
Ticket #16600: patch.16600a.diff

File patch.16600a.diff, 3.6 KB (added by jltallon, 4 years ago)

Implement 'sanitize_objectname' and use it for register_post_type and register_taxonomy

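--- a/wordpress/wp-includes/formatting.php
+++ b/wordpress/wp-includes/formatting.php
@@ -769,6 +769,31 @@
 }
 
 /**
+ * Sanitize "object" name, stripping out unsafe characters.
+ *
+ * Leaves only alphanumeric caracters, underscore and dash
+ * (a.k.a. 'identifier'); Preserves case
+ *
+ * @since 3.1.0
+ *
+ * @param string $name The name to be sanitized.
+ * @return string The sanitized object name.
+ */
+function sanitize_objectname( $name ) {
+        $name = wp_strip_all_tags( $name );
+        $name = remove_accents( $name );
+        // Kill octets
+        $name = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $name );
+        $name = preg_replace( '/&.+?;/', '', $name ); // Kill entities
+        // ensure only "alnum"
+        $name = preg_replace('|[^A-Za-z0-9_]|', '', $name );
+
+        // Remove extra spaces and return
+        return trim( $name );
+}
+
+
+/**
  * Sanitize a string key.
  *
  * Keys are used as internal identifiers. Lowercase alphanumeric characters, dashes and underscores are allowed.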
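Review bot: The docblock and the regex in sanitize_objectname disagree: the comment at new lines 774–775 says dashes are kept, but the whitelist at new line 789, `'|[^A-Za-z0-9_]|'`, strips them (and 'caracters' should read 'characters'). Pick one — `'|[^A-Za-z0-9_-]|'` if a dash is meant to be a legal identifier character, or drop 'and dash' from the comment — because the callers in this patch are being moved off sanitize_key(), which does allow dashes, and would otherwise see 'my-type' silently become 'mytype'. Once that whitelist has run, the octet and entity replacements at lines 786–787 and the closing trim() can no longer change the string, so they can go; remove_accents() is worth keeping since it decides whether 'café' maps to 'cafe' or to 'caf'. A sentence in the docblock noting that distinct inputs can collapse onto the same identifier after sanitization would help callers that use the result as a lookup key.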
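--- a/wordpress/wp-includes/post.php
+++ b/wordpress/wp-includes/post.php
@@ -808,6 +808,7 @@
 function get_post_type_object( $post_type ) {
         global $wp_post_types;
 
+        $post_type = sanitize_objectname($post_type);
         if ( empty($wp_post_types[$post_type]) )
                 return null;
 
@@ -912,7 +913,7 @@
         $args = wp_parse_args($args, $defaults);
         $args = (object) $args;
 
-        $post_type = sanitize_key($post_type);
+        $post_type = sanitize_objectname($post_type);
         $args->name = $post_type;
 
         if ( strlen( $post_type ) > 20 )
@@ -1224,6 +1225,7 @@
 function add_post_type_support( $post_type, $feature ) {
         global $_wp_post_type_features;
 
+        $post_type = sanitize_objectname($post_type);
         $features = (array) $feature;
         foreach ($features as $feature) {
                 if ( func_num_args() == 2 )
@@ -1243,6 +1245,7 @@
 function remove_post_type_support( $post_type, $feature ) {
         global $_wp_post_type_features;
 
+        $post_type=sanitize_objectname($post_type);
         if ( !isset($_wp_post_type_features[$post_type]) )
                 return;
 
@@ -1262,6 +1265,7 @@
 function post_type_supports( $post_type, $feature ) {
         global $_wp_post_type_features;
 
+        $post_type=sanitize_objectname($post_type);
         if ( !isset( $_wp_post_type_features[$post_type][$feature] ) )
                 return false;
 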
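Review bot: Replacing sanitize_key() with sanitize_objectname() at new line 916 of register_post_type changes two things the hunk does not guard: the new helper preserves case (per its own docblock), so 'Book' and 'book' now register as distinct post types where sanitize_key() folded them together, and a name that sanitizes to the empty string is still accepted because the only size check is the `> 20` test at line 919. If the case change is intended it deserves a line in register_post_type's docblock; otherwise `$post_type = strtolower( sanitize_objectname( $post_type ) );` keeps the old folding. An explicit `if ( '' === $post_type )` bail-out next to the length check, returning whatever the over-long branch returns, would stop `$wp_post_types['']` from being created. The lookup-side hunks (get_post_type_object, post_type_supports and friends) apply the same sanitizer, so keys stay consistent as long as the helper itself does not change; register_post_type's body continues outside the hunk.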
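--- a/wordpress/wp-includes/taxonomy.php
+++ b/wordpress/wp-includes/taxonomy.php
@@ -295,6 +295,8 @@
         if ( ! is_array($wp_taxonomies) )
                 $wp_taxonomies = array();
 
+        $taxonomy = sanitize_objectname($taxonomy);
+
         $defaults = array(      'hierarchical' => false,
                                                 'update_count_callback' => '',
                                                 'rewrite' => true,
@@ -352,7 +354,10 @@
         unset( $args['capabilities'] );
 
         $args['name'] = $taxonomy;
-        $args['object_type'] = (array) $object_type;
+
+        // Setup object types this applies to, sanitizing names
+        $ot = (array) $object_type;
+        $args['object_type'] = array_map('sanitize_objectname',$ot);
 
         $args['labels'] = get_taxonomy_labels( (object) $args );
         $args['label'] = $args['labels']->name;
@@ -429,9 +434,11 @@
 function register_taxonomy_for_object_type( $taxonomy, $object_type) {
         global $wp_taxonomies;
 
+        $taxonomy = sanitize_objectname($taxonomy);
         if ( !isset($wp_taxonomies[$taxonomy]) )
                 return false;
 
+        $object_type = sanitize_objectname($object_type);
         if ( ! get_post_type_object($object_type) )
                 return false;
 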
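Review bot: `array_map('sanitize_objectname',$ot)` at new line 360 of register_taxonomy keeps every entry, so an object type that sanitizes to the empty string (a null passed as `$object_type`, or a name made only of stripped characters) is stored in `$args['object_type']` as '', and two entries that collapse onto the same identifier are stored twice. Dropping the empties and duplicates in the same line — `$args['object_type'] = array_values( array_unique( array_filter( array_map( 'sanitize_objectname', (array) $object_type ), 'strlen' ) ) );` — keeps the list clean and removes the `$ot` temporary. The same empty-name case applies to `$taxonomy` at new line 298, which the function never rejects before `$args['name'] = $taxonomy` at line 356; register_taxonomy's body continues outside these hunks. In register_taxonomy_for_object_type the sanitization at new line 441 duplicates the one get_post_type_object() now performs internally, which is harmless but presumably intended because the value is stored afterwards, so a short comment saying so would stop the next reader from removing it.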