Ticket #4411: sanitize_url.diff

File sanitize_url.diff, 3.0 KB (added by ryan, 5 years ago)
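--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -25,12 +25,21 @@
         add_filter($filter, 'wp_filter_kses');
 }
 
-// URL
+// Save URL
 $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-        'pre_link_rss', 'comment_url');
+        'pre_link_rss');
 foreach ( $filters as $filter ) {
         add_filter($filter, 'strip_tags');
         add_filter($filter, 'trim');
+        add_filter($filter, 'sanitize_url');
+        add_filter($filter, 'wp_filter_kses');
+}
+
+// Display URL
+$filters = array('user_url', 'link_url', 'link_image', 'link_rss', 'comment_url');
+foreach ( $filters as $filter ) {
+        add_filter($filter, 'strip_tags');
+        add_filter($filter, 'trim');
         add_filter($filter, 'clean_url');
         add_filter($filter, 'wp_filter_kses');
 }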
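Review bot: The value produced by the save-time chain (new line 34, `sanitize_url`) is stored without the ampersand entity-encoding that `clean_url` used to apply, so every output path for `pre_user_url` / `pre_link_*` data now depends on the matching display filter (new lines 39–45) being run before the value is echoed; a consumer that reads the option directly will emit a raw `&`. Since `comment_url` now appears only in the display list (new line 39) while the save list keeps `pre_comment_author_url`, it is worth confirming that every stored URL field has a display-side counterpart and that nothing still relies on the old single list. The two loops also repeat the `strip_tags`/`trim` pair; a small helper taking the filter list and the URL callback, e.g. `add_url_filters( $filters, 'sanitize_url' )`, would keep the save and display chains from drifting apart.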
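--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1087,7 +1087,7 @@
         return apply_filters('richedit_pre', $output);
 }
 
-function clean_url( $url, $protocols = null ) {
+function clean_url( $url, $protocols = null, $context = 'display' ) {
         $original_url = $url;
 
         if ('' == $url) return $url;
@@ -1103,15 +1103,22 @@
                 substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
                 $url = 'http://' . $url;
 
-        $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+        // Replace ampersands ony when displaying.
+        if ( 'display' == $context )
+                $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+
         if ( !is_array($protocols) )
                 $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
         if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
                 return '';
 
-        return apply_filters('clean_url', $url, $original_url);
+        return apply_filters('clean_url', $url, $original_url, $context);
 }
 
+function sanitize_url( $url, $protocols = null ) {
+        return clean_url( $url, $protocols, 'db');
+}
+
 // Borrowed from the PHP Manual user notes. Convert entities, while
 // preserving already-encoded entities:
 function htmlentities2($myHTML) {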
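Review bot: Entity-encoding is skipped for every `$context` value except the literal `'display'` (new line 1107), so a caller that passes a misspelled or unexpected context silently receives the unencoded URL; inverting the test so that only the storage context opts out, `if ( 'db' != $context )`, keeps the safe behaviour as the default. The added comment at new line 1106 has a typo, `// Replace ampersands only when displaying.`. `sanitize_url` (new line 1118) would benefit from a docblock saying it is `clean_url` in the `'db'` context, i.e. the protocol check without entity-encoding, so callers know the result is not display-safe as returned. The replacement string is shown as `'&$1'` on this page, which would be a no-op as written; presumably an entity was decoded when the page was rendered, but it is worth confirming against the actual file.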
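--- a/wp-includes/widgets.php
+++ b/wp-includes/widgets.php
@@ -1001,7 +1001,7 @@
         $options = $newoptions = get_option('widget_rss');
         if ( $_POST["rss-submit-$number"] ) {
                 $newoptions[$number]['items'] = (int) $_POST["rss-items-$number"];
-                $url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
+                $url = sanitize_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
                 $newoptions[$number]['title'] = trim(strip_tags(stripslashes($_POST["rss-title-$number"])));
                 if ( $url !== $options[$number]['url'] ) {
                         require_once(ABSPATH . WPINC . '/rss.php');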
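Review bot: Switching to `sanitize_url` on new line 1004 changes the stored form of the URL (no ampersand entity-encoding), while the `!==` comparison on line 1006 is against the previously stored value, which existing installs presumably saved in the encoded display form; a URL containing `&` will then compare unequal on the first save after the upgrade and re-trigger the feed fetch even though the user changed nothing. Anything that later echoes `$newoptions[$number]['url']` must now escape it at output, since the value is no longer display-safe when read back. If the widget output path already runs the stored URL through a display filter this is fine, but it is worth confirming. The enclosing function starts before the hunk.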