search_string,
|
||||
|
|
|
@ -1427,7 +1427,7 @@ class Plugin_Installer_Skin extends WP_Upgrader_Skin {
|
|||
|
||||
$install_actions = array();
|
||||
|
||||
$from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
|
||||
$from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins';
|
||||
|
||||
if ( 'import' == $from )
|
||||
$install_actions['activate_plugin'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&from=import&plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin & Run Importer') . '</a>';
|
||||
|
|
|
@ -241,7 +241,7 @@ class WP_Users_List_Table extends WP_List_Table {
|
|||
// Check if the user for this row is editable
|
||||
if ( current_user_can( 'list_users' ) ) {
|
||||
// Set up the user editing link
|
||||
$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
|
||||
$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
|
||||
|
||||
// Set up the hover actions for this user
|
||||
$actions = array();
|
||||
|
|
|
@ -19,6 +19,9 @@
|
|||
function comment_exists($comment_author, $comment_date) {
|
||||
global $wpdb;
|
||||
|
||||
$comment_author = stripslashes($comment_author);
|
||||
$comment_date = stripslashes($comment_date);
|
||||
|
||||
return $wpdb->get_var( $wpdb->prepare("SELECT comment_post_ID FROM $wpdb->comments
|
||||
WHERE comment_author = %s AND comment_date = %s", $comment_author, $comment_date) );
|
||||
}
|
||||
|
@ -30,40 +33,38 @@ function comment_exists($comment_author, $comment_date) {
|
|||
*/
|
||||
function edit_comment() {
|
||||
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
if ( ! current_user_can( 'edit_comment', (int) $post_data['comment_ID'] ) )
|
||||
if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
|
||||
wp_die ( __( 'You are not allowed to edit comments on this post.' ) );
|
||||
|
||||
$post_data['comment_author'] = $post_data['newcomment_author'];
|
||||
$post_data['comment_author_email'] = $post_data['newcomment_author_email'];
|
||||
$post_data['comment_author_url'] = $post_data['newcomment_author_url'];
|
||||
$post_data['comment_approved'] = $post_data['comment_status'];
|
||||
$post_data['comment_content'] = $post_data['content'];
|
||||
$post_data['comment_ID'] = (int) $post_data['comment_ID'];
|
||||
$_POST['comment_author'] = $_POST['newcomment_author'];
|
||||
$_POST['comment_author_email'] = $_POST['newcomment_author_email'];
|
||||
$_POST['comment_author_url'] = $_POST['newcomment_author_url'];
|
||||
$_POST['comment_approved'] = $_POST['comment_status'];
|
||||
$_POST['comment_content'] = $_POST['content'];
|
||||
$_POST['comment_ID'] = (int) $_POST['comment_ID'];
|
||||
|
||||
foreach ( array ('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit ) {
|
||||
if ( !empty( $post_data['hidden_' . $timeunit] ) && $post_data['hidden_' . $timeunit] != $post_data[$timeunit] ) {
|
||||
if ( !empty( $_POST['hidden_' . $timeunit] ) && $_POST['hidden_' . $timeunit] != $_POST[$timeunit] ) {
|
||||
$_POST['edit_date'] = '1';
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( !empty ( $post_data['edit_date'] ) ) {
|
||||
$aa = $post_data['aa'];
|
||||
$mm = $post_data['mm'];
|
||||
$jj = $post_data['jj'];
|
||||
$hh = $post_data['hh'];
|
||||
$mn = $post_data['mn'];
|
||||
$ss = $post_data['ss'];
|
||||
if ( !empty ( $_POST['edit_date'] ) ) {
|
||||
$aa = $_POST['aa'];
|
||||
$mm = $_POST['mm'];
|
||||
$jj = $_POST['jj'];
|
||||
$hh = $_POST['hh'];
|
||||
$mn = $_POST['mn'];
|
||||
$ss = $_POST['ss'];
|
||||
$jj = ($jj > 31 ) ? 31 : $jj;
|
||||
$hh = ($hh > 23 ) ? $hh -24 : $hh;
|
||||
$mn = ($mn > 59 ) ? $mn -60 : $mn;
|
||||
$ss = ($ss > 59 ) ? $ss -60 : $ss;
|
||||
$post_data['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss";
|
||||
$_POST['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss";
|
||||
}
|
||||
|
||||
wp_update_comment( $post_data );
|
||||
wp_update_comment( $_POST );
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -1093,7 +1093,7 @@ function wp_dashboard_rss_control( $widget_id, $form_inputs = array() ) {
|
|||
$widget_options[$widget_id]['number'] = $number;
|
||||
|
||||
if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) {
|
||||
$_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] );
|
||||
$_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] );
|
||||
$widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] );
|
||||
// title is optional. If black, fill it if possible
|
||||
if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) {
|
||||
|
|
|
@ -472,13 +472,14 @@ class WP_User_Search {
|
|||
function WP_User_Search ($search_term = '', $page = '', $role = '') {
|
||||
_deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
|
||||
|
||||
$this->search_term = $search_term;
|
||||
$this->search_term = stripslashes( $search_term );
|
||||
$this->raw_page = ( '' == $page ) ? false : (int) $page;
|
||||
$this->page = (int) ( '' == $page ) ? 1 : $page;
|
||||
$this->role = $role;
|
||||
|
||||
$this->prepare_query();
|
||||
$this->query();
|
||||
$this->prepare_vars_for_template_usage();
|
||||
$this->do_paging();
|
||||
}
|
||||
|
||||
|
@ -549,7 +550,9 @@ class WP_User_Search {
|
|||
* @since 2.1.0
|
||||
* @access public
|
||||
*/
|
||||
function prepare_vars_for_template_usage() {}
|
||||
function prepare_vars_for_template_usage() {
|
||||
$this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone
|
||||
}
|
||||
|
||||
/**
|
||||
* {@internal Missing Short Description}}
|
||||
|
|
|
@ -901,13 +901,13 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
|
|||
$credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => ''));
|
||||
|
||||
// If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
|
||||
$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
|
||||
$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
|
||||
$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
|
||||
$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']);
|
||||
$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']);
|
||||
$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : '');
|
||||
|
||||
// Check to see if we are setting the public/private keys for ssh
|
||||
$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
|
||||
$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
|
||||
$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : '');
|
||||
$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : '');
|
||||
|
||||
//sanitize the hostname, Some people might pass in odd-data:
|
||||
$credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
|
||||
|
@ -925,7 +925,7 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
|
|||
else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL
|
||||
$credentials['connection_type'] = 'ftps';
|
||||
else if ( !empty($_POST['connection_type']) )
|
||||
$credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
|
||||
$credentials['connection_type'] = stripslashes($_POST['connection_type']);
|
||||
else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP
|
||||
$credentials['connection_type'] = 'ftp';
|
||||
|
||||
|
@ -1050,7 +1050,7 @@ jQuery(function($){
|
|||
<?php
|
||||
foreach ( (array) $extra_fields as $field ) {
|
||||
if ( isset( $_POST[ $field ] ) )
|
||||
echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />';
|
||||
echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( stripslashes( $_POST[ $field ] ) ) . '" />';
|
||||
}
|
||||
submit_button( __( 'Proceed' ), 'button', 'upgrade' );
|
||||
?>
|
||||
|
|
|
@ -454,7 +454,7 @@ function stream_preview_image( $post_id ) {
|
|||
if ( is_wp_error( $img ) )
|
||||
return false;
|
||||
|
||||
$changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash( $_REQUEST['history'] ) ) : null;
|
||||
$changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null;
|
||||
if ( $changes )
|
||||
$img = image_edit_apply_changes( $img, $changes );
|
||||
|
||||
|
@ -533,7 +533,7 @@ function wp_restore_image($post_id) {
|
|||
}
|
||||
}
|
||||
|
||||
if ( !wp_update_attachment_metadata($post_id, $meta) || !wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) {
|
||||
if ( !wp_update_attachment_metadata($post_id, $meta) || !update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) {
|
||||
$msg->error = __('Cannot save image metadata.');
|
||||
return $msg;
|
||||
}
|
||||
|
@ -587,7 +587,7 @@ function wp_save_image( $post_id ) {
|
|||
return $return;
|
||||
}
|
||||
} elseif ( !empty($_REQUEST['history']) ) {
|
||||
$changes = json_decode( wp_unslash( $_REQUEST['history'] ) );
|
||||
$changes = json_decode( stripslashes($_REQUEST['history']) );
|
||||
if ( $changes )
|
||||
$img = image_edit_apply_changes($img, $changes);
|
||||
} else {
|
||||
|
@ -699,7 +699,7 @@ function wp_save_image( $post_id ) {
|
|||
|
||||
if ( $success ) {
|
||||
wp_update_attachment_metadata( $post_id, $meta );
|
||||
wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes);
|
||||
update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes);
|
||||
|
||||
if ( $target == 'thumbnail' || $target == 'all' || $target == 'full' ) {
|
||||
// Check if it's an image edit from attachment edit screen
|
||||
|
|
|
@ -444,8 +444,6 @@ function media_upload_form_handler() {
|
|||
}
|
||||
|
||||
if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) {
|
||||
$attachment = wp_unslash( $attachment );
|
||||
|
||||
$post = $_post = get_post($attachment_id, ARRAY_A);
|
||||
$post_type_object = get_post_type_object( $post[ 'post_type' ] );
|
||||
|
||||
|
@ -470,9 +468,10 @@ function media_upload_form_handler() {
|
|||
|
||||
if ( isset($attachment['image_alt']) ) {
|
||||
$image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);
|
||||
if ( $image_alt != $attachment['image_alt'] ) {
|
||||
$image_alt = wp_strip_all_tags( $attachment['image_alt'], true );
|
||||
wp_update_post_meta( $attachment_id, '_wp_attachment_image_alt', $image_alt );
|
||||
if ( $image_alt != stripslashes($attachment['image_alt']) ) {
|
||||
$image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true );
|
||||
// update_meta expects slashed
|
||||
update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -502,7 +501,7 @@ function media_upload_form_handler() {
|
|||
}
|
||||
|
||||
if ( isset($send_id) ) {
|
||||
$attachment = wp_unslash( $_POST['attachments'][$send_id] );
|
||||
$attachment = stripslashes_deep( $_POST['attachments'][$send_id] );
|
||||
|
||||
$html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : '';
|
||||
if ( !empty($attachment['url']) ) {
|
||||
|
@ -547,7 +546,7 @@ function wp_media_upload_handler() {
|
|||
$src = "http://$src";
|
||||
|
||||
if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) {
|
||||
$title = esc_html( wp_unslash( $_POST['title'] ) );
|
||||
$title = esc_html( stripslashes( $_POST['title'] ) );
|
||||
if ( empty( $title ) )
|
||||
$title = esc_html( basename( $src ) );
|
||||
|
||||
|
@ -562,9 +561,9 @@ function wp_media_upload_handler() {
|
|||
$html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title );
|
||||
} else {
|
||||
$align = '';
|
||||
$alt = esc_attr( wp_unslash( $_POST['alt'] ) );
|
||||
$alt = esc_attr( stripslashes( $_POST['alt'] ) );
|
||||
if ( isset($_POST['align']) ) {
|
||||
$align = esc_attr( wp_unslash( $_POST['align'] ) );
|
||||
$align = esc_attr( stripslashes( $_POST['align'] ) );
|
||||
$class = " class='align$align'";
|
||||
}
|
||||
if ( !empty($src) )
|
||||
|
|
|
@ -220,7 +220,7 @@ add_action( 'update_option_page_on_front', 'update_home_siteurl', 10, 2 );
|
|||
* @return string
|
||||
*/
|
||||
function url_shorten( $url ) {
|
||||
$short_url = str_replace( 'http://', '', $url );
|
||||
$short_url = str_replace( 'http://', '', stripslashes( $url ));
|
||||
$short_url = str_replace( 'www.', '', $short_url );
|
||||
$short_url = untrailingslashit( $short_url );
|
||||
if ( strlen( $short_url ) > 35 )
|
||||
|
@ -248,9 +248,9 @@ function wp_reset_vars( $vars ) {
|
|||
if ( empty( $_GET[$var] ) )
|
||||
$$var = '';
|
||||
else
|
||||
$$var = wp_unslash( $_GET[$var] );
|
||||
$$var = $_GET[$var];
|
||||
} else {
|
||||
$$var = wp_unslash( $_POST[$var] );
|
||||
$$var = $_POST[$var];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -323,8 +323,8 @@ function set_screen_options() {
|
|||
|
||||
if ( !$user = wp_get_current_user() )
|
||||
return;
|
||||
$option = wp_unslash( $_POST['wp_screen_options']['option'] );
|
||||
$value = wp_unslash( $_POST['wp_screen_options']['value'] );
|
||||
$option = $_POST['wp_screen_options']['option'];
|
||||
$value = $_POST['wp_screen_options']['value'];
|
||||
|
||||
if ( $option != sanitize_key( $option ) )
|
||||
return;
|
||||
|
|
|
@ -116,8 +116,8 @@ add_action('install_plugins_dashboard', 'install_dashboard');
|
|||
* @since 2.7.0
|
||||
*/
|
||||
function install_search_form( $type_selector = true ) {
|
||||
$type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term';
|
||||
$term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : '';
|
||||
$type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term';
|
||||
$term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : '';
|
||||
|
||||
?><form id="search-plugins" method="get" action="">
|
||||
<input type="hidden" name="tab" value="search" />
|
||||
|
@ -160,7 +160,7 @@ add_action('install_plugins_upload', 'install_plugins_upload', 10, 1);
|
|||
*
|
||||
*/
|
||||
function install_plugins_favorites_form() {
|
||||
$user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
|
||||
$user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
|
||||
?>
|
||||
<p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p>
|
||||
<form method="get" action="">
|
||||
|
@ -251,7 +251,7 @@ function install_plugin_install_status($api, $loop = false) {
|
|||
}
|
||||
}
|
||||
if ( isset($_GET['from']) )
|
||||
$url .= '&from=' . urlencode( wp_unslash( $_GET['from'] ) );
|
||||
$url .= '&from=' . urlencode(stripslashes($_GET['from']));
|
||||
|
||||
return compact('status', 'url', 'version');
|
||||
}
|
||||
|
@ -264,7 +264,7 @@ function install_plugin_install_status($api, $loop = false) {
|
|||
function install_plugin_information() {
|
||||
global $tab;
|
||||
|
||||
$api = plugins_api('plugin_information', array('slug' => wp_unslash( $_REQUEST['plugin'] ) ));
|
||||
$api = plugins_api('plugin_information', array('slug' => stripslashes( $_REQUEST['plugin'] ) ));
|
||||
|
||||
if ( is_wp_error($api) )
|
||||
wp_die($api);
|
||||
|
@ -295,7 +295,7 @@ function install_plugin_information() {
|
|||
$api->$key = wp_kses( $api->$key, $plugins_allowedtags );
|
||||
}
|
||||
|
||||
$section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
|
||||
$section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
|
||||
if ( empty($section) || ! isset($api->sections[ $section ]) )
|
||||
$section = array_shift( $section_titles = array_keys((array)$api->sections) );
|
||||
|
||||
|
|
|
@ -149,8 +149,8 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
|
|||
*/
|
||||
function edit_post( $post_data = null ) {
|
||||
|
||||
if ( empty( $post_data ) )
|
||||
$post_data = wp_unslash( $_POST );
|
||||
if ( empty($post_data) )
|
||||
$post_data = &$_POST;
|
||||
|
||||
// Clear out any data in internal vars.
