diff --git a/wp-admin/admin.php b/wp-admin/admin.php index 1b58b4bafe..4e739c3c8d 100644 --- a/wp-admin/admin.php +++ b/wp-admin/admin.php @@ -43,7 +43,7 @@ if ( get_option('db_upgraded') ) { do_action('after_db_upgrade'); } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) { if ( !is_multisite() ) { - wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI'])))); + wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ); exit; } elseif ( apply_filters( 'do_mu_upgrade', true ) ) { /** @@ -82,7 +82,7 @@ wp_enqueue_script( 'common' ); $editing = false; if ( isset($_GET['page']) ) { - $plugin_page = stripslashes($_GET['page']); + $plugin_page = wp_unslash( $_GET['page'] ); $plugin_page = plugin_basename($plugin_page); } diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index 174cd9af11..f6dd19c0b3 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -20,9 +20,9 @@ if ( $doaction ) { check_admin_referer( 'bulk-comments' ); if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) { - $comment_status = $wpdb->escape( $_REQUEST['comment_status'] ); - $delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] ); - $comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" ); + $comment_status = $_REQUEST['comment_status']; + $delete_time = $_REQUEST['pagegen_timestamp']; + $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) ); $doaction = 'delete'; } elseif ( isset( $_REQUEST['delete_comments'] ) ) { $comment_ids = $_REQUEST['delete_comments']; @@ -95,7 +95,7 @@ if ( $doaction ) { wp_safe_redirect( $redirect_to ); exit; } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { - wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } @@ -153,7 +153,7 @@ else echo __('Comments'); if ( isset($_REQUEST['s']) && $_REQUEST['s'] ) - printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '' ); ?> + printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '' ); ?> cap->create - + comment_ID) ?>" /> - + diff --git a/wp-admin/edit-tags.php b/wp-admin/edit-tags.php index 7250a66984..8375202df2 100644 --- a/wp-admin/edit-tags.php +++ b/wp-admin/edit-tags.php @@ -164,7 +164,7 @@ break; default: if ( ! empty($_REQUEST['_wp_http_referer']) ) { - $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ); + $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ); if ( ! empty( $_REQUEST['paged'] ) ) $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] ); @@ -265,7 +265,7 @@ $messages[6] = __('Items deleted.');

' . __('Search results for “%s”') . '', esc_html( stripslashes($_REQUEST['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>

diff --git a/wp-admin/edit.php b/wp-admin/edit.php index 507c76554d..15f9702ab6 100644 --- a/wp-admin/edit.php +++ b/wp-admin/edit.php @@ -138,7 +138,7 @@ if ( $doaction ) { wp_redirect($sendback); exit(); } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) { - wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) ); + wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) ); exit; } diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php index 04d7312c1a..4c864cae49 100644 --- a/wp-admin/includes/ajax-actions.php +++ b/wp-admin/includes/ajax-actions.php @@ -59,7 +59,7 @@ function wp_ajax_ajax_tag_search() { wp_die( 0 ); } - $s = stripslashes( $_GET['q'] ); + $s = wp_unslash( $_GET['q'] ); $comma = _x( ',', 'tag delimiter' ); if ( ',' !== $comma ) @@ -572,7 +572,7 @@ function wp_ajax_add_link_category( $action ) { continue; else if ( is_array( $cat_id ) ) $cat_id = $cat_id['term_id']; - $cat_name = esc_html(stripslashes($cat_name)); + $cat_name = esc_html(wp_unslash($cat_name)); $x->add( array( 'what' => 'link-category', 'id' => $cat_id, @@ -957,8 +957,8 @@ function wp_ajax_add_meta() { ) ); } else { // Update? $mid = (int) key( $_POST['meta'] ); - $key = stripslashes( $_POST['meta'][$mid]['key'] ); - $value = stripslashes( $_POST['meta'][$mid]['value'] ); + $key = wp_unslash( $_POST['meta'][$mid]['key'] ); + $value = wp_unslash( $_POST['meta'][$mid]['value'] ); if ( '' == trim($key) ) wp_die( __( 'Please provide a custom field name.' ) ); if ( '' == trim($value) ) @@ -1227,7 +1227,7 @@ function wp_ajax_wp_link_ajax() { $args = array(); if ( isset( $_POST['search'] ) ) - $args['s'] = stripslashes( $_POST['search'] ); + $args['s'] = wp_unslash( $_POST['search'] ); $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1; require(ABSPATH . WPINC . '/class-wp-editor.php'); @@ -1328,7 +1328,7 @@ function wp_ajax_inline_save() { $data = &$_POST; $post = get_post( $post_ID, ARRAY_A ); - $post = add_magic_quotes($post); //since it is from db + $post = wp_slash($post); //since it is from db $data['content'] = $post['post_content']; $data['excerpt'] = $post['post_excerpt']; @@ -1425,7 +1425,7 @@ function wp_ajax_find_posts() { $post_types = get_post_types( array( 'public' => true ), 'objects' ); unset( $post_types['attachment'] ); - $s = stripslashes( $_POST['ps'] ); + $s = wp_unslash( $_POST['ps'] ); $searchand = $search = ''; $args = array( 'post_type' => array_keys( $post_types ), @@ -1890,7 +1890,7 @@ function wp_ajax_save_attachment() { if ( isset( $changes['alt'] ) ) { $alt = get_post_meta( $id, '_wp_attachment_image_alt', true ); - $new_alt = stripslashes( $changes['alt'] ); + $new_alt = wp_unslash( $changes['alt'] ); if ( $alt != $new_alt ) { $new_alt = wp_strip_all_tags( $new_alt, true ); update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) ); @@ -1990,7 +1990,7 @@ function wp_ajax_save_attachment_order() { function wp_ajax_send_attachment_to_editor() { check_ajax_referer( 'media-send-to-editor', 'nonce' ); - $attachment = stripslashes_deep( $_POST['attachment'] ); + $attachment = wp_unslash( $_POST['attachment'] ); $id = intval( $attachment['id'] ); @@ -2045,7 +2045,7 @@ function wp_ajax_send_attachment_to_editor() { function wp_ajax_send_link_to_editor() { check_ajax_referer( 'media-send-to-editor', 'nonce' ); - if ( ! $src = stripslashes( $_POST['src'] ) ) + if ( ! $src = wp_unslash( $_POST['src'] ) ) wp_send_json_error(); if ( ! strpos( $src, '://' ) ) @@ -2054,7 +2054,7 @@ function wp_ajax_send_link_to_editor() { if ( ! $src = esc_url_raw( $src ) ) wp_send_json_error(); - if ( ! $title = trim( stripslashes( $_POST['title'] ) ) ) + if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) ) $title = wp_basename( $src ); $html = ''; @@ -2114,7 +2114,7 @@ function wp_ajax_nopriv_heartbeat() { $screen_id = 'site'; if ( ! empty($_POST['data']) ) { - $data = stripslashes_deep( (array) $_POST['data'] ); + $data = wp_unslash( (array) $_POST['data'] ); $response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id ); } diff --git a/wp-admin/includes/bookmark.php b/wp-admin/includes/bookmark.php index 4d240b775c..0897fdc5a4 100644 --- a/wp-admin/includes/bookmark.php +++ b/wp-admin/includes/bookmark.php @@ -55,12 +55,12 @@ function edit_link( $link_id = 0 ) { function get_default_link_to_edit() { $link = new stdClass; if ( isset( $_GET['linkurl'] ) ) - $link->link_url = esc_url( $_GET['linkurl'] ); + $link->link_url = esc_url( wp_unslash( $_GET['linkurl'] ) ); else $link->link_url = ''; if ( isset( $_GET['name'] ) ) - $link->link_name = esc_attr( $_GET['name'] ); + $link->link_name = esc_attr( wp_unslash( $_GET['name'] ) ); else $link->link_name = ''; @@ -137,7 +137,7 @@ function wp_insert_link( $linkdata, $wp_error = false ) { $linkdata = wp_parse_args( $linkdata, $defaults ); $linkdata = sanitize_bookmark( $linkdata, 'db' ); - extract( stripslashes_deep( $linkdata ), EXTR_SKIP ); + extract( wp_unslash( $linkdata ), EXTR_SKIP ); $update = false; @@ -251,7 +251,7 @@ function wp_update_link( $linkdata ) { $link = get_bookmark( $link_id, ARRAY_A ); // Escape data pulled from DB. - $link = add_magic_quotes( $link ); + $link = wp_slash( $link ); // Passed link category list overwrites existing category list if not empty. if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] ) diff --git a/wp-admin/includes/class-wp-comments-list-table.php b/wp-admin/includes/class-wp-comments-list-table.php index cf0ab88a82..bd04f09be1 100644 --- a/wp-admin/includes/class-wp-comments-list-table.php +++ b/wp-admin/includes/class-wp-comments-list-table.php @@ -170,7 +170,7 @@ class WP_Comments_List_Table extends WP_List_Table { /* // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark if ( !empty( $_REQUEST['s'] ) ) - $link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link ); + $link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link ); */ $status_links[$status] = "" . sprintf( translate_nooped_plural( $label, $num_comments->$status ), diff --git a/wp-admin/includes/class-wp-ms-sites-list-table.php b/wp-admin/includes/class-wp-ms-sites-list-table.php index 371901a638..b9d68a1f35 100644 --- a/wp-admin/includes/class-wp-ms-sites-list-table.php +++ b/wp-admin/includes/class-wp-ms-sites-list-table.php @@ -29,7 +29,7 @@ class WP_MS_Sites_List_Table extends WP_List_Table { $pagenum = $this->get_pagenum(); - $s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : ''; + $s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : ''; $wild = ''; if ( false !== strpos($s, '*') ) { $wild = '%'; diff --git a/wp-admin/includes/class-wp-ms-themes-list-table.php b/wp-admin/includes/class-wp-ms-themes-list-table.php index d4190249bf..df9db5e892 100644 --- a/wp-admin/includes/class-wp-ms-themes-list-table.php +++ b/wp-admin/includes/class-wp-ms-themes-list-table.php @@ -126,7 +126,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table { function _search_callback( $theme ) { static $term; if ( is_null( $term ) ) - $term = stripslashes( $_REQUEST['s'] ); + $term = wp_unslash( $_REQUEST['s'] ); foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) { // Don't mark up; Do translate. diff --git a/wp-admin/includes/class-wp-ms-users-list-table.php b/wp-admin/includes/class-wp-ms-users-list-table.php index 6a4268f6ae..ab1ee3620e 100644 --- a/wp-admin/includes/class-wp-ms-users-list-table.php +++ b/wp-admin/includes/class-wp-ms-users-list-table.php @@ -173,10 +173,10 @@ class WP_MS_Users_List_Table extends WP_List_Table { case 'username': $avatar = get_avatar( $user->user_email, 32 ); - $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) ); + $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) ); echo ""; ?> - user_login ); ?>user_login; ?>user_login, $super_admins ) ) echo ' - ' . __( 'Super Admin' ); ?> @@ -186,7 +186,7 @@ class WP_MS_Users_List_Table extends WP_List_Table { $actions['edit'] = '' . __( 'Edit' ) . ''; if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) { - $actions['delete'] = '' . __( 'Delete' ) . ''; + $actions['delete'] = '' . __( 'Delete' ) . ''; } $actions = apply_filters( 'ms_user_row_actions', $actions, $user ); diff --git a/wp-admin/includes/class-wp-plugin-install-list-table.php b/wp-admin/includes/class-wp-plugin-install-list-table.php index aa7cffe4c9..76ef2ce2c1 100644 --- a/wp-admin/includes/class-wp-plugin-install-list-table.php +++ b/wp-admin/includes/class-wp-plugin-install-list-table.php @@ -48,8 +48,8 @@ class WP_Plugin_Install_List_Table extends WP_List_Table { switch ( $tab ) { case 'search': - $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; - $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : ''; + $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term'; + $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : ''; switch ( $type ) { case 'tag': @@ -73,7 +73,7 @@ class WP_Plugin_Install_List_Table extends WP_List_Table { break; case 'favorites': - $user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); + $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); update_user_meta( get_current_user_id(), 'wporg_favorites', $user ); if ( $user ) $args['user'] = $user; diff --git a/wp-admin/includes/class-wp-plugins-list-table.php b/wp-admin/includes/class-wp-plugins-list-table.php index ec60afdfe6..64086d8d49 100644 --- a/wp-admin/includes/class-wp-plugins-list-table.php +++ b/wp-admin/includes/class-wp-plugins-list-table.php @@ -22,7 +22,7 @@ class WP_Plugins_List_Table extends WP_List_Table { $status = $_REQUEST['plugin_status']; if ( isset($_REQUEST['s']) ) - $_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) ); + $_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) ); $page = $this->get_pagenum(); } @@ -140,7 +140,7 @@ class WP_Plugins_List_Table extends WP_List_Table { function _search_callback( $plugin ) { static $term; if ( is_null( $term ) ) - $term = stripslashes( $_REQUEST['s'] ); + $term = wp_unslash( $_REQUEST['s'] ); foreach ( $plugin as $value ) if ( stripos( $value, $term ) !