diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
index bcbd524560..78133662fb 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@@ -142,7 +142,7 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 $attachment->post_title = preg_replace( '/\.[^.]+$/', '', basename( $file ) );
 }
 
-$id = wp_insert_post( $attachment, true );
+$id = wp_insert_post( wp_slash( (array) $attachment ), true );
 
 if ( is_wp_error( $id ) ) {
 if ( 'db_update_error' === $id->get_error_code() ) {
@@ -250,18 +250,18 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 // Attachment caption (post_excerpt internally)
 if ( isset( $request['caption'] ) ) {
 if ( is_string( $request['caption'] ) ) {
-$prepared_attachment->post_excerpt = wp_filter_post_kses( $request['caption'] );
+$prepared_attachment->post_excerpt = $request['caption'];
 } elseif ( isset( $request['caption']['raw'] ) ) {
-$prepared_attachment->post_excerpt = wp_filter_post_kses( $request['caption']['raw'] );
+$prepared_attachment->post_excerpt = $request['caption']['raw'];
 }
 }
 
 // Attachment description (post_content internally)
 if ( isset( $request['description'] ) ) {
 if ( is_string( $request['description'] ) ) {
-$prepared_attachment->post_content = wp_filter_post_kses( $request['description'] );
+$prepared_attachment->post_content = $request['description'];
 } elseif ( isset( $request['description']['raw'] ) ) {
-$prepared_attachment->post_content = wp_filter_post_kses( $request['description']['raw'] );
+$prepared_attachment->post_content = $request['description']['raw'];
 }
 }
 
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index c313784504..0aa9801b0b 100644
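Review bot: The caption and description values in the -250 hunk are now stored on $prepared_attachment unfiltered, so nothing in this method strips markup any more; the change appears to rely on wp_insert_post() applying the `excerpt_save_pre`/`content_save_pre` filters (where kses is hooked for users lacking `unfiltered_html`) to the wp_slash()ed array built in the -142 hunk. That holds only while every consumer of prepare_item_for_database() routes the object through wp_insert_post()/wp_update_post() with wp_slash(), and a reader of this method cannot see that contract. Suggest a comment above the caption block: `// Stored unfiltered here on purpose: kses sanitization is applied by the *_save_pre filters when the prepared object is passed (slashed) to wp_insert_post()/wp_update_post().` The same applies to the title/content/excerpt assignments in the -969 hunk of class-wp-rest-posts-controller.php, where the title presumably now goes through `title_save_pre` rather than wp_filter_post_kses(), which should be confirmed. prepare_item_for_database() starts and ends outside the hunk.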
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -488,7 +488,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 }
 
 $post->post_type = $this->post_type;
-$post_id = wp_insert_post( $post, true );
+$post_id = wp_insert_post( wp_slash( (array) $post ), true );
 
 if ( is_wp_error( $post_id ) ) {
 
@@ -628,7 +628,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 }
 
 // convert the post object to an array, otherwise wp_update_post will expect non-escaped input.
-$post_id = wp_update_post( (array) $post, true );
+$post_id = wp_update_post( wp_slash( (array) $post ), true );
 
 if ( is_wp_error( $post_id ) ) {
 if ( 'db_update_error' === $post_id->get_error_code() ) {
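Review bot: The comment kept on the context line above the changed call in the -628 hunk, "otherwise wp_update_post will expect non-escaped input", no longer describes the code: the array is now passed through wp_slash(), i.e. deliberately escaped, so the comment contradicts the line beneath it. Suggest replacing it with `// wp_update_post() expects slashed input (it unslashes internally), so cast to array and slash before passing it in.` The equivalent call in the -488 hunk carries no comment at all; the same line would serve there. update_item() starts and ends outside the hunk.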
@@ -969,27 +969,27 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 // Post title.
 if ( ! empty( $schema['properties']['title'] ) && isset( $request['title'] ) ) {
 if ( is_string( $request['title'] ) ) {
-$prepared_post->post_title = wp_filter_post_kses( $request['title'] );
+$prepared_post->post_title = $request['title'];
 } elseif ( ! empty( $request['title']['raw'] ) ) {
-$prepared_post->post_title = wp_filter_post_kses( $request['title']['raw'] );
+$prepared_post->post_title = $request['title']['raw'];
 }
 }
 
 // Post content.
 if ( ! empty( $schema['properties']['content'] ) && isset( $request['content'] ) ) {
 if ( is_string( $request['content'] ) ) {
-$prepared_post->post_content = wp_filter_post_kses( $request['content'] );
+$prepared_post->post_content = $request['content'];
 } elseif ( isset( $request['content']['raw'] ) ) {
-$prepared_post->post_content = wp_filter_post_kses( $request['content']['raw'] );
+$prepared_post->post_content = $request['content']['raw'];
 }
 }
 
 // Post excerpt.
 if ( ! empty( $schema['properties']['excerpt'] ) && isset( $request['excerpt'] ) ) {
 if ( is_string( $request['excerpt'] ) ) {
-$prepared_post->post_excerpt = wp_filter_post_kses( $request['excerpt'] );
+$prepared_post->post_excerpt = $request['excerpt'];
 } elseif ( isset( $request['excerpt']['raw'] ) ) {
-$prepared_post->post_excerpt = wp_filter_post_kses( $request['excerpt']['raw'] );
+$prepared_post->post_excerpt = $request['excerpt']['raw'];
 }
 }
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index c4575683ed..2aceea9865 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-beta2-39154';
+$wp_version = '4.7-beta2-39155';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.