|
||||
unset( $post_data['filter'] );
|
||||
|
@ -236,9 +236,10 @@ function edit_post( $post_data = null ) {
|
|||
if ( 'attachment' == $post_data['post_type'] ) {
|
||||
if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) {
|
||||
$image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true );
|
||||
if ( $image_alt != $post_data['_wp_attachment_image_alt'] ) {
|
||||
$image_alt = wp_strip_all_tags( $post_data['_wp_attachment_image_alt'], true );
|
||||
wp_update_post_meta( $post_ID, '_wp_attachment_image_alt', $image_alt );
|
||||
if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) {
|
||||
$image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true );
|
||||
// update_meta expects slashed
|
||||
update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -248,7 +249,7 @@ function edit_post( $post_data = null ) {
|
|||
|
||||
add_meta( $post_ID );
|
||||
|
||||
wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
|
||||
update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
|
||||
|
||||
wp_update_post( $post_data );
|
||||
|
||||
|
@ -429,15 +430,15 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false )
|
|||
|
||||
$post_title = '';
|
||||
if ( !empty( $_REQUEST['post_title'] ) )
|
||||
$post_title = esc_html( wp_unslash( $_REQUEST['post_title'] ));
|
||||
$post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
|
||||
|
||||
$post_content = '';
|
||||
if ( !empty( $_REQUEST['content'] ) )
|
||||
$post_content = esc_html( wp_unslash( $_REQUEST['content'] ));
|
||||
$post_content = esc_html( stripslashes( $_REQUEST['content'] ));
|
||||
|
||||
$post_excerpt = '';
|
||||
if ( !empty( $_REQUEST['excerpt'] ) )
|
||||
$post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] ));
|
||||
$post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
|
||||
|
||||
if ( $create_in_db ) {
|
||||
$post_id = wp_insert_post( array( 'post_title' => __( 'Auto Draft' ), 'post_type' => $post_type, 'post_status' => 'auto-draft' ) );
|
||||
|
@ -486,9 +487,9 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false )
|
|||
function post_exists($title, $content = '', $date = '') {
|
||||
global $wpdb;
|
||||
|
||||
$post_title = sanitize_post_field( 'post_title', $title, 0, 'db' );
|
||||
$post_content = sanitize_post_field( 'post_content', $content, 0, 'db' );
|
||||
$post_date = sanitize_post_field( 'post_date', $date, 0, 'db' );
|
||||
$post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
|
||||
$post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
|
||||
$post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
|
||||
|
||||
$query = "SELECT ID FROM $wpdb->posts WHERE 1=1";
|
||||
$args = array();
|
||||
|
@ -566,7 +567,7 @@ function wp_write_post() {
|
|||
}
|
||||
|
||||
// Create the post.
|
||||
$post_ID = wp_insert_post( wp_unslash( $_POST ) );
|
||||
$post_ID = wp_insert_post( $_POST );
|
||||
if ( is_wp_error( $post_ID ) )
|
||||
return $post_ID;
|
||||
|
||||
|
@ -575,7 +576,7 @@ function wp_write_post() {
|
|||
|
||||
add_meta( $post_ID );
|
||||
|
||||
wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
|
||||
add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
|
||||
|
||||
// Now that we have an ID we can fix any attachment anchor hrefs
|
||||
_fix_attachment_links( $post_ID );
|
||||
|
@ -619,9 +620,9 @@ function add_meta( $post_ID ) {
|
|||
global $wpdb;
|
||||
$post_ID = (int) $post_ID;
|
||||
|
||||
$metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : '';
|
||||
$metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : '';
|
||||
$metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : '';
|
||||
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
|
||||
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
|
||||
$metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
|
||||
if ( is_string( $metavalue ) )
|
||||
$metavalue = trim( $metavalue );
|
||||
|
||||
|
@ -638,7 +639,9 @@ function add_meta( $post_ID ) {
|
|||
if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
|
||||
return false;
|
||||
|
||||
return wp_add_post_meta( $post_ID, $metakey, $metavalue );
|
||||
$metakey = esc_sql( $metakey );
|
||||
|
||||
return add_post_meta( $post_ID, $metakey, $metavalue );
|
||||
}
|
||||
|
||||
return false;
|
||||
|
@ -711,11 +714,14 @@ function has_meta( $postid ) {
|
|||
* @since 1.2.0
|
||||
*
|
||||
* @param unknown_type $meta_id
|
||||
* @param unknown_type $meta_key
|
||||
* @param unknown_type $meta_value
|
||||
* @param unknown_type $meta_key Expect Slashed
|
||||
* @param unknown_type $meta_value Expect Slashed
|
||||
* @return unknown
|
||||
*/
|
||||
function update_meta( $meta_id, $meta_key, $meta_value ) {
|
||||
$meta_key = stripslashes( $meta_key );
|
||||
$meta_value = stripslashes_deep( $meta_value );
|
||||
|
||||
return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key );
|
||||
}
|
||||
|
||||
|
@ -769,6 +775,8 @@ function _fix_attachment_links( $post_ID ) {
|
|||
|
||||
if ( $replace ) {
|
||||
$post['post_content'] = $content;
|
||||
// Escape data pulled from DB.
|
||||
$post = add_magic_quotes($post);
|
||||
|
||||
return wp_update_post($post);
|
||||
}
|
||||
|
@ -1179,7 +1187,7 @@ function wp_set_post_lock( $post_id ) {
|
|||
$now = time();
|
||||
$lock = "$now:$user_id";
|
||||
|
||||
wp_update_post_meta( $post->ID, '_edit_lock', $lock );
|
||||
update_post_meta( $post->ID, '_edit_lock', $lock );
|
||||
return array( $now, $user_id );
|
||||
}
|
||||
|
||||
|
@ -1230,14 +1238,14 @@ function wp_create_post_autosave( $post_id ) {
|
|||
|
||||
// Only store one autosave. If there is already an autosave, overwrite it.
|
||||
if ( $old_autosave = wp_get_post_autosave( $post_id ) ) {
|
||||
$new_autosave = _wp_post_revision_fields( wp_unslash( $_POST ), true );
|
||||
$new_autosave = _wp_post_revision_fields( $_POST, true );
|
||||
$new_autosave['ID'] = $old_autosave->ID;
|
||||
$new_autosave['post_author'] = get_current_user_id();
|
||||
return wp_update_post( $new_autosave );
|
||||
}
|
||||
|
||||
// _wp_put_post_revision() expects unescaped.
|
||||
$_POST = wp_unslash( $_POST );
|
||||
$_POST = stripslashes_deep($_POST);
|
||||
|
||||
// Otherwise create the new autosave as a special post revision
|
||||
return _wp_put_post_revision( $_POST, true );
|
||||
|
|
|
@ -505,11 +505,13 @@ function populate_options() {
|
|||
else
|
||||
$autoload = 'yes';
|
||||
|
||||
$option = $wpdb->escape($option);
|
||||
if ( is_array($value) )
|
||||
$value = serialize($value);
|
||||
$value = $wpdb->escape($value);
|
||||
if ( !empty($insert) )
|
||||
$insert .= ', ';
|
||||
$insert .= $wpdb->prepare( "(%s, %s, %s)", $option, $value, $autoload );
|
||||
$insert .= "('$option', '$value', '$autoload')";
|
||||
}
|
||||
|
||||
if ( !empty($insert) )
|
||||
|
@ -919,11 +921,13 @@ We hope you enjoy your new site. Thanks!
|
|||
|
||||
$insert = '';
|
||||
foreach ( $sitemeta as $meta_key => $meta_value ) {
|
||||
$meta_key = $wpdb->escape( $meta_key );
|
||||
if ( is_array( $meta_value ) )
|
||||
$meta_value = serialize( $meta_value );
|
||||
$meta_value = $wpdb->escape( $meta_value );
|
||||
if ( !empty( $insert ) )
|
||||
$insert .= ', ';
|
||||
$insert .= $wpdb->prepare( "( %d, %s, %s)", $network_id, $meta_key, $meta_value );
|
||||
$insert .= "( $network_id, '$meta_key', '$meta_value')";
|
||||
}
|
||||
$wpdb->query( "INSERT INTO $wpdb->sitemeta ( site_id, meta_key, meta_value ) VALUES " . $insert );
|
||||
|
||||
|
|
|
@ -157,6 +157,9 @@ function wp_update_category($catarr) {
|
|||
// First, get all of the original fields
|
||||
$category = get_category($cat_ID, ARRAY_A);
|
||||
|
||||
// Escape data pulled from DB.
|
||||
$category = add_magic_quotes($category);
|
||||
|
||||
// Merge old and new fields with new fields overwriting old ones.
|
||||
$catarr = array_merge($category, $catarr);
|
||||
|
||||
|
|
|
@ -1333,7 +1333,7 @@ function _draft_or_post_title( $post = 0 ) {
|
|||
*
|
||||
*/
|
||||
function _admin_search_query() {
|
||||
echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
|
||||
echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -50,8 +50,8 @@ function install_themes_feature_list() {
|
|||
* @since 2.8.0
|
||||
*/
|
||||
function install_theme_search_form( $type_selector = true ) {
|
||||
$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
|
||||
$term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
|
||||
$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
|
||||
$term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
|
||||
if ( ! $type_selector )
|
||||
echo '<p class="install-help">' . __( 'Search for themes by keyword.' ) . '</p>';
|
||||
?>
|
||||
|
@ -179,7 +179,7 @@ add_action('install_themes_updated', 'display_themes');
|
|||
function install_theme_information() {
|
||||
global $tab, $themes_allowedtags, $wp_list_table;
|
||||
|
||||
$theme = themes_api( 'theme_information', array( 'slug' => wp_unslash( $_REQUEST['theme'] ) ) );
|
||||
$theme = themes_api( 'theme_information', array( 'slug' => stripslashes( $_REQUEST['theme'] ) ) );
|
||||
|
||||
if ( is_wp_error( $theme ) )
|
||||
wp_die( $theme );
|
||||
|
|
|
@ -132,7 +132,7 @@ function wp_install_defaults($user_id) {
|
|||
$first_post = get_site_option( 'first_post' );
|
||||
|
||||
if ( empty($first_post) )
|
||||
$first_post = __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' );
|
||||
$first_post = stripslashes( __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' ) );
|
||||
|
||||
$first_post = str_replace( "SITE_URL", esc_url( network_home_url() ), $first_post );
|
||||
$first_post = str_replace( "SITE_NAME", $current_site->site_name, $first_post );
|
||||
|
@ -636,23 +636,23 @@ function upgrade_160() {
|
|||
$users = $wpdb->get_results("SELECT * FROM $wpdb->users");
|
||||
foreach ( $users as $user ) :
|
||||
if ( !empty( $user->user_firstname ) )
|
||||
update_user_meta( $user->ID, 'first_name', $user->user_firstname );
|
||||
update_user_meta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) );
|
||||
if ( !empty( $user->user_lastname ) )
|
||||
update_user_meta( $user->ID, 'last_name', $user->user_lastname );
|
||||
update_user_meta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) );
|
||||
if ( !empty( $user->user_nickname ) )
|
||||
update_user_meta( $user->ID, 'nickname', $user->user_nickname );
|
||||
update_user_meta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) );
|
||||
if ( !empty( $user->user_level ) )
|
||||
update_user_meta( $user->ID, $wpdb->prefix . 'user_level', $user->user_level );
|
||||
if ( !empty( $user->user_icq ) )
|
||||
update_user_meta( $user->ID, 'icq', $user->user_icq );
|
||||
update_user_meta( $user->ID, 'icq', $wpdb->escape($user->user_icq) );
|
||||
if ( !empty( $user->user_aim ) )
|
||||
update_user_meta( $user->ID, 'aim', $user->user_aim );
|
||||
update_user_meta( $user->ID, 'aim', $wpdb->escape($user->user_aim) );
|
||||
if ( !empty( $user->user_msn ) )
|
||||
update_user_meta( $user->ID, 'msn', $user->user_msn );
|
||||
update_user_meta( $user->ID, 'msn', $wpdb->escape($user->user_msn) );
|
||||
if ( !empty( $user->user_yim ) )
|
||||
update_user_meta( $user->ID, 'yim', $user->user_icq );
|
||||
update_user_meta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );
|
||||
if ( !empty( $user->user_description ) )
|
||||
update_user_meta( $user->ID, 'description', $user->user_description );
|
||||
update_user_meta( $user->ID, 'description', $wpdb->escape($user->user_description) );
|
||||
|
||||
if ( isset( $user->user_idmode ) ):
|
||||
$idmode = $user->user_idmode;
|
||||
|
@ -854,7 +854,7 @@ function upgrade_230() {
|
|||
foreach ( $link_cats as $category) {
|
||||
$cat_id = (int) $category->cat_id;
|
||||
$term_id = 0;
|
||||
$name = $category->cat_name;
|
||||
$name = $wpdb->escape($category->cat_name);
|
||||
$slug = sanitize_title($name);
|
||||
$term_group = 0;
|
||||
|
||||
|
|
|
@ -34,25 +34,22 @@ function edit_user( $user_id = 0 ) {
|
|||
$update = true;
|
||||
$user->ID = (int) $user_id;
|
||||
$userdata = get_userdata( $user_id );
|
||||
$user->user_login = $userdata->user_login;
|
||||
$user->user_login = $wpdb->escape( $userdata->user_login );
|
||||
} else {
|
||||
$update = false;
|
||||
}
|
||||
|
||||
// get clean data before we get started.
