WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes(). 

see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Ryan Boren 2013-03-01 17:00:25 +00:00
parent 0f3a60ae04
commit 5f809d1d22
28 changed files with 88 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
wp-admin/admin.php
View File

@ -43,7 +43,7 @@ if ( get_option('db_upgraded') ) {
do_action('after_db_upgrade'); do_action('after_db_upgrade');
} elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) { } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
if ( !is_multisite() ) { if ( !is_multisite() ) {
wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI'])))); wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
exit; exit;
} elseif ( apply_filters( 'do_mu_upgrade', true ) ) { } elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
/** /**
@ -82,7 +82,7 @@ wp_enqueue_script( 'common' );
$editing = false; $editing = false;
if ( isset($_GET['page']) ) { if ( isset($_GET['page']) ) {
$plugin_page = stripslashes($_GET['page']); $plugin_page = wp_unslash( $_GET['page'] );
$plugin_page = plugin_basename($plugin_page); $plugin_page = plugin_basename($plugin_page);
} }

10
wp-admin/edit-comments.php
View File

@ -20,9 +20,9 @@ if ( $doaction ) {
check_admin_referer( 'bulk-comments' ); check_admin_referer( 'bulk-comments' );
if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) { if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
$comment_status = $wpdb->escape( $_REQUEST['comment_status'] ); $comment_status = $_REQUEST['comment_status'];
$delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] ); $delete_time = $_REQUEST['pagegen_timestamp'];
$comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" ); $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
$doaction = 'delete'; $doaction = 'delete';
} elseif ( isset( $_REQUEST['delete_comments'] ) ) { } elseif ( isset( $_REQUEST['delete_comments'] ) ) {
$comment_ids = $_REQUEST['delete_comments']; $comment_ids = $_REQUEST['delete_comments'];
@ -95,7 +95,7 @@ if ( $doaction ) {
wp_safe_redirect( $redirect_to ); wp_safe_redirect( $redirect_to );
exit; exit;
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
exit; exit;
} }
@ -153,7 +153,7 @@ else
echo __('Comments'); echo __('Comments');
if ( isset($_REQUEST['s']) && $_REQUEST['s'] ) if ( isset($_REQUEST['s']) && $_REQUEST['s'] )
printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?> printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
</h2> </h2>
<?php <?php

2
wp-admin/edit-form-advanced.php
View File

@ -314,7 +314,7 @@ if ( isset( $post_new_file ) && current_user_can( $post_type_object->cap->create
<input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" /> <input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
<input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" /> <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" />
<input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" /> <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" />
<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" /> <input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" />
<?php if ( ! empty( $active_post_lock ) ) { ?> <?php if ( ! empty( $active_post_lock ) ) { ?>
<input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" /> <input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" />
<?php <?php

2
wp-admin/edit-form-comment.php
View File

@ -132,7 +132,7 @@ do_meta_boxes(null, 'normal', $comment);
<input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" /> <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
<input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" /> <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" /> <input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" />
<?php wp_original_referer_field(true, 'previous'); ?> <?php wp_original_referer_field(true, 'previous'); ?>
<input type="hidden" name="noredir" value="1" /> <input type="hidden" name="noredir" value="1" />

4
wp-admin/edit-tags.php
View File

@ -164,7 +164,7 @@ break;
default: default:
if ( ! empty($_REQUEST['_wp_http_referer']) ) { if ( ! empty($_REQUEST['_wp_http_referer']) ) {
$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ); $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) );
if ( ! empty( $_REQUEST['paged'] ) ) if ( ! empty( $_REQUEST['paged'] ) )
$location = add_query_arg( 'paged', (int) $_REQUEST['paged'] ); $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] );
@ -265,7 +265,7 @@ $messages[6] = __('Items deleted.');
<?php screen_icon(); ?> <?php screen_icon(); ?>
<h2><?php echo esc_html( $title ); <h2><?php echo esc_html( $title );
if ( !empty($_REQUEST['s']) ) if ( !empty($_REQUEST['s']) )
printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?> printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
</h2> </h2>
<?php if ( isset($_REQUEST['message']) && ( $msg = (int) $_REQUEST['message'] ) ) : ?> <?php if ( isset($_REQUEST['message']) && ( $msg = (int) $_REQUEST['message'] ) ) : ?>

