
Ticket #10751: 10751.diff

File 10751.diff, 9.0 KB (added by ryan, 9 years ago)

Add kses to display filters. Add sanitize_user_object() and sanitize_user_field(). First cut.

  • wp-includes/default-filters.php

     
    2323        add_filter($filter, '_wp_specialchars', 30);
    2424}
    2525
    26 // Kses only for textarea saves
    27 $filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description');
     26// Strip, kses, special chars for string display
     27$filters = array('term_name', 'comment_author_name', 'link_name', 'link_target', 'link_rel', 'user_display_name', 'user_first_name', 'user_last_name', 'user_nickname');
    2828foreach ( $filters as $filter ) {
     29        add_filter($filter, 'strip_tags');
    2930        add_filter($filter, 'wp_filter_kses');
     31        add_filter($filter, '_wp_specialchars', 30);
    3032}
    3133
    32 // Email
     34// Kses only for textarea saves and displays
     35$filters = array('pre_term_description', 'term_description', 'pre_link_description', 'link_description', 'pre_link_notes', 'link_notes', 'pre_user_description', 'user_description');
     36foreach ( $filters as $filter ) {
     37        add_filter($filter, 'wp_filter_kses');
     38}
     39
     40// Email saves
    3341$filters = array('pre_comment_author_email', 'pre_user_email');
    3442foreach ( $filters as $filter ) {
    3543        add_filter($filter, 'trim');
     
    3745        add_filter($filter, 'wp_filter_kses');
    3846}
    3947
     48// Email display
     49$filters = array('comment_author_email', 'user_email');
     50foreach ( $filters as $filter ) {
     51        add_filter($filter, 'sanitize_email');
     52        add_filter($filter, 'wp_filter_kses');
     53}
     54
    4055// Save URL
    4156$filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
    4257        'pre_link_rss');
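Review bot: The display filter list at new line 27 registers `user_display_name`, `user_first_name`, `user_last_name` and `user_nickname` but not `user_login` or `user_nicename`, so sanitize_user_field()'s default 'display' branch hands those two fields back unfiltered unless they are registered elsewhere in default-filters.php (the rest of the file is outside the hunk). If the intent is that `sanitize_user_object($user)` yields HTML-safe values for every string field, `user_login` and `user_nicename` need a matching `add_filter($filter, '_wp_specialchars', 30)` registration, otherwise callers must keep escaping those at the point of output. The email display list at new lines 49-53 applies `sanitize_email` and `wp_filter_kses` but not `_wp_specialchars`; presumably that is deliberate because sanitize_email restricts the character set, but a one-line comment such as `// sanitize_email() already rejects markup characters; no specialchars pass needed` would make the asymmetry with the string list explicit.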
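--- a/wp-includes/registration.php
+++ b/wp-includes/registration.php
@@ -201,7 +201,7 @@
         foreach (_wp_get_user_contactmethods() as $method => $name) {
                 if ( empty($$method) )
                         $$method = '';
-                
+
                 update_usermeta( $user_id, $method, $$method );
         }
 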
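--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -600,4 +600,121 @@
         wp_cache_add($user->user_nicename, $user->ID, 'userslugs');
 }
 
+/**
+ * Sanitize every user field.
+ *
+ * If the context is 'raw', then the user object or array will get minimal santization of the int fields.
+ *
+ * @since 2.3.0
+ * @uses sanitize_user_field() Used to sanitize the fields.
+ *
+ * @param object|array $user The User Object or Array
+ * @param string $context Optional, default is 'display'. How to sanitize user fields.
+ * @return object|array The now sanitized User Object or Array (will be the same type as $user)
+ */
+function sanitize_user_object($user, $context = 'display') {
+        if ( is_object($user) ) {
+                if ( !isset($user->ID) )
+                        $user->ID = 0;
+                if ( isset($user->data) )
+                        $vars = get_object_vars( $user->data );
+                else
+                        $vars = get_object_vars($user);
+                foreach ( array_keys($vars) as $field ) {
+                        if ( is_array($user->$field) )
+                                continue;
+                        $user->$field = sanitize_user_field($field, $user->$field, $user->ID, $context);
+                }
+                $user->filter = $context;
+        } else {
+                if ( !isset($user['ID']) )
+                        $user['ID'] = 0;
+                foreach ( array_keys($user) as $field )
+                        $user[$field] = sanitize_user_field($field, $user[$field], $user['ID'], $context);
+                $user['filter'] = $context;
+        }
+
+        return $user;
+}
+
+/**
+ * Sanitize user field based on context.
+ *
+ * Possible context values are:  'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The
+ * 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display'
+ * when calling filters.
+ *
+ * @since 2.3.0
+ * @uses apply_filters() Calls 'edit_$field' and '${field_no_prefix}_edit_pre' passing $value and
+ *  $user_id if $context == 'edit' and field name prefix == 'user_'.
+ *
+ * @uses apply_filters() Calls 'edit_user_$field' passing $value and $user_id if $context == 'db'.
+ * @uses apply_filters() Calls 'pre_$field' passing $value if $context == 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls '${field}_pre' passing $value if $context == 'db' and field name prefix != 'user_'.
+ *
+ * @uses apply_filters() Calls '$field' passing $value, $user_id and $context if $context == anything
+ *  other than 'raw', 'edit' and 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls 'user_$field' passing $value if $context == anything other than 'raw',
+ *  'edit' and 'db' and field name prefix != 'user_'.
+ *
+ * @param string $field The user Object field name.
+ * @param mixed $value The user Object value.
+ * @param int $user_id user ID.
+ * @param string $context How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display',
+ *               'attribute' and 'js'.
+ * @return mixed Sanitized value.
+ */
+function sanitize_user_field($field, $value, $user_id, $context) {
+        $int_fields = array('ID');
+        if ( in_array($field, $int_fields) )
+                $value = (int) $value;
+
+        if ( 'raw' == $context )
+                return $value;
+
+        if ( is_array($value) )
+                return $value;
+
+        $prefixed = false;
+        if ( false !== strpos($field, 'user_') ) {
+                $prefixed = true;
+                $field_no_prefix = str_replace('user_', '', $field);
+        }
+
+        if ( 'edit' == $context ) {
+                if ( $prefixed ) {
+                        $value = apply_filters("edit_$field", $value, $user_id);
+                } else {
+                        $value = apply_filters("edit_user_$field", $value, $user_id);
+                }
+
+                if ( 'description' == $field )
+                        $value = esc_html($value);
+                else
+                        $value = esc_attr($value);
+        } else if ( 'db' == $context ) {
+                if ( $prefixed ) {
+                        $value = apply_filters("pre_$field", $value);
+                } else {
+                        $value = apply_filters("pre_user_$field", $value);
+                }
+        } else {
+                // Use display filters by default.
+                if ( $prefixed )
+                        $value = apply_filters($field, $value, $user_id, $context);
+                else
+                        $value = apply_filters("user_$field", $value, $user_id, $context);
+        }
+
+        if ( 'user_url' == $field )
+                $value = esc_url($value);
+
+        if ( 'attribute' == $context )
+                $value = esc_attr($value);
+        else if ( 'js' == $context )
+                $value = esc_js($value);
+
+        return $value;
+}
+
 ?>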
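Review bot: In sanitize_user_field() the prefix test `if ( false !== strpos($field, 'user_') )` matches `user_` anywhere in the name rather than only at the start, and `str_replace('user_', '', $field)` strips every occurrence, so any field or meta key with `user_` mid-name would be routed to the wrong filter family; `if ( 0 === strpos($field, 'user_') )` expresses the intent. `$field_no_prefix` is assigned but never read, and the docblock's `@uses` lines describe filters the code does not call (`${field_no_prefix}_edit_pre`, `${field}_pre`) while attributing `edit_user_$field` to the 'db' context instead of 'edit' — the docblock should be brought in line with the four filter names actually invoked. The `(int)` cast on `ID` is undone in the 'edit', 'attribute' and 'js' branches, where `esc_attr()`/`esc_js()` return a string, so a strict comparison on `$user->ID` after an 'edit'-context sanitize would behave differently from 'raw'/'display'; guarding those escapes with `in_array($field, $int_fields)` keeps the type stable. Both functions are introduced by this diff yet carry `@since 2.3.0`, whereas the `$filter` property added in capabilities.php says 2.9.0.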
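--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
@@ -449,6 +449,15 @@
         var $last_name = '';
 
         /**
+         * The filter context applied to user data fields.
+         *
+         * @since 2.9.0
+         * @access private
+         * @var string
+         */
+        var $filter = null;
+
+        /**
          * PHP4 Constructor - Sets up the object properties.
          *
          * Retrieves the userdata and then assigns all of the data keys to direct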
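--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -385,14 +385,6 @@
 </form>
 </div>
 
-<?php
-        foreach ( array('user_login' => 'user_login', 'first_name' => 'user_firstname', 'last_name' => 'user_lastname', 'email' => 'user_email', 'url' => 'user_uri', 'role' => 'user_role') as $formpost => $var ) {
-                $var = 'new_' . $var;
-                $$var = isset($_REQUEST[$formpost]) ? esc_attr(stripslashes($_REQUEST[$formpost])) : '';
-        }
-        unset($name);
-?>
-
 <br class="clear" />
 <?php
 break;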
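--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -1892,6 +1892,7 @@
 
         if ( !( is_object( $user_object) && is_a( $user_object, 'WP_User' ) ) )
                 $user_object = new WP_User( (int) $user_object );
+        $user_object = sanitize_user_object($user_object);
         $email = $user_object->user_email;
         $url = $user_object->user_url;
         $short_url = str_replace( 'http://', '', $url );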
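Review bot: `sanitize_user_object($user_object)` runs with the default 'display' context and overwrites the object in place, so from this line on every string field carries whatever the display filters produced (per the default-filters.php hunk, `_wp_specialchars` at priority 30 for the name fields and `sanitize_email` for `user_email`); any later use of `$user_object` in this function for non-HTML purposes, such as comparing `user_login` or building a mailto link, would be operating on filtered values. The enclosing function starts and ends outside the hunk, so that remainder cannot be checked here. A short comment at the call site, `// From here on the object holds display-escaped values; do not re-escape or compare raw`, would keep later edits from double-handling the fields.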
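--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@@ -370,21 +370,18 @@
  */
 function get_user_to_edit( $user_id ) {
         $user = new WP_User( $user_id );
-        $user->user_login   = esc_attr($user->user_login);
-        $user->user_email   = esc_attr($user->user_email);
-        $user->user_url     = esc_url($user->user_url);
-        $user->first_name   = esc_attr($user->first_name);
-        $user->last_name    = esc_attr($user->last_name);
-        $user->display_name = esc_attr($user->display_name);
-        $user->nickname     = esc_attr($user->nickname);
 
         $user_contactmethods = _wp_get_user_contactmethods();
         foreach ($user_contactmethods as $method => $name) {
-                $user->{$method} = isset( $user->{$method} ) && !empty( $user->{$method} ) ? esc_attr($user->{$method}) : '';
+                if ( empty( $user->{$method} ) )
+                        $user->{$method} = '';
         }
-        
-        $user->description  = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : '';
 
+        if ( empty($user->description) )
+                $user->description = '';
+
+        $user = sanitize_user_object($user, 'edit');
+
         return $user;
 }
 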
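Review bot: Replacing the per-field escapes in get_user_to_edit() with `sanitize_user_object($user, 'edit')` changes the treatment of `user_url`: the removed line applied only `esc_url()`, whereas sanitize_user_field()'s 'edit' branch runs `esc_attr()` on every non-description field first and applies `esc_url()` afterwards, so a URL containing `&` or a quote is entity-encoded before the URL cleaner sees it. Whether esc_url() tolerates already-encoded input is not visible in this diff and should be confirmed; if it does not, excluding `user_url` from the `esc_attr()` step in the 'edit' branch (`else if ( 'user_url' != $field ) $value = esc_attr($value);`) restores the previous ordering. The 'edit' branch also escapes every remaining field, including contact-method meta, which the old code covered explicitly — worth a comment here such as `// 'edit' context: esc_attr() on all scalar fields, esc_html() on description, esc_url() on user_url` so the next reader does not assume fields are still raw.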