Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().

git-svn-id: http://core.svn.wordpress.org/trunk@23567 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Ryan Boren 2013-03-01 17:14:09 +00:00
parent 80f62f3c21
commit f3a83744e9
20 changed files with 51 additions and 52 deletions

View File

@ -20,8 +20,8 @@ if ( $doaction ) {
check_admin_referer( 'bulk-comments' );
if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
$comment_status = $_REQUEST['comment_status'];
$delete_time = $_REQUEST['pagegen_timestamp'];
$comment_status = wp_unslash( $_REQUEST['comment_status'] );
$delete_time = wp_unslash ( $_REQUEST['pagegen_timestamp'] );
$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
$doaction = 'delete';
} elseif ( isset( $_REQUEST['delete_comments'] ) ) {

View File

@ -1333,7 +1333,7 @@ function _draft_or_post_title( $post = 0 ) {
*
*/
function _admin_search_query() {
echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
}
/**

View File

@ -50,8 +50,8 @@ function install_themes_feature_list() {
* @since 2.8.0
*/
function install_theme_search_form( $type_selector = true ) {
$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
$term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
$term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
if ( ! $type_selector )
echo '<p class="install-help">' . __( 'Search for themes by keyword.' ) . '</p>';
?>
@ -179,7 +179,7 @@ add_action('install_themes_updated', 'display_themes');
function install_theme_information() {
global $tab, $themes_allowedtags, $wp_list_table;
$theme = themes_api( 'theme_information', array( 'slug' => stripslashes( $_REQUEST['theme'] ) ) );
$theme = themes_api( 'theme_information', array( 'slug' => wp_unslash( $_REQUEST['theme'] ) ) );
if ( is_wp_error( $theme ) )
wp_die( $theme );

View File

@ -132,7 +132,7 @@ function wp_install_defaults($user_id) {
$first_post = get_site_option( 'first_post' );
if ( empty($first_post) )
$first_post = stripslashes( __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' ) );
$first_post = __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' );
$first_post = str_replace( "SITE_URL", esc_url( network_home_url() ), $first_post );
$first_post = str_replace( "SITE_NAME", $current_site->site_name, $first_post );
@ -636,23 +636,23 @@ function upgrade_160() {
$users = $wpdb->get_results("SELECT * FROM $wpdb->users");
foreach ( $users as $user ) :
if ( !empty( $user->user_firstname ) )
update_user_meta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) );
update_user_meta( $user->ID, 'first_name', wp_slash($user->user_firstname) );
if ( !empty( $user->user_lastname ) )
update_user_meta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) );
update_user_meta( $user->ID, 'last_name', wp_slash($user->user_lastname) );
if ( !empty( $user->user_nickname ) )
update_user_meta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) );
update_user_meta( $user->ID, 'nickname', wp_slash($user->user_nickname) );
if ( !empty( $user->user_level ) )
update_user_meta( $user->ID, $wpdb->prefix . 'user_level', $user->user_level );
if ( !empty( $user->user_icq ) )
update_user_meta( $user->ID, 'icq', $wpdb->escape($user->user_icq) );
update_user_meta( $user->ID, 'icq', wp_slash($user->user_icq) );
if ( !empty( $user->user_aim ) )
update_user_meta( $user->ID, 'aim', $wpdb->escape($user->user_aim) );
update_user_meta( $user->ID, 'aim', wp_slash($user->user_aim) );
if ( !empty( $user->user_msn ) )
update_user_meta( $user->ID, 'msn', $wpdb->escape($user->user_msn) );
update_user_meta( $user->ID, 'msn', wp_slash($user->user_msn) );
if ( !empty( $user->user_yim ) )
update_user_meta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );
update_user_meta( $user->ID, 'yim', wp_slash($user->user_icq) );
if ( !empty( $user->user_description ) )
update_user_meta( $user->ID, 'description', $wpdb->escape($user->user_description) );
update_user_meta( $user->ID, 'description', wp_slash($user->user_description) );
if ( isset( $user->user_idmode ) ):
$idmode = $user->user_idmode;
@ -854,7 +854,7 @@ function upgrade_230() {
foreach ( $link_cats as $category) {
$cat_id = (int) $category->cat_id;
$term_id = 0;
$name = $wpdb->escape($category->cat_name);
$name = wp_slash($category->cat_name);
$slug = sanitize_title($name);
$term_group = 0;