2
wp-admin/edit.php
View File

@ -138,7 +138,7 @@ if ( $doaction ) {
wp_redirect($sendback); wp_redirect($sendback);
exit(); exit();
} elseif ( ! empty($_REQUEST['_wp_http_referer']) ) { } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) ); wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );
exit; exit;
} }

24
wp-admin/includes/ajax-actions.php
View File

@ -59,7 +59,7 @@ function wp_ajax_ajax_tag_search() {
wp_die( 0 ); wp_die( 0 );
} }
$s = stripslashes( $_GET['q'] ); $s = wp_unslash( $_GET['q'] );
$comma = _x( ',', 'tag delimiter' ); $comma = _x( ',', 'tag delimiter' );
if ( ',' !== $comma ) if ( ',' !== $comma )
@ -572,7 +572,7 @@ function wp_ajax_add_link_category( $action ) {
continue; continue;
else if ( is_array( $cat_id ) ) else if ( is_array( $cat_id ) )
$cat_id = $cat_id['term_id']; $cat_id = $cat_id['term_id'];
$cat_name = esc_html(stripslashes($cat_name)); $cat_name = esc_html(wp_unslash($cat_name));
$x->add( array( $x->add( array(
'what' => 'link-category', 'what' => 'link-category',
'id' => $cat_id, 'id' => $cat_id,
@ -957,8 +957,8 @@ function wp_ajax_add_meta() {
) ); ) );
} else { // Update? } else { // Update?
$mid = (int) key( $_POST['meta'] ); $mid = (int) key( $_POST['meta'] );
$key = stripslashes( $_POST['meta'][$mid]['key'] ); $key = wp_unslash( $_POST['meta'][$mid]['key'] );
$value = stripslashes( $_POST['meta'][$mid]['value'] ); $value = wp_unslash( $_POST['meta'][$mid]['value'] );
if ( '' == trim($key) ) if ( '' == trim($key) )
wp_die( __( 'Please provide a custom field name.' ) ); wp_die( __( 'Please provide a custom field name.' ) );
if ( '' == trim($value) ) if ( '' == trim($value) )
@ -1227,7 +1227,7 @@ function wp_ajax_wp_link_ajax() {
$args = array(); $args = array();
if ( isset( $_POST['search'] ) ) if ( isset( $_POST['search'] ) )
$args['s'] = stripslashes( $_POST['search'] ); $args['s'] = wp_unslash( $_POST['search'] );
$args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1; $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
require(ABSPATH . WPINC . '/class-wp-editor.php'); require(ABSPATH . WPINC . '/class-wp-editor.php');
@ -1328,7 +1328,7 @@ function wp_ajax_inline_save() {
$data = &$_POST; $data = &$_POST;
$post = get_post( $post_ID, ARRAY_A ); $post = get_post( $post_ID, ARRAY_A );
$post = add_magic_quotes($post); //since it is from db $post = wp_slash($post); //since it is from db
$data['content'] = $post['post_content']; $data['content'] = $post['post_content'];
$data['excerpt'] = $post['post_excerpt']; $data['excerpt'] = $post['post_excerpt'];
@ -1425,7 +1425,7 @@ function wp_ajax_find_posts() {
$post_types = get_post_types( array( 'public' => true ), 'objects' ); $post_types = get_post_types( array( 'public' => true ), 'objects' );
unset( $post_types['attachment'] ); unset( $post_types['attachment'] );
$s = stripslashes( $_POST['ps'] ); $s = wp_unslash( $_POST['ps'] );
$searchand = $search = ''; $searchand = $search = '';
$args = array( $args = array(
'post_type' => array_keys( $post_types ), 'post_type' => array_keys( $post_types ),
@ -1890,7 +1890,7 @@ function wp_ajax_save_attachment() {
if ( isset( $changes['alt'] ) ) { if ( isset( $changes['alt'] ) ) {
$alt = get_post_meta( $id, '_wp_attachment_image_alt', true ); $alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
$new_alt = stripslashes( $changes['alt'] ); $new_alt = wp_unslash( $changes['alt'] );
if ( $alt != $new_alt ) { if ( $alt != $new_alt ) {
$new_alt = wp_strip_all_tags( $new_alt, true ); $new_alt = wp_strip_all_tags( $new_alt, true );
update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) ); update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) );
@ -1990,7 +1990,7 @@ function wp_ajax_save_attachment_order() {
function wp_ajax_send_attachment_to_editor() { function wp_ajax_send_attachment_to_editor() {
check_ajax_referer( 'media-send-to-editor', 'nonce' ); check_ajax_referer( 'media-send-to-editor', 'nonce' );
$attachment = stripslashes_deep( $_POST['attachment'] ); $attachment = wp_unslash( $_POST['attachment'] );
$id = intval( $attachment['id'] ); $id = intval( $attachment['id'] );
@ -2045,7 +2045,7 @@ function wp_ajax_send_attachment_to_editor() {
function wp_ajax_send_link_to_editor() { function wp_ajax_send_link_to_editor() {
check_ajax_referer( 'media-send-to-editor', 'nonce' ); check_ajax_referer( 'media-send-to-editor', 'nonce' );
if ( ! $src = stripslashes( $_POST['src'] ) ) if ( ! $src = wp_unslash( $_POST['src'] ) )
wp_send_json_error(); wp_send_json_error();
if ( ! strpos( $src, '://' ) ) if ( ! strpos( $src, '://' ) )
@ -2054,7 +2054,7 @@ function wp_ajax_send_link_to_editor() {
if ( ! $src = esc_url_raw( $src ) ) if ( ! $src = esc_url_raw( $src ) )
wp_send_json_error(); wp_send_json_error();
if ( ! $title = trim( stripslashes( $_POST['title'] ) ) ) if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
$title = wp_basename( $src ); $title = wp_basename( $src );
$html = ''; $html = '';
@ -2114,7 +2114,7 @@ function wp_ajax_nopriv_heartbeat() {
$screen_id = 'site'; $screen_id = 'site';
if ( ! empty($_POST['data']) ) { if ( ! empty($_POST['data']) ) {
$data = stripslashes_deep( (array) $_POST['data'] ); $data = wp_unslash( (array) $_POST['data'] );
$response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id ); $response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id );
} }

