WordPress-C/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2025-03-09 07:00:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make sure sanitize_option() is always called when updating options.

Browse Source 
git-svn-id: http://svn.automattic.com/wordpress/trunk@5541 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2007-05-25 02:22:30 +00:00
parent 677b609ee2
commit 92e7d3c3bc
3 changed files with 71 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
wp-admin/options.php
View File

@ -10,77 +10,6 @@ wp_reset_vars(array('action'));
if ( !current_user_can('manage_options') ) if ( !current_user_can('manage_options') )
wp_die(__('Cheatin’ uh?')); wp_die(__('Cheatin’ uh?'));
function sanitize_option($option, $value) { // Remember to call stripslashes!
switch ($option) {
case 'admin_email':
$value = stripslashes($value);
$value = sanitize_email($value);
break;
case 'default_post_edit_rows':
case 'mailserver_port':
case 'comment_max_links':
$value = stripslashes($value);
$value = abs((int) $value);
break;
case 'posts_per_page':
case 'posts_per_rss':
$value = stripslashes($value);
$value = (int) $value;
if ( empty($value) ) $value = 1;
if ( $value < -1 ) $value = abs($value);
break;
case 'default_ping_status':
case 'default_comment_status':
$value = stripslashes($value);
// Options that if not there have 0 value but need to be something like "closed"
if ( $value == '0' || $value == '')
$value = 'closed';
break;
case 'blogdescription':
case 'blogname':
if (current_user_can('unfiltered_html') == false)
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
$value = stripslashes($value);
break;
case 'blog_charset':
$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
break;
case 'date_format':
case 'time_format':
case 'mailserver_url':
case 'mailserver_login':
case 'mailserver_pass':
case 'ping_sites':
case 'upload_path':
$value = strip_tags($value);
$value = wp_filter_kses($value); // calls stripslashes then addslashes
$value = stripslashes($value);
break;
case 'gmt_offset':
$value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
break;
case 'siteurl':
case 'home':
$value = stripslashes($value);
$value = clean_url($value);
break;
default :
$value = stripslashes($value);
break;
}
return $value;
}
switch($action) { switch($action) {
case 'update': case 'update':
@ -101,7 +30,7 @@ case 'update':
foreach ($options as $option) { foreach ($options as $option) {
$option = trim($option); $option = trim($option);
$value = trim($_POST[$option]); $value = trim($_POST[$option]);
$value = sanitize_option($option, $value); // This does stripslashes on those that need it $value = stripslashes($value);
update_option($option, $value); update_option($option, $value);
} }
} }

68
wp-includes/formatting.php
View File

@ -1118,4 +1118,72 @@ function wp_make_link_relative( $link ) {
return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link ); return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link );
} }
function sanitize_option($option, $value) { // Remember to call stripslashes!
switch ($option) {
case 'admin_email':
$value = sanitize_email($value);
break;
case 'default_post_edit_rows':
case 'mailserver_port':
case 'comment_max_links':
$value = abs((int) $value);
break;
case 'posts_per_page':
case 'posts_per_rss':
$value = (int) $value;
if ( empty($value) ) $value = 1;
if ( $value < -1 ) $value = abs($value);
break;
case 'default_ping_status':
case 'default_comment_status':
// Options that if not there have 0 value but need to be something like "closed"
if ( $value == '0' || $value == '')
$value = 'closed';
break;
case 'blogdescription':
case 'blogname':
$value = addslashes($value);
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
$value = stripslashes($value);
$value = wp_specialchars( $value );
break;
case 'blog_charset':
$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
break;
case 'date_format':
case 'time_format':
case 'mailserver_url':
case 'mailserver_login':
case 'mailserver_pass':
case 'ping_sites':
case 'upload_path':
$value = strip_tags($value);
$value = addslashes($value);
$value = wp_filter_kses($value); // calls stripslashes then addslashes
$value = stripslashes($value);
break;
case 'gmt_offset':
$value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
break;
case 'siteurl':
case 'home':
$value = stripslashes($value);
$value = clean_url($value);
break;
default :
break;
}
return $value;
}
?> ?>

2
wp-includes/functions.php
View File

@ -315,6 +315,8 @@ function update_option($option_name, $newvalue) {
wp_protect_special_option($option_name); wp_protect_special_option($option_name);
$newvalue = sanitize_option($option_name, $newvalue);
if ( is_string($newvalue) ) if ( is_string($newvalue) )
$newvalue = trim($newvalue); $newvalue = trim($newvalue);