View File

@ -34,7 +34,7 @@ function edit_user( $user_id = 0 ) {
$update = true;
$user->ID = (int) $user_id;
$userdata = get_userdata( $user_id );
$user->user_login = $wpdb->escape( $userdata->user_login );
$user->user_login = wp_slash( $userdata->user_login );
} else {
$update = false;
}

View File

@ -84,10 +84,10 @@ function display_setup_form( $error = null ) {
if ( ! empty( $_POST ) )
$blog_public = isset( $_POST['blog_public'] );
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
$admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
$admin_email = isset( $_POST['admin_email'] ) ? trim( stripslashes( $_POST['admin_email'] ) ) : '';
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
$admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
$admin_email = isset( $_POST['admin_email'] ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : '';
if ( ! is_null( $error ) ) {
?>
@ -189,11 +189,11 @@ switch($step) {
display_header();
// Fill in the data we gathered
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
$admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
$admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
$admin_email = isset( $_POST['admin_email'] ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
$admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : '';
$admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : '';
$admin_email = isset( $_POST['admin_email'] ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : '';
$public = isset( $_POST['blog_public'] ) ? (int) $_POST['blog_public'] : 0;
// check e-mail address
$error = false;

View File

@ -31,7 +31,7 @@ if ( $doaction && isset( $_REQUEST['linkcheck'] ) ) {
exit;
}
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
exit;
}
@ -72,7 +72,7 @@ if ( ! current_user_can('manage_links') )
<?php screen_icon(); ?>
<h2><?php echo esc_html( $title ); ?> <a href="link-add.php" class="add-new-h2"><?php echo esc_html_x('Add New', 'link'); ?></a> <?php
if ( !empty($_REQUEST['s']) )
printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
</h2>
<?php

View File

@ -520,7 +520,7 @@ if ( $_POST ) {
$base = parse_url( trailingslashit( get_option( 'home' ) ), PHP_URL_PATH );
$subdomain_install = allow_subdomain_install() ? !empty( $_POST['subdomain_install'] ) : false;
if ( ! network_domain_check() ) {
$result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), stripslashes( $_POST['sitename'] ), $base, $subdomain_install );
$result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), wp_unslash( $_POST['sitename'] ), $base, $subdomain_install );
if ( is_wp_error( $result ) ) {
if ( 1 == count( $result->get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() )
network_step2( $result );

View File

@ -62,7 +62,7 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] ) {
delete_option( 'rewrite_rules' );
// update blogs table
$blog_data = stripslashes_deep( $_POST['blog'] );
$blog_data = wp_unslash( $_POST['blog'] );
$existing_details = get_blog_details( $id, false );
$blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' );
foreach ( $blog_data_checkboxes as $c ) {

View File

@ -88,7 +88,7 @@ if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) {
$content_mail = sprintf( __( 'New site created by %1$s
Address: %2$s
Name: %3$s' ), $current_user->user_login , get_site_url( $id ), stripslashes( $title ) );
Name: %3$s' ), $current_user->user_login , get_site_url( $id ), wp_unslash( $title ) );
wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site->site_name ), $content_mail, 'From: "Site Admin" <' . get_site_option( 'admin_email' ) . '>' );
wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) );
wp_redirect( add_query_arg( array( 'update' => 'added', 'id' => $id ), 'site-new.php' ) );

View File

@ -53,12 +53,14 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_ar
$count = count( $_POST['option'] );
$skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form.
foreach ( (array) $_POST['option'] as $key => $val ) {
$key = wp_unslash( $key );
$val = wp_unslash( $val );
if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) )
continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options
if ( $c == $count )
update_option( $key, stripslashes( $val ) );
update_option( $key, $val );
else
update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet
update_option( $key, $val, false ); // no need to refresh blog details yet
$c++;
}

View File

@ -79,7 +79,7 @@ if ( isset( $_GET['action'] ) ) {
<input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>" />
<input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
<?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?>
<p><?php echo esc_html( stripslashes( $_GET['msg'] ) ); ?></p>
<p><?php echo esc_html( wp_unslash( $_GET['msg'] ) ); ?></p>
<?php submit_button( __('Confirm'), 'button' ); ?>
</form>
</body>