8
wp-admin/includes/bookmark.php
View File

@ -55,12 +55,12 @@ function edit_link( $link_id = 0 ) {
function get_default_link_to_edit() { function get_default_link_to_edit() {
$link = new stdClass; $link = new stdClass;
if ( isset( $_GET['linkurl'] ) ) if ( isset( $_GET['linkurl'] ) )
$link->link_url = esc_url( $_GET['linkurl'] ); $link->link_url = esc_url( wp_unslash( $_GET['linkurl'] ) );
else else
$link->link_url = ''; $link->link_url = '';
if ( isset( $_GET['name'] ) ) if ( isset( $_GET['name'] ) )
$link->link_name = esc_attr( $_GET['name'] ); $link->link_name = esc_attr( wp_unslash( $_GET['name'] ) );
else else
$link->link_name = ''; $link->link_name = '';
@ -137,7 +137,7 @@ function wp_insert_link( $linkdata, $wp_error = false ) {
$linkdata = wp_parse_args( $linkdata, $defaults ); $linkdata = wp_parse_args( $linkdata, $defaults );
$linkdata = sanitize_bookmark( $linkdata, 'db' ); $linkdata = sanitize_bookmark( $linkdata, 'db' );
extract( stripslashes_deep( $linkdata ), EXTR_SKIP ); extract( wp_unslash( $linkdata ), EXTR_SKIP );
$update = false; $update = false;
@ -251,7 +251,7 @@ function wp_update_link( $linkdata ) {
$link = get_bookmark( $link_id, ARRAY_A ); $link = get_bookmark( $link_id, ARRAY_A );
// Escape data pulled from DB. // Escape data pulled from DB.
$link = add_magic_quotes( $link ); $link = wp_slash( $link );
// Passed link category list overwrites existing category list if not empty. // Passed link category list overwrites existing category list if not empty.
if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] ) if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] )

2
wp-admin/includes/class-wp-comments-list-table.php
View File

@ -170,7 +170,7 @@ class WP_Comments_List_Table extends WP_List_Table {
/* /*
// I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
if ( !empty( $_REQUEST['s'] ) ) if ( !empty( $_REQUEST['s'] ) )
$link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link ); $link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link );
*/ */
$status_links[$status] = "<a href='$link'$class>" . sprintf( $status_links[$status] = "<a href='$link'$class>" . sprintf(
translate_nooped_plural( $label, $num_comments->$status ), translate_nooped_plural( $label, $num_comments->$status ),