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
if ( !$update && isset( $post_data['user_login'] ) )
|
||||
$user->user_login = sanitize_user($post_data['user_login'], true);
|
||||
if ( !$update && isset( $_POST['user_login'] ) )
|
||||
$user->user_login = sanitize_user($_POST['user_login'], true);
|
||||
|
||||
$pass1 = $pass2 = '';
|
||||
if ( isset( $post_data['pass1'] ))
|
||||
$pass1 = $post_data['pass1'];
|
||||
if ( isset( $post_data['pass2'] ))
|
||||
$pass2 = $post_data['pass2'];
|
||||
if ( isset( $_POST['pass1'] ))
|
||||
$pass1 = $_POST['pass1'];
|
||||
if ( isset( $_POST['pass2'] ))
|
||||
$pass2 = $_POST['pass2'];
|
||||
|
||||
if ( isset( $post_data['role'] ) && current_user_can( 'edit_users' ) ) {
|
||||
$new_role = sanitize_text_field( $post_data['role'] );
|
||||
if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
|
||||
$new_role = sanitize_text_field( $_POST['role'] );
|
||||
$potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
|
||||
// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
|
||||
// Multisite super admins can freely edit their blog roles -- they possess all caps.
|
||||
|
@ -65,44 +62,44 @@ function edit_user( $user_id = 0 ) {
|
|||
wp_die(__('You can’t give users that role.'));
|
||||
}
|
||||
|
||||
if ( isset( $post_data['email'] ))
|
||||
$user->user_email = sanitize_text_field( $post_data['email'] );
|
||||
if ( isset( $post_data['url'] ) ) {
|
||||
if ( empty ( $post_data['url'] ) || $post_data['url'] == 'http://' ) {
|
||||
if ( isset( $_POST['email'] ))
|
||||
$user->user_email = sanitize_text_field( $_POST['email'] );
|
||||
if ( isset( $_POST['url'] ) ) {
|
||||
if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
|
||||
$user->user_url = '';
|
||||
} else {
|
||||
$user->user_url = esc_url_raw( $post_data['url'] );
|
||||
$user->user_url = esc_url_raw( $_POST['url'] );
|
||||
$protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) );
|
||||
$user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
|
||||
}
|
||||
}
|
||||
if ( isset( $post_data['first_name'] ) )
|
||||
$user->first_name = sanitize_text_field( $post_data['first_name'] );
|
||||
if ( isset( $post_data['last_name'] ) )
|
||||
$user->last_name = sanitize_text_field( $post_data['last_name'] );
|
||||
if ( isset( $post_data['nickname'] ) )
|
||||
$user->nickname = sanitize_text_field( $post_data['nickname'] );
|
||||
if ( isset( $post_data['display_name'] ) )
|
||||
$user->display_name = sanitize_text_field( $post_data['display_name'] );
|
||||
if ( isset( $_POST['first_name'] ) )
|
||||
$user->first_name = sanitize_text_field( $_POST['first_name'] );
|
||||
if ( isset( $_POST['last_name'] ) )
|
||||
$user->last_name = sanitize_text_field( $_POST['last_name'] );
|
||||
if ( isset( $_POST['nickname'] ) )
|
||||
$user->nickname = sanitize_text_field( $_POST['nickname'] );
|
||||
if ( isset( $_POST['display_name'] ) )
|
||||
$user->display_name = sanitize_text_field( $_POST['display_name'] );
|
||||
|
||||
if ( isset( $post_data['description'] ) )
|
||||
$user->description = trim( $post_data['description'] );
|
||||
if ( isset( $_POST['description'] ) )
|
||||
$user->description = trim( $_POST['description'] );
|
||||
|
||||
foreach ( _wp_get_user_contactmethods( $user ) as $method => $name ) {
|
||||
if ( isset( $post_data[$method] ))
|
||||
$user->$method = sanitize_text_field( $post_data[$method] );
|
||||
if ( isset( $_POST[$method] ))
|
||||
$user->$method = sanitize_text_field( $_POST[$method] );
|
||||
}
|
||||
|
||||
if ( $update ) {
|
||||
$user->rich_editing = isset( $post_data['rich_editing'] ) && 'false' == $post_data['rich_editing'] ? 'false' : 'true';
|
||||
$user->admin_color = isset( $post_data['admin_color'] ) ? sanitize_text_field( $post_data['admin_color'] ) : 'fresh';
|
||||
$user->show_admin_bar_front = isset( $post_data['admin_bar_front'] ) ? 'true' : 'false';
|
||||
$user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
|
||||
$user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh';
|
||||
$user->show_admin_bar_front = isset( $_POST['admin_bar_front'] ) ? 'true' : 'false';
|
||||
}
|
||||
|
||||
$user->comment_shortcuts = isset( $post_data['comment_shortcuts'] ) && 'true' == $post_data['comment_shortcuts'] ? 'true' : '';
|
||||
$user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
|
||||
|
||||
$user->use_ssl = 0;
|
||||
if ( !empty($post_data['use_ssl']) )
|
||||
if ( !empty($_POST['use_ssl']) )
|
||||
$user->use_ssl = 1;
|
||||
|
||||
$errors = new WP_Error();
|
||||
|
@ -127,7 +124,7 @@ function edit_user( $user_id = 0 ) {
|
|||
}
|
||||
|
||||
/* Check for "\" in password */
|
||||
if ( false !== strpos( $pass1, "\\" ) )
|
||||
if ( false !== strpos( stripslashes($pass1), "\\" ) )
|
||||
$errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
|
||||
|
||||
/* checking the password has been typed twice the same */
|
||||
|
@ -137,7 +134,7 @@ function edit_user( $user_id = 0 ) {
|
|||
if ( !empty( $pass1 ) )
|
||||
$user->user_pass = $pass1;
|
||||
|
||||
if ( !$update && isset( $post_data['user_login'] ) && !validate_username( $post_data['user_login'] ) )
|
||||
if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )
|
||||
$errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
|
||||
|
||||
if ( !$update && username_exists( $user->user_login ) )
|
||||
|
@ -162,7 +159,7 @@ function edit_user( $user_id = 0 ) {
|
|||
$user_id = wp_update_user( $user );
|
||||
} else {
|
||||
$user_id = wp_insert_user( $user );
|
||||
wp_new_user_notification( $user_id, isset($post_data['send_password']) ? $pass1 : '' );
|
||||
wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' );
|
||||
}
|
||||
return $user_id;
|
||||
}
|
||||
|
|
|
@ -84,10 +84,10 @@ function display_setup_form( $error = null ) {
|
|||
if ( ! empty( $_POST ) )
|
||||
$blog_public = isset( $_POST['blog_public'] );
|
||||
|
||||
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
|
||||
$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
|
||||
$admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
|
||||
$admin_email = isset( $_POST['admin_email'] ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : '';
|
||||
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
|
||||
$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
|
||||
$admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
|
||||
$admin_email = isset( $_POST['admin_email'] ) ? trim( stripslashes( $_POST['admin_email'] ) ) : '';
|
||||
|
||||
if ( ! is_null( $error ) ) {
|
||||
?>
|
||||
|
@ -189,11 +189,11 @@ switch($step) {
|
|||
|
||||
display_header();
|
||||
// Fill in the data we gathered
|
||||
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
|
||||
$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
|
||||
$admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : '';
|
||||
$admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : '';
|
||||
$admin_email = isset( $_POST['admin_email'] ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : '';
|
||||
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
|
||||
$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
|
||||
$admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
|
||||
$admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
|
||||
$admin_email = isset( $_POST['admin_email'] ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
|
||||
$public = isset( $_POST['blog_public'] ) ? (int) $_POST['blog_public'] : 0;
|
||||
// check e-mail address
|
||||
$error = false;
|
||||
|
|
|
@ -31,7 +31,7 @@ if ( $doaction && isset( $_REQUEST['linkcheck'] ) ) {
|
|||
exit;
|
||||
}
|
||||
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
|
||||
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
|
||||
exit;
|
||||
}
|
||||
|
||||
|
@ -72,7 +72,7 @@ if ( ! current_user_can('manage_links') )
|
|||
<?php screen_icon(); ?>
|
||||
<h2><?php echo esc_html( $title ); ?> <a href="link-add.php" class="add-new-h2"><?php echo esc_html_x('Add New', 'link'); ?></a> <?php
|
||||
if ( !empty($_REQUEST['s']) )
|
||||
printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
|
||||
printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
|
||||
</h2>
|
||||
|
||||
<?php
|
||||
|
|
|
@ -93,7 +93,7 @@ switch ( $action ) {
|
|||
if ( ! is_wp_error( $parent_object ) ) {
|
||||
$parent_data = (array) $parent_object;
|
||||
$menu_item_data['menu_item_parent'] = $parent_data['menu_item_parent'];
|
||||
wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
|
||||
}
|
||||
|
||||
|
@ -103,7 +103,7 @@ switch ( $action ) {
|
|||
$menu_item_data['menu_order'] = $menu_item_data['menu_order'] + 1;
|
||||
|
||||
$menu_item_data['menu_item_parent'] = $next_item_data['ID'];
|
||||
wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
|
||||
wp_update_post($menu_item_data);
|
||||
wp_update_post($next_item_data);
|
||||
|
@ -115,7 +115,7 @@ switch ( $action ) {
|
|||
in_array( $menu_item_data['menu_item_parent'], $orders_to_dbids )
|
||||
) {
|
||||
$menu_item_data['menu_item_parent'] = (int) get_post_meta( $menu_item_data['menu_item_parent'], '_menu_item_menu_item_parent', true);
|
||||
wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -190,7 +190,7 @@ switch ( $action ) {
|
|||
$menu_item_data['menu_order'] = $menu_item_data['menu_order'] - 1;
|
||||
|
||||
// save changes
|
||||
wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
wp_update_post($menu_item_data);
|
||||
wp_update_post($parent_data);
|
||||
}
|
||||
|
@ -205,7 +205,7 @@ switch ( $action ) {
|
|||
) {
|
||||
// just make it a child of the previous; keep the order
|
||||
$menu_item_data['menu_item_parent'] = (int) $orders_to_dbids[$dbids_to_orders[$menu_item_id] - 1];
|
||||
wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
|
||||
wp_update_post($menu_item_data);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -520,7 +520,7 @@ if ( $_POST ) {
|
|||
$base = parse_url( trailingslashit( get_option( 'home' ) ), PHP_URL_PATH );
|
||||
$subdomain_install = allow_subdomain_install() ? !empty( $_POST['subdomain_install'] ) : false;
|
||||
if ( ! network_domain_check() ) {
|
||||
$result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), wp_unslash( $_POST['sitename'] ), $base, $subdomain_install );
|
||||
$result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), stripslashes( $_POST['sitename'] ), $base, $subdomain_install );
|
||||
if ( is_wp_error( $result ) ) {
|
||||
if ( 1 == count( $result->get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() )
|
||||
network_step2( $result );
|
||||
|
|
|
@ -61,7 +61,7 @@ if ( $_POST ) {
|
|||
foreach ( $options as $option_name ) {
|
||||
if ( ! isset($_POST[$option_name]) )
|
||||
continue;
|
||||
$value = wp_unslash( $_POST[$option_name] );
|
||||
$value = stripslashes_deep( $_POST[$option_name] );
|
||||
update_site_option( $option_name, $value );
|
||||
}
|
||||
|
||||
|
@ -181,7 +181,7 @@ if ( isset( $_GET['updated'] ) ) {
|
|||
<th scope="row"><label for="welcome_email"><?php _e( 'Welcome Email' ) ?></label></th>
|
||||
<td>
|
||||
<textarea name="welcome_email" id="welcome_email" rows="5" cols="45" class="large-text">
|
||||
<?php echo esc_textarea( get_site_option( 'welcome_email' ) ) ?></textarea>
|
||||
<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
|
||||
<br />
|
||||
<?php _e( 'The welcome email sent to new site owners.' ) ?>
|
||||
</td>
|
||||
|
@ -190,7 +190,7 @@ if ( isset( $_GET['updated'] ) ) {
|
|||
<th scope="row"><label for="welcome_user_email"><?php _e( 'Welcome User Email' ) ?></label></th>
|
||||
<td>
|
||||
<textarea name="welcome_user_email" id="welcome_user_email" rows="5" cols="45" class="large-text">
|
||||
<?php echo esc_textarea( get_site_option( 'welcome_user_email' ) ) ?></textarea>
|
||||
<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
|
||||
<br />
|
||||
<?php _e( 'The welcome email sent to new users.' ) ?>
|
||||
</td>
|
||||
|
@ -199,7 +199,7 @@ if ( isset( $_GET['updated'] ) ) {
|
|||
<th scope="row"><label for="first_post"><?php _e( 'First Post' ) ?></label></th>
|
||||
<td>
|
||||
<textarea name="first_post" id="first_post" rows="5" cols="45" class="large-text">
|
||||
<?php echo esc_textarea( get_site_option( 'first_post' ) ) ?></textarea>
|
||||
<?php echo esc_textarea( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
|
||||
<br />
|
||||
<?php _e( 'The first post on a new site.' ) ?>
|
||||
</td>
|
||||
|
@ -208,7 +208,7 @@ if ( isset( $_GET['updated'] ) ) {
|
|||
<th scope="row"><label for="first_page"><?php _e( 'First Page' ) ?></label></th>
|
||||
<td>
|
||||
<textarea name="first_page" id="first_page" rows="5" cols="45" class="large-text">
|
||||
<?php echo esc_textarea( get_site_option( 'first_page' ) ) ?></textarea>
|
||||
<?php echo esc_textarea( stripslashes( get_site_option('first_page') ) ) ?></textarea>
|
||||
<br />
|
||||
<?php _e( 'The first page on a new site.' ) ?>
|
||||
</td>
|
||||
|
@ -217,7 +217,7 @@ if ( isset( $_GET['updated'] ) ) {
|
|||
<th scope="row"><label for="first_comment"><?php _e( 'First Comment' ) ?></label></th>
|
||||
<td>
|
||||
<textarea name="first_comment" id="first_comment" rows="5" cols="45" class="large-text">
|
||||
<?php echo esc_textarea( get_site_option( 'first_comment' ) ) ?></textarea>
|
||||
<?php echo esc_textarea( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
|
||||
<br />
|
||||
<?php _e( 'The first comment on a new site.' ) ?>
|
||||
</td>
|
||||
|
|
|
@ -62,7 +62,7 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] ) {
|
|||
delete_option( 'rewrite_rules' );
|
||||
|
||||
// update blogs table
|
||||
$blog_data = wp_unslash( $_POST['blog'] );
|
||||
$blog_data = stripslashes_deep( $_POST['blog'] );
|
||||
$existing_details = get_blog_details( $id, false );
|
||||
$blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' );
|
||||
foreach ( $blog_data_checkboxes as $c ) {
|
||||
|
|
|
@ -38,7 +38,7 @@ if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) {
|
|||
|
||||
if ( ! is_array( $_POST['blog'] ) )
|
||||
wp_die( __( 'Can’t create an empty site.' ) );
|
||||
$blog = wp_unslash( $_POST['blog'] );
|
||||
$blog = $_POST['blog'];
|
||||
$domain = '';
|
||||
if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) )
|
||||
$domain = strtolower( $blog['domain'] );
|
||||
|
@ -88,7 +88,7 @@ if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) {
|
|||
$content_mail = sprintf( __( 'New site created by %1$s
|
||||
|
||||
Address: %2$s
|
||||
Name: %3$s' ), $current_user->user_login , get_site_url( $id ), $title );
|
||||
Name: %3$s' ), $current_user->user_login , get_site_url( $id ), stripslashes( $title ) );
|
||||
wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site->site_name ), $content_mail, 'From: "Site Admin" <' . get_site_option( 'admin_email' ) . '>' );
|
||||
wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) );
|
||||
wp_redirect( add_query_arg( array( 'update' => 'added', 'id' => $id ), 'site-new.php' ) );
|
||||
|
|
|
@ -53,14 +53,12 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_ar
|
|||
$count = count( $_POST['option'] );
|
||||
$skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form.
|
||||
foreach ( (array) $_POST['option'] as $key => $val ) {
|
||||
$key = wp_unslash( $key );
|
||||
$val = wp_unslash( $val );
|
||||
if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) )
|
||||
continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options
|
||||
if ( $c == $count )
|
||||
update_option( $key, $val );
|
||||
update_option( $key, stripslashes( $val ) );
|
||||
else
|
||||
update_option( $key, $val, false ); // no need to refresh blog details yet
|
||||
update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet
|
||||
$c++;
|
||||
}
|
||||
|
||||
|
|
|
@ -79,7 +79,7 @@ if ( isset( $_GET['action'] ) ) {
|
|||
<input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>" />
|
||||
<input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
|
||||
<?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?>
|
||||
<p><?php echo esc_html( wp_unslash( $_GET['msg'] ) ); ?></p>
|
||||
<p><?php echo esc_html( stripslashes( $_GET['msg'] ) ); ?></p>
|
||||
<?php submit_button( __('Confirm'), 'button' ); ?>
|
||||
</form>
|
||||
</body>
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
/**
|
||||
* WordPress Options Header.