View File

@ -2,8 +2,7 @@
/**
* WordPress Options Header.
*
* Resets variables: 'action', 'standalone', and 'option_group_id'. Displays
* updated message, if updated variable is part of the URL query.
* Displays updated message, if updated variable is part of the URL query.
*
* @package WordPress
* @subpackage Administration

View File

@ -120,16 +120,16 @@ if ( 'update' == $action ) {
if ( 'options' == $option_page ) {
if ( is_multisite() && ! is_super_admin() )
wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) );
$options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) );
$options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) );
} else {
$options = $whitelist_options[ $option_page ];
}
// Handle custom date/time formats
if ( 'general' == $option_page ) {
if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) )
if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) )
$_POST['date_format'] = $_POST['date_format_custom'];
if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) )
if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) )
$_POST['time_format'] = $_POST['time_format_custom'];
// Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
if ( !empty($_POST['timezone_string']) && preg_match('/^UTC[+-]/', $_POST['timezone_string']) ) {
@ -150,7 +150,7 @@ if ( 'update' == $action ) {
$value = $_POST[ $option ];
if ( ! is_array( $value ) )
$value = trim( $value );
$value = stripslashes_deep( $value );
$value = wp_unslash( $value );
}
update_option( $option, $value );
}

View File

@ -28,7 +28,7 @@ if ( empty($plugins) )
wp_die( __('There are no plugins installed on this site.') );
if ( isset($_REQUEST['file']) )
$plugin = stripslashes($_REQUEST['file']);
$plugin = wp_unslash($_REQUEST['file']);
if ( empty($plugin) ) {
$plugin = array_keys($plugins);
@ -39,8 +39,6 @@ $plugin_files = get_plugin_files($plugin);
if ( empty($file) )
$file = $plugin_files[0];
else
$file = stripslashes($file);
$file = validate_file_to_edit($file, $plugin_files);
$real_file = WP_PLUGIN_DIR . '/' . $file;
@ -52,7 +50,7 @@ case 'update':
check_admin_referer('edit-plugin_' . $file);
$newcontent = stripslashes($_POST['newcontent']);
$newcontent = wp_unslash( $_POST['newcontent'] );
if ( is_writeable($real_file) ) {
$f = fopen($real_file, 'w+');
fwrite($f, $newcontent);

View File

@ -91,11 +91,11 @@ if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) {
}
// Set Variables
$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
$selection = '';
if ( !empty($_GET['s']) ) {
$selection = str_replace('&apos;', "'", stripslashes($_GET['s']));
$selection = str_replace('&apos;', "'", wp_unslash($_GET['s']));
$selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) );
}

View File

@ -164,7 +164,7 @@ switch($step) {
case 2:
foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key )
$$key = trim( stripslashes( $_POST[ $key ] ) );
$$key = trim( wp_unslash( $_POST[ $key ] ) );
$tryagain_link = '</p><p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button button-large">' . __( 'Try again' ) . '</a>';

View File

@ -68,7 +68,7 @@ if ( empty( $file ) ) {
$relative_file = 'style.css';
$file = $allowed_files['style.css'];
} else {
$relative_file = stripslashes( $file );
$relative_file = wp_unslash( $file );
$file = $theme->get_stylesheet_directory() . '/' . $relative_file;
}
@ -78,7 +78,7 @@ $scrollto = isset( $_REQUEST['scrollto'] ) ? (int) $_REQUEST['scrollto'] : 0;
switch( $action ) {
case 'update':
check_admin_referer( 'edit-theme_' . $file . $stylesheet );
$newcontent = stripslashes( $_POST['newcontent'] );
$newcontent = wp_unslash( $_POST['newcontent'] );
$location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&theme=' . urlencode( $stylesheet ) . '&scrollto=' . $scrollto;
if ( is_writeable( $file ) ) {
//is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable

View File

@ -77,7 +77,7 @@ else
<?php else :
switch ( $step ) :
case 0:
$goback = stripslashes( wp_get_referer() );
$goback = wp_unslash( wp_get_referer() );
$goback = esc_url_raw( $goback );
$goback = urlencode( $goback );
?>
@ -90,7 +90,7 @@ switch ( $step ) :
case 1:
wp_upgrade();
$backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
$backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
$backto = esc_url( $backto );
$backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/');
?>

View File

@ -132,7 +132,7 @@ if ( $doaction ) {
wp_redirect( $location );
exit;
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
exit;
}