2
wp-admin/includes/class-wp-ms-sites-list-table.php
View File

@ -29,7 +29,7 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
$pagenum = $this->get_pagenum(); $pagenum = $this->get_pagenum();
$s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : ''; $s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : '';
$wild = ''; $wild = '';
if ( false !== strpos($s, '*') ) { if ( false !== strpos($s, '*') ) {
$wild = '%'; $wild = '%';

2
wp-admin/includes/class-wp-ms-themes-list-table.php
View File

@ -126,7 +126,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
function _search_callback( $theme ) { function _search_callback( $theme ) {
static $term; static $term;
if ( is_null( $term ) ) if ( is_null( $term ) )
$term = stripslashes( $_REQUEST['s'] ); $term = wp_unslash( $_REQUEST['s'] );
foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) { foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) {
// Don't mark up; Do translate. // Don't mark up; Do translate.

6
wp-admin/includes/class-wp-ms-users-list-table.php
View File

@ -173,10 +173,10 @@ class WP_MS_Users_List_Table extends WP_List_Table {
case 'username': case 'username':
$avatar = get_avatar( $user->user_email, 32 ); $avatar = get_avatar( $user->user_email, 32 );
$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) ); $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
echo "<td $attributes>"; ?> echo "<td $attributes>"; ?>
<?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo stripslashes( $user->user_login ); ?></a><?php <?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo $user->user_login; ?></a><?php
if ( in_array( $user->user_login, $super_admins ) ) if ( in_array( $user->user_login, $super_admins ) )
echo ' - ' . __( 'Super Admin' ); echo ' - ' . __( 'Super Admin' );
?></strong> ?></strong>
@ -186,7 +186,7 @@ class WP_MS_Users_List_Table extends WP_List_Table {
$actions['edit'] = '<a href="' . $edit_link . '">' . __( 'Edit' ) . '</a>'; $actions['edit'] = '<a href="' . $edit_link . '">' . __( 'Edit' ) . '</a>';
if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) { if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) {
$actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>'; $actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
} }
$actions = apply_filters( 'ms_user_row_actions', $actions, $user ); $actions = apply_filters( 'ms_user_row_actions', $actions, $user );

6
wp-admin/includes/class-wp-plugin-install-list-table.php
View File

@ -48,8 +48,8 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
switch ( $tab ) { switch ( $tab ) {
case 'search': case 'search':
$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
$term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : ''; $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
switch ( $type ) { switch ( $type ) {
case 'tag': case 'tag':
@ -73,7 +73,7 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
break; break;
case 'favorites': case 'favorites':
$user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
update_user_meta( get_current_user_id(), 'wporg_favorites', $user ); update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
if ( $user ) if ( $user )
$args['user'] = $user; $args['user'] = $user;

4
wp-admin/includes/class-wp-plugins-list-table.php
View File

@ -22,7 +22,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
$status = $_REQUEST['plugin_status']; $status = $_REQUEST['plugin_status'];
if ( isset($_REQUEST['s']) ) if ( isset($_REQUEST['s']) )
$_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) ); $_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) );
$page = $this->get_pagenum(); $page = $this->get_pagenum();
} }
@ -140,7 +140,7 @@ class WP_Plugins_List_Table extends WP_List_Table {
function _search_callback( $plugin ) { function _search_callback( $plugin ) {
static $term; static $term;
if ( is_null( $term ) ) if ( is_null( $term ) )
$term = stripslashes( $_REQUEST['s'] ); $term = wp_unslash( $_REQUEST['s'] );
foreach ( $plugin as $value ) foreach ( $plugin as $value )
if ( stripos( $value, $term ) !== false ) if ( stripos( $value, $term ) !== false )

6
wp-admin/includes/class-wp-terms-list-table.php
View File

@ -52,7 +52,7 @@ class WP_Terms_List_Table extends WP_List_Table {
$tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter $tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter
} }
$search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : ''; $search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';
$args = array( $args = array(
'search' => $search, 'search' => $search,
@ -61,10 +61,10 @@ class WP_Terms_List_Table extends WP_List_Table {
); );
if ( !empty( $_REQUEST['orderby'] ) ) if ( !empty( $_REQUEST['orderby'] ) )
$args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) ); $args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
if ( !empty( $_REQUEST['order'] ) ) if ( !empty( $_REQUEST['order'] ) )
$args['order'] = trim( stripslashes( $_REQUEST['order'] ) ); $args['order'] = trim( wp_unslash( $_REQUEST['order'] ) );
$this->callback_args = $args; $this->callback_args = $args;

