

Ticket #17560: 17560.second.diff

File 17560.second.diff, 1.8 KB (added by xknown, 7 years ago)

Second try. Also clean the URLs returned by get_to_ping. Not tested.

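--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -2519,7 +2519,7 @@
                 $ping_status = get_option('default_ping_status');
 
         if ( isset($to_ping) )
-                $to_ping = preg_replace('|\s+|', "\n", $to_ping);
+                $to_ping = sanitize_trackback_urls( $to_ping );
         else
                 $to_ping = '';
 
@@ -3052,7 +3052,7 @@
 function get_to_ping($post_id) {
         global $wpdb;
         $to_ping = $wpdb->get_var( $wpdb->prepare( "SELECT to_ping FROM $wpdb->posts WHERE ID = %d", $post_id ));
-        $to_ping = trim($to_ping);
+        $to_ping = sanitize_trackback_urls( trim( $to_ping ) );
         $to_ping = preg_split('/\s/', $to_ping, -1, PREG_SPLIT_NO_EMPTY);
         $to_ping = apply_filters('get_to_ping',  $to_ping);
         return $to_ping;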
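Review bot: get_to_ping now passes the stored value through sanitize_trackback_urls on read, so any previously saved entry that does not begin with http:// or https:// is silently dropped from the ping list, and nothing in the hunk records that this is intended; a comment such as `// Re-sanitize on read: rows stored before sanitize-on-write may hold non-http(s) entries.` would make it explicit. The sanitized string is then split again by `preg_split('/\s/', ...)` on the following line, so the helper's implode/split round-trip is redundant here, though harmless. Since the description says the patch is untested, the read path deserves a check on a post whose to_ping column mixes http(s) and non-http entries. The write-side change at line 2522 in the first hunk of this section is the matching half of the same behaviour change. get_to_ping's closing brace, and the function enclosing the first hunk, lie outside the hunks.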
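--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2902,4 +2902,22 @@
         return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
 }
 
+/**
+ * Sanitize space or carriage return separated urls that are used to send trackbacks.
+ *
+ * @since 3.2.0
+ *
+ * @param string $to_ping Space or carriage return separated urls
+ * @return string Urls starting with the http or https protocol, separated by a carriage return.
+ */
+function sanitize_trackback_urls( $to_ping ) {
+    $urls_to_ping = preg_split('/\s/', $to_ping, -1, PREG_SPLIT_NO_EMPTY);
+    foreach( $urls_to_ping as $k => $url ) {
+        if ( !preg_match('#^https?://.#i', $url) )
+            unset($urls_to_ping[$k]);
+    }
+    $sani_to_ping = implode( "\n", $urls_to_ping );
+    return apply_filters( 'sanitize_trackback_urls', $sani_to_ping, $to_ping );
+}
+
 ?>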
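Review bot: The docblock on sanitize_trackback_urls says the result is "separated by a carriage return", but the function joins with `"\n"` (a line feed), and the `preg_split('/\s/', ...)` accepts tabs and other whitespace, not only spaces and carriage returns, so the `@param` and `@return` text are both inaccurate. The `preg_match('#^https?://.#i', $url)` check constrains only the scheme prefix — any single character after `://` passes — and the `sanitize_trackback_urls` filter runs after that check, so a filter callback can return entries the check would have removed; callers should not read the result as host- or URL-validated. Suggested docblock wording: `@param string $to_ping Whitespace-separated urls` and `@return string Entries beginning with http:// or https://, joined by "\n"; passed through the 'sanitize_trackback_urls' filter, which may alter the result.`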