|
||||
*
|
||||
* Displays updated message, if updated variable is part of the URL query.
|
||||
* Resets variables: 'action', 'standalone', and 'option_group_id'. Displays
|
||||
* updated message, if updated variable is part of the URL query.
|
||||
*
|
||||
* @package WordPress
|
||||
* @subpackage Administration
|
||||
|
|
|
@ -120,16 +120,16 @@ if ( 'update' == $action ) {
|
|||
if ( 'options' == $option_page ) {
|
||||
if ( is_multisite() && ! is_super_admin() )
|
||||
wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) );
|
||||
$options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) );
|
||||
$options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) );
|
||||
} else {
|
||||
$options = $whitelist_options[ $option_page ];
|
||||
}
|
||||
|
||||
// Handle custom date/time formats
|
||||
if ( 'general' == $option_page ) {
|
||||
if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) )
|
||||
if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) )
|
||||
$_POST['date_format'] = $_POST['date_format_custom'];
|
||||
if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) )
|
||||
if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) )
|
||||
$_POST['time_format'] = $_POST['time_format_custom'];
|
||||
// Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
|
||||
if ( !empty($_POST['timezone_string']) && preg_match('/^UTC[+-]/', $_POST['timezone_string']) ) {
|
||||
|
@ -150,7 +150,7 @@ if ( 'update' == $action ) {
|
|||
$value = $_POST[ $option ];
|
||||
if ( ! is_array( $value ) )
|
||||
$value = trim( $value );
|
||||
$value = wp_unslash( $value );
|
||||
$value = stripslashes_deep( $value );
|
||||
}
|
||||
update_option( $option, $value );
|
||||
}
|
||||
|
|
|
@ -28,7 +28,7 @@ if ( empty($plugins) )
|
|||
wp_die( __('There are no plugins installed on this site.') );
|
||||
|
||||
if ( isset($_REQUEST['file']) )
|
||||
$plugin = wp_unslash($_REQUEST['file']);
|
||||
$plugin = stripslashes($_REQUEST['file']);
|
||||
|
||||
if ( empty($plugin) ) {
|
||||
$plugin = array_keys($plugins);
|
||||
|
@ -39,6 +39,8 @@ $plugin_files = get_plugin_files($plugin);
|
|||
|
||||
if ( empty($file) )
|
||||
$file = $plugin_files[0];
|
||||
else
|
||||
$file = stripslashes($file);
|
||||
|
||||
$file = validate_file_to_edit($file, $plugin_files);
|
||||
$real_file = WP_PLUGIN_DIR . '/' . $file;
|
||||
|
@ -50,7 +52,7 @@ case 'update':
|
|||
|
||||
check_admin_referer('edit-plugin_' . $file);
|
||||
|
||||
$newcontent = wp_unslash( $_POST['newcontent'] );
|
||||
$newcontent = stripslashes($_POST['newcontent']);
|
||||
if ( is_writeable($real_file) ) {
|
||||
$f = fopen($real_file, 'w+');
|
||||
fwrite($f, $newcontent);
|
||||
|
|
|
@ -91,11 +91,11 @@ if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) {
|
|||
}
|
||||
|
||||
// Set Variables
|
||||
$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
|
||||
$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
|
||||
|
||||
$selection = '';
|
||||
if ( !empty($_GET['s']) ) {
|
||||
$selection = str_replace(''', "'", wp_unslash($_GET['s']));
|
||||
$selection = str_replace(''', "'", stripslashes($_GET['s']));
|
||||
$selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) );
|
||||
}
|
||||
|
||||
|
|
|
@ -164,7 +164,7 @@ switch($step) {
|
|||
|
||||
case 2:
|
||||
foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key )
|
||||
$$key = trim( wp_unslash( $_POST[ $key ] ) );
|
||||
$$key = trim( stripslashes( $_POST[ $key ] ) );
|
||||
|
||||
$tryagain_link = '</p><p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button button-large">' . __( 'Try again' ) . '</a>';
|
||||
|
||||
|
|
|
@ -68,7 +68,7 @@ if ( empty( $file ) ) {
|
|||
$relative_file = 'style.css';
|
||||
$file = $allowed_files['style.css'];
|
||||
} else {
|
||||
$relative_file = $file;
|
||||
$relative_file = stripslashes( $file );
|
||||
$file = $theme->get_stylesheet_directory() . '/' . $relative_file;
|
||||
}
|
||||
|
||||
|
@ -78,7 +78,7 @@ $scrollto = isset( $_REQUEST['scrollto'] ) ? (int) $_REQUEST['scrollto'] : 0;
|
|||
switch( $action ) {
|
||||
case 'update':
|
||||
check_admin_referer( 'edit-theme_' . $file . $stylesheet );
|
||||
$newcontent = wp_unslash( $_POST['newcontent'] );
|
||||
$newcontent = stripslashes( $_POST['newcontent'] );
|
||||
$location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&theme=' . urlencode( $stylesheet ) . '&scrollto=' . $scrollto;
|
||||
if ( is_writeable( $file ) ) {
|
||||
//is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable
|
||||
|
|
|
@ -26,7 +26,7 @@ if ( isset($_GET['action']) ) {
|
|||
check_admin_referer( 'bulk-update-plugins' );
|
||||
|
||||
if ( isset( $_GET['plugins'] ) )
|
||||
$plugins = explode( ',', wp_unslash($_GET['plugins']) );
|
||||
$plugins = explode( ',', stripslashes($_GET['plugins']) );
|
||||
elseif ( isset( $_POST['checked'] ) )
|
||||
$plugins = (array) $_POST['checked'];
|
||||
else
|
||||
|
@ -109,7 +109,7 @@ if ( isset($_GET['action']) ) {
|
|||
$nonce = 'install-plugin_' . $plugin;
|
||||
$url = 'update.php?action=install-plugin&plugin=' . $plugin;
|
||||
if ( isset($_GET['from']) )
|
||||
$url .= '&from=' . urlencode( wp_unslash( $_GET['from'] ) );
|
||||
$url .= '&from=' . urlencode(stripslashes($_GET['from']));
|
||||
|
||||
$type = 'web'; //Install plugin type, From Web or an Upload.
|
||||
|
||||
|
@ -173,7 +173,7 @@ if ( isset($_GET['action']) ) {
|
|||
check_admin_referer( 'bulk-update-themes' );
|
||||
|
||||
if ( isset( $_GET['themes'] ) )
|
||||
$themes = explode( ',', wp_unslash( $_GET['themes'] ) );
|
||||
$themes = explode( ',', stripslashes($_GET['themes']) );
|
||||
elseif ( isset( $_POST['checked'] ) )
|
||||
$themes = (array) $_POST['checked'];
|
||||
else
|
||||
|
|
|
@ -77,7 +77,7 @@ else
|
|||
<?php else :
|
||||
switch ( $step ) :
|
||||
case 0:
|
||||
$goback = wp_get_referer();
|
||||
$goback = stripslashes( wp_get_referer() );
|
||||
$goback = esc_url_raw( $goback );
|
||||
$goback = urlencode( $goback );
|
||||
?>
|
||||
|
@ -90,7 +90,7 @@ switch ( $step ) :
|
|||
case 1:
|
||||
wp_upgrade();
|
||||
|
||||
$backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
|
||||
$backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
|
||||
$backto = esc_url( $backto );
|
||||
$backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/');
|
||||
?>
|
||||
|
|
|
@ -132,7 +132,7 @@ if ( $doaction ) {
|
|||
wp_redirect( $location );
|
||||
exit;
|
||||
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
|
||||
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
|
||||
exit;
|
||||
}
|
||||
|
||||
|
|
|
@ -54,7 +54,7 @@ get_current_screen()->set_help_sidebar(
|
|||
'<p>' . __('<a href="http://wordpress.org/support/" target="_blank">Support Forums</a>') . '</p>'
|
||||
);
|
||||
|
||||
$wp_http_referer = remove_query_arg(array('update', 'delete_count'), $wp_http_referer );
|
||||
$wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer));
|
||||
|
||||
$user_can_edit = current_user_can( 'edit_posts' ) || current_user_can( 'edit_pages' );
|
||||
|
||||
|
|
|
@ -112,15 +112,15 @@ Please click the following link to confirm the invite:
|
|||
}
|
||||
} else {
|
||||
// Adding a new user to this blog
|
||||
$user_details = wpmu_validate_user_signup( wp_unslash( $_REQUEST[ 'user_login' ] ), wp_unslash( $_REQUEST[ 'email' ] ) );
|
||||
$user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] );
|
||||
if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
|
||||
$add_user_errors = $user_details[ 'errors' ];
|
||||
} else {
|
||||
$new_user_login = apply_filters('pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) );
|
||||
$new_user_login = apply_filters('pre_user_login', sanitize_user(stripslashes($_REQUEST['user_login']), true));
|
||||
if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
|
||||
add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
|
||||
}
|
||||
wpmu_signup_user( $new_user_login, wp_unslash( $_REQUEST[ 'email' ] ), array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
|
||||
wpmu_signup_user( $new_user_login, $_REQUEST[ 'email' ], array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
|
||||
if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
|
||||
$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $_REQUEST[ 'email' ] ) );
|
||||
wpmu_activate_signup( $key );
|
||||
|
@ -309,7 +309,7 @@ foreach ( array( 'user_login' => 'login', 'first_name' => 'firstname', 'last_nam
|
|||
$var = "new_user_$var";
|
||||
if( isset( $_POST['createuser'] ) ) {
|
||||
if ( ! isset($$var) )
|
||||
$$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : '';
|
||||
$$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : '';
|
||||
} else {
|
||||
$$var = false;
|
||||
}
|
||||
|
|
|
@ -64,9 +64,9 @@ get_current_screen()->set_help_sidebar(
|
|||
);
|
||||
|
||||
if ( empty($_REQUEST) ) {
|
||||
$referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . '" />';
|
||||
$referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
|
||||
} elseif ( isset($_REQUEST['wp_http_referer']) ) {
|
||||
$redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash( $_REQUEST['wp_http_referer'] ) );
|
||||
$redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer']));
|
||||
$referer = '<input type="hidden" name="wp_http_referer" value="' . esc_attr($redirect) . '" />';
|
||||
} else {
|
||||
$redirect = 'users.php';
|
||||
|
@ -357,7 +357,7 @@ break;
|
|||
default:
|
||||
|
||||
if ( !empty($_GET['_wp_http_referer']) ) {
|
||||
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||
wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI'])));
|
||||
exit;
|
||||
}
|
||||
|
||||
|
@ -381,7 +381,7 @@ default:
|
|||
case 'add':
|
||||
if ( isset( $_GET['id'] ) && ( $user_id = $_GET['id'] ) && current_user_can( 'edit_user', $user_id ) ) {
|
||||
$messages[] = '<div id="message" class="updated"><p>' . sprintf( __( 'New user created. <a href="%s">Edit user</a>' ),
|
||||
esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ),
|
||||
esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ),
|
||||
self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '</p></div>';
|
||||
} else {
|
||||
$messages[] = '<div id="message" class="updated"><p>' . __( 'New user created.' ) . '</p></div>';
|
||||
|
|
|
@ -17,9 +17,7 @@ require( dirname(__FILE__) . '/wp-load.php' );
|
|||
|
||||
nocache_headers();
|
||||
|
||||
$post_data = wp_unslash( $_POST );
|
||||
|
||||
$comment_post_ID = isset($post_data['comment_post_ID']) ? (int) $post_data['comment_post_ID'] : 0;
|
||||
$comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0;
|
||||
|
||||
$post = get_post($comment_post_ID);
|
||||
|
||||
|
@ -49,21 +47,21 @@ if ( !comments_open($comment_post_ID) ) {
|
|||
do_action('pre_comment_on_post', $comment_post_ID);
|
||||
}
|
||||
|
||||
$comment_author = ( isset( $post_data['author'] ) ) ? trim( strip_tags( $post_data['author'] ) ) : null;
|
||||
$comment_author_email = ( isset( $post_data['email'] ) ) ? trim( $post_data['email'] ) : null;
|
||||
$comment_author_url = ( isset( $post_data['url'] ) ) ? trim( $post_data['url'] ) : null;
|
||||
$comment_content = ( isset( $post_data['comment'] ) ) ? trim( $post_data['comment'] ) : null;
|
||||
$comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
|
||||
$comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null;
|
||||
$comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
|
||||
$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
|
||||
|
||||
// If the user is logged in
|
||||
$user = wp_get_current_user();
|
||||
if ( $user->exists() ) {
|
||||
if ( empty( $user->display_name ) )
|
||||
$user->display_name = $user->user_login;
|
||||
$comment_author = $user->display_name;
|
||||
$comment_author_email = $user->user_email;
|
||||
$comment_author_url = $user->user_url;
|
||||
$user->display_name=$user->user_login;
|
||||
$comment_author = $wpdb->escape($user->display_name);
|
||||
$comment_author_email = $wpdb->escape($user->user_email);
|
||||
$comment_author_url = $wpdb->escape($user->user_url);
|
||||
if ( current_user_can('unfiltered_html') ) {
|
||||
if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $post_data['_wp_unfiltered_html_comment'] ) {
|
||||
if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
|
||||
kses_remove_filters(); // start with a clean slate
|
||||
kses_init_filters(); // set up the filters
|
||||
}
|
||||
|
@ -85,7 +83,7 @@ if ( get_option('require_name_email') && !$user->exists() ) {
|
|||
if ( '' == $comment_content )
|
||||
wp_die( __('<strong>ERROR</strong>: please type a comment.') );
|
||||
|
||||
$comment_parent = isset($post_data['comment_parent']) ? absint($post_data['comment_parent']) : 0;
|
||||
$comment_parent = isset($_POST['comment_parent']) ? absint($_POST['comment_parent']) : 0;
|
||||
|
||||
$commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');
|
||||
|
||||
|
@ -94,7 +92,7 @@ $comment_id = wp_new_comment( $commentdata );
|
|||
$comment = get_comment($comment_id);
|
||||
do_action('set_comment_cookies', $comment, $user);
|
||||
|
||||
$location = empty($post_data['redirect_to']) ? get_comment_link($comment_id) : $post_data['redirect_to'] . '#comment-' . $comment_id;
|
||||
$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id;
|
||||
$location = apply_filters('comment_post_redirect', $location, $comment);
|
||||
|
||||
wp_safe_redirect( $location );
|
||||
|
|
|
@ -310,7 +310,7 @@ final class WP_Customize_Manager {
|
|||
public function post_value( $setting ) {
|
||||
if ( ! isset( $this->_post_values ) ) {
|
||||
if ( isset( $_POST['customized'] ) )
|
||||
$this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true );
|
||||
$this->_post_values = json_decode( stripslashes( $_POST['customized'] ), true );
|
||||
else
|
||||
$this->_post_values = false;
|
||||
}
|
||||
|
|
|
@ -144,7 +144,7 @@ class WP_Customize_Setting {
|
|||
* @return mixed Null if an input isn't valid, otherwise the sanitized value.
