From 6fd6b1080d3b1e333dc333175514a0adedf7be64 Mon Sep 17 00:00:00 2001 From: rboren Date: Fri, 18 Jun 2004 00:22:09 +0000 Subject: [PATCH] stripslashes() elimination. Remove extra slashes during upgrade. Bugs 0000059 and 0000018 git-svn-id: http://svn.automattic.com/wordpress/trunk@1435 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/admin-functions.php | 2 +- wp-admin/link-categories.php | 13 +++--- wp-admin/link-manager.php | 16 +++---- wp-admin/menu.php | 2 +- wp-admin/options.php | 2 +- wp-admin/profile.php | 22 ++++----- wp-admin/upgrade-functions.php | 38 +++++++++++++++ wp-admin/users.php | 11 ++--- wp-includes/functions-formatting.php | 1 - wp-includes/functions.php | 51 ++++++++++----------- wp-includes/links.php | 22 ++++----- wp-includes/template-functions-author.php | 10 ++-- wp-includes/template-functions-category.php | 18 ++++---- wp-includes/template-functions-comment.php | 4 +- wp-includes/template-functions-general.php | 20 ++++---- wp-includes/template-functions-links.php | 4 +- wp-includes/version.php | 4 +- 17 files changed, 131 insertions(+), 109 deletions(-) diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php index d1df178cf0..dd0a74933a 100644 --- a/wp-admin/admin-functions.php +++ b/wp-admin/admin-functions.php @@ -80,7 +80,7 @@ function get_nested_categories($default = 0, $parent = 0) { $result[$cat]['children'] = get_nested_categories($default, $cat); $result[$cat]['cat_ID'] = $cat; $result[$cat]['checked'] = in_array($cat, $checked_categories); - $result[$cat]['cat_name'] = stripslashes(get_the_category_by_ID($cat)); + $result[$cat]['cat_name'] = get_the_category_by_ID($cat); } return $result; diff --git a/wp-admin/link-categories.php b/wp-admin/link-categories.php index 8ba9a999f8..aa37102474 100644 --- a/wp-admin/link-categories.php +++ b/wp-admin/link-categories.php 
@@ -87,7 +87,6 @@ switch ($action) { $cat_id = $_GET['cat_id']; $cat_name=get_linkcatname($cat_id); - $cat_name=addslashes($cat_name); if ($cat_id=="1") die(sprintf(__("Can't delete the %s link category: this is the default one"), $cat_name)); @@ -132,7 +131,7 @@ switch ($action) { - + @@ -190,15 +189,15 @@ switch ($action) {
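Review bot: `$cat_id = $_GET['cat_id'];` is handed to `get_linkcatname()` without any integer check, and that helper (see the links.php hunk later in this same patch) interpolates it unquoted into `WHERE cat_id=$id`; the `addslashes()` being removed here only ever touched the name, so the delete branch has no protection on the id either before or after this change. The name is also printed raw in the `die(sprintf(...))` message. I would add `$cat_id = (int) $_GET['cat_id'];` as the first line of the branch and pass `htmlspecialchars($cat_name)` to the message. The DELETE itself is outside this hunk.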
- + - + - +
@@ -223,7 +222,7 @@ switch ($action) { $cat_id=$_POST["cat_id"]; - $cat_name=addslashes(stripslashes($_POST["cat_name"])); + $cat_name= $_POST["cat_name"]; $auto_toggle = $_POST["auto_toggle"]; if ($auto_toggle != 'Y') { $auto_toggle = 'N'; @@ -333,7 +332,7 @@ foreach ($results as $row) { $style = ($i % 2) ? ' class="alternate"' : ''; ?> style="border-bottom: 1px dotted #9C9A9C;"> - cat_name)?> + cat_name?> cat_id?> auto_toggle?> show_images?> diff --git a/wp-admin/link-manager.php b/wp-admin/link-manager.php index 8b60717c69..e37a2cbc9f 100644 --- a/wp-admin/link-manager.php +++ b/wp-admin/link-manager.php @@ -312,16 +312,16 @@ switch ($action) { WHERE link_id = $link_id"); if ($row) { - $link_url = stripslashes($row->link_url); - $link_name = stripslashes($row->link_name); + $link_url = $row->link_url; + $link_name = $row->link_name; $link_image = $row->link_image; $link_target = $row->link_target; $link_category = $row->link_category; - $link_description = stripslashes($row->link_description); + $link_description = $row->link_description; $link_visible = $row->link_visible; $link_rating = $row->link_rating; - $link_rel = stripslashes($row->link_rel); - $link_notes = stripslashes($row->link_notes); + $link_rel = $row->link_rel; + $link_notes = $row->link_notes; $link_rss_uri = $row->link_rss; } 
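Review bot: `$cat_name= $_POST["cat_name"];` now reaches the category UPDATE (outside this hunk) with no escaping in this file; the `addslashes(stripslashes())` it replaces made the query safe regardless of `magic_quotes_gpc`, whereas the new line is only safe if something earlier in the request guarantees every input is already slashed, and nothing in this patch shows that guarantee. `$cat_id=$_POST["cat_id"];` on the line above is not cast either, while `$auto_toggle` right below it is normalised. I would cast the id, `$cat_id = (int) $_POST["cat_id"];`, and either escape the name at the query boundary or state the pre-slashed-input assumption in a comment here so the next reader knows what the UPDATE relies on.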
@@ -690,17 +690,13 @@ function checkAll(form) $links = $wpdb->get_results($sql); if ($links) { foreach ($links as $link) { - $short_url = str_replace('http://', '', stripslashes($link->link_url)); + $short_url = str_replace('http://', '', $link->link_url); $short_url = str_replace('www.', '', $short_url); if ('/' == substr($short_url, -1)) $short_url = substr($short_url, 0, -1); if (strlen($short_url) > 35) $short_url = substr($short_url, 0, 32).'...'; - $link->link_name = stripslashes($link->link_name); - $link->category = stripslashes($link->category); - $link->link_rel = stripslashes($link->link_rel); - $link->link_description = stripslashes($link->link_description); $image = ($link->link_image != null) ? __('Yes') : __('No'); $visible = ($link->link_visible == 'Y') ? __('Yes') : __('No'); ++$i; diff --git a/wp-admin/menu.php b/wp-admin/menu.php index 0bfb78f17d..ee5166fbcf 100644 --- a/wp-admin/menu.php +++ b/wp-admin/menu.php @@ -40,5 +40,5 @@ get_settings('use_fileupload') && ?>
  • »
  • + ?>/wp-login.php?action=logout" title=""> diff --git a/wp-admin/options.php b/wp-admin/options.php index 72d9b1973e..217104d683 100644 --- a/wp-admin/options.php +++ b/wp-admin/options.php @@ -75,7 +75,7 @@ $nonbools = array('default_ping_status', 'default_comment_status'); foreach ($options as $option) { // should we even bother checking? if ($user_level >= $option->option_admin_level) { - $old_val = stripslashes($option->option_value); + $old_val = $option->option_value; $new_val = $_POST[$option->option_name]; if (!$new_val) { if (3 == $option->option_type) diff --git a/wp-admin/profile.php b/wp-admin/profile.php index 41481d8a07..a622456504 100644 --- a/wp-admin/profile.php +++ b/wp-admin/profile.php 
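Review bot: `$old_val = $option->option_value;` is now the raw stored value, while `$new_val = $_POST[$option->option_name];` on the next line is whatever the request handler delivers; if request data arrives slashed, which is what the rest of this patch appears to assume, any option containing a quote or backslash compares unequal to itself on every save and is rewritten, and with `update_option()` now escaping without stripping (functions.php hunk in this patch) it gains a layer of backslashes each time. This is hedged, because the comparison and the update call are outside this hunk. I would bring both sides to one convention before comparing, e.g. `$new_val = stripslashes($_POST[$option->option_name]);`, and note in a comment which convention the options table is expected to hold.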
@@ -83,19 +83,19 @@ case 'update': setcookie('wordpresspass_'.$cookiehash, md5(md5($newuser_pass)), time() + 31536000, COOKIEPATH); } - $newuser_firstname=addslashes(stripslashes($_POST['newuser_firstname'])); - $newuser_lastname=addslashes(stripslashes($_POST['newuser_lastname'])); - $newuser_nickname=addslashes(stripslashes($_POST['newuser_nickname'])); + $newuser_firstname=$_POST['newuser_firstname']; + $newuser_lastname=$_POST['newuser_lastname']; + $newuser_nickname=$_POST['newuser_nickname']; $newuser_nicename=sanitize_title($newuser_nickname); - $newuser_icq=addslashes(stripslashes($_POST['newuser_icq'])); - $newuser_aim=addslashes(stripslashes($_POST['newuser_aim'])); - $newuser_msn=addslashes(stripslashes($_POST['newuser_msn'])); - $newuser_yim=addslashes(stripslashes($_POST['newuser_yim'])); - $newuser_email=addslashes(stripslashes($_POST['newuser_email'])); - $newuser_url=addslashes(stripslashes($_POST['newuser_url'])); + $newuser_icq=$_POST['newuser_icq']; + $newuser_aim=$_POST['newuser_aim']; + $newuser_msn=$_POST['newuser_msn']; + $newuser_yim=$_POST['newuser_yim']; + $newuser_email=$_POST['newuser_email']; + $newuser_url=$_POST['newuser_url']; $newuser_url = preg_match('/^(https?|ftps?|mailto|news|gopher):/is', $newuser_url) ? $newuser_url : 'http://' . 
$newuser_url; - $newuser_idmode=addslashes(stripslashes($_POST['newuser_idmode'])); - $user_description = addslashes(stripslashes($_POST['user_description'])); + $newuser_idmode=$_POST['newuser_idmode']; + $user_description = $_POST['user_description']; $query = "UPDATE $wpdb->users SET user_firstname='$newuser_firstname', $updatepassword user_lastname='$newuser_lastname', user_nickname='$newuser_nickname', user_icq='$newuser_icq', user_email='$newuser_email', user_url='$newuser_url', user_aim='$newuser_aim', user_msn='$newuser_msn', user_yim='$newuser_yim', user_idmode='$newuser_idmode', user_description = '$user_description', user_nicename = '$newuser_nicename' WHERE ID = $user_ID"; $result = $wpdb->query($query); diff --git a/wp-admin/upgrade-functions.php b/wp-admin/upgrade-functions.php index 8b29ec4ec7..51cbe57fef 100644 --- a/wp-admin/upgrade-functions.php +++ b/wp-admin/upgrade-functions.php @@ -90,6 +90,23 @@ function get_alloptions_110() { return $all_options; } +function deslash($content) { + // Note: \\\ inside a regex denotes a single backslash. + + // Replace one or more backslashes followed by a single quote with + // a single quote. + $content = preg_replace("/\\\+'/", "'", $content); + + // Replace one or more backslashes followed by a double quote with + // a double quote. + $content = preg_replace('/\\\+"/', '"', $content); + + // Replace one or more backslashes with one backslash. + $content = preg_replace("/\\\+/", "\\", $content); + + return $content; +} + // .71 stuff function upgrade_071() { 
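Review bot: The `UPDATE $wpdb->users SET user_firstname='$newuser_firstname', ...` query at the end of this hunk now interpolates ten `$_POST` values that this file no longer escapes; the removed `addslashes(stripslashes())` kept the query safe regardless of `magic_quotes_gpc`, and the new bare assignments are only safe if something outside this patch guarantees every request value is already slashed. `$user_ID` in the `WHERE` is interpolated unquoted as well, and `$newuser_url` is checked for a scheme but never escaped. I would escape at the query boundary instead of trusting the runtime, e.g. `user_firstname='" . $wpdb->escape($newuser_firstname) . "'` for each field and `WHERE ID = " . (int) $user_ID`, or at minimum put a comment above the assignments stating the pre-slashed-input contract the query depends on. The `case 'update':` block starts before this hunk.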
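Review bot: The comment `// Note: \\\ inside a regex denotes a single backslash.` describes the wrong layer: in the PHP string `"/\\\+'/"`, `\\` is one escaped backslash and `\+` passes through untouched, so the pattern PCRE sees is `\\+'`, which is one-or-more backslashes followed by a quote, and the final `"\\"` replacement is a single backslash. I would reword it as `// In PHP source "\\\+" is the PCRE pattern \\+ , i.e. one or more literal backslashes.`. The function header should also say that the collapse is lossy and not invertible: content that legitimately held `\\` (code samples, Windows paths) or `\'` comes out with a single backslash or none, because there is no way to tell upgrade damage from intended text.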
@@ -871,6 +888,27 @@ function upgrade_130() { foreach ($fatoptions as $fatoption) : $wpdb->query("UPDATE $wpdb->options SET `autoload` = 'no' WHERE option_name = '$fatoption'"); endforeach; + + // Remove extraneous backslashes. + $posts = $wpdb->get_results("SELECT ID, post_title, post_content, post_excerpt FROM $wpdb->posts"); + if ($posts) { + foreach($posts as $post) { + $post_content = addslashes(deslash($post->post_content)); + $post_title = addslashes(deslash($post->post_title)); + $post_excerpt = addslashes(deslash($post->post_excerpt)); + $wpdb->query("UPDATE $wpdb->posts SET post_title = '$post_title', post_content = '$post_content', post_excerpt = '$post_excerpt' WHERE ID = '$post->ID'"); + } + } + + // Remove extraneous backslashes. + $comments = $wpdb->get_results("SELECT comment_ID, comment_author, comment_content FROM $wpdb->comments"); + if ($comments) { + foreach($comments as $comment) { + $comment_content = addslashes(deslash($comment->comment_content)); + $comment_author = addslashes(deslash($comment->comment_author)); + $wpdb->query("UPDATE $wpdb->comments SET comment_content = '$comment_content', comment_author = '$comment_author' WHERE comment_ID = '$comment->comment_ID'"); + } + } } ?> \ No newline at end of file diff --git a/wp-admin/users.php b/wp-admin/users.php index 3ffd22646f..a6654c4ff9 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php 
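Review bot: The two loops rewrite every row of the posts and comments tables unconditionally and irreversibly, with no backup hint, no dry run, and `get_results()` loading the whole table into memory; on a large installation this is where the upgrade will run out of memory or time part-way through, leaving some rows deslashed and others not. The loops also re-escape with `addslashes()` while the rest of this patch escapes with `$wpdb->escape()` (the `update_option` hunk), so I would use the same helper here, e.g. `$post_content = $wpdb->escape(deslash($post->post_content));`. A comment above the first loop should state that the step is destructive and that `deslash()` collapses every backslash run, so a database backup is required before running the upgrade.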
@@ -70,13 +70,7 @@ case 'adduser': return false; } - $user_login = addslashes(stripslashes($user_login)); - $pass1 = addslashes(stripslashes($pass1)); - $user_nickname = addslashes(stripslashes($user_nickname)); $user_nicename = sanitize_title($user_nickname); - $user_firstname = addslashes(stripslashes($user_firstname)); - $user_lastname = addslashes(stripslashes($user_lastname)); - $user_uri = addslashes(stripslashes($user_uri)); $user_uri = preg_match('/^(https?|ftps?|mailto|news|gopher):/is', $user_uri) ? $user_uri : 'http://' . $user_uri; $now = gmdate('Y-m-d H:i:s'); $new_users_can_blog = get_settings('new_users_can_blog'); @@ -95,6 +89,7 @@ case 'adduser': $stars .= '*'; } + $user_login = stripslashes($user_login); $message = 'New user registration on your blog ' . get_settings('blogname') . ":\r\n\r\n"; $message .= "Login: $user_login\r\n\r\nE-mail: $user_email"; @@ -204,7 +199,7 @@ default: $user_data = get_userdata($user->ID); $email = $user_data->user_email; $url = $user_data->user_url; - $short_url = str_replace('http://', '', stripslashes($url)); + $short_url = str_replace('http://', '', $url); $short_url = str_replace('www.', '', $short_url); if ('/' == substr($short_url, -1)) $short_url = substr($short_url, 0, -1); @@ -255,7 +250,7 @@ default: $user_data = get_userdata($user->ID); $email = $user_data->user_email; $url = $user_data->user_url; - $short_url = str_replace('http://', '', stripslashes($url)); + $short_url = str_replace('http://', '', $url); $short_url = str_replace('www.', '', $short_url); if ('/' == substr($short_url, -1)) $short_url = substr($short_url, 0, -1); diff --git a/wp-includes/functions-formatting.php b/wp-includes/functions-formatting.php index a9bb50ef86..2380b1c0a2 100644 --- a/wp-includes/functions-formatting.php +++ b/wp-includes/functions-formatting.php @@ -50,7 +50,6 @@ function wptexturize($text) { } function clean_pre($text) { - $text = stripslashes($text); $text = str_replace('
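Review bot: Removing `addslashes(stripslashes())` from `$user_login`, `$pass1`, `$user_nickname`, `$user_firstname`, `$user_lastname` and `$user_uri` means the INSERT that follows (outside this hunk) is only safe if those request values are already slashed by the runtime, which nothing in this patch guarantees. `$pass1` deserves a separate look: if the insert hashes it as-is, a password containing `'`, `"` or `\` is hashed together with the runtime-added backslashes, and the login path must apply exactly the same transformation or the user can never log in; the added `$user_login = stripslashes($user_login);` shows the code knows the value carries slashes but only fixes the notification mail. I would hash `stripslashes($pass1)` (the hash needs no SQL escaping) and escape the string fields at the query, or document the pre-slashed contract at the top of `case 'adduser':`, which begins before this hunk.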
    ', '', $text);
 return $text;
 }
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 38f62ec915..9faeb7c52d 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -166,16 +166,11 @@ function get_currentuserinfo() {
 // a bit like get_userdata(), on steroids
 function get_userdata($userid) {
 global $wpdb, $cache_userdata;
 if ( empty($cache_userdata[$userid]) ) {
- $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$userid'");
- $user->user_nickname = stripslashes($user->user_nickname);
- $user->user_firstname = stripslashes($user->user_firstname);
- $user->user_lastname = stripslashes($user->user_lastname);
- $user->user_description = stripslashes($user->user_description);
- $cache_userdata[$userid] = $user;
- } else {
- $user = $cache_userdata[$userid];
- }
- return $user;
+ $cache_userdata[$userid] =
+ $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$userid'");
+ }
+
+ return $cache_userdata[$userid];
 }
 function get_userdatabylogin($user_login) {
@@ -315,7 +310,7 @@ function get_alloptions() {
 if ('siteurl' == $option->option_name) $option->option_value = preg_replace('|/+$|', '', $option->option_value);
 if ('home' == $option->option_name) $option->option_value = preg_replace('|/+$|', '', $option->option_value);
 if ('category_base' == $option->option_name) $option->option_value = preg_replace('|/+$|', '', $option->option_value);
- $all_options->{$option->option_name} = stripslashes($option->option_value);
+ $all_options->{$option->option_name} = $option->option_value;
 }
 }
 return $all_options;
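Review bot: The rewritten lookup still drops `$userid` into `WHERE ID = '$userid'` with no cast or escape, so `get_userdata()` is only as safe as every caller; since the body is being rewritten anyway, fix it once here with `$userid = (int) $userid;` before the `empty()` check. A failed lookup also returns whatever `get_row()` gives back (presumably null), and callers in this patch such as users.php dereference `$user_data->user_email` directly; a one-line comment `// returns the raw row object, or null if no such user` would at least make that visible at the call sites.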
@@ -323,7 +318,7 @@ function get_alloptions() {
 function update_option($option_name, $newvalue) {
 global $wpdb, $cache_settings;
- $newvalue = stripslashes($newvalue);
+ $newvalue = $newvalue;
 $newvalue = trim($newvalue); // I can't think of any situation we wouldn't want to trim
 $newvalue = $wpdb->escape($newvalue);
 $wpdb->query("UPDATE $wpdb->options SET option_value = '$newvalue' WHERE option_name = '$option_name'");
@@ -516,9 +511,9 @@ add_action('publish_post', 'generic_ping');
 // Send a Trackback
 function trackback($trackback_url, $title, $excerpt, $ID) {
 global $wpdb;
- $title = urlencode(stripslashes($title));
- $excerpt = urlencode(stripslashes($excerpt));
- $blog_name = urlencode(stripslashes(get_settings('blogname')));
+ $title = urlencode($title);
+ $excerpt = urlencode($excerpt);
+ $blog_name = urlencode(get_settings('blogname'));
 $tb_url = $trackback_url;
 $url = urlencode(get_permalink($ID));
 $query_string = "title=$title&url=$url&blog_name=$blog_name&excerpt=$excerpt";
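Review bot: `$newvalue = $newvalue;` is a dead self-assignment left by the mechanical removal and should simply be deleted. The more important point is that the function keeps `$wpdb->escape($newvalue)` but no longer strips, so a caller that passes a request value the runtime has already slashed now stores it with doubled backslashes, which is exactly the corruption `deslash()` in this patch is cleaning up; options.php reads `$_POST[...]` into `$new_val` in its hunk above, although the call into this function is outside that hunk. I would state the contract in a comment on the function, `// $newvalue must be unslashed; it is trimmed and escaped exactly once here.`, and make options.php strip before calling.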
@@ -932,38 +927,38 @@ function wp_notify_postauthor($comment_id, $comment_type='comment') { $comment_author_domain = gethostbyaddr($comment->comment_author_IP); - $blogname = stripslashes(get_settings('blogname')); + $blogname = get_settings('blogname'); if ('comment' == $comment_type) { - $notify_message = "New comment on your post #$comment->comment_post_ID \"".stripslashes($post->post_title)."\"\r\n\r\n"; + $notify_message = "New comment on your post #$comment->comment_post_ID \"".$post->post_title."\"\r\n\r\n"; $notify_message .= "Author : $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; $notify_message .= "E-mail : $comment->comment_author_email\r\n"; $notify_message .= "URI : $comment->comment_author_url\r\n"; $notify_message .= "Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=$comment->comment_author_IP\r\n"; - $notify_message .= "Comment:\r\n".stripslashes($comment->comment_content)."\r\n\r\n"; + $notify_message .= "Comment:\r\n".$comment->comment_content."\r\n\r\n"; $notify_message .= "You can see all comments on this post here: \r\n"; - $subject = '[' . $blogname . '] Comment: "' .stripslashes($post->post_title).'"'; + $subject = '[' . $blogname . '] Comment: "' .$post->post_title.'"'; } elseif ('trackback' == $comment_type) { - $notify_message = "New trackback on your post #$comment_post_ID \"".stripslashes($post->post_title)."\"\r\n\r\n"; + $notify_message = "New trackback on your post #$comment_post_ID \"".$post->post_title."\"\r\n\r\n"; $notify_message .= "Website: $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; $notify_message .= "URI : $comment->comment_author_url\r\n"; - $notify_message .= "Excerpt: \n".stripslashes($comment->comment_content)."\r\n\r\n"; + $notify_message .= "Excerpt: \n".$comment->comment_content."\r\n\r\n"; $notify_message .= "You can see all trackbacks on this post here: \r\n"; - $subject = '[' . $blogname . 
'] Trackback: "' .stripslashes($post->post_title).'"'; + $subject = '[' . $blogname . '] Trackback: "' .$post->post_title.'"'; } elseif ('pingback' == $comment_type) { - $notify_message = "New pingback on your post #$comment_post_ID \"".stripslashes($post->post_title)."\"\r\n\r\n"; + $notify_message = "New pingback on your post #$comment_post_ID \"".$post->post_title."\"\r\n\r\n"; $notify_message .= "Website: $comment->comment_author\r\n"; $notify_message .= "URI : $comment->comment_author_url\r\n"; $notify_message .= "Excerpt: \n[...] $original_context [...]\r\n\r\n"; $notify_message .= "You can see all pingbacks on this post here: \r\n"; - $subject = '[' . $blogname . '] Pingback: "' .stripslashes($post->post_title).'"'; + $subject = '[' . $blogname . '] Pingback: "' .$post->post_title.'"'; } $notify_message .= get_permalink($comment->comment_post_ID) . '#comments'; if ('' == $comment->comment_author_email || '' == $comment->comment_author) { $from = "From: \"$blogname\" '; } else { - $from = 'From: "' . stripslashes($comment->comment_author) . "\" <$comment->comment_author_email>"; + $from = 'From: "' . $comment->comment_author . "\" <$comment->comment_author_email>"; } $message_headers = "MIME-Version: 1.0\r\n" 
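Review bot: The `From:` header on the `else` branch is built from `$comment->comment_author` and `$comment->comment_author_email` with no CR/LF filtering, so a comment whose author or email field contains a newline injects extra headers (additional recipients, for instance) into the notification mail; dropping `stripslashes()` does not change that, but this is the line being rewritten. Whether the email address is validated at submission time is not visible here. I would strip line breaks at the point of use, `$from = 'From: "' . str_replace(array("\r", "\n"), '', $comment->comment_author) . '" <' . str_replace(array("\r", "\n"), '', $comment->comment_author_email) . '>';`. The function's opening lines and the `mail()` call are outside this hunk.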
@@ -991,18 +986,18 @@ function wp_notify_moderator($comment_id) { $comment_author_domain = gethostbyaddr($comment->comment_author_IP); $comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'"); - $notify_message = "A new comment on the post #$comment->comment_post_ID \"".stripslashes($post->post_title)."\" is waiting for your approval\r\n\r\n"; + $notify_message = "A new comment on the post #$comment->comment_post_ID \"".$post->post_title."\" is waiting for your approval\r\n\r\n"; $notify_message .= "Author : $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; $notify_message .= "E-mail : $comment->comment_author_email\r\n"; $notify_message .= "URL : $comment->comment_author_url\r\n"; $notify_message .= "Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=$comment->comment_author_IP\r\n"; - $notify_message .= "Comment:\r\n".stripslashes($comment->comment_content)."\r\n\r\n"; + $notify_message .= "Comment:\r\n".$comment->comment_content."\r\n\r\n"; $notify_message .= "To approve this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=mailapprovecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n"; $notify_message .= "To delete this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=confirmdeletecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n"; $notify_message .= "Currently $comments_waiting comments are waiting for approval. Please visit the moderation panel:\r\n"; $notify_message .= get_settings('siteurl') . "/wp-admin/moderation.php\r\n"; - $subject = '[' . stripslashes(get_settings('blogname')) . '] Please approve: "' .stripslashes($post->post_title).'"'; + $subject = '[' . get_settings('blogname') . '] Please approve: "' .$post->post_title.'"'; $admin_email = get_settings("admin_email"); $from = "From: $admin_email"; 
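Review bot: `$subject` is assembled from `get_settings('blogname')` and `$post->post_title` and later handed to the mailer as a header; a title containing a line break would inject headers, and this is the line the commit rewrites. The exposure is lower than for the commenter-controlled `From:` in the previous function, since titles come from authors, but the fix is the same one-liner after the assignment: `$subject = str_replace(array("\r", "\n"), '', $subject);`. The function starts before this hunk and the `mail()` call is after it.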
diff --git a/wp-includes/links.php b/wp-includes/links.php index c32e5aa808..43eefd4209 100644 --- a/wp-includes/links.php +++ b/wp-includes/links.php @@ -176,14 +176,14 @@ function get_links($category = -1, $before = '', $after = '
    ', } $the_link = '#'; if (($row->link_url != null) && ($row->link_url != '')) { - $the_link = htmlspecialchars(stripslashes($row->link_url)); + $the_link = htmlspecialchars($row->link_url); } - $rel = stripslashes($row->link_rel); + $rel = $row->link_rel; if ($rel != '') { $rel = " rel='$rel'"; } - $desc = htmlspecialchars(stripslashes($row->link_description), ENT_QUOTES); - $name = htmlspecialchars(stripslashes($row->link_name), ENT_QUOTES); + $desc = htmlspecialchars($row->link_description, ENT_QUOTES); + $name = htmlspecialchars($row->link_name, ENT_QUOTES); $title = $desc; @@ -273,7 +273,7 @@ function get_links($category = -1, $before = '', $after = '
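Review bot: `$rel = " rel='$rel'";` emits `link_rel` inside a single-quoted attribute with no escaping, while `$desc` and `$name` two lines below go through `htmlspecialchars(..., ENT_QUOTES)`; a stored value containing `'` breaks out of the attribute. I would make it consistent: `$rel = " rel='" . htmlspecialchars($rel, ENT_QUOTES) . "'";`. Note also that `$the_link` on the first changed line uses `htmlspecialchars()` without `ENT_QUOTES`, which is only adequate if it is always placed in a double-quoted `href`; the markup that consumes it is outside this hunk.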
    ', ** Use this like: ** $links = get_linkobjectsbyname('fred'); ** foreach ($links as $link) { - ** echo '
  • '.stripslashes($link->link_name).'
  • '; + ** echo '
  • '.$link->link_name.'
  • '; ** } **/ function get_linkobjectsbyname($cat_name = "noname" , $orderby = 'name', $limit = -1) { @@ -350,10 +350,10 @@ function get_linkobjects($category = -1, $orderby = 'name', $limit = -1) { $results = $wpdb->get_results($sql); if ($results) { foreach ($results as $result) { - $result->link_url = stripslashes($result->link_url); - $result->link_name = stripslashes($result->link_name); - $result->link_description = stripslashes($result->link_description); - $result->link_notes = stripslashes($result->link_notes); + $result->link_url = $result->link_url; + $result->link_name = $result->link_name; + $result->link_description = $result->link_description; + $result->link_notes = $result->link_notes; $newresults[] = $result; } } @@ -464,7 +464,7 @@ function get_linkcatname($id = 0) { if ('' != $id) { $cat_name = $wpdb->get_var("SELECT cat_name FROM $wpdb->linkcategories WHERE cat_id=$id"); } - return stripslashes($cat_name); + return $cat_name; } /** function get_get_autotoggle() @@ -559,7 +559,7 @@ function get_links_list($order = 'name', $hide_if_empty = 'obsolete') { $orderby = (bool_from_yn($cat['sort_desc'])?'_':'') . $orderby; // Display the category name - echo '
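Review bot: The four `$result->link_url = $result->link_url;` style lines in `get_linkobjects()` are self-assignments left over from removing `stripslashes()`; they are dead code and the loop body reduces to `$newresults[] = $result;`. I would delete the four lines rather than leave a reader wondering whether they are intentional. The function's signature and the query it runs are outside this hunk.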
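Review bot: `get_linkcatname()` still runs `WHERE cat_id=$id` with its parameter interpolated unquoted and unescaped; the `'' != $id` guard only rejects the empty string, and link-categories.php in this patch passes `$_GET['cat_id']` straight in. The changed `return $cat_name;` is a good moment to harden the function with `$id = (int) $id;` as its first statement. `$cat_name` is also undefined on the `'' == $id` path, so the function should initialise it, `$cat_name = '';`, before the conditional. The function signature appears only in the hunk header, i.e. before the hunk.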
  • ' . stripslashes($cat['cat_name']) . "\n\t