diff --git a/wp-includes/class-wp-customize-setting.php b/wp-includes/class-wp-customize-setting.php
index 7fe88e8333..4593729886 100644
--- a/wp-includes/class-wp-customize-setting.php
+++ b/wp-includes/class-wp-customize-setting.php
@@ -496,7 +496,6 @@ class WP_Customize_Setting {
* @return string|array|null Null if an input isn't valid, otherwise the sanitized value.
*/
public function sanitize( $value ) {
- $value = wp_unslash( $value );
/**
* Filter a Customize setting value in un-slashed form.
diff --git a/wp-includes/customize/class-wp-customize-nav-menu-setting.php b/wp-includes/customize/class-wp-customize-nav-menu-setting.php
index 5562a8df52..8d6436c68c 100644
--- a/wp-includes/customize/class-wp-customize-nav-menu-setting.php
+++ b/wp-includes/customize/class-wp-customize-nav-menu-setting.php
@@ -513,14 +513,14 @@ class WP_Customize_Nav_Menu_Setting extends WP_Customize_Setting {
$menu_data['menu-name'] = $value['name'];
$menu_id = $is_placeholder ? 0 : $this->term_id;
- $r = wp_update_nav_menu_object( $menu_id, $menu_data );
+ $r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
$original_name = $menu_data['menu-name'];
$name_conflict_suffix = 1;
while ( is_wp_error( $r ) && 'menu_exists' === $r->get_error_code() ) {
$name_conflict_suffix += 1;
/* translators: 1: original menu name, 2: duplicate count */
$menu_data['menu-name'] = sprintf( __( '%1$s (%2$d)' ), $original_name, $name_conflict_suffix );
- $r = wp_update_nav_menu_object( $menu_id, $menu_data );
+ $r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
}
if ( is_wp_error( $r ) ) {
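Review bot: Both `wp_update_nav_menu_object()` calls in this hunk now wrap the argument in `wp_slash()`, but nothing at the call site says why, so a later cleanup could drop the wrapper again. I would add a comment above the first call such as `// wp_update_nav_menu_object() expects slashed data; the setting value is unslashed here.` Note that `$original_name` is read from the unslashed `$menu_data`, so the retry loop keeps building the suffixed name from unslashed text and slashes only at the call, which looks intentional. The enclosing method starts and ends outside the hunk.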
diff --git a/wp-includes/nav-menu.php b/wp-includes/nav-menu.php
index 3b878f762b..9627d27edb 100644
--- a/wp-includes/nav-menu.php
+++ b/wp-includes/nav-menu.php
@@ -196,12 +196,15 @@ function is_nav_menu_item( $menu_item_id = 0 ) {
/**
* Creates a navigation menu.
*
+ * Note that $menu_name
is expected to be pre-slashed.
+ *
* @since 3.0.0
*
* @param string $menu_name Menu name.
* @return int|WP_Error Menu ID on success, WP_Error object on failure.
*/
function wp_create_nav_menu( $menu_name ) {
+ // expected_slashed ($menu_name)
return wp_update_nav_menu_object( 0, array( 'menu-name' => $menu_name ) );
}
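Review bot: The slashing contract is stated only in a free-text sentence and an inline `// expected_slashed` marker, while the `@param` line still reads just "Menu name." A caller that passes unslashed input would presumably have backslashes stripped from the stored name. I would put the requirement on the tag itself, for example `@param string $menu_name Menu name. Expected to be slashed, see wp_slash().` The same applies to the `$menu_data` parameter in the two `wp_update_nav_menu_object()` hunks that follow.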
@@ -252,6 +255,8 @@ function wp_delete_nav_menu( $menu ) {
/**
* Save the properties of a menu or create a new menu with those properties.
*
+ * Note that $menu_data
is expected to be pre-slashed.
+ *
* @since 3.0.0
*
* @param int $menu_id The ID of the menu or "0" to create a new menu.
@@ -259,6 +264,7 @@ function wp_delete_nav_menu( $menu ) {
* @return int|WP_Error Menu ID on success, WP_Error object on failure.
*/
function wp_update_nav_menu_object( $menu_id = 0, $menu_data = array() ) {
+ // expected_slashed ($menu_data)
$menu_id = (int) $menu_id;
$_menu = wp_get_nav_menu_object( $menu_id );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index d580cfb37a..dc2f81e0f4 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
-$wp_version = '4.5-alpha-36621';
+$wp_version = '4.5-alpha-36622';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-includes/widgets/class-wp-nav-menu-widget.php b/wp-includes/widgets/class-wp-nav-menu-widget.php
index 22ec861076..d6ac26c948 100644
--- a/wp-includes/widgets/class-wp-nav-menu-widget.php
+++ b/wp-includes/widgets/class-wp-nav-menu-widget.php
@@ -92,7 +92,7 @@
public function update( $new_instance, $old_instance ) {
$instance = array();
if ( ! empty( $new_instance['title'] ) ) {
- $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
+ $instance['title'] = sanitize_text_field( $new_instance['title'] );
}
if ( ! empty( $new_instance['nav_menu'] ) ) {
$instance['nav_menu'] = (int) $new_instance['nav_menu'];
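Review bot: With `stripslashes()` removed, `update()` now assumes `$new_instance` arrives already unslashed, and nothing visible in this hunk establishes or documents that. If any caller hands over raw request data, the stored title will keep its escaping backslashes. I would state the assumption in the method docblock, which lies outside the hunk, with a line like `@param array $new_instance New settings as submitted by the user, already unslashed.` The tag cloud and text widget hunks rely on the same assumption.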
diff --git a/wp-includes/widgets/class-wp-widget-tag-cloud.php b/wp-includes/widgets/class-wp-widget-tag-cloud.php
index 99f7af6ea1..4115c79387 100644
--- a/wp-includes/widgets/class-wp-widget-tag-cloud.php
+++ b/wp-includes/widgets/class-wp-widget-tag-cloud.php
@@ -98,7 +98,7 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
*/
public function update( $new_instance, $old_instance ) {
$instance = array();
- $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
+ $instance['title'] = sanitize_text_field( $new_instance['title'] );
$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
return $instance;
}
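Review bot: The unchanged line `$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);` still unslashes its input, although the title line above it now treats `$new_instance` as already unslashed. If that premise holds, this second `stripslashes()` strips backslashes a second time, and the value is stored with no sanitization visible here. Consider `$instance['taxonomy'] = sanitize_key( $new_instance['taxonomy'] );`, or checking the value with `taxonomy_exists()` before saving, assuming taxonomy names are always key-safe slugs in this context. Separately, unlike the nav menu widget, `$new_instance['title']` is read without an `empty()` guard.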
diff --git a/wp-includes/widgets/class-wp-widget-text.php b/wp-includes/widgets/class-wp-widget-text.php
index 96cf642908..5a1a056a54 100644
--- a/wp-includes/widgets/class-wp-widget-text.php
+++ b/wp-includes/widgets/class-wp-widget-text.php
@@ -80,10 +80,11 @@ class WP_Widget_Text extends WP_Widget {
public function update( $new_instance, $old_instance ) {
$instance = $old_instance;
$instance['title'] = sanitize_text_field( $new_instance['title'] );
- if ( current_user_can('unfiltered_html') )
- $instance['text'] = $new_instance['text'];
- else
- $instance['text'] = wp_kses_post( stripslashes( $new_instance['text'] ) );
+ if ( current_user_can( 'unfiltered_html' ) ) {
+ $instance['text'] = $new_instance['text'];
+ } else {
+ $instance['text'] = wp_kses_post( $new_instance['text'] );
+ }
$instance['filter'] = ! empty( $new_instance['filter'] );
return $instance;
}
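Review bot: The `current_user_can( 'unfiltered_html' )` branch stores `$new_instance['text']` verbatim, and this security-relevant split has no explanatory comment even though the block is being restyled here. I would add above the `if` something like `// Users with unfiltered_html may save arbitrary markup; everyone else is restricted to the post KSES allowlist.` Dropping `stripslashes()` before `wp_kses_post()` is only correct if the input is already unslashed when it reaches `update()`, which this hunk does not show.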