|
||||
*/
|
||||
public function sanitize( $value ) {
|
||||
$value = wp_unslash( $value );
|
||||
$value = stripslashes_deep( $value );
|
||||
return apply_filters( "customize_sanitize_{$this->id}", $value, $this );
|
||||
}
|
||||
|
||||
|
|
|
@ -280,15 +280,17 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
$meta['id'] = (int) $meta['id'];
|
||||
$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
|
||||
if ( isset($meta['key']) ) {
|
||||
$meta['key'] = stripslashes( $meta['key'] );
|
||||
if ( $meta['key'] != $pmeta->meta_key )
|
||||
continue;
|
||||
$meta['value'] = stripslashes_deep( $meta['value'] );
|
||||
if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
|
||||
update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
|
||||
} elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
|
||||
delete_metadata_by_mid( 'post', $meta['id'] );
|
||||
}
|
||||
} elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) {
|
||||
wp_add_post_meta( $post_id, $meta['key'], $meta['value'] );
|
||||
} elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
|
||||
add_post_meta( $post_id, $meta['key'], $meta['value'] );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -460,6 +462,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
return $this->blogger_getUsersBlogs( $args );
|
||||
}
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$username = $args[0];
|
||||
$password = $args[1];
|
||||
|
||||
|
@ -951,6 +955,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1233,6 +1239,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 5 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1266,6 +1274,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
else
|
||||
$post['post_date_gmt'] = $this->_convert_date( $post['post_date_gmt'] );
|
||||
|
||||
$this->escape( $post );
|
||||
$merged_content_struct = array_merge( $post, $content_struct );
|
||||
|
||||
$retval = $this->_insert_post( $user, $merged_content_struct );
|
||||
|
@ -1292,6 +1301,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1366,6 +1377,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1421,6 +1434,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 3 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1514,6 +1529,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1599,6 +1616,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 5 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1689,6 +1708,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 5 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1754,6 +1775,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 5 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1805,6 +1828,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1878,6 +1903,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1920,6 +1947,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 3 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -1987,6 +2016,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2038,6 +2069,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 3 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2104,6 +2137,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 3 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2149,6 +2184,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2212,6 +2249,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getPage($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$page_id = (int) $args[1];
|
||||
$username = $args[2];
|
||||
|
@ -2253,6 +2292,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getPages($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2295,8 +2336,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return unknown
|
||||
*/
|
||||
function wp_newPage($args) {
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
// Items not escaped here will be escaped in newPost.
|
||||
$username = $this->escape($args[1]);
|
||||
$password = $this->escape($args[2]);
|
||||
$page = $args[3];
|
||||
$publish = $args[4];
|
||||
|
||||
|
@ -2321,6 +2363,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return bool True, if success.
|
||||
*/
|
||||
function wp_deletePage($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2360,10 +2404,11 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return unknown
|
||||
*/
|
||||
function wp_editPage($args) {
|
||||
// Items not escaped here will be escaped in editPost.
|
||||
$blog_id = (int) $args[0];
|
||||
$page_id = (int) $args[1];
|
||||
$username = $args[2];
|
||||
$password = $args[3];
|
||||
$page_id = (int) $this->escape($args[1]);
|
||||
$username = $this->escape($args[2]);
|
||||
$password = $this->escape($args[3]);
|
||||
$content = $args[4];
|
||||
$publish = $args[5];
|
||||
|
||||
|
@ -2408,6 +2453,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
function wp_getPageList($args) {
|
||||
global $wpdb;
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2456,6 +2503,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getAuthors($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2489,6 +2539,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getTags( $args ) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2528,6 +2580,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return int Category ID.
|
||||
*/
|
||||
function wp_newCategory($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2587,6 +2641,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return mixed See {@link wp_delete_term()} for return info.
|
||||
*/
|
||||
function wp_deleteCategory($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2617,6 +2673,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_suggestCategories($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2652,6 +2710,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getComment($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2691,6 +2751,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array. Contains a collection of comments. See {@link wp_xmlrpc_server::wp_getComment()} for a description of each item contents
|
||||
*/
|
||||
function wp_getComments($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2749,6 +2811,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return mixed {@link wp_delete_comment()}
|
||||
*/
|
||||
function wp_deleteComment($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2801,6 +2865,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return bool True, on success.
|
||||
*/
|
||||
function wp_editComment($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2876,6 +2942,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
function wp_newComment($args) {
|
||||
global $wpdb;
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2910,9 +2978,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
$comment['comment_post_ID'] = $post_id;
|
||||
|
||||
if ( $logged_in ) {
|
||||
$comment['comment_author'] = $user->display_name;
|
||||
$comment['comment_author_email'] = $user->user_email;
|
||||
$comment['comment_author_url'] = $user->user_url;
|
||||
$comment['comment_author'] = $wpdb->escape( $user->display_name );
|
||||
$comment['comment_author_email'] = $wpdb->escape( $user->user_email );
|
||||
$comment['comment_author_url'] = $wpdb->escape( $user->user_url );
|
||||
$comment['user_ID'] = $user->ID;
|
||||
} else {
|
||||
$comment['comment_author'] = '';
|
||||
|
@ -2959,6 +3027,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getCommentStatusList($args) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -2983,6 +3053,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getCommentCount( $args ) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3014,6 +3086,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getPostStatusList( $args ) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3038,6 +3112,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getPageStatusList( $args ) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3062,6 +3138,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getPageTemplates( $args ) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3087,6 +3165,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getOptions( $args ) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3135,6 +3215,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return unknown
|
||||
*/
|
||||
function wp_setOptions( $args ) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3182,6 +3264,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* - 'metadata'
|
||||
*/
|
||||
function wp_getMediaItem($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3225,6 +3309,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array. Contains a collection of media items. See {@link wp_xmlrpc_server::wp_getMediaItem()} for a description of each item contents
|
||||
*/
|
||||
function wp_getMediaLibrary($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3265,6 +3351,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function wp_getPostFormats( $args ) {
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3323,6 +3411,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3367,6 +3457,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 3 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3419,6 +3511,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 4 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3483,6 +3577,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( ! $this->minimum_args( $args, 3 ) )
|
||||
return $this->error;
|
||||
|
||||
$this->escape( $args );
|
||||
|
||||
$blog_id = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -3532,6 +3628,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( is_multisite() )
|
||||
return $this->_multisite_getUsersBlogs($args);
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
||||
|
@ -3593,6 +3691,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function blogger_getUserInfo($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
||||
|
@ -3624,6 +3725,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function blogger_getPost($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[1];
|
||||
$username = $args[2];
|
||||
$password = $args[3];
|
||||
|
@ -3642,9 +3746,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
|
||||
$categories = implode(',', wp_get_post_categories($post_ID));
|
||||
|
||||
$content = '<title>'.$post_data['post_title'].'</title>';
|
||||
$content = '<title>'.stripslashes($post_data['post_title']).'</title>';
|
||||
$content .= '<category>'.$categories.'</category>';
|
||||
$content .= $post_data['post_content'];
|
||||
$content .= stripslashes($post_data['post_content']);
|
||||
|
||||
$struct = array(
|
||||
'userid' => $post_data['post_author'],
|
||||
|
@ -3665,6 +3769,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function blogger_getRecentPosts($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
// $args[0] = appkey - ignored
|
||||
$blog_ID = (int) $args[1]; /* though we don't use it yet */
|
||||
$username = $args[2];
|
||||
|
@ -3693,9 +3800,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
$post_date = $this->_convert_date( $entry['post_date'] );
|
||||
$categories = implode(',', wp_get_post_categories($entry['ID']));
|
||||
|
||||
$content = '<title>'.$entry['post_title'].'</title>';
|
||||
$content = '<title>'.stripslashes($entry['post_title']).'</title>';
|
||||
$content .= '<category>'.$categories.'</category>';
|
||||
$content .= $entry['post_content'];
|
||||
$content .= stripslashes($entry['post_content']);
|
||||
|
||||
$struct[] = array(
|
||||
'userid' => $entry['post_author'],
|
||||
|
@ -3743,6 +3850,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return int
|
||||
*/
|
||||
function blogger_newPost($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_ID = (int) $args[1]; /* though we don't use it yet */
|
||||
$username = $args[2];
|
||||
$password = $args[3];
|
||||
|
@ -3794,6 +3904,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return bool true when done.
|
||||
*/
|
||||
function blogger_editPost($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[1];
|
||||
$username = $args[2];
|
||||
$password = $args[3];
|
||||
|
@ -3810,6 +3923,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
if ( !$actual_post || $actual_post['post_type'] != 'post' )
|
||||
return new IXR_Error(404, __('Sorry, no such post.'));
|
||||
|
||||
$this->escape($actual_post);
|
||||
|
||||
if ( !current_user_can('edit_post', $post_ID) )
|
||||
return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.'));
|
||||
|
||||
|
@ -3845,6 +3960,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return bool True when post is deleted.
|
||||
*/
|
||||
function blogger_deletePost($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[1];
|
||||
$username = $args[2];
|
||||
$password = $args[3];
|
||||
|
@ -3913,6 +4030,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return int
|
||||
*/
|
||||
function mw_newPost($args) {
|
||||
$this->escape($args);
|
||||
|
||||
$blog_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4197,7 +4316,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
}
|
||||
}
|
||||
if (!$found)
|
||||
wp_add_post_meta( $post_ID, 'enclosure', $encstring );
|
||||
add_post_meta( $post_ID, 'enclosure', $encstring );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -4231,6 +4350,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return bool True on success.
|
||||
*/
|
||||
function mw_editPost($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4269,6 +4391,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
}
|
||||
}
|
||||
|
||||
$this->escape($postdata);
|
||||
extract($postdata, EXTR_SKIP);
|
||||
|
||||
// Let WordPress manage slug if none was provided.
|
||||
|
@ -4496,6 +4619,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function mw_getPost($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4617,6 +4743,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function mw_getRecentPosts($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4729,6 +4858,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function mw_getCategories($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4776,8 +4908,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
global $wpdb;
|
||||
|
||||
$blog_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
$username = $wpdb->escape($args[1]);
|
||||
$password = $wpdb->escape($args[2]);
|
||||
$data = $args[3];
|
||||
|
||||
$name = sanitize_file_name( $data['name'] );
|
||||
|
@ -4865,6 +4997,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function mt_getRecentPostTitles($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4922,6 +5057,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function mt_getCategoryList($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$blog_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4957,6 +5095,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function mt_getPostCategories($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -4997,6 +5138,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return bool True on success.
|
||||
*/
|
||||
function mt_setPostCategories($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -5106,6 +5250,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return int
|
||||
*/
|
||||
function mt_publishPost($args) {
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$post_ID = (int) $args[0];
|
||||
$username = $args[1];
|
||||
$password = $args[2];
|
||||
|
@ -5127,6 +5274,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
// retain old cats
|
||||
$cats = wp_get_post_categories($post_ID);
|
||||
$postdata['post_category'] = $cats;
|
||||
$this->escape($postdata);
|
||||
|
||||
$result = wp_update_post($postdata);
|
||||
|
||||
|
@ -5150,6 +5298,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
|
||||
do_action('xmlrpc_call', 'pingback.ping');
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$pagelinkedfrom = $args[0];
|
||||
$pagelinkedto = $args[1];
|
||||
|
||||
|
@ -5285,15 +5435,15 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
$pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom);
|
||||
|
||||
$context = '[...] ' . esc_html( $excerpt ) . ' [...]';
|
||||
$pagelinkedfrom = $pagelinkedfrom;
|
||||
$pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
|
||||
|
||||
$comment_post_ID = (int) $post_ID;
|
||||
$comment_author = $title;
|
||||
$comment_author_email = '';
|
||||
$comment_author;
|
||||
$this->escape($comment_author);
|
||||
$comment_author_url = $pagelinkedfrom;
|
||||
$comment_content = $context;
|
||||
$comment_content;
|
||||
$this->escape($comment_content);
|
||||
$comment_type = 'pingback';
|
||||
|
||||
$commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_url', 'comment_author_email', 'comment_content', 'comment_type');
|
||||
|
@ -5315,10 +5465,13 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||
* @return array
|
||||
*/
|
||||
function pingback_extensions_getPingbacks($args) {
|
||||
|
||||
global $wpdb;
|
||||
|
||||
do_action('xmlrpc_call', 'pingback.extensions.getPingbacks');
|
||||
|
||||
$this->escape($args);
|
||||
|
||||
$url = $args;
|
||||
|
||||
$post_ID = url_to_postid($url);
|
||||
|
|
|
@ -142,15 +142,15 @@ class WP {
|
|||
$this->did_permalink = true;
|
||||
|
||||
if ( isset($_SERVER['PATH_INFO']) )
|
||||
$pathinfo = wp_unslash( $_SERVER['PATH_INFO'] );
|
||||
$pathinfo = $_SERVER['PATH_INFO'];
|
||||
else
|
||||
$pathinfo = '';
|
||||
$pathinfo_array = explode('?', $pathinfo);
|
||||
$pathinfo = str_replace("%", "%25", $pathinfo_array[0]);
|
||||
$req_uri = wp_unslash( $_SERVER['REQUEST_URI'] );
|
||||
$req_uri = $_SERVER['REQUEST_URI'];
|
||||
$req_uri_array = explode('?', $req_uri);
|
||||
$req_uri = $req_uri_array[0];
|
||||
$self = wp_unslash( $_SERVER['PHP_SELF'] );
|
||||
$self = $_SERVER['PHP_SELF'];
|
||||
$home_path = parse_url(home_url());
|
||||
if ( isset($home_path['path']) )
|
||||
$home_path = $home_path['path'];
|
||||
|
@ -255,9 +255,9 @@ class WP {
|
|||
if ( isset( $this->extra_query_vars[$wpvar] ) )
|
||||
$this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
|
||||
elseif ( isset( $_POST[$wpvar] ) )
|
||||
$this->query_vars[$wpvar] = wp_unslash( $_POST[$wpvar] );
|
||||
$this->query_vars[$wpvar] = $_POST[$wpvar];
|
||||
elseif ( isset( $_GET[$wpvar] ) )
|
||||
$this->query_vars[$wpvar] = wp_unslash( $_GET[$wpvar] );
|
||||
$this->query_vars[$wpvar] = $_GET[$wpvar];
|
||||
elseif ( isset( $perma_query_vars[$wpvar] ) )
|
||||
$this->query_vars[$wpvar] = $perma_query_vars[$wpvar];
|
||||
|
||||
|
@ -356,7 +356,7 @@ class WP {
|
|||
|
||||
// Support for Conditional GET
|
||||
if (isset($_SERVER['HTTP_IF_NONE_MATCH']))
|
||||
$client_etag = stripslashes( wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) ); // Retain extra strip. See #2597
|
||||
$client_etag = stripslashes(stripslashes($_SERVER['HTTP_IF_NONE_MATCH']));
|
||||
else $client_etag = false;
|
||||
|
||||
$client_last_modified = empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? '' : trim($_SERVER['HTTP_IF_MODIFIED_SINCE']);
|
||||
|
|
|
@ -633,22 +633,22 @@ function wp_set_comment_cookies($comment, $user) {
|
|||
*/
|
||||
function sanitize_comment_cookies() {
|
||||
if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
|
||||
$comment_author = wp_unslash( $_COOKIE['comment_author_'.COOKIEHASH] );
|
||||
$comment_author = apply_filters('pre_comment_author_name', $comment_author);
|
||||
$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
|
||||
$comment_author = stripslashes($comment_author);
|
||||
$comment_author = esc_attr($comment_author);
|
||||
$_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
|
||||
}
|
||||
|
||||
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
|
||||
$comment_author_email = wp_unslash( $_COOKIE['comment_author_email_'.COOKIEHASH] );
|
||||
$comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email);
|
||||
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
|
||||
$comment_author_email = stripslashes($comment_author_email);
|
||||
$comment_author_email = esc_attr($comment_author_email);
|
||||
$_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
|
||||
}
|
||||
|
||||
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
|
||||
$comment_author_url = wp_unslash( $_COOKIE['comment_author_url_'.COOKIEHASH] );
|
||||
$comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url);
|
||||
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
|
||||
$comment_author_url = stripslashes($comment_author_url);
|
||||
$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
|
||||
}
|
||||
}
|
||||
|
@ -670,10 +670,11 @@ function wp_allow_comment($commentdata) {
|
|||
extract($commentdata, EXTR_SKIP);
|
||||
|
||||
// Simple duplicate check
|
||||
$dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", $comment_post_ID, $comment_parent, $comment_author );
|
||||
// expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
|
||||
$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
|
||||
if ( $comment_author_email )
|
||||
$dupe .= $wpdb->prepare( "OR comment_author_email = %s ", $comment_author_email );
|
||||
$dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", $comment_content );
|
||||
$dupe .= "OR comment_author_email = '$comment_author_email' ";
|
||||
$dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
|
||||
if ( $wpdb->get_var($dupe) ) {
|
||||
do_action( 'comment_duplicate_trigger', $commentdata );
|
||||
if ( defined('DOING_AJAX') )
|
||||
|
@ -1261,7 +1262,7 @@ function wp_get_current_commenter() {
|
|||
*/
|
||||
function wp_insert_comment($commentdata) {
|
||||
global $wpdb;
|
||||
extract($commentdata, EXTR_SKIP);
|
||||
extract(stripslashes_deep($commentdata), EXTR_SKIP);
|
||||
|
||||
if ( ! isset($comment_author_IP) )
|
||||
$comment_author_IP = '';
|
||||
|
@ -1490,6 +1491,9 @@ function wp_update_comment($commentarr) {
|
|||
// First, get all of the original fields
|
||||
$comment = get_comment($commentarr['comment_ID'], ARRAY_A);
|
||||
|
||||
// Escape data pulled from DB.