4
wp-admin/includes/class-wp-theme-install-list-table.php
View File

@ -24,7 +24,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
$search_terms = array(); $search_terms = array();
$search_string = ''; $search_string = '';
if ( ! empty( $_REQUEST['s'] ) ){ if ( ! empty( $_REQUEST['s'] ) ){
$search_string = strtolower( stripslashes( $_REQUEST['s'] ) ); $search_string = strtolower( wp_unslash( $_REQUEST['s'] ) );
$search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) ); $search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) );
} }
@ -59,7 +59,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
switch ( $tab ) { switch ( $tab ) {
case 'search': case 'search':
$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
switch ( $type ) { switch ( $type ) {
case 'tag': case 'tag':
$args['tag'] = array_map( 'sanitize_key', $search_terms ); $args['tag'] = array_map( 'sanitize_key', $search_terms );

4
wp-admin/includes/class-wp-themes-list-table.php
View File

@ -28,7 +28,7 @@ class WP_Themes_List_Table extends WP_List_Table {
$themes = wp_get_themes( array( 'allowed' => true ) ); $themes = wp_get_themes( array( 'allowed' => true ) );
if ( ! empty( $_REQUEST['s'] ) ) if ( ! empty( $_REQUEST['s'] ) )
$this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) ); $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) );
if ( ! empty( $_REQUEST['features'] ) ) if ( ! empty( $_REQUEST['features'] ) )
$this->features = $_REQUEST['features']; $this->features = $_REQUEST['features'];
@ -235,7 +235,7 @@ class WP_Themes_List_Table extends WP_List_Table {
* @uses _pagination_args['total_pages'] * @uses _pagination_args['total_pages']
*/ */
function _js_vars( $extra_args = array() ) { function _js_vars( $extra_args = array() ) {
$search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : ''; $search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
$args = array( $args = array(
'search' => $search_string, 'search' => $search_string,

2
wp-admin/includes/class-wp-upgrader.php
View File

@ -1427,7 +1427,7 @@ class Plugin_Installer_Skin extends WP_Upgrader_Skin {
$install_actions = array(); $install_actions = array();
$from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins'; $from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
if ( 'import' == $from ) if ( 'import' == $from )
$install_actions['activate_plugin'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;from=import&amp;plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin &amp; Run Importer') . '</a>'; $install_actions['activate_plugin'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;from=import&amp;plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin &amp; Run Importer') . '</a>';

2
wp-admin/includes/class-wp-users-list-table.php
View File

@ -241,7 +241,7 @@ class WP_Users_List_Table extends WP_List_Table {
// Check if the user for this row is editable // Check if the user for this row is editable
if ( current_user_can( 'list_users' ) ) { if ( current_user_can( 'list_users' ) ) {
// Set up the user editing link // Set up the user editing link
$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) ); $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
// Set up the hover actions for this user // Set up the hover actions for this user
$actions = array(); $actions = array();

2
wp-admin/includes/dashboard.php
View File

@ -1093,7 +1093,7 @@ function wp_dashboard_rss_control( $widget_id, $form_inputs = array() ) {
$widget_options[$widget_id]['number'] = $number; $widget_options[$widget_id]['number'] = $number;
if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) { if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) {
$_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] ); $_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] );
$widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] ); $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] );
// title is optional. If black, fill it if possible // title is optional. If black, fill it if possible
if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) { if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) {

4
wp-admin/includes/deprecated.php
View File

@ -472,7 +472,7 @@ class WP_User_Search {
function WP_User_Search ($search_term = '', $page = '', $role = '') { function WP_User_Search ($search_term = '', $page = '', $role = '') {
_deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' ); _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
$this->search_term = stripslashes( $search_term ); $this->search_term = wp_unslash( $search_term );
$this->raw_page = ( '' == $page ) ? false : (int) $page; $this->raw_page = ( '' == $page ) ? false : (int) $page;
$this->page = (int) ( '' == $page ) ? 1 : $page; $this->page = (int) ( '' == $page ) ? 1 : $page;
$this->role = $role; $this->role = $role;
@ -551,7 +551,7 @@ class WP_User_Search {
* @access public * @access public
*/ */
function prepare_vars_for_template_usage() { function prepare_vars_for_template_usage() {
$this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone $this->search_term = wp_unslash($this->search_term); // done with DB, from now on we want slashes gone
} }
/** /**

