WordPress.org

Make WordPress Core

Ticket #12416: 12416.2.diff

File 12416.2.diff, 13.2 KB (added by ryan, 5 years ago)

Refreshed patch

  • wp-includes/theme.php

     
    12001200function get_theme_mod($name, $default = false) { 
    12011201        $theme = get_current_theme(); 
    12021202 
    1203         $mods = get_option( esc_sql( "mods_$theme" ) ); 
     1203        $mods = get_option( "mods_$theme" ); 
    12041204 
    12051205        if ( isset($mods[$name]) ) 
    12061206                return apply_filters( "theme_mod_$name", $mods[$name] ); 
  • wp-includes/functions.php

     
    307307 * @uses apply_filters() Calls 'option_$option', after checking the option, with 
    308308 *      the option value. 
    309309 * 
    310  * @param string $option Name of option to retrieve. Should already be SQL-escaped 
     310 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. 
    311311 * @return mixed Value set for the option. 
    312312 */ 
    313313function get_option( $option, $default = false ) { 
     
    339339                if ( false === $value ) { 
    340340                        if ( defined( 'WP_INSTALLING' ) ) 
    341341                                $suppress = $wpdb->suppress_errors(); 
    342                         // expected_slashed ($option) 
    343                         $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" ); 
     342                        $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) ); 
    344343                        if ( defined( 'WP_INSTALLING' ) ) 
    345344                                $wpdb->suppress_errors( $suppress ); 
    346345 
     
    482481 * @uses do_action() Calls 'update_option' hook before updating the option. 
    483482 * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success. 
    484483 * 
    485  * @param string $option Option name. Expected to not be SQL-escaped 
    486  * @param mixed $newvalue Option value. 
     484 * @param string $option Option name. Expected to not be SQL-escaped. 
     485 * @param mixed $newvalue Option value. Expected to not be SQL-escaped. 
    487486 * @return bool False if value was not updated and true if value was updated. 
    488487 */ 
    489488function update_option( $option, $newvalue ) { 
     
    491490 
    492491        wp_protect_special_option( $option ); 
    493492 
    494         $safe_option = esc_sql( $option ); 
    495493        $newvalue = sanitize_option( $option, $newvalue ); 
    496         $oldvalue = get_option( $safe_option ); 
     494        $oldvalue = get_option( $option ); 
    497495        $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue ); 
    498496 
    499497        // If the new and old values are the same, no need to update. 
     
    516514        if ( ! defined( 'WP_INSTALLING' ) ) { 
    517515                $alloptions = wp_load_alloptions(); 
    518516                if ( isset( $alloptions[$option] ) ) { 
    519                         $alloptions[$option] = $newvalue; 
    520                         wp_cache_set( 'alloptions', $alloptions, 'options' ); 
     517                        $alloptions[$option] = $_newvalue; 
     518                        wp_cache_set( 'alloptions', $_alloptions, 'options' ); 
    521519                } else { 
    522                         wp_cache_set( $option, $newvalue, 'options' ); 
     520                        wp_cache_set( $option, $_newvalue, 'options' ); 
    523521                } 
    524522        } 
    525523 
     
    554552 * @uses do_action() Calls 'add_option' hook before adding the option. 
    555553 * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success. 
    556554 * 
    557  * @param string $option Name of option to add. Expects to NOT be SQL escaped. 
    558  * @param mixed $value Optional. Option value, can be anything. 
     555 * @param string $option Name of option to add. Expected to not be SQL-escaped. 
     556 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. 
    559557 * @param mixed $deprecated Optional. Description. Not used anymore. 
    560558 * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up. 
    561559 * @return null returns when finished. 
     
    567565        global $wpdb; 
    568566 
    569567        wp_protect_special_option( $option ); 
    570         $safe_option = esc_sql( $option ); 
    571568        $value = sanitize_option( $option, $value ); 
    572569 
    573570        // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query 
    574571        $notoptions = wp_cache_get( 'notoptions', 'options' ); 
    575572        if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) ) 
    576                 if ( false !== get_option( $safe_option ) ) 
     573                if ( false !== get_option( $option ) ) 
    577574                        return; 
    578575 
    579576        $_value = $value; 
     
    617614 * @uses do_action() Calls 'delete_option' hook before option is deleted. 
    618615 * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success. 
    619616 * 
    620  * @param string $option Name of option to remove. 
     617 * @param string $option Name of option to remove. Expected to not be SQL-escaped. 
    621618 * @return bool True, if option is successfully deleted. False on failure. 
    622619 */ 
    623620function delete_option( $option ) { 
     
