Commit Graph

188 Commits

Author SHA1 Message Date
Andrew Nacin 96ee267343 Better validation of the URL used in core HTTP requests.
git-svn-id: http://core.svn.wordpress.org/trunk@24480 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 06:07:47 +00:00
Andrew Nacin be01fce99f Show a relative path in an upload error message.
git-svn-id: http://core.svn.wordpress.org/trunk@24463 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 02:29:26 +00:00
Ryan Boren 469d1a3099 Escape form action urls with esc_url() rather than esc_attr().
Props SergeyBiryukov
fixes #23266


git-svn-id: http://core.svn.wordpress.org/trunk@23739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-18 14:01:25 +00:00
Sergey Biryukov 28248c1b08 Make get_home_path() return consistent slashes. fixes #23175.
git-svn-id: http://core.svn.wordpress.org/trunk@23669 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-12 11:04:14 +00:00
Ryan Boren 5f809d1d22 Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 17:00:25 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Helen Hou-Sandí b1f1579604 its <=> it's in documentation, along with a rogue the, The, and looses. props trepmal. fixes #22665.
git-svn-id: http://core.svn.wordpress.org/trunk@23191 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-12-20 15:55:32 +00:00
Dion Hulse bcbfb232f7 Correct get_home_path() for cases where WordPress is installed in a subdirectory called /wp/, previously it would match on /wp-admin instead of /wp causing an incorrect return path. Props SergeyBiryukov. Fixes #20449
git-svn-id: http://core.svn.wordpress.org/trunk@22800 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-21 22:39:59 +00:00
Andrew Nacin 4cbc20ada1 Pass the post date to wp_upload_dir() during sideloads, just as we do uploads. Ensures that sideloaded images make it into the right uploads directory.
props solarisssmoke, fixes #16777.



git-svn-id: http://core.svn.wordpress.org/trunk@22105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-03 18:49:37 +00:00
ryan 2417e42fe5 Improved phpdoc for file.php. Props tommcfarlin. fixes #21328
git-svn-id: http://core.svn.wordpress.org/trunk@21350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-26 15:08:30 +00:00
dd32 509b845abc Make get_home_path() work in more cases by being case insensitive and sanitzing Windows paths. In some cases (such as differing case of hostnames or paths in the site/home options, or when SCRIPT_FILENAME contains forward slashes) the function was failing to return the correct path, and would instead return /. Props to SergeyBiryukov for the initial patch. Fixes #20449 Fixes #10447
git-svn-id: http://core.svn.wordpress.org/trunk@21224 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-06 13:54:15 +00:00
nacin 23abe58a59 Rewrite theme-editor.php to use the new WP_Theme API. see #20103.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20313 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-29 03:00:38 +00:00
dd32 86577f34ea Fix a small typo.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20070 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-02 11:00:51 +00:00
duck_ bb94e702f8 Drop image resizing code from wp_handle_upload(). Fixes #19800.
This code stops wp_handle_upload() from reporting errors when the upload couldn't be moved to its final local and it was a non-JS fallback that is unused.


