From 7da41242f922aae8f9867138b0cd37472cb3a7d6 Mon Sep 17 00:00:00 2001 From: Nikolay Bachiyski Date: Wed, 30 Mar 2016 17:23:24 +0000 Subject: [PATCH] Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters The codex says that taxonomy names "should only contain lowercase letters and the underscore character", but that's not enforced. It's too late to enforce it, since some plugins haven't been following it and the official phpdoc doesn't mention this restriction. Merge of [37133] to the 4.3 branch. Built from https://develop.svn.wordpress.org/branches/4.3@37136 git-svn-id: http://core.svn.wordpress.org/branches/4.3@37103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/taxonomy.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php
index 4328a36670..7ad0334844 100644
--- wp-includes/taxonomy.php
+++ wp-includes/taxonomy.php
@@ -625,7 +625,7 @@ function get_objects_in_term( $term_ids, $taxonomies, $args = array() ) {
 $term_ids = array_map('intval', $term_ids );
- $taxonomies = "'" . implode( "', '", $taxonomies ) . "'";
+ $taxonomies = "'" . implode( "', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
 $term_ids = "'" . implode( "', '", $term_ids ) . "'";
 $object_ids = $wpdb->get_col("SELECT tr.object_id FROM $wpdb->term_relationships AS tr INNER JOIN $wpdb->term_taxonomy AS tt ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ($taxonomies) AND tt.term_id IN ($term_ids) ORDER BY tr.object_id $order");
@@ -1810,7 +1810,7 @@ function get_terms( $taxonomies, $args = '' ) {
 $order = 'ASC';
 }
- $where = "tt.taxonomy IN ('" . implode("', '", $taxonomies) . "')";
+ $where = "tt.taxonomy IN ('" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "')";
 $exclude = $args['exclude'];
 $exclude_tree = $args['exclude_tree'];
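Review bot: In get_objects_in_term the new `array_map( 'esc_sql', $taxonomies )` is safe only because the surrounding `"'" . implode( "', '", … ) . "'"` supplies the single quotes, and nothing on the line records that dependency. The same expression is repeated in the get_terms hunk and in wp_get_object_terms. esc_sql() escapes a value for use inside a quoted string literal, so it stops protecting the query if a later edit drops or changes the quoting. I would put a comment above each of the three lines, `// Taxonomy names are not limited to [a-z_]; esc_sql() is only safe inside the single quotes added here.`, or move the quote-and-escape step into one shared helper so the call sites cannot drift apart. The same query also interpolates `$order` unquoted after `ORDER BY`; its normalisation is not visible here because the function body starts before the hunk, so it is worth confirming.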
@@ -2739,7 +2739,7 @@ function wp_get_object_terms($object_ids, $taxonomies, $args = array()) {
 $taxonomy_array = $taxonomies;
 $object_id_array = $object_ids;
- $taxonomies = "'" . implode("', '", $taxonomies) . "'";
+ $taxonomies = "'" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
 $object_ids = implode(', ', $object_ids);
 $select_this = '';
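Review bot: In wp_get_object_terms the line right after the change, `$object_ids = implode(', ', $object_ids);`, joins the IDs unquoted, so it relies entirely on an integer cast that this hunk does not show. By contrast, get_objects_in_term has its `array_map('intval', …)` visible next to the join. The function starts before the hunk, so the cast may well exist above; a comment such as `// $object_ids were cast with intval above; they are joined unquoted.` would make that dependency explicit. Note also that `$taxonomy_array` keeps the raw, unescaped names, so any SQL later built from it would need its own escaping.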