
Ticket #16600: patch.16600a.diff

File patch.16600a.diff, 3.6 KB (added by jltallon, 7 years ago)

Implement 'sanitize_objectname' and use it for register_post_type and register_taxonomy

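--- a/wordpress/wp-includes/formatting.php
+++ b/wordpress/wp-includes/formatting.php
@@ -769,6 +769,31 @@
 }
 
 /**
+ * Sanitize "object" name, stripping out unsafe characters.
+ *
+ * Leaves only alphanumeric caracters, underscore and dash
+ * (a.k.a. 'identifier'); Preserves case
+ *
+ * @since 3.1.0
+ *
+ * @param string $name The name to be sanitized.
+ * @return string The sanitized object name.
+ */
+function sanitize_objectname( $name ) {
+        $name = wp_strip_all_tags( $name );
+        $name = remove_accents( $name );
+        // Kill octets
+        $name = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $name );
+        $name = preg_replace( '/&.+?;/', '', $name ); // Kill entities
+        // ensure only "alnum"
+        $name = preg_replace('|[^A-Za-z0-9_]|', '', $name );
+       
+        // Remove extra spaces and return
+        return trim( $name );
+}
+
+
+/**
  * Sanitize a string key.
  *
  * Keys are used as internal identifiers. Lowercase alphanumeric characters, dashes and underscores are allowed.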
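Review bot: The docblock and the regex in sanitize_objectname disagree: the added comment line `* Leaves only alphanumeric caracters, underscore and dash` promises that dashes survive, but `'|[^A-Za-z0-9_]|'` strips them, and the context line right below the hunk shows that sanitize_key — which register_post_type called before this patch — does allow dashes, so an existing name containing a dash is silently rewritten and a dashed and an undashed spelling collapse onto the same registry key. Either add `-` to the character class, `$name = preg_replace( '|[^A-Za-z0-9_-]|', '', $name );`, or change the docblock to state that dashes are removed; `caracters` is also misspelled. The closing `return trim( $name );` cannot remove anything once the character class has already dropped every whitespace byte, so the `// Remove extra spaces and return` comment describes work that never happens and both could go.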
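--- a/wordpress/wp-includes/post.php
+++ b/wordpress/wp-includes/post.php
@@ -808,6 +808,7 @@
 function get_post_type_object( $post_type ) {
         global $wp_post_types;
 
+        $post_type = sanitize_objectname($post_type);
         if ( empty($wp_post_types[$post_type]) )
                 return null;
 
@@ -912,7 +913,7 @@
         $args = wp_parse_args($args, $defaults);
         $args = (object) $args;
 
-        $post_type = sanitize_key($post_type);
+        $post_type = sanitize_objectname($post_type);
         $args->name = $post_type;
 
         if ( strlen( $post_type ) > 20 )
@@ -1224,6 +1225,7 @@
 function add_post_type_support( $post_type, $feature ) {
         global $_wp_post_type_features;
 
+        $post_type = sanitize_objectname($post_type);
         $features = (array) $feature;
         foreach ($features as $feature) {
                 if ( func_num_args() == 2 )
@@ -1243,6 +1245,7 @@
 function remove_post_type_support( $post_type, $feature ) {
         global $_wp_post_type_features;
 
+        $post_type=sanitize_objectname($post_type);
         if ( !isset($_wp_post_type_features[$post_type]) )
                 return;
 
@@ -1262,6 +1265,7 @@
 function post_type_supports( $post_type, $feature ) {
         global $_wp_post_type_features;
 
+        $post_type=sanitize_objectname($post_type);
         if ( !isset( $_wp_post_type_features[$post_type][$feature] ) )
                 return false;
 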
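Review bot: Swapping `sanitize_key($post_type)` for `sanitize_objectname($post_type)` in register_post_type changes what a name normalises to, not just how strictly it is filtered: sanitize_key lowercases (its docblock in the formatting.php context says "Lowercase alphanumeric characters, dashes and underscores are allowed"), whereas sanitize_objectname preserves case and, as written in this patch, drops dashes, so a plugin that registered `My-Type` before the patch is now stored under a different key and the change is not backward compatible. Only the readers patched here (get_post_type_object, add_post_type_support, remove_post_type_support, post_type_supports) apply the new normalisation; any other code that indexes $wp_post_types or $_wp_post_type_features by a caller-supplied name is not in this diff and presumably still uses the raw value — confirm those paths before relying on the lookup-side sanitising. The remove_post_type_support and post_type_supports hunks write `$post_type=sanitize_objectname($post_type);` without the spacing the add_post_type_support hunk and the surrounding code use; `$post_type = sanitize_objectname( $post_type );` matches the file's style. Each enclosing function continues outside its hunk.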
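--- a/wordpress/wp-includes/taxonomy.php
+++ b/wordpress/wp-includes/taxonomy.php
@@ -295,6 +295,8 @@
         if ( ! is_array($wp_taxonomies) )
                 $wp_taxonomies = array();
 
+        $taxonomy = sanitize_objectname($taxonomy);
+
         $defaults = array(      'hierarchical' => false,
                                                 'update_count_callback' => '',
                                                 'rewrite' => true,
@@ -352,7 +354,10 @@
         unset( $args['capabilities'] );
 
         $args['name'] = $taxonomy;
-        $args['object_type'] = (array) $object_type;
+
+        // Setup object types this applies to, sanitizing names
+        $ot = (array) $object_type;
+        $args['object_type'] = array_map('sanitize_objectname',$ot);
 
         $args['labels'] = get_taxonomy_labels( (object) $args );
         $args['label'] = $args['labels']->name;
@@ -429,9 +434,11 @@
 function register_taxonomy_for_object_type( $taxonomy, $object_type) {
         global $wp_taxonomies;
 
+        $taxonomy = sanitize_objectname($taxonomy);
         if ( !isset($wp_taxonomies[$taxonomy]) )
                 return false;
 
+        $object_type = sanitize_objectname($object_type);
         if ( ! get_post_type_object($object_type) )
                 return false;
 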
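Review bot: The taxonomy name is normalised on the write side — register_taxonomy in the first hunk and register_taxonomy_for_object_type in the third — but no taxonomy read path is touched in this file, unlike get_post_type_object in post.php; if get_taxonomy() and taxonomy_exists() (not in this diff) still index $wp_taxonomies by the raw argument, a taxonomy whose name the sanitizer alters is stored under one key and looked up under another. Adding the same call at the top of those readers, `$taxonomy = sanitize_objectname( $taxonomy );`, would keep registration and lookup symmetric, as the post.php side of this patch does for post types. In the second hunk the temporary `$ot` is used once; `$args['object_type'] = array_map( 'sanitize_objectname', (array) $object_type );` says the same without it. The register_taxonomy body extends beyond both of its hunks, so whether any later line in it re-reads the unsanitised $object_type cannot be confirmed from here.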