git-svn-id: http://svn.automattic.com/wordpress/trunk@20019 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-02-28 20:02:43 +00:00
ryan e3b46b25d3 Lose EOF ?>. Clean up EOF newlines. fixes #12307
git-svn-id: http://svn.automattic.com/wordpress/trunk@19712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-08 17:01:11 +00:00
dd32 e15f5275a8 Fix edge case in get_home_path() where the incorrect path may be returned. Props ptahdunbar. Fixes #18768
git-svn-id: http://svn.automattic.com/wordpress/trunk@19697 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-06 13:46:22 +00:00
ryan 340e93324c Remove extraneous spaces. Props kenan3008, dimadin. fixes #19501 #19433
git-svn-id: http://svn.automattic.com/wordpress/trunk@19596 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-14 17:36:38 +00:00
ryan 07ff8b216b Use one space, not two, after trailing punctuation. fixes #19537
git-svn-id: http://svn.automattic.com/wordpress/trunk@19593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-13 23:45:31 +00:00
azaozz 331b242bcd Revert [19223] and only stop showing the checkbox, props nacin, see #19174
git-svn-id: http://svn.automattic.com/wordpress/trunk@19225 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-11-08 22:34:09 +00:00
azaozz 623220187a Remove the Resize files checkbox for now (revisit in 3.4), fixes #19174
git-svn-id: http://svn.automattic.com/wordpress/trunk@19223 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-11-08 22:23:40 +00:00
ryan 62afab8db3 Pinking shears
git-svn-id: http://svn.automattic.com/wordpress/trunk@19054 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-10-24 19:13:23 +00:00
markjaquith 37e23be4ed Be more consistent with ERROR: messages. fixes #15887
git-svn-id: http://svn.automattic.com/wordpress/trunk@18841 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-09-30 17:18:35 +00:00
duck_ c1d1590171 Fix typos in documentation (wp-admin/). See #18560.
git-svn-id: http://svn.automattic.com/wordpress/trunk@18632 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-09-03 14:18:10 +00:00
azaozz 9a65f6e237 Fix handling of resizing images after upload, props ocean90, see #18206
git-svn-id: http://svn.automattic.com/wordpress/trunk@18517 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-08-06 21:04:15 +00:00
azaozz 91a8720fff Pluploader take 1, props jacobwg, see #18206
git-svn-id: http://svn.automattic.com/wordpress/trunk@18482 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-07-29 08:59:35 +00:00
ryan a117773fc8 Typo fix. Props kawauso. fixes #18177
git-svn-id: http://svn.automattic.com/wordpress/trunk@18447 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-07-21 17:46:01 +00:00
markjaquith 029a8d1bef Remove code formatting from uploaded file size error messages, for now. props JohnONolan. fixes #17674
git-svn-id: http://svn.automattic.com/wordpress/trunk@18193 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-06-08 16:27:57 +00:00
nacin da2732c7de Use wp_remote_retrieve_* helper functions instead of the raw HTTP response array. props aaroncampbell, fixes #17416.
git-svn-id: http://svn.automattic.com/wordpress/trunk@17928 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-05-14 19:45:07 +00:00
westi 80f4e83a8c Introduce WP_MAX_MEMORY_LIMIT constant for the high memory limit we set when image processing and unzipping.
Ensure it is always filterable by plugins as well as configurable in wp-config
Fixes #13847 props hakre