14
wp-admin/includes/file.php
View File

@ -901,13 +901,13 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
$credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => '')); $credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => ''));
// If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option) // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']); $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']); $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : ''); $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
// Check to see if we are setting the public/private keys for ssh // Check to see if we are setting the public/private keys for ssh
$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : ''); $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : ''); $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
//sanitize the hostname, Some people might pass in odd-data: //sanitize the hostname, Some people might pass in odd-data:
$credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
@ -925,7 +925,7 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL
$credentials['connection_type'] = 'ftps'; $credentials['connection_type'] = 'ftps';
else if ( !empty($_POST['connection_type']) ) else if ( !empty($_POST['connection_type']) )
$credentials['connection_type'] = stripslashes($_POST['connection_type']); $credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP
$credentials['connection_type'] = 'ftp'; $credentials['connection_type'] = 'ftp';
@ -1050,7 +1050,7 @@ jQuery(function($){
<?php <?php
foreach ( (array) $extra_fields as $field ) { foreach ( (array) $extra_fields as $field ) {
if ( isset( $_POST[ $field ] ) ) if ( isset( $_POST[ $field ] ) )
echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( stripslashes( $_POST[ $field ] ) ) . '" />'; echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />';
} }
submit_button( __( 'Proceed' ), 'button', 'upgrade' ); submit_button( __( 'Proceed' ), 'button', 'upgrade' );
?> ?>

4
wp-admin/includes/image-edit.php
View File

@ -454,7 +454,7 @@ function stream_preview_image( $post_id ) {
if ( is_wp_error( $img ) ) if ( is_wp_error( $img ) )
return false; return false;
$changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null; $changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash($_REQUEST['history']) ) : null;
if ( $changes ) if ( $changes )
$img = image_edit_apply_changes( $img, $changes ); $img = image_edit_apply_changes( $img, $changes );
@ -587,7 +587,7 @@ function wp_save_image( $post_id ) {
return $return; return $return;
} }
} elseif ( !empty($_REQUEST['history']) ) { } elseif ( !empty($_REQUEST['history']) ) {
$changes = json_decode( stripslashes($_REQUEST['history']) ); $changes = json_decode( wp_unslash($_REQUEST['history']) );
if ( $changes ) if ( $changes )
$img = image_edit_apply_changes($img, $changes); $img = image_edit_apply_changes($img, $changes);
} else { } else {

12
wp-admin/includes/media.php
View File

@ -468,8 +468,8 @@ function media_upload_form_handler() {
if ( isset($attachment['image_alt']) ) { if ( isset($attachment['image_alt']) ) {
$image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true); $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);
if ( $image_alt != stripslashes($attachment['image_alt']) ) { if ( $image_alt != wp_unslash($attachment['image_alt']) ) {
$image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true ); $image_alt = wp_strip_all_tags( wp_unslash($attachment['image_alt']), true );
// update_meta expects slashed // update_meta expects slashed
update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) ); update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) );
} }
@ -501,7 +501,7 @@ function media_upload_form_handler() {
} }
if ( isset($send_id) ) { if ( isset($send_id) ) {
$attachment = stripslashes_deep( $_POST['attachments'][$send_id] ); $attachment = wp_unslash( $_POST['attachments'][$send_id] );
$html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : ''; $html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : '';
if ( !empty($attachment['url']) ) { if ( !empty($attachment['url']) ) {
@ -546,7 +546,7 @@ function wp_media_upload_handler() {
$src = "http://$src"; $src = "http://$src";
if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) { if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) {
$title = esc_html( stripslashes( $_POST['title'] ) ); $title = esc_html( wp_unslash( $_POST['title'] ) );
if ( empty( $title ) ) if ( empty( $title ) )
$title = esc_html( basename( $src ) ); $title = esc_html( basename( $src ) );
@ -561,9 +561,9 @@ function wp_media_upload_handler() {
$html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title ); $html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title );
} else { } else {
$align = ''; $align = '';
$alt = esc_attr( stripslashes( $_POST['alt'] ) ); $alt = esc_attr( wp_unslash( $_POST['alt'] ) );
if ( isset($_POST['align']) ) { if ( isset($_POST['align']) ) {
$align = esc_attr( stripslashes( $_POST['align'] ) ); $align = esc_attr( wp_unslash( $_POST['align'] ) );
$class = " class='align$align'"; $class = " class='align$align'";
} }
if ( !empty($src) ) if ( !empty($src) )