    626623        wp_protect_special_option( $option ); 
    627624 
    628625        // Get the ID, if no ID then return 
    629         // expected_slashed ($option) 
    630         $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" ); 
     626        $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) ); 
    631627        if ( is_null( $row ) ) 
    632628                return false; 
    633629        do_action( 'delete_option', $option ); 
    634         // expected_slashed ($option) 
    635         $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" ); 
     630        $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) ); 
    636631        if ( ! defined( 'WP_INSTALLING' ) ) { 
    637632                if ( 'yes' == $row->autoload ) { 
    638633                        $alloptions = wp_load_alloptions(); 
     
    662657 * @uses do_action() Calls 'delete_transient_$transient' hook before transient is deleted. 
    663658 * @uses do_action() Calls 'deleted_transient' hook on success. 
    664659 * 
    665  * @param string $transient Transient name. Expected to not be SQL-escaped 
     660 * @param string $transient Transient name. Expected to not be SQL-escaped. 
    666661 * @return bool true if successful, false otherwise 
    667662 */ 
    668663function delete_transient( $transient ) { 
     
    673668        if ( $_wp_using_ext_object_cache ) { 
    674669                $result = wp_cache_delete( $transient, 'transient' ); 
    675670        } else { 
    676                 $option = '_transient_' . esc_sql( $transient ); 
     671                $option = '_transient_' . $transient; 
    677672                $result = delete_option( $option ); 
    678673        } 
    679674 
     
    711706        if ( $_wp_using_ext_object_cache ) { 
    712707                $value = wp_cache_get( $transient, 'transient' ); 
    713708        } else { 
    714                 $safe_transient   = esc_sql( $transient ); 
    715                 $transient_option = '_transient_' . $safe_transient; 
     709                $transient_option = '_transient_' . $transient; 
    716710                if ( ! defined( 'WP_INSTALLING' ) ) { 
    717711                        // If option is not in alloptions, it is not autoloaded and thus has a timeout 
    718712                        $alloptions = wp_load_alloptions(); 
    719713                        if ( !isset( $alloptions[$transient_option] ) ) { 
    720                                 $transient_timeout = '_transient_timeout_' . $safe_transient; 
     714                                $transient_timeout = '_transient_timeout_' . $transient; 
    721715                                if ( get_option( $transient_timeout ) < time() ) { 
    722716                                        delete_option( $transient_option  ); 
    723717                                        delete_option( $transient_timeout ); 
     
    746740 *      transient value to be stored. 
    747741 * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success. 
    748742 * 
    749  * @param string $transient Transient name. Expected to not be SQL-escaped 
    750  * @param mixed $value Transient value. 
     743 * @param string $transient Transient name. Expected to not be SQL-escaped. 
     744 * @param mixed $value Transient value. Expected to not be SQL-escaped. 
    751745 * @param int $expiration Time until expiration in seconds, default 0 
    752746 * @return bool False if value was not set and true if value was set. 
    753747 */ 
     
    761755        } else { 
    762756                $transient_timeout = '_transient_timeout_' . $transient; 
    763757                $transient = '_transient_' . $transient; 
    764                 $safe_transient = esc_sql( $transient ); 
    765                 if ( false === get_option( $safe_transient ) ) { 
     758                if ( false === get_option( $transient ) ) { 
    766759                        $autoload = 'yes'; 
    767760                        if ( $expiration ) { 
    768761                                $autoload = 'no'; 
     
    1000993 * @return mixed A scalar data 
    1001994 */ 
    1002995function maybe_serialize( $data ) { 
    1003         if ( is_array( $data ) || is_object( $data ) ) 
     996        if ( !is_scalar( $data ) ) 
    1004997                return serialize( $data ); 
    1005998 
    1006         if ( is_serialized( $data ) ) 
    1007                 return serialize( $data ); 
    1008  
    1009999        return $data; 
    10101000} 
    10111001 
     
    33843374 * @uses apply_filters() Calls 'site_option_$option', after checking the  option, with 
    33853375 *      the option value. 
    33863376 * 
    3387  * @param string $option Name of option to retrieve. Should already be SQL-escaped 
     3377 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. 
    33883378 * @param mixed $default Optional value to return if option doesn't exist. Default false. 
    33893379 * @param bool $use_cache Whether to use cache. Multisite only. Default true. 
    33903380 * @return mixed Value set for the option. 
     