git-svn-id: http://svn.automattic.com/wordpress/trunk@17749 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-04-28 16:25:36 +00:00
dd32 bed23730dc Handle zip error's in PclZip better. PclZip::extract() returns an array on success, 0 on failure. Fixes #17224
git-svn-id: http://svn.automattic.com/wordpress/trunk@17693 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-04-23 14:30:44 +00:00
dd32 9081c7636c Set the mb_string internal encoding to ISO-8859-1 whilst uncompressing archives using PclZip. Fixes 'PCLZIP_ERR_BAD_FORMAT (-10) : Invalid block size' errors on systems utilising mbstring.func_overload. Fixes #15789
git-svn-id: http://svn.automattic.com/wordpress/trunk@17592 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-04-03 12:32:06 +00:00
dd32 5b12ecb83d Be a party-pooper; No more Akismet Dancing upon upgrade; Respect custom WP_CONTENT_DIR for bundled plugins/theme installation; Respect custom WP_CONTENT_DIR/WP_LANG_DIR for Language files when upgrading; Standardise WP_Filesystem path method returns (They're trailing slash'd). Adds an exclusion list to copy_dir() as well as WP_Filesystem_Base::wp_lang_dir(). See #14484 See #11495
git-svn-id: http://svn.automattic.com/wordpress/trunk@17576 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-03-31 13:28:36 +00:00
dd32 00dc7a57d6 First run of introducing Stream-To-File for the WP_HTTP API. Reduces memory consumption during file downloads. Implemented in download_url() for upgraders. Props sivel. See #16236
git-svn-id: http://svn.automattic.com/wordpress/trunk@17555 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-03-25 02:42:20 +00:00
dd32 a83a2842ea Optimisations to WP_Filesystem; Pass known information to called functions. Props aldenta (John Ford) for investigation and patch. See #10913
git-svn-id: http://svn.automattic.com/wordpress/trunk@17525 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-03-22 00:04:15 +00:00
nacin 53d0af84b0 Don't esc_html the default error string. props SergeyBiryukov, fixes #16058.
git-svn-id: http://svn.automattic.com/wordpress/trunk@17200 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-01-01 22:14:42 +00:00
nacin e5b099a459 Add missing translation for 'Page Template' in the theme editor. props SergeyBiryukov, fixes #15933.
git-svn-id: http://svn.automattic.com/wordpress/trunk@17098 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-12-21 14:58:54 +00:00
westi 1bb4914c3a Allow for the callee of download_url() to specify a different timeout if they want to - maybe they don't want to wait that long.
git-svn-id: http://svn.automattic.com/wordpress/trunk@16763 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-12-07 12:45:24 +00:00
nacin 5021403b9d Add 'Visual Editor RTL Stylesheet' to the list of theme file descriptions. see #15672.
git-svn-id: http://svn.automattic.com/wordpress/trunk@16717 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-12-04 04:22:48 +00:00
markjaquith ad6e83136d Improve the wording of the file upload security message. props janeforshort. fixes #13550
git-svn-id: http://svn.automattic.com/wordpress/trunk@16577 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-11-24 20:45:21 +00:00
ryan 847499e531 Pinking shears
git-svn-id: http://svn.automattic.com/wordpress/trunk@16438 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-11-17 18:47:34 +00:00
nacin d81d7b7f4a Some escaping
git-svn-id: http://svn.automattic.com/wordpress/trunk@16366 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-11-14 17:33:16 +00:00
markjaquith fc6e89da45 Expand submit_button() capabilities. Replace all (or almost all) manual HTML instances in WP. props sbressler. see #15064
git-svn-id: http://svn.automattic.com/wordpress/trunk@16061 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-10-28 21:56:43 +00:00
nacin 82b1349664 Docs for wp-admin/includes/file.php. props sivel, see #14783.
git-svn-id: http://svn.automattic.com/wordpress/trunk@16024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-10-27 22:24:06 +00:00
nacin 1dee100f3a Fix typo. props mrmist, fixes #14571.
git-svn-id: http://svn.automattic.com/wordpress/trunk@15593 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-09-07 15:11:43 +00:00
dd32 fe5e3d0fb6 Do not check to see if parents of folders outside of the Destination folder exist within the Archive extractors, unzip_file() will take care of that area. Fixes #13741
git-svn-id: http://svn.automattic.com/wordpress/trunk@15156 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-06-07 11:19:51 +00:00
nacin 3ba9fc235c More request_filesystem_credentials() string improvements.
git-svn-id: http://svn.automattic.com/wordpress/trunk@15130 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-06-03 18:58:41 +00:00
nacin 80437ca9e1 Add missing spaces.
git-svn-id: http://svn.automattic.com/wordpress/trunk@15099 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-06-01 21:57:26 +00:00
nacin 09c448f63e Clarify the connection information requested in request_filesystem_credentials() to reduce confusion surrounding FTP information versus your WordPress login. see #13467, props jane.
git-svn-id: http://svn.automattic.com/wordpress/trunk@15098 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-06-01 20:35:59 +00:00
dd32 92eeafce24 Always fallback to PclZip in the event that ZipArchive does not return true. The PHP Zip extension is hit-and-miss with OSX generated zip files, sometimes 0 will be emitted and extraction will succeed, others it will fail with. Reverts r14346, r14377, partially r14800. See #12637. See #13491
git-svn-id: http://svn.automattic.com/wordpress/trunk@15052 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-05-29 13:16:35 +00:00