== false ) diff --git a/wp-admin/includes/class-wp-terms-list-table.php b/wp-admin/includes/class-wp-terms-list-table.php index 85010105cd..de8d8d32c1 100644 --- a/wp-admin/includes/class-wp-terms-list-table.php +++ b/wp-admin/includes/class-wp-terms-list-table.php @@ -52,7 +52,7 @@ class WP_Terms_List_Table extends WP_List_Table { $tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter } - $search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : ''; + $search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : ''; $args = array( 'search' => $search, @@ -61,10 +61,10 @@ class WP_Terms_List_Table extends WP_List_Table { ); if ( !empty( $_REQUEST['orderby'] ) ) - $args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) ); + $args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) ); if ( !empty( $_REQUEST['order'] ) ) - $args['order'] = trim( stripslashes( $_REQUEST['order'] ) ); + $args['order'] = trim( wp_unslash( $_REQUEST['order'] ) ); $this->callback_args = $args; diff --git a/wp-admin/includes/class-wp-theme-install-list-table.php b/wp-admin/includes/class-wp-theme-install-list-table.php index 8aa892929d..5bc80502f6 100644 --- a/wp-admin/includes/class-wp-theme-install-list-table.php +++ b/wp-admin/includes/class-wp-theme-install-list-table.php @@ -24,7 +24,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table { $search_terms = array(); $search_string = ''; if ( ! empty( $_REQUEST['s'] ) ){ - $search_string = strtolower( stripslashes( $_REQUEST['s'] ) ); + $search_string = strtolower( wp_unslash( $_REQUEST['s'] ) ); $search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) ); } @@ -59,7 +59,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table { switch ( $tab ) { case 'search': - $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; + $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term'; switch ( $type ) { case 'tag': $args['tag'] = array_map( 'sanitize_key', $search_terms ); diff --git a/wp-admin/includes/class-wp-themes-list-table.php b/wp-admin/includes/class-wp-themes-list-table.php index 420495efe3..684bd8be00 100644 --- a/wp-admin/includes/class-wp-themes-list-table.php +++ b/wp-admin/includes/class-wp-themes-list-table.php @@ -28,7 +28,7 @@ class WP_Themes_List_Table extends WP_List_Table { $themes = wp_get_themes( array( 'allowed' => true ) ); if ( ! empty( $_REQUEST['s'] ) ) - $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) ); + $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) ); if ( ! empty( $_REQUEST['features'] ) ) $this->features = $_REQUEST['features']; @@ -235,7 +235,7 @@ class WP_Themes_List_Table extends WP_List_Table { * @uses _pagination_args['total_pages'] */ function _js_vars( $extra_args = array() ) { - $search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : ''; + $search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : ''; $args = array( 'search' => $search_string, diff --git a/wp-admin/includes/class-wp-upgrader.php b/wp-admin/includes/class-wp-upgrader.php index c9bfec3dc4..a42ab3fdfd 100644 --- a/wp-admin/includes/class-wp-upgrader.php +++ b/wp-admin/includes/class-wp-upgrader.php @@ -1427,7 +1427,7 @@ class Plugin_Installer_Skin extends WP_Upgrader_Skin { $install_actions = array(); - $from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins'; + $from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins'; if ( 'import' == $from ) $install_actions['activate_plugin'] = '' . __('Activate Plugin & Run Importer') . ''; diff --git a/wp-admin/includes/class-wp-users-list-table.php b/wp-admin/includes/class-wp-users-list-table.php index 10802c110c..3071fa97af 100644 --- a/wp-admin/includes/class-wp-users-list-table.php +++ b/wp-admin/includes/class-wp-users-list-table.php @@ -241,7 +241,7 @@ class WP_Users_List_Table extends WP_List_Table { // Check if the user for this row is editable if ( current_user_can( 'list_users' ) ) { // Set up the user editing link - $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) ); + $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) ); // Set up the hover actions for this user $actions = array(); diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php index ee41d53e7b..5576d510b0 100644 --- a/wp-admin/includes/dashboard.php +++ b/wp-admin/includes/dashboard.php @@ -1093,7 +1093,7 @@ function wp_dashboard_rss_control( $widget_id, $form_inputs = array() ) { $widget_options[$widget_id]['number'] = $number; if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) { - $_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] ); + $_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] ); $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] ); // title is optional. If black, fill it if possible if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) { diff --git a/wp-admin/includes/deprecated.php b/wp-admin/includes/deprecated.php index 8513cada32..55f5d2a8fc 100644 --- a/wp-admin/includes/deprecated.php +++ b/wp-admin/includes/deprecated.php @@ -472,7 +472,7 @@ class WP_User_Search { function WP_User_Search ($search_term = '', $page = '', $role = '') { _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' ); - $this->search_term = stripslashes( $search_term ); + $this->search_term = wp_unslash( $search_term ); $this->raw_page = ( '' == $page ) ? false : (int) $page; $this->page = (int) ( '' == $page ) ? 1 : $page; $this->role = $role; @@ -551,7 +551,7 @@ class WP_User_Search { * @access public */ function prepare_vars_for_template_usage() { - $this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone + $this->search_term = wp_unslash($this->search_term); // done with DB, from now on we want slashes gone } /** diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php index 05eaf82527..eac8ab53a5 100644 --- a/wp-admin/includes/file.php +++ b/wp-admin/includes/file.php @@ -901,13 +901,13 @@ function request_filesystem_credentials($form_post, $type = '', $error = false, $credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => '')); // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option) - $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']); - $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']); - $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : ''); + $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']); + $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']); + $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : ''); // Check to see if we are setting the public/private keys for ssh - $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : ''); - $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : ''); + $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : ''); + $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : ''); //sanitize the hostname, Some people might pass in odd-data: $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off @@ -925,7 +925,7 @@ function request_filesystem_credentials($form_post, $type = '', $error = false, else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL $credentials['connection_type'] = 'ftps'; else if ( !empty($_POST['connection_type']) ) - $credentials['connection_type'] = stripslashes($_POST['connection_type']); + $credentials['connection_type'] = wp_unslash( $_POST['connection_type'] ); else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP $credentials['connection_type'] = 'ftp'; @@ -1050,7 +1050,7 @@ jQuery(function($){ '; + echo ''; } submit_button( __( 'Proceed' ), 'button', 'upgrade' ); ?> diff --git a/wp-admin/includes/image-edit.php b/wp-admin/includes/image-edit.php index 01bce7bd97..b24d4f4a4c 100644 --- a/wp-admin/includes/image-edit.php +++ b/wp-admin/includes/image-edit.php @@ -454,7 +454,7 @@ function stream_preview_image( $post_id ) { if ( is_wp_error( $img ) ) return false; - $changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null; + $changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash($_REQUEST['history']) ) : null; if ( $changes ) $img = image_edit_apply_changes( $img, $changes ); @@ -587,7 +587,7 @@ function wp_save_image( $post_id ) { return $return; } } elseif ( !empty($_REQUEST['history']) ) { - $changes = json_decode( stripslashes($_REQUEST['history']) ); + $changes = json_decode( wp_unslash($_REQUEST['history']) ); if ( $changes ) $img = image_edit_apply_changes($img, $changes); } else { diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index 814cae9f9e..607435a8c2 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php @@ -468,8 +468,8 @@ function media_upload_form_handler() { if ( isset($attachment['image_alt']) ) { $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true); - if ( $image_alt != stripslashes($attachment['image_alt']) ) { - $image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true ); + if ( $image_alt != wp_unslash($attachment['image_alt']) ) { + $image_alt = wp_strip_all_tags( wp_unslash($attachment['image_alt']), true ); // update_meta expects slashed update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) ); } @@ -501,7 +501,7 @@ function media_upload_form_handler() { } if ( isset($send_id) ) { - $attachment = stripslashes_deep( $_POST['attachments'][$send_id] ); + $attachment = wp_unslash( $_POST['attachments'][$send_id] ); $html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : ''; if ( !empty($attachment['url']) ) { @@ -546,7 +546,7 @@ function wp_media_upload_handler() { $src = "http://$src"; if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) { - $title = esc_html( stripslashes( $_POST['title'] ) ); + $title = esc_html( wp_unslash( $_POST['title'] ) ); if ( empty( $title ) ) $title = esc_html( basename( $src ) ); @@ -561,9 +561,9 @@ function wp_media_upload_handler() { $html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title ); } else { $align = ''; - $alt = esc_attr( stripslashes( $_POST['alt'] ) ); + $alt = esc_attr( wp_unslash( $_POST['alt'] ) ); if ( isset($_POST['align']) ) { - $align = esc_attr( stripslashes( $_POST['align'] ) ); + $align = esc_attr( wp_unslash( $_POST['align'] ) ); $class = " class='align$align'"; } if ( !empty($src) ) diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php index b450e2c3ff..2efa458a83 100644 --- a/wp-admin/includes/misc.php +++ b/wp-admin/includes/misc.php @@ -220,7 +220,7 @@ add_action( 'update_option_page_on_front', 'update_home_siteurl', 10, 2 ); * @return string */ function url_shorten( $url ) { - $short_url = str_replace( 'http://', '', stripslashes( $url )); + $short_url = str_replace( 'http://', '', wp_unslash( $url )); $short_url = str_replace( 'www.', '', $short_url ); $short_url = untrailingslashit( $short_url ); if ( strlen( $short_url ) > 35 ) diff --git a/wp-admin/includes/plugin-install.php b/wp-admin/includes/plugin-install.php index 63a5f711f2..32b4c676cb 100644 --- a/wp-admin/includes/plugin-install.php +++ b/wp-admin/includes/plugin-install.php @@ -116,8 +116,8 @@ add_action('install_plugins_dashboard', 'install_dashboard'); * @since 2.7.0 */ function install_search_form( $type_selector = true ) { - $type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term'; - $term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : ''; + $type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term'; + $term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : ''; ?>
@@ -160,7 +160,7 @@ add_action('install_plugins_upload', 'install_plugins_upload', 10, 1); * */ function install_plugins_favorites_form() { - $user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); + $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); ?>

@@ -251,7 +251,7 @@ function install_plugin_install_status($api, $loop = false) { } } if ( isset($_GET['from']) ) - $url .= '&from=' . urlencode(stripslashes($_GET['from'])); + $url .= '&from=' . urlencode( wp_unslash( $_GET['from'] ) ); return compact('status', 'url', 'version'); } @@ -264,7 +264,7 @@ function install_plugin_install_status($api, $loop = false) { function install_plugin_information() { global $tab; - $api = plugins_api('plugin_information', array('slug' => stripslashes( $_REQUEST['plugin'] ) )); + $api = plugins_api('plugin_information', array('slug' => wp_unslash( $_REQUEST['plugin'] ) )); if ( is_wp_error($api) ) wp_die($api); @@ -295,7 +295,7 @@ function install_plugin_information() { $api->$key = wp_kses( $api->$key, $plugins_allowedtags ); } - $section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English. + $section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English. if ( empty($section) || ! isset($api->sections[ $section ]) ) $section = array_shift( $section_titles = array_keys((array)$api->sections) ); diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index 8c45f6c63c..35b592b033 