|
||||
$comment = esc_sql($comment);
|
||||
|
||||
$old_status = $comment['comment_approved'];
|
||||
|
||||
// Merge old and new fields with new fields overwriting old ones.
|
||||
|
@ -1498,7 +1502,7 @@ function wp_update_comment($commentarr) {
|
|||
$commentarr = wp_filter_comment( $commentarr );
|
||||
|
||||
// Now extract the merged array.
|
||||
extract($commentarr, EXTR_SKIP);
|
||||
extract(stripslashes_deep($commentarr), EXTR_SKIP);
|
||||
|
||||
$comment_content = apply_filters('comment_save_pre', $comment_content);
|
||||
|
||||
|
|
|
@ -230,7 +230,7 @@ function spawn_cron( $gmt_time = 0 ) {
|
|||
set_transient( 'doing_cron', $doing_wp_cron );
|
||||
|
||||
ob_start();
|
||||
wp_redirect( add_query_arg( 'doing_wp_cron', $doing_wp_cron, wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
|
||||
wp_redirect( add_query_arg('doing_wp_cron', $doing_wp_cron, stripslashes($_SERVER['REQUEST_URI'])) );
|
||||
echo ' ';
|
||||
|
||||
// flush any buffers and send the headers
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
// Strip, trim, kses, special chars for string saves
|
||||
foreach ( array( 'pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target', 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name', 'pre_user_nickname' ) as $filter ) {
|
||||
add_filter( $filter, 'sanitize_text_field' );
|
||||
add_filter( $filter, 'wp_kses_data' );
|
||||
add_filter( $filter, 'wp_filter_kses' );
|
||||
add_filter( $filter, '_wp_specialchars', 30 );
|
||||
}
|
||||
|
||||
|
@ -31,7 +31,7 @@ foreach ( array( 'term_name', 'comment_author_name', 'link_name', 'link_target',
|
|||
|
||||
// Kses only for textarea saves
|
||||
foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) {
|
||||
add_filter( $filter, 'wp_kses_data' );
|
||||
add_filter( $filter, 'wp_filter_kses' );
|
||||
}
|
||||
|
||||
// Kses only for textarea admin displays
|
||||
|
@ -46,7 +46,7 @@ if ( is_admin() ) {
|
|||
foreach ( array( 'pre_comment_author_email', 'pre_user_email' ) as $filter ) {
|
||||
add_filter( $filter, 'trim' );
|
||||
add_filter( $filter, 'sanitize_email' );
|
||||
add_filter( $filter, 'wp_kses_data' );
|
||||
add_filter( $filter, 'wp_filter_kses' );
|
||||
}
|
||||
|
||||
// Email admin display
|
||||
|
|
|
@ -413,7 +413,7 @@ class WP_Widget_Text extends WP_Widget {
|
|||
if ( current_user_can('unfiltered_html') )
|
||||
$instance['text'] = $new_instance['text'];
|
||||
else
|
||||
$instance['text'] = wp_kses_post( $new_instance['text'] );
|
||||
$instance['text'] = stripslashes( wp_filter_post_kses( addslashes($new_instance['text']) ) ); // wp_filter_post_kses() expects slashed
|
||||
$instance['filter'] = isset($new_instance['filter']);
|
||||
return $instance;
|
||||
}
|
||||
|
@ -1057,8 +1057,8 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
|
|||
}
|
||||
|
||||
function update( $new_instance, $old_instance ) {
|
||||
$instance['title'] = strip_tags( $new_instance['title'] );
|
||||
$instance['taxonomy'] = $new_instance['taxonomy'];
|
||||
$instance['title'] = strip_tags(stripslashes($new_instance['title']));
|
||||
$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
|
||||
return $instance;
|
||||
}
|
||||
|
||||
|
@ -1119,7 +1119,7 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
|
|||
}
|
||||
|
||||
function update( $new_instance, $old_instance ) {
|
||||
$instance['title'] = strip_tags( $new_instance['title'] );
|
||||
$instance['title'] = strip_tags( stripslashes($new_instance['title']) );
|
||||
$instance['nav_menu'] = (int) $new_instance['nav_menu'];
|
||||
return $instance;
|
||||
}
|
||||
|
|
|
@ -2383,7 +2383,7 @@ function update_usermeta( $user_id, $meta_key, $meta_value ) {
|
|||
|
||||
/** @todo Might need fix because usermeta data is assumed to be already escaped */
|
||||
if ( is_string($meta_value) )
|
||||
$meta_value = $meta_value;
|
||||
$meta_value = stripslashes($meta_value);
|
||||
$meta_value = maybe_serialize($meta_value);
|
||||
|
||||
if (empty($meta_value)) {
|
||||
|
|
|
@ -488,7 +488,7 @@ function prep_atom_text_construct($data) {
|
|||
*/
|
||||
function self_link() {
|
||||
$host = @parse_url(home_url());
|
||||
echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
|
||||
echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . stripslashes( $_SERVER['REQUEST_URI'] ) ) ) );
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -1716,7 +1716,10 @@ function _split_str_by_whitespace( $string, $goal ) {
|
|||
* @return string Converted content.
|
||||
*/
|
||||
function wp_rel_nofollow( $text ) {
|
||||
// This is a pre save filter, so text is already escaped.
|
||||
$text = stripslashes($text);
|
||||
$text = preg_replace_callback('|<a (.+?)>|i', 'wp_rel_nofollow_callback', $text);
|
||||
$text = esc_sql($text);
|
||||
return $text;
|
||||
}
|
||||
|
||||
|
@ -3339,53 +3342,3 @@ function sanitize_trackback_urls( $to_ping ) {
|
|||
$urls_to_ping = implode( "\n", $urls_to_ping );
|
||||
return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
|
||||
}
|
||||
|
||||
/**
|
||||
* Conditionally add slashes to a string or array of strings. When GPCS
|
||||
* slashing is turned on, slashes are added. When GPCS slashing is turned off,
|
||||
* slashes are not added.
|
||||
*
|
||||
* This should be used when preparing data for core API that deal directly with GPCS data.
|
||||
* Outside of unit tests, this should be rare. At a future date GPCS will no longer
|
||||
* be slashed and this function will noop. Do not use it in situations where adding slashes
|
||||
* is always required regardless of whether GPCS is slashed.
|
||||
*
|
||||
* @since 3.6.0
|
||||
*
|
||||
* @param string|array $value String or array of strings to slash.
|
||||
* @return string|array Slashed $value
|
||||
*/
|
||||
function wp_slash( $value ) {
|
||||
if ( is_array( $value ) ) {
|
||||
foreach ( $value as $k => $v ) {
|
||||
if ( is_array( $v ) ) {
|
||||
$value[$k] = wp_slash( $v );
|
||||
} else {
|
||||
$value[$k] = addslashes( $v );
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$value = addslashes( $value );
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Conditionally removes slashes from a string or array of strings. When GPCS
|
||||
* slashing is turned on, slashes are stripped. When GPCS slashing is turned off,
|
||||
* slashes are not stripped.
|
||||
*
|
||||
* This should be used for GPCS data before passing it along to core API. At a future
|
||||
* date GPCS will no longer be slashed and this function will noop. Do not use it
|
||||
* in situations where slash stripping is always required regardless of whether GPCS
|
||||
* is slashed.
|
||||
*
|
||||
* @since 3.6.0
|
||||
*
|
||||
* @param string|array $value String or array of strings to unslash.
|
||||
* @return string|array Unslashed $value
|
||||
*/
|
||||
function wp_unslash( $value ) {
|
||||
return stripslashes_deep( $value );
|
||||
}
|
||||
|
|
|
@ -468,7 +468,7 @@ function do_enclose( $content, $post_ID ) {
|
|||
}
|
||||
|
||||
if ( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) {
|
||||
wp_add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" );
|
||||
add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1257,9 +1257,9 @@ function wp_referer_field( $echo = true ) {
|
|||
* @return string Original referer field.
|
||||
*/
|
||||
function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) {
|
||||
$jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : wp_unslash( $_SERVER['REQUEST_URI'] );
|
||||
$jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : $_SERVER['REQUEST_URI'];
|
||||
$ref = ( wp_get_original_referer() ) ? wp_get_original_referer() : $jump_back_to;
|
||||
$orig_referer_field = '<input type="hidden" name="_wp_original_http_referer" value="' . esc_attr( $ref ) . '" />';
|
||||
$orig_referer_field = '<input type="hidden" name="_wp_original_http_referer" value="' . esc_attr( stripslashes( $ref ) ) . '" />';
|
||||
if ( $echo )
|
||||
echo $orig_referer_field;
|
||||
return $orig_referer_field;
|
||||
|
@ -1278,11 +1278,11 @@ function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) {
|
|||
function wp_get_referer() {
|
||||
$ref = false;
|
||||
if ( ! empty( $_REQUEST['_wp_http_referer'] ) )
|
||||
$ref = wp_unslash( $_REQUEST['_wp_http_referer'] );
|
||||
$ref = $_REQUEST['_wp_http_referer'];
|
||||
else if ( ! empty( $_SERVER['HTTP_REFERER'] ) )
|
||||
$ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
|
||||
$ref = $_SERVER['HTTP_REFERER'];
|
||||
|
||||
if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
|
||||
if ( $ref && $ref !== $_SERVER['REQUEST_URI'] )
|
||||
return $ref;
|
||||
return false;
|
||||
}
|
||||
|
@ -1298,7 +1298,7 @@ function wp_get_referer() {
|
|||
*/
|
||||
function wp_get_original_referer() {
|
||||
if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
|
||||
return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
|
||||
return $_REQUEST['_wp_original_http_referer'];
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
@ -1326,18 +1326,18 @@ function wp_filter_nohtml_kses( $data ) {
|
|||
*/
|
||||
function kses_init_filters() {
|
||||
// Normal filtering
|
||||
add_filter('title_save_pre', 'wp_kses_data');
|
||||
add_filter('title_save_pre', 'wp_filter_kses');
|
||||
|
||||
// Comment filtering
|
||||
if ( current_user_can( 'unfiltered_html' ) )
|
||||
add_filter( 'pre_comment_content', 'wp_kses_post' );
|
||||
add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
|
||||
else
|
||||
add_filter( 'pre_comment_content', 'wp_kses_data' );
|
||||
add_filter( 'pre_comment_content', 'wp_filter_kses' );
|
||||
|
||||
// Post filtering
|
||||
add_filter('content_save_pre', 'wp_kses_post');
|
||||
add_filter('excerpt_save_pre', 'wp_kses_post');
|
||||
add_filter('content_filtered_save_pre', 'wp_kses_post');
|
||||
add_filter('content_save_pre', 'wp_filter_post_kses');
|
||||
add_filter('excerpt_save_pre', 'wp_filter_post_kses');
|
||||
add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1354,16 +1354,16 @@ function kses_init_filters() {
|
|||
*/
|
||||
function kses_remove_filters() {
|
||||
// Normal filtering
|
||||
remove_filter('title_save_pre', 'wp_kses_data');
|
||||
remove_filter('title_save_pre', 'wp_filter_kses');
|
||||
|
||||
// Comment filtering
|
||||
remove_filter( 'pre_comment_content', 'wp_kses_post' );
|
||||
remove_filter( 'pre_comment_content', 'wp_kses_data' );
|
||||
remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
|
||||
remove_filter( 'pre_comment_content', 'wp_filter_kses' );
|
||||
|
||||
// Post filtering
|
||||
remove_filter('content_save_pre', 'wp_kses_post');
|
||||
remove_filter('excerpt_save_pre', 'wp_kses_post');
|
||||
remove_filter('content_filtered_save_pre', 'wp_kses_post');
|
||||
remove_filter('content_save_pre', 'wp_filter_post_kses');
|
||||
remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
|
||||
remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -746,7 +746,7 @@ function get_search_link( $query = '' ) {
|
|||
if ( empty($query) )
|
||||
$search = get_search_query( false );
|
||||
else
|
||||
$search = $query;
|
||||
$search = stripslashes($query);
|
||||
|
||||
$permastruct = $wp_rewrite->get_search_permastruct();
|
||||
|
||||
|
|
|
@ -42,6 +42,9 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
|
|||
|
||||
$column = esc_sql($meta_type . '_id');
|
||||
|
||||
// expected_slashed ($meta_key)
|
||||
$meta_key = stripslashes($meta_key);
|
||||
$meta_value = stripslashes_deep($meta_value);
|
||||
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||
|
||||
$check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
|
||||
|
@ -110,7 +113,10 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
|
|||
$column = esc_sql($meta_type . '_id');
|
||||
$id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
|
||||
|
||||
// expected_slashed ($meta_key)
|
||||
$meta_key = stripslashes($meta_key);
|
||||
$passed_value = $meta_value;
|
||||
$meta_value = stripslashes_deep($meta_value);
|
||||
$meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
|
||||
|
||||
$check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
|
||||
|
@ -189,6 +195,9 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
|
|||
|
||||
$type_column = esc_sql($meta_type . '_id');
|
||||
$id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
|
||||
// expected_slashed ($meta_key)
|
||||
$meta_key = stripslashes($meta_key);
|
||||
$meta_value = stripslashes_deep($meta_value);
|
||||
|
||||
$check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );
|
||||
if ( null !== $check )
|
||||
|
|
|
@ -58,7 +58,7 @@ header( 'ETag: ' . $etag );
|
|||
header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' );
|
||||
|
||||
// Support for Conditional GET
|
||||
$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
|
||||
$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
|
||||
|
||||
if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
|
||||
$_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
|
||||
|
|
|
@ -279,6 +279,9 @@ function remove_user_from_blog($user_id, $blog_id = '', $reassign = '') {
|
|||
* @return int The ID of the newly created blog
|
||||
*/
|
||||
function create_empty_blog( $domain, $path, $weblog_title, $site_id = 1 ) {
|
||||
$domain = addslashes( $domain );
|
||||
$weblog_title = addslashes( $weblog_title );
|
||||
|
||||
if ( empty($path) )
|
||||
$path = '/';
|
||||
|
||||
|
@ -579,7 +582,7 @@ function wpmu_validate_blog_signup($blogname, $blog_title, $user = '') {
|
|||
|
||||
$blogname = apply_filters( 'newblogname', $blogname );
|
||||
|
||||