2
wp-admin/includes/misc.php
View File

@ -220,7 +220,7 @@ add_action( 'update_option_page_on_front', 'update_home_siteurl', 10, 2 );
* @return string * @return string
*/ */
function url_shorten( $url ) { function url_shorten( $url ) {
$short_url = str_replace( 'http://', '', stripslashes( $url )); $short_url = str_replace( 'http://', '', wp_unslash( $url ));
$short_url = str_replace( 'www.', '', $short_url ); $short_url = str_replace( 'www.', '', $short_url );
$short_url = untrailingslashit( $short_url ); $short_url = untrailingslashit( $short_url );
if ( strlen( $short_url ) > 35 ) if ( strlen( $short_url ) > 35 )

12
wp-admin/includes/plugin-install.php
View File

@ -116,8 +116,8 @@ add_action('install_plugins_dashboard', 'install_dashboard');
* @since 2.7.0 * @since 2.7.0
*/ */
function install_search_form( $type_selector = true ) { function install_search_form( $type_selector = true ) {
$type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term'; $type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term';
$term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : ''; $term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : '';
?><form id="search-plugins" method="get" action=""> ?><form id="search-plugins" method="get" action="">
<input type="hidden" name="tab" value="search" /> <input type="hidden" name="tab" value="search" />
@ -160,7 +160,7 @@ add_action('install_plugins_upload', 'install_plugins_upload', 10, 1);
* *
*/ */
function install_plugins_favorites_form() { function install_plugins_favorites_form() {
$user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
?> ?>
<p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p> <p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p>
<form method="get" action=""> <form method="get" action="">
@ -251,7 +251,7 @@ function install_plugin_install_status($api, $loop = false) {
} }
} }
if ( isset($_GET['from']) ) if ( isset($_GET['from']) )
$url .= '&amp;from=' . urlencode(stripslashes($_GET['from'])); $url .= '&amp;from=' . urlencode( wp_unslash( $_GET['from'] ) );
return compact('status', 'url', 'version'); return compact('status', 'url', 'version');
} }
@ -264,7 +264,7 @@ function install_plugin_install_status($api, $loop = false) {
function install_plugin_information() { function install_plugin_information() {
global $tab; global $tab;
$api = plugins_api('plugin_information', array('slug' => stripslashes( $_REQUEST['plugin'] ) )); $api = plugins_api('plugin_information', array('slug' => wp_unslash( $_REQUEST['plugin'] ) ));
if ( is_wp_error($api) ) if ( is_wp_error($api) )
wp_die($api); wp_die($api);
@ -295,7 +295,7 @@ function install_plugin_information() {
$api->$key = wp_kses( $api->$key, $plugins_allowedtags ); $api->$key = wp_kses( $api->$key, $plugins_allowedtags );
} }
$section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English. $section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
if ( empty($section) || ! isset($api->sections[ $section ]) ) if ( empty($section) || ! isset($api->sections[ $section ]) )
$section = array_shift( $section_titles = array_keys((array)$api->sections) ); $section = array_shift( $section_titles = array_keys((array)$api->sections) );