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -197,7 +197,7 @@ function edit_post( $post_data = null ) { } if ( isset( $post_data[ '_wp_format_url' ] ) ) { - update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( stripslashes( $post_data['_wp_format_url'] ) ) ) ); + update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( wp_unslash( $post_data['_wp_format_url'] ) ) ) ); } $format_keys = array( 'quote', 'quote_source', 'image', 'gallery', 'media' ); @@ -236,8 +236,8 @@ function edit_post( $post_data = null ) { if ( 'attachment' == $post_data['post_type'] ) { if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) { $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true ); - if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) { - $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true ); + if ( $image_alt != wp_unslash( $post_data['_wp_attachment_image_alt'] ) ) { + $image_alt = wp_strip_all_tags( wp_unslash( $post_data['_wp_attachment_image_alt'] ), true ); // update_meta expects slashed update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) ); } @@ -430,15 +430,15 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false ) $post_title = ''; if ( !empty( $_REQUEST['post_title'] ) ) - $post_title = esc_html( stripslashes( $_REQUEST['post_title'] )); + $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] )); $post_content = ''; if ( !empty( $_REQUEST['content'] ) ) - $post_content = esc_html( stripslashes( $_REQUEST['content'] )); + $post_content = esc_html( wp_unslash( $_REQUEST['content'] )); $post_excerpt = ''; if ( !empty( $_REQUEST['excerpt'] ) ) - $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] )); + $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] )); if ( $create_in_db ) { $post_id = wp_insert_post( array( 'post_title' => __( 'Auto Draft' ), 'post_type' => $post_type, 'post_status' => 'auto-draft' ) ); @@ -487,9 +487,9 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false ) function post_exists($title, $content = '', $date = '') { global $wpdb; - $post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) ); - $post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) ); - $post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) ); + $post_title = wp_unslash( sanitize_post_field( 'post_title', $title, 0, 'db' ) ); + $post_content = wp_unslash( sanitize_post_field( 'post_content', $content, 0, 'db' ) ); + $post_date = wp_unslash( sanitize_post_field( 'post_date', $date, 0, 'db' ) ); $query = "SELECT ID FROM $wpdb->posts WHERE 1=1"; $args = array(); @@ -620,8 +620,8 @@ function add_meta( $post_ID ) { global $wpdb; $post_ID = (int) $post_ID; - $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; - $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; + $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : ''; + $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : ''; $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : ''; if ( is_string( $metavalue ) ) $metavalue = trim( $metavalue ); @@ -719,8 +719,8 @@ function has_meta( $postid ) { * @return unknown */ function update_meta( $meta_id, $meta_key, $meta_value ) { - $meta_key = stripslashes( $meta_key ); - $meta_value = stripslashes_deep( $meta_value ); + $meta_key = wp_unslash( $meta_key ); + $meta_value = wp_unslash( $meta_value ); return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key ); } @@ -1245,7 +1245,7 @@ function wp_create_post_autosave( $post_id ) { } // _wp_put_post_revision() expects unescaped. - $_POST = stripslashes_deep($_POST); + $_POST = wp_unslash($_POST); // Otherwise create the new autosave as a special post revision return _wp_put_post_revision( $_POST, true ); diff --git a/wp-admin/includes/taxonomy.php b/wp-admin/includes/taxonomy.php index 7423cf9214..fdc6d64d55 100644 --- a/wp-admin/includes/taxonomy.php +++ b/wp-admin/includes/taxonomy.php @@ -158,7 +158,7 @@ function wp_update_category($catarr) { $category = get_category($cat_ID, ARRAY_A); // Escape data pulled from DB. - $category = add_magic_quotes($category); + $category = wp_slash($category); // Merge old and new fields with new fields overwriting old ones. $catarr = array_merge($category, $catarr);