diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index f6dd19c0b3..4ef13601e7 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -20,8 +20,8 @@ if ( $doaction ) { check_admin_referer( 'bulk-comments' ); if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) { - $comment_status = $_REQUEST['comment_status']; - $delete_time = $_REQUEST['pagegen_timestamp']; + $comment_status = wp_unslash( $_REQUEST['comment_status'] ); + $delete_time = wp_unslash ( $_REQUEST['pagegen_timestamp'] ); $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) ); $doaction = 'delete'; } elseif ( isset( $_REQUEST['delete_comments'] ) ) { diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php index 421c430689..644857f5eb 100644 --- a/wp-admin/includes/template.php +++ b/wp-admin/includes/template.php @@ -1333,7 +1333,7 @@ function _draft_or_post_title( $post = 0 ) { * */ function _admin_search_query() { - echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : ''; + echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : ''; } /** diff --git a/wp-admin/includes/theme-install.php b/wp-admin/includes/theme-install.php index 5654f05e3c..5d5191b38a 100644 --- a/wp-admin/includes/theme-install.php +++ b/wp-admin/includes/theme-install.php @@ -50,8 +50,8 @@ function install_themes_feature_list() { * @since 2.8.0 */ function install_theme_search_form( $type_selector = true ) { - $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; - $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : ''; + $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term'; + $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : ''; if ( ! $type_selector ) echo '
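Review bot: `$delete_time = wp_unslash ( $_REQUEST['pagegen_timestamp'] );` has a space before the opening parenthesis, unlike the `wp_unslash( ... )` call on the line directly above it; the two new lines should be written the same way: `$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );`. Both values do reach the query through `$wpdb->prepare()` with `%s`, so quoting is taken care of, but neither is checked for shape: `$comment_status` is whatever string the request supplied and `$delete_time` is compared against `comment_date_gmt` as-is. A check that `$comment_status` is one of the statuses this page knows about, placed before the query, would make the bulk-delete intent explicit; which statuses are legal is decided outside the hunk.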

' . __( 'Search for themes by keyword.' ) . '

'; ?> @@ -179,7 +179,7 @@ add_action('install_themes_updated', 'display_themes'); function install_theme_information() { global $tab, $themes_allowedtags, $wp_list_table; - $theme = themes_api( 'theme_information', array( 'slug' => stripslashes( $_REQUEST['theme'] ) ) ); + $theme = themes_api( 'theme_information', array( 'slug' => wp_unslash( $_REQUEST['theme'] ) ) ); if ( is_wp_error( $theme ) ) wp_die( $theme ); diff --git a/wp-admin/includes/upgrade.php b/wp-admin/includes/upgrade.php index 9ef77e5ba0..531d21f9f7 100644 --- a/wp-admin/includes/upgrade.php +++ b/wp-admin/includes/upgrade.php @@ -132,7 +132,7 @@ function wp_install_defaults($user_id) { $first_post = get_site_option( 'first_post' ); if ( empty($first_post) ) - $first_post = stripslashes( __( 'Welcome to SITE_NAME. This is your first post. Edit or delete it, then start blogging!' ) ); + $first_post = __( 'Welcome to SITE_NAME. This is your first post. Edit or delete it, then start blogging!' ); $first_post = str_replace( "SITE_URL", esc_url( network_home_url() ), $first_post ); $first_post = str_replace( "SITE_NAME", $current_site->site_name, $first_post ); 
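Review bot: the rewritten `themes_api()` call in install_theme_information() reads `$_REQUEST['theme']` without an `isset()` guard, while the `$type` and `$term` lines in the install_theme_search_form() hunk above guard the same superglobal; a request missing the parameter raises a notice and queries an empty slug. Guarding it the same way, `'slug' => isset( $_REQUEST['theme'] ) ? wp_unslash( $_REQUEST['theme'] ) : ''`, keeps the two functions consistent, and bailing with `wp_die()` on an empty slug would be the stricter option. install_theme_information() continues past the end of the hunk.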
@@ -636,23 +636,23 @@ function upgrade_160() { $users = $wpdb->get_results("SELECT * FROM $wpdb->users"); foreach ( $users as $user ) : if ( !empty( $user->user_firstname ) ) - update_user_meta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) ); + update_user_meta( $user->ID, 'first_name', wp_slash($user->user_firstname) ); if ( !empty( $user->user_lastname ) ) - update_user_meta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) ); + update_user_meta( $user->ID, 'last_name', wp_slash($user->user_lastname) ); if ( !empty( $user->user_nickname ) ) - update_user_meta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) ); + update_user_meta( $user->ID, 'nickname', wp_slash($user->user_nickname) ); if ( !empty( $user->user_level ) ) update_user_meta( $user->ID, $wpdb->prefix . 'user_level', $user->user_level ); if ( !empty( $user->user_icq ) ) - update_user_meta( $user->ID, 'icq', $wpdb->escape($user->user_icq) ); + update_user_meta( $user->ID, 'icq', wp_slash($user->user_icq) ); if ( !empty( $user->user_aim ) ) - update_user_meta( $user->ID, 'aim', $wpdb->escape($user->user_aim) ); + update_user_meta( $user->ID, 'aim', wp_slash($user->user_aim) ); if ( !empty( $user->user_msn ) ) - update_user_meta( $user->ID, 'msn', $wpdb->escape($user->user_msn) ); + update_user_meta( $user->ID, 'msn', wp_slash($user->user_msn) ); if ( !empty( $user->user_yim ) ) - update_user_meta( $user->ID, 'yim', $wpdb->escape($user->user_icq) ); + update_user_meta( $user->ID, 'yim', wp_slash($user->user_icq) ); if ( !empty( $user->user_description ) ) - update_user_meta( $user->ID, 'description', $wpdb->escape($user->user_description) ); + update_user_meta( $user->ID, 'description', wp_slash($user->user_description) ); if ( isset( $user->user_idmode ) ): $idmode = $user->user_idmode; 
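Review bot: `update_user_meta( $user->ID, 'yim', wp_slash($user->user_icq) );` stores the ICQ value under the `yim` key; the rewrite changed the escaping call but kept what looks like a copy-paste from the `$wpdb->escape()` version. It should read `update_user_meta( $user->ID, 'yim', wp_slash($user->user_yim) );`, matching the `!empty( $user->user_yim )` test on the line above it. upgrade_160() continues outside the hunk on both sides.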
@@ -854,7 +854,7 @@ function upgrade_230() { foreach ( $link_cats as $category) { $cat_id = (int) $category->cat_id; $term_id = 0; - $name = $wpdb->escape($category->cat_name); + $name = wp_slash($category->cat_name); $slug = sanitize_title($name); $term_group = 0; diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php index ea3bdbf6a9..f3ec1e5bca 100644 --- a/wp-admin/includes/user.php +++ b/wp-admin/includes/user.php @@ -34,7 +34,7 @@ function edit_user( $user_id = 0 ) { $update = true; $user->ID = (int) $user_id; $userdata = get_userdata( $user_id ); - $user->user_login = $wpdb->escape( $userdata->user_login ); + $user->user_login = wp_slash( $userdata->user_login ); } else { $update = false; } diff --git a/wp-admin/install.php b/wp-admin/install.php index dd489af0cc..c8ade7323e 100644 --- a/wp-admin/install.php +++ b/wp-admin/install.php @@ -84,10 +84,10 @@ function display_setup_form( $error = null ) { if ( ! empty( $_POST ) ) $blog_public = isset( $_POST['blog_public'] ); - $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : ''; - $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin'; - $admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : ''; - $admin_email = isset( $_POST['admin_email'] ) ? trim( stripslashes( $_POST['admin_email'] ) ) : ''; + $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : ''; + $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin'; + $admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : ''; + $admin_email = isset( $_POST['admin_email'] ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : ''; if ( ! is_null( $error ) ) { ?> 
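Review bot: `$slug = sanitize_title($name);` is now computed from the `wp_slash()`'d name, so any backslashes added for quotes in `cat_name` are part of what sanitize_title() sees; whether they are stripped again depends on sanitize_title() internals rather than on this code. Deriving the slug from the unescaped value, `$slug = sanitize_title( $category->cat_name );`, removes that dependency while `$name` stays slashed for whatever consumes it below. The rest of upgrade_230() is outside the hunk.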
@@ -189,11 +189,11 @@ switch($step) { display_header(); // Fill in the data we gathered - $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : ''; - $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin'; - $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : ''; - $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : ''; - $admin_email = isset( $_POST['admin_email'] ) ?trim( stripslashes( $_POST['admin_email'] ) ) : ''; + $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : ''; + $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin'; + $admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : ''; + $admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : ''; + $admin_email = isset( $_POST['admin_email'] ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : ''; $public = isset( $_POST['blog_public'] ) ? (int) $_POST['blog_public'] : 0; // check e-mail address $error = false; diff --git a/wp-admin/link-manager.php b/wp-admin/link-manager.php index 92194f0392..3154f8e3db 100644 --- a/wp-admin/link-manager.php +++ b/wp-admin/link-manager.php @@ -31,7 +31,7 @@ if ( $doaction && isset( $_REQUEST['linkcheck'] ) ) { exit; } } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { - wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } @@ -72,7 +72,7 @@ if ( ! current_user_can('manage_links') )
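Review bot: in the step-2 hunk, `$admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : '';` keeps the password untrimmed, whereas display_setup_form() in the previous hunk applies `trim( wp_unslash( ... ) )` to the same field; if passwords are deliberately stored verbatim, surrounding whitespace included, a one-line comment saying so would stop the next reader from "fixing" it, otherwise the two functions should agree. The `$admin_email` line still reads `?trim( wp_unslash(` with the space missing after `?`. Both hunks sit inside a function and a switch arm that continue outside the diff.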
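Review bot: `wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );` builds its target from a request-supplied value; since the intent is only to reload the same admin page without the nonce arguments, `wp_safe_redirect()` states that intent and keeps the target on the local host, whereas `wp_redirect()` forwards whatever path shape it is handed. The same line is rewritten in the upload.php hunk at the end of this diff. Whether code outside the hunk already constrains `REQUEST_URI` is not visible here.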

' . __('Search results for “%s”') . '', esc_html( stripslashes($_REQUEST['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>

get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() ) network_step2( $result ); diff --git a/wp-admin/network/site-info.php b/wp-admin/network/site-info.php index bcc71f9f18..7dd6aeb23a 100644 --- a/wp-admin/network/site-info.php +++ b/wp-admin/network/site-info.php @@ -62,7 +62,7 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] ) { delete_option( 'rewrite_rules' ); // update blogs table - $blog_data = stripslashes_deep( $_POST['blog'] ); + $blog_data = wp_unslash( $_POST['blog'] ); $existing_details = get_blog_details( $id, false ); $blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' ); foreach ( $blog_data_checkboxes as $c ) { diff --git a/wp-admin/network/site-new.php b/wp-admin/network/site-new.php index db2e1f74c0..9fc5eefd48 100644 --- a/wp-admin/network/site-new.php +++ b/wp-admin/network/site-new.php @@ -88,7 +88,7 @@ if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) { $content_mail = sprintf( __( 'New site created by %1$s Address: %2$s -Name: %3$s' ), $current_user->user_login , get_site_url( $id ), stripslashes( $title ) ); +Name: %3$s' ), $current_user->user_login , get_site_url( $id ), wp_unslash( $title ) ); wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site->site_name ), $content_mail, 'From: "Site Admin" <' . get_site_option( 'admin_email' ) . '>' ); wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) ); wp_redirect( add_query_arg( array( 'update' => 'added', 'id' => $id ), 'site-new.php' ) ); diff --git a/wp-admin/network/site-settings.php b/wp-admin/network/site-settings.php index f807fcf2c5..a4ab33b707 100644 --- a/wp-admin/network/site-settings.php +++ b/wp-admin/network/site-settings.php 
@@ -53,12 +53,14 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_ar $count = count( $_POST['option'] ); $skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form. foreach ( (array) $_POST['option'] as $key => $val ) { + $key = wp_unslash( $key ); + $val = wp_unslash( $val ); if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) ) continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options if ( $c == $count ) - update_option( $key, stripslashes( $val ) ); + update_option( $key, $val ); else - update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet + update_option( $key, $val, false ); // no need to refresh blog details yet $c++; } diff --git a/wp-admin/network/sites.php b/wp-admin/network/sites.php index 3a102e3100..93341c35e9 100644 --- a/wp-admin/network/sites.php +++ b/wp-admin/network/sites.php @@ -79,7 +79,7 @@ if ( isset( $_GET['action'] ) ) { -
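Review bot: `in_array($key, $skip_options)` on the line after the new `$key = wp_unslash( $key );` is a loose comparison; with the key now taken straight from the posted option names, `in_array( $key, $skip_options, true )` is the safer form, and `$c == $count` two lines down could be `===` for the same reason. The loop then calls `update_option( $key, $val )` for every name the form posts, so the skip list is the only filter applied to option names here; if this page is meant to update only the options it renders, a list of expected keys would belong next to `$skip_options`. The capability check that gates this handler is outside the hunk.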

+

diff --git a/wp-admin/options-head.php b/wp-admin/options-head.php index 35d921b920..1c706c87d7 100644 --- a/wp-admin/options-head.php +++ b/wp-admin/options-head.php @@ -2,8 +2,7 @@ /** * WordPress Options Header. * - * Resets variables: 'action', 'standalone', and 'option_group_id'. Displays - * updated message, if updated variable is part of the URL query. + * Displays updated message, if updated variable is part of the URL query. * * @package WordPress * @subpackage Administration diff --git a/wp-admin/options.php b/wp-admin/options.php index 92ae917bf7..80a07190df 100644 --- a/wp-admin/options.php +++ b/wp-admin/options.php @@ -120,16 +120,16 @@ if ( 'update' == $action ) { if ( 'options' == $option_page ) { if ( is_multisite() && ! is_super_admin() ) wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) ); - $options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) ); + $options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) ); } else { $options = $whitelist_options[ $option_page ]; } // Handle custom date/time formats if ( 'general' == $option_page ) { - if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) ) + if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) ) $_POST['date_format'] = $_POST['date_format_custom']; - if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) ) + if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) ) $_POST['time_format'] = $_POST['time_format_custom']; // Map UTC+- timezones to gmt_offsets and set timezone_string to empty. if ( !empty($_POST['timezone_string']) && preg_match('/^UTC[+-]/', $_POST['timezone_string']) ) { 
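Review bot: `$options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) );` takes the list of option names to update straight from the request, and the guard above it only stops non-super-admins on multisite; on a single site every name in that list reaches `update_option( $option, $value )` in the next hunk. If the `options` page is meant to update only what a form rendered, intersecting `$options` with the names in `$whitelist_options` (or a per-form list) would make that explicit; the capability check that admits the user is outside the hunk. Separately, `'\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] )` and its `time_format` twin compare a request string loosely, and `===` says what is meant.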
@@ -150,7 +150,7 @@ if ( 'update' == $action ) { $value = $_POST[ $option ]; if ( ! is_array( $value ) ) $value = trim( $value ); - $value = stripslashes_deep( $value ); + $value = wp_unslash( $value ); } update_option( $option, $value ); } diff --git a/wp-admin/plugin-editor.php b/wp-admin/plugin-editor.php index ac64f1aea1..122362a527 100644 --- a/wp-admin/plugin-editor.php +++ b/wp-admin/plugin-editor.php @@ -28,7 +28,7 @@ if ( empty($plugins) ) wp_die( __('There are no plugins installed on this site.') ); if ( isset($_REQUEST['file']) ) - $plugin = stripslashes($_REQUEST['file']); + $plugin = wp_unslash($_REQUEST['file']); if ( empty($plugin) ) { $plugin = array_keys($plugins); @@ -39,8 +39,6 @@ $plugin_files = get_plugin_files($plugin); if ( empty($file) ) $file = $plugin_files[0]; -else - $file = stripslashes($file); $file = validate_file_to_edit($file, $plugin_files); $real_file = WP_PLUGIN_DIR . '/' . $file; @@ -52,7 +50,7 @@ case 'update': check_admin_referer('edit-plugin_' . $file); - $newcontent = stripslashes($_POST['newcontent']); + $newcontent = wp_unslash( $_POST['newcontent'] ); if ( is_writeable($real_file) ) { $f = fopen($real_file, 'w+'); fwrite($f, $newcontent); diff --git a/wp-admin/press-this.php b/wp-admin/press-this.php index 6542fa31e8..9fa610d2c9 100644 --- a/wp-admin/press-this.php +++ b/wp-admin/press-this.php @@ -91,11 +91,11 @@ if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) { } // Set Variables -$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; +$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; $selection = ''; if ( !empty($_GET['s']) ) { - $selection = str_replace(''', "'", stripslashes($_GET['s'])); + $selection = str_replace(''', "'", wp_unslash($_GET['s'])); $selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) ); } 
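Review bot: `$value = trim( $value );` runs before the new `$value = wp_unslash( $value );`, the reverse of the `trim( wp_unslash( ... ) )` order this same commit uses in install.php and setup-config.php; the result is the same for the inputs slashing produces, but the code reads as if trimming were meant to see the slashed text. Unslashing first, `$value = wp_unslash( $_POST[ $option ] );` followed by the existing `is_array()`/`trim()` step, keeps the ordering consistent across the commit. The enclosing loop starts before the hunk.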
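Review bot: removing `else $file = stripslashes($file);` means `$file` reaches `validate_file_to_edit($file, $plugin_files)` exactly as it was set above the hunk; that is only correct if the code that sets it (presumably `wp_reset_vars()`, not visible here) now unslashes, which is worth confirming, since a name that kept its backslash would fail validation. In the `update` case, the rewritten `$newcontent = wp_unslash( $_POST['newcontent'] );` is followed by `$f = fopen($real_file, 'w+'); fwrite($f, $newcontent);` with no check of the fopen() result, so a `false === $f` check before the `fwrite()` would avoid writing to a bad handle. The surrounding switch continues outside the hunk.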
diff --git a/wp-admin/setup-config.php b/wp-admin/setup-config.php index ae8a136ce5..82d06e99dc 100644 --- a/wp-admin/setup-config.php +++ b/wp-admin/setup-config.php @@ -164,7 +164,7 @@ switch($step) { case 2: foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key ) - $$key = trim( stripslashes( $_POST[ $key ] ) ); + $$key = trim( wp_unslash( $_POST[ $key ] ) ); $tryagain_link = '

' . __( 'Try again' ) . ''; diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php index 7f814d28eb..c8298d0c3b 100644 --- a/wp-admin/theme-editor.php +++ b/wp-admin/theme-editor.php @@ -68,7 +68,7 @@ if ( empty( $file ) ) { $relative_file = 'style.css'; $file = $allowed_files['style.css']; } else { - $relative_file = stripslashes( $file ); + $relative_file = wp_unslash( $file ); $file = $theme->get_stylesheet_directory() . '/' . $relative_file; } @@ -78,7 +78,7 @@ $scrollto = isset( $_REQUEST['scrollto'] ) ? (int) $_REQUEST['scrollto'] : 0; switch( $action ) { case 'update': check_admin_referer( 'edit-theme_' . $file . $stylesheet ); - $newcontent = stripslashes( $_POST['newcontent'] ); + $newcontent = wp_unslash( $_POST['newcontent'] ); $location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&theme=' . urlencode( $stylesheet ) . '&scrollto=' . $scrollto; if ( is_writeable( $file ) ) { //is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable diff --git a/wp-admin/upgrade.php b/wp-admin/upgrade.php index 73933db424..32f448c4cb 100644 --- a/wp-admin/upgrade.php +++ b/wp-admin/upgrade.php @@ -77,7 +77,7 @@ else @@ -90,7 +90,7 @@ switch ( $step ) : case 1: wp_upgrade(); - $backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/'; + $backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/'; $backto = esc_url( $backto ); $backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/'); ?> diff --git a/wp-admin/upload.php b/wp-admin/upload.php index 7d50d5290d..db4c5220f3 100644 --- a/wp-admin/upload.php +++ b/wp-admin/upload.php 
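Review bot: `$$key = trim( wp_unslash( $_POST[ $key ] ) );` reads each of the five keys without an `isset()` guard, so a form post missing one raises a notice before the value is used; `$$key = isset( $_POST[ $key ] ) ? trim( wp_unslash( $_POST[ $key ] ) ) : '';` keeps the loop quiet and matches how install.php in this same commit reads its fields. The switch arm continues outside the hunk.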
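Review bot: in the `else` branch of theme-editor.php, `$file = $theme->get_stylesheet_directory() . '/' . $relative_file;` builds the path to edit directly from the unslashed request value, while the `if` branch above takes `$file` from `$allowed_files`; nothing inside the hunk ties `$relative_file` back to `$allowed_files`, so the validation presumably happens below the hunk and is worth confirming. Since `$allowed_files` is visibly keyed by relative name (`$allowed_files['style.css']`), `if ( ! isset( $allowed_files[ $relative_file ] ) ) wp_die( /* not an editable theme file */ );` placed before the concatenation would make the check local to where the path is built.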
@@ -132,7 +132,7 @@ if ( $doaction ) { wp_redirect( $location ); exit; } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { - wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; }