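--- a/wordpress/wp-includes/formatting.php
+++ b/wordpress/wp-includes/formatting.php
@@ -769,6 +769,31 @@
 }
 
 /**
+* Sanitize "object" name, stripping out unsafe characters.
+*
+* Leaves only alphanumeric caracters, underscore and dash
+* (a.k.a. 'identifier'); Preserves case
+*
+* @since 3.1.0
+*
+* @param string $name The name to be sanitized.
+* @return string The sanitized object name.
+*/
+function sanitize_objectname( $name ) {
+$name = wp_strip_all_tags( $name );
+$name = remove_accents( $name );
+// Kill octets
+$name = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $name );
+$name = preg_replace( '/&.+?;/', '', $name ); // Kill entities
+// ensure only "alnum"
+$name = preg_replace('|[^A-Za-z0-9_]|', '', $name );
+
+// Remove extra spaces and return
+return trim( $name );
+}
+
+
+/**
 * Sanitize a string key.
 *
 * Keys are used as internal identifiers. Lowercase alphanumeric characters, dashes and underscores are allowed.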
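Review bot: The docblock for sanitize_objectname (new lines 772-775) says underscore and dash are kept, but the final replacement on line 789, `preg_replace('|[^A-Za-z0-9_]|', '', $name )`, strips dashes too, so a name containing `-` is silently rewritten rather than rejected, and because post.php in this same diff now routes register_post_type and get_post_type_object through this function, a registered name with a dash would change identity on the way in. Either the character class should be `'|[^A-Za-z0-9_-]|'` or the docblock should say that only letters, digits and underscore survive; whichever is intended, the two must agree, since callers will read the docblock. The comment on line 791, `// Remove extra spaces and return`, is also misleading: the character class has already removed every space by that point, so `trim()` is a no-op, and I would either drop the comment or write `// Only [A-Za-z0-9_] can remain here; trim() is purely defensive`. `caracters` on line 774 is a typo for `characters`.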
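--- a/wordpress/wp-includes/post.php
+++ b/wordpress/wp-includes/post.php
@@ -808,6 +808,7 @@
 function get_post_type_object( $post_type ) {
 global $wp_post_types;
 
+$post_type = sanitize_objectname($post_type);
 if ( empty($wp_post_types[$post_type]) )
 return null;
 
@@ -912,7 +913,7 @@
 $args = wp_parse_args($args, $defaults);
 $args = (object) $args;
 
-$post_type = sanitize_key($post_type);
+$post_type = sanitize_objectname($post_type);
 $args->name = $post_type;
 
 if ( strlen( $post_type ) > 20 )
@@ -1224,6 +1225,7 @@
 function add_post_type_support( $post_type, $feature ) {
 global $_wp_post_type_features;
 
+$post_type = sanitize_objectname($post_type);
 $features = (array) $feature;
 foreach ($features as $feature) {
 if ( func_num_args() == 2 )
@@ -1243,6 +1245,7 @@
 function remove_post_type_support( $post_type, $feature ) {
 global $_wp_post_type_features;
 
+$post_type=sanitize_objectname($post_type);
 if ( !isset($_wp_post_type_features[$post_type]) )
 return;
 
@@ -1262,6 +1265,7 @@
 function post_type_supports( $post_type, $feature ) {
 global $_wp_post_type_features;
 
+$post_type=sanitize_objectname($post_type);
 if ( !isset( $_wp_post_type_features[$post_type][$feature] ) )
 return false;
 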
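Review bot: Swapping `sanitize_key` for `sanitize_objectname` in register_post_type (new line 916) changes the stored name from lowercased to case-preserving, so a post type registered as `MyType` is now keyed under that exact spelling in `$wp_post_types`; the lookup in get_post_type_object (line 811) is made consistent here, but any other reader of `$wp_post_types` or `$_wp_post_type_features` that still lowercases the name is outside this diff, and I would confirm none remains before merging, since such a reader would silently miss the entry. The `strlen( $post_type ) > 20` check on line 919 now runs on the sanitized value, which is the right order, but it is worth a comment such as `// length is checked after sanitizing, so stripped characters do not count` so the next reader does not move the call. The added lines in remove_post_type_support (1248) and post_type_supports (1268) are written `$post_type=sanitize_objectname($post_type);` while the other three hunks space the assignment; please use `$post_type = sanitize_objectname($post_type);` throughout. Every function touched here continues outside its hunk.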
diff -r 32be5ac4a7b0 wordpress/wp-includes/taxonomy.php
295 | 295 | if ( ! is_array($wp_taxonomies) ) |
296 | 296 | $wp_taxonomies = array(); |
297 | 297 | |
| 298 | $taxonomy = sanitize_objectname($taxonomy); |
| 299 | |
298 | 300 | $defaults = array( 'hierarchical' => false, |
299 | 301 | 'update_count_callback' => '', |
300 | 302 | 'rewrite' => true, |
… |
… |
|
352 | 354 | unset( $args['capabilities'] ); |
353 | 355 | |
354 | 356 | $args['name'] = $taxonomy; |
355 | | $args['object_type'] = (array) $object_type; |
| 357 | |
| 358 | // Setup object types this applies to, sanitizing names |
| 359 | $ot = (array) $object_type; |
| 360 | $args['object_type'] = array_map('sanitize_objectname',$ot); |
356 | 361 | |
357 | 362 | $args['labels'] = get_taxonomy_labels( (object) $args ); |
358 | 363 | $args['label'] = $args['labels']->name; |
… |
… |
|
429 | 434 | function register_taxonomy_for_object_type( $taxonomy, $object_type) { |
430 | 435 | global $wp_taxonomies; |
431 | 436 | |
| 437 | $taxonomy = sanitize_objectname($taxonomy); |
432 | 438 | if ( !isset($wp_taxonomies[$taxonomy]) ) |
433 | 439 | return false; |
434 | 440 | |
| 441 | $object_type = sanitize_objectname($object_type); |
435 | 442 | if ( ! get_post_type_object($object_type) ) |
436 | 443 | return false; |
437 | 444 | |