$blog_title = $blog_title;
|
||||
$blog_title = stripslashes( $blog_title );
|
||||
|
||||
if ( empty( $blog_title ) )
|
||||
$errors->add('blog_title', __( 'Please enter a site title.' ) );
|
||||
|
@ -632,7 +635,10 @@ function wpmu_signup_blog($domain, $path, $title, $user, $user_email, $meta = ''
|
|||
global $wpdb;
|
||||
|
||||
$key = substr( md5( time() . rand() . $domain ), 0, 16 );
|
||||
$meta = serialize( $meta );
|
||||
$meta = serialize($meta);
|
||||
$domain = $wpdb->escape($domain);
|
||||
$path = $wpdb->escape($path);
|
||||
$title = $wpdb->escape($title);
|
||||
|
||||
$wpdb->insert( $wpdb->signups, array(
|
||||
'domain' => $domain,
|
||||
|
@ -645,7 +651,7 @@ function wpmu_signup_blog($domain, $path, $title, $user, $user_email, $meta = ''
|
|||
'meta' => $meta
|
||||
) );
|
||||
|
||||
wpmu_signup_blog_notification( $domain, $path, $title, $user, $user_email, $key, $meta );
|
||||
wpmu_signup_blog_notification($domain, $path, $title, $user, $user_email, $key, $meta);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -834,8 +840,8 @@ function wpmu_activate_signup($key) {
|
|||
}
|
||||
|
||||
$meta = maybe_unserialize($signup->meta);
|
||||
$user_login = $signup->user_login;
|
||||
$user_email = $signup->user_email;
|
||||
$user_login = $wpdb->escape($signup->user_login);
|
||||
$user_email = $wpdb->escape($signup->user_email);
|
||||
$password = wp_generate_password( 12, false );
|
||||
|
||||
$user_id = username_exists($user_login);
|
||||
|
@ -1151,7 +1157,7 @@ function install_blog($blog_id, $blog_title = '') {
|
|||
else
|
||||
update_option( 'upload_path', get_blog_option( $current_site->blog_id, 'upload_path' ) );
|
||||
|
||||
update_option( 'blogname', $blog_title );
|
||||
update_option( 'blogname', stripslashes( $blog_title ) );
|
||||
update_option( 'admin_email', '' );
|
||||
|
||||
// remove all perms
|
||||
|
@ -1208,9 +1214,9 @@ function wpmu_welcome_notification($blog_id, $user_id, $password, $title, $meta
|
|||
if ( !apply_filters('wpmu_welcome_notification', $blog_id, $user_id, $password, $title, $meta) )
|
||||
return false;
|
||||
|
||||
$welcome_email = get_site_option( 'welcome_email' );
|
||||
$welcome_email = stripslashes( get_site_option( 'welcome_email' ) );
|
||||
if ( $welcome_email == false )
|
||||
$welcome_email = __( 'Dear User,
|
||||
$welcome_email = stripslashes( __( 'Dear User,
|
||||
|
||||
Your new SITE_NAME site has been successfully set up at:
|
||||
BLOG_URL
|
||||
|
@ -1222,7 +1228,7 @@ Log in here: BLOG_URLwp-login.php
|
|||
|
||||
We hope you enjoy your new site. Thanks!
|
||||
|
||||
--The Team @ SITE_NAME' );
|
||||
--The Team @ SITE_NAME' ) );
|
||||
|
||||
$url = get_blogaddress_by_id($blog_id);
|
||||
$user = get_userdata( $user_id );
|
||||
|
@ -1246,7 +1252,7 @@ We hope you enjoy your new site. Thanks!
|
|||
if ( empty( $current_site->site_name ) )
|
||||
$current_site->site_name = 'WordPress';
|
||||
|
||||
$subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site->site_name, $title ) );
|
||||
$subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site->site_name, stripslashes( $title ) ) );
|
||||
wp_mail($user->user_email, $subject, $message, $message_headers);
|
||||
return true;
|
||||
}
|
||||
|
@ -1475,7 +1481,7 @@ function update_posts_count( $deprecated = '' ) {
|
|||
function wpmu_log_new_registrations( $blog_id, $user_id ) {
|
||||
global $wpdb;
|
||||
$user = get_userdata( (int) $user_id );
|
||||
$wpdb->insert( $wpdb->registration_log, array('email' => $user->user_email, 'IP' => preg_replace( '/[^0-9., ]/', '', wp_unslash( $_SERVER['REMOTE_ADDR'] ) ), 'blog_id' => $blog_id, 'date_registered' => current_time('mysql')) );
|
||||
$wpdb->insert( $wpdb->registration_log, array('email' => $user->user_email, 'IP' => preg_replace( '/[^0-9., ]/', '',$_SERVER['REMOTE_ADDR'] ), 'blog_id' => $blog_id, 'date_registered' => current_time('mysql')) );
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -370,20 +370,20 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item
|
|||
|
||||
$menu_item_db_id = (int) $menu_item_db_id;
|
||||
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) );
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) );
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) );
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) );
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) );
|
||||
|
||||
$args['menu-item-classes'] = array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-classes'] ) );
|
||||
$args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) );
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] );
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) );
|
||||
|
||||
if ( 0 == $menu_id )
|
||||
wp_update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );
|
||||
update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );
|
||||
elseif ( get_post_meta( $menu_item_db_id, '_menu_item_orphaned' ) )
|
||||
delete_post_meta( $menu_item_db_id, '_menu_item_orphaned' );
|
||||
|
||||
|
|
|
@ -782,7 +782,7 @@ function auth_redirect() {
|
|||
// The cookie is no good so force login
|
||||
nocache_headers();
|
||||
|
||||
$redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] ) );
|
||||
$redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
|
||||
|
||||
$login_url = wp_login_url($redirect, true);
|
||||
|
||||
|
@ -1197,8 +1197,8 @@ if ( !function_exists('wp_new_user_notification') ) :
|
|||
function wp_new_user_notification($user_id, $plaintext_pass = '') {
|
||||
$user = get_userdata( $user_id );
|
||||
|
||||
$user_login = $user->user_login;
|
||||
$user_email = $user->user_email;
|
||||
$user_login = stripslashes($user->user_login);
|
||||
$user_email = stripslashes($user->user_email);
|
||||
|
||||
// The blogname option is escaped with esc_html on the way into the database in sanitize_option
|
||||
// we want to reverse this for the plain text arena of emails.
|
||||
|
|
|
@ -583,7 +583,7 @@ function post_password_required( $post = null ) {
|
|||
$wp_hasher = new PasswordHash(8, true);
|
||||
}
|
||||
|
||||
$hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
|
||||
$hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
|
||||
|
||||
return ! $wp_hasher->CheckPassword( $post->post_password, $hash );
|
||||
}
|
||||
|
|
|
@ -1677,41 +1677,17 @@ function get_posts($args = null) {
|
|||
* @link http://codex.wordpress.org/Function_Reference/add_post_meta
|
||||
*
|
||||
* @param int $post_id Post ID.
|
||||
* @param string $meta_key Metadata name (expected slashed).
|
||||
* @param mixed $meta_value Metadata value (expected slashed).
|
||||
* @param string $meta_key Metadata name.
|
||||
* @param mixed $meta_value Metadata value.
|
||||
* @param bool $unique Optional, default is false. Whether the same key should not be added.
|
||||
* @return bool False for failure. True for success.
|
||||
*/
|
||||
function add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) {
|
||||
//_deprecated_function( __FUNCTION__, '3.6', 'wp_add_post_meta() (expects unslashed data)' );
|
||||
|
||||
// expected slashed
|
||||
$meta_key = stripslashes( $meta_key );
|
||||
$meta_value = stripslashes_deep( $meta_value );
|
||||
|
||||
return wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique );
|
||||
}
|
||||
|
||||
/**
|
||||
* Add meta data field to a post.
|
||||
*
|
||||
* Post meta data is called "Custom Fields" on the Administration Screen.
|
||||
*
|
||||
* @since 3.6.0
|
||||
* @link http://codex.wordpress.org/Function_Reference/wp_add_post_meta
|
||||
*
|
||||
* @param int $post_id Post ID.
|
||||
* @param string $meta_key Metadata name (clean, slashes already stripped).
|
||||
* @param mixed $meta_value Metadata value (clean, slashes already stripped).
|
||||
* @param bool $unique Optional, default is false. Whether the same key should not be added.
|
||||
* @return bool False for failure. True for success.
|
||||
*/
|
||||
function wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) {
|
||||
function add_post_meta($post_id, $meta_key, $meta_value, $unique = false) {
|
||||
// make sure meta is added to the post, not a revision
|
||||
if ( $the_post = wp_is_post_revision( $post_id ) )
|
||||
if ( $the_post = wp_is_post_revision($post_id) )
|
||||
$post_id = $the_post;
|
||||
|
||||
return add_metadata( 'post', $post_id, $meta_key, $meta_value, $unique );
|
||||
return add_metadata('post', $post_id, $meta_key, $meta_value, $unique);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1768,45 +1744,17 @@ function get_post_meta($post_id, $key = '', $single = false) {
|
|||
* @link http://codex.wordpress.org/Function_Reference/update_post_meta
|
||||
*
|
||||
* @param int $post_id Post ID.
|
||||
* @param string $meta_key Metadata key (expected slashed).
|
||||
* @param mixed $meta_value Metadata value (expected slashed).
|
||||
* @param string $meta_key Metadata key.
|
||||
* @param mixed $meta_value Metadata value.
|
||||
* @param mixed $prev_value Optional. Previous value to check before removing.
|
||||
* @return bool False on failure, true if success.
|
||||
*/
|
||||
function update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) {
|
||||
//_deprecated_function( __FUNCTION__, '3.6', 'wp_update_post_meta() (expects unslashed data)' );
|
||||
|
||||
// expected slashed
|
||||
$meta_key = stripslashes( $meta_key );
|
||||
$meta_value = stripslashes_deep( $meta_value );
|
||||
|
||||
return wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value );
|
||||
}
|
||||
|
||||
/**
|
||||
* Update post meta field based on post ID.
|
||||
*
|
||||
* Use the $prev_value parameter to differentiate between meta fields with the
|
||||
* same key and post ID.
|
||||
*
|
||||
* If the meta field for the post does not exist, it will be added.
|
||||
*
|
||||
* @since 3.6.0
|
||||
* @uses $wpdb
|
||||
* @link http://codex.wordpress.org/Function_Reference/wp_update_post_meta
|
||||
*
|
||||
* @param int $post_id Post ID.
|
||||
* @param string $meta_key Metadata key (clean, slashes already stripped).
|
||||
* @param mixed $meta_value Metadata value (clean, slashes already stripped).
|
||||
* @param mixed $prev_value Optional. Previous value to check before removing.
|
||||
* @return bool False on failure, true if success.
|
||||
*/
|
||||
function wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) {
|
||||
function update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '') {
|
||||
// make sure meta is added to the post, not a revision
|
||||
if ( $the_post = wp_is_post_revision( $post_id ) )
|
||||
if ( $the_post = wp_is_post_revision($post_id) )
|
||||
$post_id = $the_post;
|
||||
|
||||
return update_metadata( 'post', $post_id, $meta_key, $meta_value, $prev_value );
|
||||
return update_metadata('post', $post_id, $meta_key, $meta_value, $prev_value);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -2393,8 +2341,8 @@ function wp_trash_post($post_id = 0) {
|
|||
|
||||
do_action('wp_trash_post', $post_id);
|
||||
|
||||
wp_add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']);
|
||||
wp_add_post_meta($post_id,'_wp_trash_meta_time', time());
|
||||
add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']);
|
||||
add_post_meta($post_id,'_wp_trash_meta_time', time());
|
||||
|
||||
$post['post_status'] = 'trash';
|
||||
wp_insert_post($post);
|
||||
|
@ -2470,7 +2418,7 @@ function wp_trash_post_comments($post = null) {
|
|||
$statuses = array();
|
||||
foreach ( $comments as $comment )
|
||||
$statuses[$comment->comment_ID] = $comment->comment_approved;
|
||||
wp_add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses);
|
||||
add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses);
|
||||
|
||||
// Set status for all comments to post-trashed
|
||||
$result = $wpdb->update($wpdb->comments, array('comment_approved' => 'post-trashed'), array('comment_post_ID' => $post_id));
|
||||
|
@ -2846,8 +2794,10 @@ function wp_insert_post($postarr, $wp_error = false) {
|
|||
|
||||
$post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent);
|
||||
|
||||
// expected_slashed (everything!)
|
||||
$data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) );
|
||||
$data = apply_filters('wp_insert_post_data', $data, $postarr);
|
||||
$data = stripslashes_deep( $data );
|
||||
$where = array( 'ID' => $post_ID );
|
||||
|
||||
if ( $update ) {
|
||||
|
@ -2860,7 +2810,7 @@ function wp_insert_post($postarr, $wp_error = false) {
|
|||
}
|
||||
} else {
|
||||
if ( isset($post_mime_type) )
|
||||
$data['post_mime_type'] = $post_mime_type; // This isn't in the update
|
||||
$data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update
|
||||
// If there is a suggested ID, use it if not already present
|
||||
if ( !empty($import_id) ) {
|
||||
$import_id = (int) $import_id;
|
||||
|
@ -2921,7 +2871,7 @@ function wp_insert_post($postarr, $wp_error = false) {
|
|||
else
|
||||
return 0;
|
||||
}
|
||||
wp_update_post_meta($post_ID, '_wp_page_template', $page_template);
|
||||
update_post_meta($post_ID, '_wp_page_template', $page_template);
|
||||
}
|
||||
|
||||
wp_transition_post_status($data['post_status'], $previous_status, $post);
|
||||
|
@ -2954,11 +2904,15 @@ function wp_update_post( $postarr = array(), $wp_error = false ) {
|
|||
if ( is_object($postarr) ) {
|
||||
// non-escaped post was passed
|
||||
$postarr = get_object_vars($postarr);
|
||||
$postarr = add_magic_quotes($postarr);
|
||||
}
|
||||
|
||||
// First, get all of the original fields
|
||||
$post = get_post($postarr['ID'], ARRAY_A);
|
||||
|
||||
// Escape data pulled from DB.
