Opened 13 years ago
Closed 13 years ago
#19399 closed defect (bug) (fixed)
New uploader doesn't show if the options for large image sizes are not numbers
Reported by: | westi | Owned by: | azaozz |
---|---|---|---|
Milestone: | 3.3 | Priority: | high |
Severity: | major | Version: | 3.3 |
Component: | Upload | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
    Error: syntax error
    Source File: ...wp-admin/media-upload.php?post_id=xxx&
    Line: 132, Column: 20
    Source Code: var resize_height = , resize_width = ,
We blindly output the data returned from get_option:
We should:
- Validate it is an integer
- Sanitize what we output
Attachments (5)
Change History (17)
#2
13 years ago
- Keywords has-patch added; needs-patch removed
Check that the get_option is a whole number before echoing, and if not, echo 1024, which is the standard WordPress size.
#5
13 years ago
Patch won't work quite right. That doesn't sanitize get_option( 'large_size_h' ), it only confirms it can be sanitized to a non-zero value.
You want:
    $large_size_h = absint( get_option('large_size_h') );
    if ( ! $large_size_h )
        $large_size_h = 1024;
#6
13 years ago
Added new patch. absint( '3asdf' ) will return int(3), and I added a preg_match that checks that the option only contains numbers.
#8
13 years ago
Probably, but "1e4" and "9.6" are also numeric. I'm not sure if that would break the upload script. The size should be a whole number. It might be better to use the ctype_digit() function then?
#10
13 years ago
We can't use ctype_digit(), as it's not available everywhere.
I think absint() is sufficient. We do it all over the place to fine effect. A bit of sanitization followed by validating that it is not 0 (if such a value is invalid in that context).
sanitize_option() sanitizes all of these options with absint() anyway, which leads me to A) wonder how westi did this :-) and B) not at all care about this beyond the JS error and empty/0 values.
Buggy code is here: http://core.trac.wordpress.org/browser/trunk/wp-admin/includes/media.php#L1352
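The sanitize-then-validate approach discussed in this ticket, as an added example that is not part of the ticket or its patches. `example_js_dimension()` and the sample values are hypothetical, and the `absint()` definition is a stand-in used only when the script runs outside WordPress.

```php
<?php
// Added example, not WordPress core code. Runs stand-alone with the PHP CLI.

// Stand-in for WordPress's absint(), defined only when run outside WordPress.
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}

/**
 * Hypothetical helper: turn a stored size option into a positive integer
 * that is safe to print into a JavaScript assignment.
 */
function example_js_dimension( $raw, $fallback = 1024, $strict = false ) {
    // Strict mode: accept only whole-number input, without needing ctype_digit().
    if ( $strict && ! is_int( $raw ) && ! ( is_string( $raw ) && preg_match( '/^[0-9]+\z/', $raw ) ) ) {
        return $fallback;
    }
    $value = absint( $raw );            // sanitize: the result is always an int
    return $value ? $value : $fallback; // validate: 0 is not a usable size
}

// Constructed sample option values, including the ones raised in the comments.
// false is what get_option() returns when the option does not exist.
$samples = array( '1024', '', false, '3asdf', '1e4', '9.6', '<script>' );

foreach ( $samples as $raw ) {
    // %d guarantees that only digits reach the generated JavaScript.
    printf(
        "%-12s default: var resize_height = %d;  strict: var resize_height = %d;\n",
        var_export( $raw, true ),
        example_js_dimension( $raw ),
        example_js_dimension( $raw, 1024, true )
    );
}
```

In both modes the emitted value is an integer, so an empty or non-numeric option can no longer produce the `var resize_height = ,` syntax error; strict mode additionally replaces partially numeric strings with the fallback instead of truncating them.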