28
wp-admin/includes/post.php
View File

@ -197,7 +197,7 @@ function edit_post( $post_data = null ) {
} }
if ( isset( $post_data[ '_wp_format_url' ] ) ) { if ( isset( $post_data[ '_wp_format_url' ] ) ) {
update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( stripslashes( $post_data['_wp_format_url'] ) ) ) ); update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( wp_unslash( $post_data['_wp_format_url'] ) ) ) );
} }
$format_keys = array( 'quote', 'quote_source', 'image', 'gallery', 'media' ); $format_keys = array( 'quote', 'quote_source', 'image', 'gallery', 'media' );
@ -236,8 +236,8 @@ function edit_post( $post_data = null ) {
if ( 'attachment' == $post_data['post_type'] ) { if ( 'attachment' == $post_data['post_type'] ) {
if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) { if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) {
$image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true ); $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true );
if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) { if ( $image_alt != wp_unslash( $post_data['_wp_attachment_image_alt'] ) ) {
$image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true ); $image_alt = wp_strip_all_tags( wp_unslash( $post_data['_wp_attachment_image_alt'] ), true );
// update_meta expects slashed // update_meta expects slashed
update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) ); update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) );
} }
@ -430,15 +430,15 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false )
$post_title = ''; $post_title = '';
if ( !empty( $_REQUEST['post_title'] ) ) if ( !empty( $_REQUEST['post_title'] ) )
$post_title = esc_html( stripslashes( $_REQUEST['post_title'] )); $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] ));
$post_content = ''; $post_content = '';
if ( !empty( $_REQUEST['content'] ) ) if ( !empty( $_REQUEST['content'] ) )
$post_content = esc_html( stripslashes( $_REQUEST['content'] )); $post_content = esc_html( wp_unslash( $_REQUEST['content'] ));
$post_excerpt = ''; $post_excerpt = '';
if ( !empty( $_REQUEST['excerpt'] ) ) if ( !empty( $_REQUEST['excerpt'] ) )
$post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] )); $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] ));
if ( $create_in_db ) { if ( $create_in_db ) {
$post_id = wp_insert_post( array( 'post_title' => __( 'Auto Draft' ), 'post_type' => $post_type, 'post_status' => 'auto-draft' ) ); $post_id = wp_insert_post( array( 'post_title' => __( 'Auto Draft' ), 'post_type' => $post_type, 'post_status' => 'auto-draft' ) );
@ -487,9 +487,9 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false )
function post_exists($title, $content = '', $date = '') { function post_exists($title, $content = '', $date = '') {
global $wpdb; global $wpdb;
$post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) ); $post_title = wp_unslash( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
$post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) ); $post_content = wp_unslash( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
$post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) ); $post_date = wp_unslash( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
$query = "SELECT ID FROM $wpdb->posts WHERE 1=1"; $query = "SELECT ID FROM $wpdb->posts WHERE 1=1";
$args = array(); $args = array();
@ -620,8 +620,8 @@ function add_meta( $post_ID ) {
global $wpdb; global $wpdb;
$post_ID = (int) $post_ID; $post_ID = (int) $post_ID;
$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : '';
$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : '';
$metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : ''; $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
if ( is_string( $metavalue ) ) if ( is_string( $metavalue ) )
$metavalue = trim( $metavalue ); $metavalue = trim( $metavalue );
@ -719,8 +719,8 @@ function has_meta( $postid ) {
* @return unknown * @return unknown
*/ */
function update_meta( $meta_id, $meta_key, $meta_value ) { function update_meta( $meta_id, $meta_key, $meta_value ) {
$meta_key = stripslashes( $meta_key ); $meta_key = wp_unslash( $meta_key );
$meta_value = stripslashes_deep( $meta_value ); $meta_value = wp_unslash( $meta_value );
return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key ); return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key );
} }
@ -1245,7 +1245,7 @@ function wp_create_post_autosave( $post_id ) {
} }
// _wp_put_post_revision() expects unescaped. // _wp_put_post_revision() expects unescaped.
$_POST = stripslashes_deep($_POST); $_POST = wp_unslash($_POST);
// Otherwise create the new autosave as a special post revision // Otherwise create the new autosave as a special post revision
return _wp_put_post_revision( $_POST, true ); return _wp_put_post_revision( $_POST, true );

2
wp-admin/includes/taxonomy.php
View File

@ -158,7 +158,7 @@ function wp_update_category($catarr) {
$category = get_category($cat_ID, ARRAY_A); $category = get_category($cat_ID, ARRAY_A);
// Escape data pulled from DB. // Escape data pulled from DB.
$category = add_magic_quotes($category); $category = wp_slash($category);
// Merge old and new fields with new fields overwriting old ones. // Merge old and new fields with new fields overwriting old ones.
$catarr = array_merge($category, $catarr); $catarr = array_merge($category, $catarr);