|
||||
$post = add_magic_quotes($post);
|
||||
|
||||
// Passed post category list overwrites existing category list if not empty.
|
||||
if ( isset($postarr['post_category']) && is_array($postarr['post_category'])
|
||||
&& 0 != count($postarr['post_category']) )
|
||||
|
@ -3396,7 +3350,7 @@ function trackback_url_list($tb_list, $post_id) {
|
|||
$trackback_urls = explode(',', $tb_list);
|
||||
foreach( (array) $trackback_urls as $tb_url) {
|
||||
$tb_url = trim($tb_url);
|
||||
trackback($tb_url, $post_title, $excerpt, $post_id);
|
||||
trackback($tb_url, stripslashes($post_title), $excerpt, $post_id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3739,6 +3693,9 @@ function get_pages($args = '') {
|
|||
if ( ! empty( $meta_key ) || ! empty( $meta_value ) ) {
|
||||
$join = " LEFT JOIN $wpdb->postmeta ON ( $wpdb->posts.ID = $wpdb->postmeta.post_id )";
|
||||
|
||||
// meta_key and meta_value might be slashed
|
||||
$meta_key = stripslashes($meta_key);
|
||||
$meta_value = stripslashes($meta_value);
|
||||
if ( ! empty( $meta_key ) )
|
||||
$where .= $wpdb->prepare(" AND $wpdb->postmeta.meta_key = %s", $meta_key);
|
||||
if ( ! empty( $meta_value ) )
|
||||
|
@ -3963,6 +3920,7 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
|
|||
else
|
||||
$post_name = sanitize_title($post_name);
|
||||
|
||||
// expected_slashed ($post_name)
|
||||
$post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent);
|
||||
|
||||
if ( empty($post_date) )
|
||||
|
@ -4005,7 +3963,9 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
|
|||
if ( ! isset($pinged) )
|
||||
$pinged = '';
|
||||
|
||||
// expected_slashed (everything!)
|
||||
$data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) );
|
||||
$data = stripslashes_deep( $data );
|
||||
|
||||
if ( $update ) {
|
||||
$wpdb->update( $wpdb->posts, $data, array( 'ID' => $post_ID ) );
|
||||
|
@ -4050,7 +4010,7 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
|
|||
clean_post_cache( $post_ID );
|
||||
|
||||
if ( ! empty( $context ) )
|
||||
wp_add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
|
||||
add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
|
||||
|
||||
if ( $update) {
|
||||
do_action('edit_attachment', $post_ID);
|
||||
|
@ -4437,7 +4397,7 @@ function wp_check_for_changed_slugs($post_id, $post, $post_before) {
|
|||
|
||||
// if we haven't added this old slug before, add it now
|
||||
if ( !empty( $post_before->post_name ) && !in_array($post_before->post_name, $old_slugs) )
|
||||
wp_add_post_meta($post_id, '_wp_old_slug', $post_before->post_name);
|
||||
add_post_meta($post_id, '_wp_old_slug', $post_before->post_name);
|
||||
|
||||
// if the new slug was used previously, delete it from the list
|
||||
if ( in_array($post->post_name, $old_slugs) )
|
||||
|
@ -4854,8 +4814,8 @@ function _publish_post_hook($post_id) {
|
|||
return;
|
||||
|
||||
if ( get_option('default_pingback_flag') )
|
||||
wp_add_post_meta( $post_id, '_pingme', '1' );
|
||||
wp_add_post_meta( $post_id, '_encloseme', '1' );
|
||||
add_post_meta( $post_id, '_pingme', '1' );
|
||||
add_post_meta( $post_id, '_encloseme', '1' );
|
||||
|
||||
wp_schedule_single_event(time(), 'do_pings');
|
||||
}
|
||||
|
@ -4933,7 +4893,7 @@ function set_post_thumbnail( $post, $thumbnail_id ) {
|
|||
$thumbnail_id = absint( $thumbnail_id );
|
||||
if ( $post && $thumbnail_id && get_post( $thumbnail_id ) ) {
|
||||
if ( $thumbnail_html = wp_get_attachment_image( $thumbnail_id, 'thumbnail' ) )
|
||||
return wp_update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id );
|
||||
return update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id );
|
||||
else
|
||||
return delete_post_meta( $post->ID, '_thumbnail_id' );
|
||||
}
|
||||
|
|
|
@ -1733,6 +1733,7 @@ class WP_Query {
|
|||
// Category stuff
|
||||
if ( !empty($q['cat']) && '0' != $q['cat'] && !$this->is_singular && $this->query_vars_changed ) {
|
||||
$q['cat'] = ''.urldecode($q['cat']).'';
|
||||
$q['cat'] = addslashes_gpc($q['cat']);
|
||||
$cat_array = preg_split('/[,\s]+/', $q['cat']);
|
||||
$q['cat'] = '';
|
||||
$req_cats = array();
|
||||
|
@ -2186,6 +2187,8 @@ class WP_Query {
|
|||
|
||||
// If a search pattern is specified, load the posts that match
|
||||
if ( !empty($q['s']) ) {
|
||||
// added slashes screw with quote grouping when done early, so done later
|
||||
$q['s'] = stripslashes($q['s']);
|
||||
if ( empty( $_GET['s'] ) && $this->is_main_query() )
|
||||
$q['s'] = urldecode($q['s']);
|
||||
if ( !empty($q['sentence']) ) {
|
||||
|
@ -2294,6 +2297,7 @@ class WP_Query {
|
|||
$whichauthor = '';
|
||||
} else {
|
||||
$q['author'] = (string)urldecode($q['author']);
|
||||
$q['author'] = addslashes_gpc($q['author']);
|
||||
if ( strpos($q['author'], '-') !== false ) {
|
||||
$eq = '!=';
|
||||
$andor = 'AND';
|
||||
|
@ -2357,6 +2361,7 @@ class WP_Query {
|
|||
$allowed_keys[] = 'meta_value_num';
|
||||
}
|
||||
$q['orderby'] = urldecode($q['orderby']);
|
||||
$q['orderby'] = addslashes_gpc($q['orderby']);
|
||||
|
||||
$orderby_array = array();
|
||||
foreach ( explode( ' ', $q['orderby'] ) as $i => $orderby ) {
|
||||
|
|
|
@ -241,6 +241,7 @@ function _wp_put_post_revision( $post = null, $autosave = false ) {
|
|||
return new WP_Error( 'post_type', __( 'Cannot create a revision of a revision' ) );
|
||||
|
||||
$post = _wp_post_revision_fields( $post, $autosave );
|
||||
$post = add_magic_quotes($post); //since data is from db
|
||||
|
||||
$revision_id = wp_insert_post( $post );
|
||||
if ( is_wp_error($revision_id) )
|
||||
|
@ -319,6 +320,8 @@ function wp_restore_post_revision( $revision_id, $fields = null ) {
|
|||
|
||||
$update['ID'] = $revision['post_parent'];
|
||||
|
||||
$update = add_magic_quotes( $update ); //since data is from db
|
||||
|
||||
$post_id = wp_update_post( $update );
|
||||
if ( is_wp_error( $post_id ) )
|
||||
return $post_id;
|
||||
|
|
|
@ -958,6 +958,8 @@ function get_term_by($field, $value, $taxonomy, $output = OBJECT, $filter = 'raw
|
|||
if ( empty($value) )
|
||||
return false;
|
||||
} else if ( 'name' == $field ) {
|
||||
// Assume already escaped
|
||||
$value = stripslashes($value);
|
||||
$field = 't.name';
|
||||
} else {
|
||||
$term = get_term( (int) $value, $taxonomy, $output, $filter);
|
||||
|
@ -1497,7 +1499,7 @@ function term_exists($term, $taxonomy = '', $parent = 0) {
|
|||
return $wpdb->get_var( $wpdb->prepare( $select . $where, $term ) );
|
||||
}
|
||||
|
||||
$term = trim( $term );
|
||||
$term = trim( stripslashes( $term ) );
|
||||
|
||||
if ( '' === $slug = sanitize_title($term) )
|
||||
return 0;
|
||||
|
@ -2059,6 +2061,10 @@ function wp_insert_term( $term, $taxonomy, $args = array() ) {
|
|||
$args = sanitize_term($args, $taxonomy, 'db');
|
||||
extract($args, EXTR_SKIP);
|
||||
|
||||
// expected_slashed ($name)
|
||||
$name = stripslashes($name);
|
||||
$description = stripslashes($description);
|
||||
|
||||
if ( empty($slug) )
|
||||
$slug = sanitize_title($name);
|
||||
|
||||
|
@ -2438,6 +2444,9 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) {
|
|||
if ( is_wp_error( $term ) )
|
||||
return $term;
|
||||
|
||||
// Escape data pulled from DB.
|
||||
$term = add_magic_quotes($term);
|
||||
|
||||
// Merge old and new args with new args overwriting old ones.
|
||||
$args = array_merge($term, $args);
|
||||
|
||||
|
@ -2446,6 +2455,10 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) {
|
|||
$args = sanitize_term($args, $taxonomy, 'db');
|
||||
extract($args, EXTR_SKIP);
|
||||
|
||||
// expected_slashed ($name)
|
||||
$name = stripslashes($name);
|
||||
$description = stripslashes($description);
|
||||
|
||||
if ( '' == trim($name) )
|
||||
return new WP_Error('empty_term_name', __('A name is required for this term'));
|
||||
|
||||
|
|
|
@ -1390,6 +1390,7 @@ function wp_insert_user( $userdata ) {
|
|||
}
|
||||
|
||||
$data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' );
|
||||
$data = stripslashes_deep( $data );
|
||||
|
||||
if ( $update ) {
|
||||
$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
|
||||
|
@ -1461,6 +1462,9 @@ function wp_update_user($userdata) {
|
|||
$user[ $key ] = get_user_meta( $ID, $key, true );
|
||||
}
|
||||
|
||||
// Escape data pulled from DB.
|
||||
$user = add_magic_quotes( $user );
|
||||
|
||||
// If password is changing, hash it now.
|
||||
if ( ! empty($userdata['user_pass']) ) {
|
||||
$plaintext_pass = $userdata['user_pass'];
|
||||
|
@ -1500,8 +1504,8 @@ function wp_update_user($userdata) {
|
|||
* @return int The new user's ID.
|
||||
*/
|
||||
function wp_create_user($username, $password, $email = '') {
|
||||
$user_login = $username;
|
||||
$user_email = $email;
|
||||
$user_login = esc_sql( $username );
|
||||
$user_email = esc_sql( $email );
|
||||
$user_pass = $password;
|
||||
|
||||
$userdata = compact('user_login', 'user_email', 'user_pass');
|
||||
|
|
|
@ -224,7 +224,7 @@ class WP_Widget {
|
|||
}
|
||||
|
||||
foreach ( $settings as $number => $new_instance ) {
|
||||
$new_instance = wp_unslash($new_instance);
|
||||
$new_instance = stripslashes_deep($new_instance);
|
||||
$this->_set($number);
|
||||
|
||||
$old_instance = isset($all_instances[$number]) ? $all_instances[$number] : array();
|
||||
|
|
14
wp-login.php
14
wp-login.php
|
@ -399,7 +399,7 @@ case 'postpass' :
|
|||
}
|
||||
|
||||
// 10 days
|
||||
setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
|
||||
setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
|
||||
|
||||
wp_safe_redirect( wp_get_referer() );
|
||||
exit();
|
||||
|
@ -434,7 +434,7 @@ case 'retrievepassword' :
|
|||
do_action('lost_password');
|
||||
login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
|
||||
|
||||
$user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
|
||||
$user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';
|
||||
|
||||
?>
|
||||
|
||||
|
@ -533,8 +533,8 @@ case 'register' :
|
|||
$user_login = '';
|
||||
$user_email = '';
|
||||
if ( $http_post ) {
|
||||
$user_login = wp_unslash( $_POST['user_login'] );
|
||||
$user_email = wp_unslash( $_POST['user_email'] );
|
||||
$user_login = $_POST['user_login'];
|
||||
$user_email = $_POST['user_email'];
|
||||
$errors = register_new_user($user_login, $user_email);
|
||||
if ( !is_wp_error($errors) ) {
|
||||
$redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered';
|
||||
|
@ -550,11 +550,11 @@ case 'register' :
|
|||
<form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?>" method="post">
|
||||
<p>
|
||||
<label for="user_login"><?php _e('Username') ?><br />
|
||||
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" /></label>
|
||||
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" /></label>
|
||||
</p>
|
||||
<p>
|
||||
<label for="user_email"><?php _e('E-mail') ?><br />
|
||||
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( $user_email ); ?>" size="25" /></label>
|
||||
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" /></label>
|
||||
</p>
|
||||
<?php do_action('register_form'); ?>
|
||||
<p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
|
||||
|
@ -670,7 +670,7 @@ default:
|
|||
login_header(__('Log In'), '', $errors);
|
||||
|
||||
if ( isset($_POST['log']) )
|
||||
$user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : '';
|
||||
$user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : '';
|
||||
$rememberme = ! empty( $_POST['rememberme'] );
|
||||
?>
|
||||
|
||||
|
|
|
@ -202,6 +202,7 @@ for ( $i = 1; $i <= $count; $i++ ) {
|
|||
$post_category = array(get_option('default_email_category'));
|
||||
|
||||
$post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status');
|
||||
$post_data = add_magic_quotes($post_data);
|
||||
|
||||
$post_ID = wp_insert_post($post_data);
|
||||
if ( is_wp_error( $post_ID ) )
|
||||
|
|
|
@ -45,9 +45,9 @@ $tb_url = isset($_POST['url']) ? $_POST['url'] : '';
|
|||
$charset = isset($_POST['charset']) ? $_POST['charset'] : '';
|
||||
|
||||
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
|
||||
$title = isset($_POST['title']) ? wp_unslash( $_POST['title'] ) : '';
|
||||
$excerpt = isset($_POST['excerpt']) ? wp_unslash( $_POST['excerpt'] ) : '';
|
||||
$blog_name = isset($_POST['blog_name']) ? wp_unslash( $_POST['blog_name'] ) : '';
|
||||
$title = isset($_POST['title']) ? stripslashes($_POST['title']) : '';
|
||||
$excerpt = isset($_POST['excerpt']) ? stripslashes($_POST['excerpt']) : '';
|
||||
$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name']) : '';
|
||||
|
||||
if ($charset)
|
||||
$charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
|
||||
|
@ -64,6 +64,11 @@ if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
|
|||
$blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
|
||||
}
|
||||
|
||||
// Now that mb_convert_encoding() has been given a swing, we need to escape these three
|
||||
$title = $wpdb->escape($title);
|
||||
$excerpt = $wpdb->escape($excerpt);
|
||||
$blog_name = $wpdb->escape($blog_name);
|
||||
|
||||
if ( is_single() || is_page() )
|
||||
$tb_id = $posts[0]->ID;
|
||||
|
||||
|
|
Loading…
Reference in New Issue