From 92e7d3c3bc29a9b196bd0e5daeb7a0f0b25a4497 Mon Sep 17 00:00:00 2001 From: ryan Date: Fri, 25 May 2007 02:22:30 +0000 Subject: [PATCH] Make sure sanitize_option() is always called when updating options. git-svn-id: http://svn.automattic.com/wordpress/trunk@5541 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/options.php | 73 +------------------------------------- wp-includes/formatting.php | 68 +++++++++++++++++++++++++++++++++++ wp-includes/functions.php | 2 ++ 3 files changed, 71 insertions(+), 72 deletions(-) diff --git a/wp-admin/options.php b/wp-admin/options.php index 98aa3c42e3..93238870da 100644 --- a/wp-admin/options.php +++ b/wp-admin/options.php @@ -10,77 +10,6 @@ wp_reset_vars(array('action')); if ( !current_user_can('manage_options') ) wp_die(__('Cheatin’ uh?')); -function sanitize_option($option, $value) { // Remember to call stripslashes! - - switch ($option) { - case 'admin_email': - $value = stripslashes($value); - $value = sanitize_email($value); - break; - - case 'default_post_edit_rows': - case 'mailserver_port': - case 'comment_max_links': - $value = stripslashes($value); - $value = abs((int) $value); - break; - - case 'posts_per_page': - case 'posts_per_rss': - $value = stripslashes($value); - $value = (int) $value; - if ( empty($value) ) $value = 1; - if ( $value < -1 ) $value = abs($value); - break; - - case 'default_ping_status': - case 'default_comment_status': - $value = stripslashes($value); - // Options that if not there have 0 value but need to be something like "closed" - if ( $value == '0' || $value == '') - $value = 'closed'; - break; - - case 'blogdescription': - case 'blogname': - if (current_user_can('unfiltered_html') == false) - $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes - $value = stripslashes($value); - break; - - case 'blog_charset': - $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes - break; - - case 'date_format': - case 'time_format': - case 'mailserver_url': - case 'mailserver_login': - case 'mailserver_pass': - case 'ping_sites': - case 'upload_path': - $value = strip_tags($value); - $value = wp_filter_kses($value); // calls stripslashes then addslashes - $value = stripslashes($value); - break; - - case 'gmt_offset': - $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes - break; - - case 'siteurl': - case 'home': - $value = stripslashes($value); - $value = clean_url($value); - break; - default : - $value = stripslashes($value); - break; - } - - return $value; -} - switch($action) { case 'update': @@ -101,7 +30,7 @@ case 'update': foreach ($options as $option) { $option = trim($option); $value = trim($_POST[$option]); - $value = sanitize_option($option, $value); // This does stripslashes on those that need it + $value = stripslashes($value); update_option($option, $value); } } diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 14eb5b8d87..12a9b538b5 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -1118,4 +1118,72 @@ function wp_make_link_relative( $link ) { return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link ); } +function sanitize_option($option, $value) { // Remember to call stripslashes! + + switch ($option) { + case 'admin_email': + $value = sanitize_email($value); + break; + + case 'default_post_edit_rows': + case 'mailserver_port': + case 'comment_max_links': + $value = abs((int) $value); + break; + + case 'posts_per_page': + case 'posts_per_rss': + $value = (int) $value; + if ( empty($value) ) $value = 1; + if ( $value < -1 ) $value = abs($value); + break; + + case 'default_ping_status': + case 'default_comment_status': + // Options that if not there have 0 value but need to be something like "closed" + if ( $value == '0' || $value == '') + $value = 'closed'; + break; + + case 'blogdescription': + case 'blogname': + $value = addslashes($value); + $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes + $value = stripslashes($value); + $value = wp_specialchars( $value ); + break; + + case 'blog_charset': + $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes + break; + + case 'date_format': + case 'time_format': + case 'mailserver_url': + case 'mailserver_login': + case 'mailserver_pass': + case 'ping_sites': + case 'upload_path': + $value = strip_tags($value); + $value = addslashes($value); + $value = wp_filter_kses($value); // calls stripslashes then addslashes + $value = stripslashes($value); + break; + + case 'gmt_offset': + $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes + break; + + case 'siteurl': + case 'home': + $value = stripslashes($value); + $value = clean_url($value); + break; + default : + break; + } + + return $value; +} + ?> diff --git a/wp-includes/functions.php b/wp-includes/functions.php index f1325d36a9..d6b1755862 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -315,6 +315,8 @@ function update_option($option_name, $newvalue) { wp_protect_special_option($option_name); + $newvalue = sanitize_option($option_name, $newvalue); + if ( is_string($newvalue) ) $newvalue = trim($newvalue);