    34313421 *      option value to be stored. 
    34323422 * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success. 
    34333423 * 
    3434  * @param string $option Name of option to add. Expects to not be SQL escaped. 
    3435  * @param mixed $value Optional. Option value, can be anything. 
     3424 * @param string $option Name of option to add. Expected to not be SQL-escaped. 
     3425 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. 
    34363426 * @return bool False if option was not added and true if option was added. 
    34373427 */ 
    34383428function add_site_option( $option, $value ) { 
     
    34753465 * @uses do_action() Calls 'delete_site_option' and 'delete_site_option_$option' 
    34763466 *      hooks on success. 
    34773467 * 
    3478  * @param string $option Name of option to remove. Expected to be SQL-escaped. 
     3468 * @param string $option Name of option to remove. Expected to not be SQL-escaped. 
    34793469 * @return bool True, if succeed. False, if failure. 
    34803470 */ 
    34813471function delete_site_option( $option ) { 
     
    35173507 *      option value to be stored. 
    35183508 * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success. 
    35193509 * 
    3520  * @param string $option Name of option. Expected to not be SQL-escaped 
    3521  * @param mixed $value Option value. 
     3510 * @param string $option Name of option. Expected to not be SQL-escaped. 
     3511 * @param mixed $value Option value. Expected to not be SQL-escaped. 
    35223512 * @return bool False if value was not updated and true if value was updated. 
    35233513 */ 
    35243514function update_site_option( $option, $value ) { 
     
    35643554 * @uses do_action() Calls 'delete_site_transient_$transient' hook before transient is deleted. 
    35653555 * @uses do_action() Calls 'deleted_site_transient' hook on success. 
    35663556 * 
    3567  * @param string $transient Transient name. Expected to not be SQL-escaped 
     3557 * @param string $transient Transient name. Expected to not be SQL-escaped. 
    35683558 * @return bool True if successful, false otherwise 
    35693559 */ 
    35703560function delete_site_transient( $transient ) { 
     
    35743564        if ( $_wp_using_ext_object_cache ) { 
    35753565                $result = wp_cache_delete( $transient, 'site-transient' ); 
    35763566        } else { 
    3577                 $option = '_site_transient_' . esc_sql( $transient ); 
     3567                $option = '_site_transient_' . $transient; 
    35783568                $result = delete_site_option( $option ); 
    35793569        } 
    35803570        if ( $result ) 
     
    35993589 * @uses apply_filters() Calls 'site_transient_$option' hook, after checking the transient, with 
    36003590 *      the transient value. 
    36013591 * 
    3602  * @param string $transient Transient name. Expected to not be SQL-escaped 
     3592 * @param string $transient Transient name. Expected to not be SQL-escaped. 
    36033593 * @return mixed Value of transient 
    36043594 */ 
    36053595function get_site_transient( $transient ) { 
     
    36143604        } else { 
    36153605                // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided. 
    36163606                $no_timeout = array('update_core', 'update_plugins', 'update_themes'); 
    3617                 $transient_option = '_site_transient_' . esc_sql( $transient ); 
     3607                $transient_option = '_site_transient_' . $transient; 
    36183608                if ( ! in_array( $transient, $no_timeout ) ) { 
    3619                         $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient ); 
     3609                        $transient_timeout = '_site_transient_timeout_' . $transient; 
    36203610                        $timeout = get_site_option( $transient_timeout ); 
    36213611                        if ( false !== $timeout && $timeout < time() ) { 
    36223612                                delete_site_option( $transient_option  ); 
     
    36463636 *      transient value to be stored. 
    36473637 * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success. 
    36483638 * 
    3649  * @param string $transient Transient name. Expected to not be SQL-escaped 
    3650  * @param mixed $value Transient value. 
     3639 * @param string $transient Transient name. Expected to not be SQL-escaped. 
     3640 * @param mixed $value Transient value. Expected to not be SQL-escaped. 
    36513641 * @param int $expiration Time until expiration in seconds, default 0 
    36523642 * @return bool False if value was not set and true if value was set. 
    36533643 */ 
     
    36613651        } else { 
    36623652                $transient_timeout = '_site_transient_timeout_' . $transient; 
    36633653                $transient = '_site_transient_' . $transient; 
    3664                 $safe_transient = esc_sql( $transient ); 
    3665                 if ( false === get_site_option( $safe_transient ) ) { 
     3654                if ( false === get_site_option( $transient ) ) { 
    36663655                        if ( $expiration ) 
    36673656                                add_site_option( $transient_timeout, time() + $expiration ); 
    36683657                        $result = add_site_option( $transient, $value ); 
  • wp-includes/formatting.php

     
    24412441 
    24422442                case 'siteurl': 
    24432443                case 'home': 
    2444                         $value = stripslashes($value); 
    2445                         $value = esc_url($value); 
     2444                        $value = esc_url_raw($value); 
    24462445                        break; 
    24472446                default : 
    24482447                        $value = apply_filters("sanitize_option_{$option}", $value, $option);