Ticket #18322: 18322.diff
File 18322.diff, 45.2 KB (added by , 14 years ago) |
wp-includes/post.php
2553 2553 // expected_slashed (everything!) 2554 2554 $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) ); 2555 2555 $data = apply_filters('wp_insert_post_data', $data, $postarr); 2556 $data = stripslashes_deep( $data );2556 $data = wp_unslash( $data ); 2557 2557 $where = array( 'ID' => $post_ID ); 2558 2558 2559 2559 if ( $update ) { … … 3685 3685 3686 3686 // expected_slashed (everything!) 3687 3687 $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) ); 3688 $data = stripslashes_deep( $data );3688 $data = wp_unslash( $data ); 3689 3689 3690 3690 if ( $update ) { 3691 3691 $wpdb->update( $wpdb->posts, $data, array( 'ID' => $post_ID ) ); -
wp-includes/comment.php
1214 1214 */ 1215 1215 function wp_insert_comment($commentdata) { 1216 1216 global $wpdb; 1217 extract( stripslashes_deep($commentdata), EXTR_SKIP);1217 extract(wp_unslash($commentdata), EXTR_SKIP); 1218 1218 1219 1219 if ( ! isset($comment_author_IP) ) 1220 1220 $comment_author_IP = ''; … … 1455 1455 $commentarr = wp_filter_comment( $commentarr ); 1456 1456 1457 1457 // Now extract the merged array. 1458 extract( stripslashes_deep($commentarr), EXTR_SKIP);1458 extract(wp_unslash($commentarr), EXTR_SKIP); 1459 1459 1460 1460 $comment_content = apply_filters('comment_save_pre', $comment_content); 1461 1461 -
wp-includes/user.php
1478 1478 } 1479 1479 1480 1480 $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' ); 1481 $data = stripslashes_deep( $data );1481 $data = wp_unslash( $data ); 1482 1482 1483 1483 if ( $update ) { 1484 1484 $wpdb->update( $wpdb->users, $data, compact( 'ID' ) ); -
wp-includes/load.php
527 527 * @since 3.0.0 528 528 */ 529 529 function wp_magic_quotes() { 530 global $wp_magic_quotes; 531 532 if ( ! isset( $wp_magic_quotes ) ) 533 $wp_magic_quotes = true; 534 530 535 // If already slashed, strip. 531 536 if ( get_magic_quotes_gpc() ) { 532 537 $_GET = stripslashes_deep( $_GET ); … … 535 540 } 536 541 537 542 // Escape with wpdb. 538 $_GET = add_magic_quotes( $_GET ); 539 $_POST = add_magic_quotes( $_POST ); 540 $_COOKIE = add_magic_quotes( $_COOKIE ); 541 $_SERVER = add_magic_quotes( $_SERVER ); 543 if ( $wp_magic_quotes ) { 544 $_GET = add_magic_quotes( $_GET ); 545 $_POST = add_magic_quotes( $_POST ); 546 $_COOKIE = add_magic_quotes( $_COOKIE ); 547 $_SERVER = add_magic_quotes( $_SERVER ); 548 } 542 549 543 550 // Force REQUEST to be GET + POST. 544 551 $_REQUEST = array_merge( $_GET, $_POST ); -
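Review bot: `$wp_magic_quotes` gets its default of `true` only inside `wp_magic_quotes()` (new lines 532-533), so any call to the new `wp_slash()`/`wp_unslash()` in formatting.php that runs before this function — or in a bootstrap that never reaches it — reads `null` and both helpers become no-ops, whereas the `addslashes`/`stripslashes_deep` calls they replace were unconditional. Either initialise the global alongside the other bootstrap globals before this function is called, or make the helpers treat an unset flag as `true`, so the slashing done here and the unslashing done later always agree. The docblock at 527-528 should also say where the flag may be set and that it must not change once this function has run, e.g. `* @global bool $wp_magic_quotes Set to false before this runs to leave request data unslashed; must not change afterwards.`. wp_magic_quotes() continues past the end of the hunk.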
wp-includes/class-wp-xmlrpc-server.php
262 262 if ( isset($meta['id']) ) { 263 263 $meta['id'] = (int) $meta['id']; 264 264 $pmeta = get_metadata_by_mid( 'post', $meta['id'] ); 265 $meta['value'] = stripslashes_deep( $meta['value'] );265 $meta['value'] = wp_unslash( $meta['value'] ); 266 266 if ( isset($meta['key']) ) { 267 267 $meta['key'] = stripslashes( $meta['key'] ); 268 268 if ( $meta['key'] != $pmeta->meta_key ) -
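Review bot: Line 267 still strips `$meta['key']` unconditionally with `stripslashes()` while line 265 now routes `$meta['value']` through `wp_unslash()`, so when `$wp_magic_quotes` is false the key loses literal backslashes and the value keeps them, and the `$meta['key'] != $pmeta->meta_key` comparison on 268 can then fail for keys that contain one. The same split appears in wp-includes/meta.php at 46/47, 120/121 and 204/205, where `$meta_key = stripslashes($meta_key);` sits next to `$meta_value = wp_unslash($meta_value);`. Change the key lines to `$meta['key'] = wp_unslash( $meta['key'] );` here and `$meta_key = wp_unslash($meta_key);` in meta.php so both halves follow the same flag.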
wp-includes/formatting.php
2483 2483 2484 2484 case 'blogdescription': 2485 2485 case 'blogname': 2486 $value = addslashes($value);2487 $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes2488 $value = stripslashes($value);2486 $value = wp_slash( $value ); 2487 $value = wp_filter_post_kses( $value ); 2488 $value = wp_unslash( $value ); 2489 2489 $value = esc_html( $value ); 2490 2490 break; 2491 2491 … … 2501 2501 case 'ping_sites': 2502 2502 case 'upload_path': 2503 2503 $value = strip_tags($value); 2504 $value = addslashes($value);2505 $value = wp_filter_kses( $value); // calls stripslashes then addslashes2506 $value = stripslashes($value);2504 $value = wp_slash( $value ); 2505 $value = wp_filter_kses( $value ); 2506 $value = wp_unslash( $value ); 2507 2507 break; 2508 2508 2509 2509 case 'gmt_offset': … … 2925 2925 return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type ); 2926 2926 } 2927 2927 2928 function wp_slash( $value ) { 2929 global $wp_magic_quotes; 2930 2931 if ( ! $wp_magic_quotes ) 2932 return $value; 2933 2934 if ( is_array( $value ) ) { 2935 $value = array_map( 'wp_slash', $value); 2936 } elseif ( is_object( $value ) ) { 2937 $vars = get_object_vars( $value ); 2938 foreach ( $vars as $key => $data ) { 2939 $value->{$key} = wp_slash( $data ); 2940 } 2941 } else { 2942 $value = addslashes( $value ); 2943 } 2944 2945 return $value; 2946 } 2947 2948 function wp_unslash( $value ) { 2949 global $wp_magic_quotes; 2950 2951 if ( ! $wp_magic_quotes ) 2952 return $value; 2953 2954 return stripslashes_deep( $value ); 2955 } 2956 2928 2957 ?> -
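Review bot: `wp_slash()` and `wp_unslash()` (new lines 2928-2955) have no PHPDoc although the code around them uses `@since`-style docblocks (cf. load.php 527-528); each needs a short header stating that it is the flag-controlled counterpart of `addslashes`/`stripslashes_deep`, that arrays are mapped recursively and object properties are rewritten on the object itself (2937-2940), plus `@param mixed $value`, `@return mixed` and `@global bool $wp_magic_quotes`. Reading a plain global on every call also means the two functions are only inverses while nothing flips the flag mid-request: once `wp_magic_quotes()` has slashed the superglobals, a later `$wp_magic_quotes = false` turns `wp_unslash()` into a no-op and still-slashed input reaches `$wpdb->update()` (post.php 3691, user.php 1484), which escapes again, so stray backslashes are stored. Consider resolving the flag once per request, e.g. `static $enabled = null; if ( null === $enabled ) $enabled = ! isset( $wp_magic_quotes ) || $wp_magic_quotes; if ( ! $enabled ) return $value;`, and state in the docblock that the flag is fixed after bootstrap.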
wp-includes/kses.php
1256 1256 */ 1257 1257 function wp_filter_post_kses($data) { 1258 1258 global $allowedposttags; 1259 return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) );1259 return wp_slash ( wp_kses( wp_unslash( $data ), $allowedposttags) ); 1260 1260 } 1261 1261 1262 1262 /** … … 1285 1285 * @return string Filtered content without any HTML 1286 1286 */ 1287 1287 function wp_filter_nohtml_kses($data) { 1288 return addslashes ( wp_kses(stripslashes( $data ), array()) );1288 return wp_slash ( wp_kses( wp_unslash( $data ), array() ) ); 1289 1289 } 1290 1290 1291 1291 /** -
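Review bot: With `$wp_magic_quotes` false, `wp_filter_post_kses()` (1259) and `wp_filter_nohtml_kses()` (1288) now return unslashed output, so the "returns slashed content" half of their contract is conditional on the flag, and any caller that hands the result to `$wpdb` without an `wp_unslash()` step needs to know that. The docblocks closing at 1256 and 1285-1286 lie mostly outside the hunk; if they describe the old addslashes/stripslashes round-trip, update them and add `@global bool $wp_magic_quotes` with a line such as `* Output is slashed only when $wp_magic_quotes is enabled.`.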
wp-includes/widgets.php
224 224 } 225 225 226 226 foreach ( $settings as $number => $new_instance ) { 227 $new_instance = stripslashes_deep($new_instance);227 $new_instance = wp_unslash($new_instance); 228 228 $this->_set($number); 229 229 230 230 $old_instance = isset($all_instances[$number]) ? $all_instances[$number] : array(); -
wp-includes/meta.php
44 44 45 45 // expected_slashed ($meta_key) 46 46 $meta_key = stripslashes($meta_key); 47 $meta_value = stripslashes_deep($meta_value);47 $meta_value = wp_unslash($meta_value); 48 48 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type ); 49 49 50 50 $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique ); … … 118 118 119 119 // expected_slashed ($meta_key) 120 120 $meta_key = stripslashes($meta_key); 121 $meta_value = stripslashes_deep($meta_value);121 $meta_value = wp_unslash($meta_value); 122 122 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type ); 123 123 124 124 $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value ); … … 202 202 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id'; 203 203 // expected_slashed ($meta_key) 204 204 $meta_key = stripslashes($meta_key); 205 $meta_value = stripslashes_deep($meta_value);205 $meta_value = wp_unslash($meta_value); 206 206 207 207 $check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all ); 208 208 if ( null !== $check ) -
wp-admin/network.php
308 308 $hostname = get_clean_basedomain(); 309 309 310 310 if ( ! isset( $base ) ) 311 $base = trailingslashit( stripslashes( dirname( dirname( $_SERVER['SCRIPT_NAME'] ) ) ) );311 $base = trailingslashit( wp_unslash( dirname( dirname( $_SERVER['SCRIPT_NAME'] ) ) ) ); 312 312 313 313 // Wildcard DNS message. 314 314 if ( is_wp_error( $errors ) ) … … 515 515 516 516 if ( $_POST ) { 517 517 518 $base = trailingslashit( stripslashes( dirname( dirname( $_SERVER['SCRIPT_NAME'] ) ) ) );518 $base = trailingslashit( wp_unslash( dirname( dirname( $_SERVER['SCRIPT_NAME'] ) ) ) ); 519 519 520 520 check_admin_referer( 'install-network-1' ); 521 521 … … 525 525 $hostname = get_clean_basedomain(); 526 526 $subdomain_install = !allow_subdomain_install() ? false : (bool) $_POST['subdomain_install']; 527 527 if ( ! network_domain_check() ) { 528 $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), stripslashes( $_POST['sitename'] ), $base, $subdomain_install );528 $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), wp_unslash( $_POST['sitename'] ), $base, $subdomain_install ); 529 529 if ( is_wp_error( $result ) ) { 530 530 if ( 1 == count( $result->get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() ) 531 531 network_step2( $result ); -
wp-admin/users.php
31 31 ); 32 32 33 33 if ( empty($_REQUEST) ) { 34 $referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr( stripslashes($_SERVER['REQUEST_URI'])) . '" />';34 $referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr(wp_unslash($_SERVER['REQUEST_URI'])) . '" />'; 35 35 } elseif ( isset($_REQUEST['wp_http_referer']) ) { 36 $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer']));36 $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash($_REQUEST['wp_http_referer'])); 37 37 $referer = '<input type="hidden" name="wp_http_referer" value="' . esc_attr($redirect) . '" />'; 38 38 } else { 39 39 $redirect = 'users.php'; … … 294 294 default: 295 295 296 296 if ( !empty($_GET['_wp_http_referer']) ) { 297 wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI'])));297 wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']))); 298 298 exit; 299 299 } 300 300 -
wp-admin/edit-comments.php
95 95 wp_redirect( $redirect_to ); 96 96 exit; 97 97 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { 98 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );98 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); 99 99 exit; 100 100 } 101 101 … … 140 140 echo __('Comments'); 141 141 142 142 if ( isset($_REQUEST['s']) && $_REQUEST['s'] ) 143 printf( '<span class="subtitle">' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>143 printf( '<span class="subtitle">' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?> 144 144 </h2> 145 145 146 146 <?php -
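Review bot: Line 143 passes a string built from `$_REQUEST['s']` as the format argument of the outer `printf()`; `esc_html()` neutralises HTML but not `%`, so a search term containing `%s` or `%d` makes `printf()` see conversion specifiers with no matching arguments, which yields a warning and empty or garbled output. The inner `sprintf()` already produces the finished markup, so the outer call should be `echo '<span class="subtitle">' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>';`. For comparison, wp-admin/edit-tags.php line 242 uses the `printf( $format, $arg )` form correctly.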
wp-admin/admin-ajax.php
86 86 die('0'); 87 87 } 88 88 89 $s = stripslashes( $_GET['q'] );89 $s = wp_unslash( $_GET['q'] ); 90 90 91 91 if ( false !== strpos( $s, ',' ) ) { 92 92 $s = explode( ',', $s ); … … 497 497 $cat_id = wp_insert_term( $cat_name, 'link_category' ); 498 498 } 499 499 $cat_id = $cat_id['term_id']; 500 $cat_name = esc_html( stripslashes($cat_name));500 $cat_name = esc_html(wp_unslash($cat_name)); 501 501 $x->add( array( 502 502 'what' => 'link-category', 503 503 'id' => $cat_id, … … 861 861 ) ); 862 862 } else { // Update? 863 863 $mid = (int) array_pop( array_keys($_POST['meta']) ); 864 $key = stripslashes( $_POST['meta'][$mid]['key'] );865 $value = stripslashes( $_POST['meta'][$mid]['value'] );864 $key = wp_unslash( $_POST['meta'][$mid]['key'] ); 865 $value = wp_unslash( $_POST['meta'][$mid]['value'] ); 866 866 if ( '' == trim($key) ) 867 867 die(__('Please provide a custom field name.')); 868 868 if ( '' == trim($value) ) … … 1113 1113 $args = array(); 1114 1114 1115 1115 if ( isset( $_POST['search'] ) ) 1116 $args['s'] = stripslashes( $_POST['search'] );1116 $args['s'] = wp_unslash( $_POST['search'] ); 1117 1117 $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1; 1118 1118 1119 1119 require(ABSPATH . WPINC . '/class-wp-editor.php'); … … 1276 1276 else 1277 1277 $what = 'post'; 1278 1278 1279 $s = stripslashes($_POST['ps']);1279 $s = wp_unslash($_POST['ps']); 1280 1280 preg_match_all('/".*?("|$)|((?<=[\\s",+])|^)[^\\s",+]+/', $s, $matches); 1281 1281 $search_terms = array_map('_search_terms_tidy', $matches[0]); 1282 1282 -
wp-admin/includes/class-wp-ms-sites-list-table.php
28 28 29 29 $pagenum = $this->get_pagenum(); 30 30 31 $s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : '';31 $s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : ''; 32 32 $wild = ''; 33 33 if ( false !== strpos($s, '*') ) { 34 34 $wild = '%'; -
wp-admin/includes/bookmark.php
136 136 $linkdata = wp_parse_args( $linkdata, $defaults ); 137 137 $linkdata = sanitize_bookmark( $linkdata, 'db' ); 138 138 139 extract( stripslashes_deep( $linkdata ), EXTR_SKIP );139 extract( wp_unslash( $linkdata ), EXTR_SKIP ); 140 140 141 141 $update = false; 142 142 -
wp-admin/includes/file.php
916 916 $credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => '')); 917 917 918 918 // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option) 919 $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']);920 $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']);921 $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : '');919 $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash($_POST['hostname']) : $credentials['hostname']); 920 $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash($_POST['username']) : $credentials['username']); 921 $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash($_POST['password']) : ''); 922 922 923 923 // Check to see if we are setting the public/private keys for ssh 924 $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : '');925 $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : '');924 $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash($_POST['public_key']) : ''); 925 $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash($_POST['private_key']) : ''); 926 926 927 927 //sanitize the hostname, Some people might pass in odd-data: 928 928 $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off -
wp-admin/includes/class-wp-terms-list-table.php
51 51 $tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter 52 52 } 53 53 54 $search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : '';54 $search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : ''; 55 55 56 56 $args = array( 57 57 'search' => $search, … … 60 60 ); 61 61 62 62 if ( !empty( $_REQUEST['orderby'] ) ) 63 $args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) );63 $args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) ); 64 64 65 65 if ( !empty( $_REQUEST['order'] ) ) 66 $args['order'] = trim( stripslashes( $_REQUEST['order'] ) );66 $args['order'] = trim( wp_unslash( $_REQUEST['order'] ) ); 67 67 68 68 $this->callback_args = $args; 69 69 -
wp-admin/includes/post.php
764 764 * @return unknown 765 765 */ 766 766 function update_meta( $meta_id, $meta_key, $meta_value ) { 767 $meta_key = stripslashes( $meta_key );768 $meta_value = stripslashes_deep( $meta_value );767 $meta_key = wp_unslash( $meta_key ); 768 $meta_value = wp_unslash( $meta_value ); 769 769 770 770 return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key ); 771 771 } … … 1303 1303 } 1304 1304 1305 1305 // _wp_put_post_revision() expects unescaped. 1306 $_POST = stripslashes_deep($_POST);1306 $_POST = wp_unslash($_POST); 1307 1307 1308 1308 // Otherwise create the new autosave as a special post revision 1309 1309 return _wp_put_post_revision( $_POST, true ); -
wp-admin/includes/class-wp-users-list-table.php
235 235 if ( get_current_user_id() == $user_object->ID ) { 236 236 $edit_link = 'profile.php'; 237 237 } else { 238 $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ) );238 $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ) ); 239 239 } 240 240 241 241 // Set up the hover actions for this user -
wp-admin/includes/dashboard.php
1109 1109 $widget_options[$widget_id]['number'] = $number; 1110 1110 1111 1111 if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) { 1112 $_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] );1112 $_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] ); 1113 1113 $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] ); 1114 1114 // title is optional. If black, fill it if possible 1115 1115 if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) { -
wp-admin/includes/class-wp-plugin-install-list-table.php
48 48 49 49 switch ( $tab ) { 50 50 case 'search': 51 $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : '';52 $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';51 $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : ''; 52 $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : ''; 53 53 54 54 switch ( $type ) { 55 55 case 'tag': -
wp-admin/includes/class-wp-ms-themes-list-table.php
138 138 function _search_callback( $theme ) { 139 139 static $term; 140 140 if ( is_null( $term ) ) 141 $term = stripslashes( $_REQUEST['s'] );141 $term = wp_unslash( $_REQUEST['s'] ); 142 142 143 143 $search_fields = array( 'Name', 'Title', 'Description', 'Author', 'Author Name', 'Author URI', 'Template', 'Stylesheet' ); 144 144 foreach ( $search_fields as $field ) -
wp-admin/includes/class-wp-theme-install-list-table.php
48 48 49 49 switch ( $tab ) { 50 50 case 'search': 51 $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : '';52 $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';51 $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : ''; 52 $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : ''; 53 53 54 54 switch ( $type ) { 55 55 case 'tag': -
wp-admin/includes/deprecated.php
454 454 function WP_User_Search ($search_term = '', $page = '', $role = '') { 455 455 _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' ); 456 456 457 $this->search_term = stripslashes( $search_term );457 $this->search_term = wp_unslash( $search_term ); 458 458 $this->raw_page = ( '' == $page ) ? false : (int) $page; 459 459 $this->page = (int) ( '' == $page ) ? 1 : $page; 460 460 $this->role = $role; … … 533 533 * @access public 534 534 */ 535 535 function prepare_vars_for_template_usage() { 536 $this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone536 $this->search_term = wp_unslash($this->search_term); // done with DB, from now on we want slashes gone 537 537 } 538 538 539 539 /** -
wp-admin/includes/class-wp-upgrader.php
1274 1274 1275 1275 $install_actions = array(); 1276 1276 1277 $from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins';1277 $from = isset($_GET['from']) ? wp_unslash($_GET['from']) : 'plugins'; 1278 1278 1279 1279 if ( 'import' == $from ) 1280 1280 $install_actions['activate_plugin'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&from=import&plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin & Run Importer') . '</a>'; -
wp-admin/includes/comment.php
19 19 function comment_exists($comment_author, $comment_date) { 20 20 global $wpdb; 21 21 22 $comment_author = stripslashes($comment_author);23 $comment_date = stripslashes($comment_date);22 $comment_author = wp_unslash($comment_author); 23 $comment_date = wp_unslash($comment_date); 24 24 25 25 return $wpdb->get_var( $wpdb->prepare("SELECT comment_post_ID FROM $wpdb->comments 26 26 WHERE comment_author = %s AND comment_date = %s", $comment_author, $comment_date) ); -
wp-admin/includes/class-wp-ms-users-list-table.php
175 175 if ( get_current_user_id() == $user->ID ) { 176 176 $edit_link = esc_url( network_admin_url( 'profile.php' ) ); 177 177 } else { 178 $edit_link = esc_url( network_admin_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), 'user-edit.php?user_id=' . $user->ID ) ) );178 $edit_link = esc_url( network_admin_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), 'user-edit.php?user_id=' . $user->ID ) ) ); 179 179 } 180 180 181 181 echo "<td $attributes>"; ?> … … 189 189 $actions['edit'] = '<a href="' . $edit_link . '">' . __( 'Edit' ) . '</a>'; 190 190 191 191 if ( current_user_can( 'delete_user', $user->ID) && ! in_array( $user->user_login, $super_admins ) ) { 192 $actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'edit.php', 'deleteuser' ) . '&action=deleteuser&id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';192 $actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'edit.php', 'deleteuser' ) . '&action=deleteuser&id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>'; 193 193 } 194 194 195 195 $actions = apply_filters( 'ms_user_row_actions', $actions, $user ); -
wp-admin/includes/class-wp-plugins-list-table.php
23 23 24 24 25 25 if ( isset($_REQUEST['s']) ) 26 $_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) );26 $_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) ); 27 27 28 28 $page = $this->get_pagenum(); 29 29 … … 152 152 function _search_callback( $plugin ) { 153 153 static $term; 154 154 if ( is_null( $term ) ) 155 $term = stripslashes( $_REQUEST['s'] );155 $term = wp_unslash( $_REQUEST['s'] ); 156 156 157 157 foreach ( $plugin as $value ) 158 158 if ( stripos( $value, $term ) !== false ) -
wp-admin/includes/class-wp-themes-list-table.php
25 25 $themes = get_allowed_themes(); 26 26 27 27 if ( ! empty( $_REQUEST['s'] ) ) { 28 $search = strtolower( stripslashes( $_REQUEST['s'] ) );28 $search = strtolower( wp_unslash( $_REQUEST['s'] ) ); 29 29 $this->search = array_merge( $this->search, array_filter( array_map( 'trim', explode( ',', $search ) ) ) ); 30 30 $this->search = array_unique( $this->search ); 31 31 } -
wp-admin/includes/class-wp-comments-list-table.php
168 168 /* 169 169 // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark 170 170 if ( !empty( $_REQUEST['s'] ) ) 171 $link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link );171 $link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link ); 172 172 */ 173 173 $status_links[$status] = "<a href='$link'$class>" . sprintf( 174 174 translate_nooped_plural( $label, $num_comments->$status ), -
wp-admin/includes/media.php
487 487 } 488 488 489 489 if ( isset($send_id) ) { 490 $attachment = stripslashes_deep( $_POST['attachments'][$send_id] );490 $attachment = wp_unslash( $_POST['attachments'][$send_id] ); 491 491 492 492 $html = $attachment['post_title']; 493 493 if ( !empty($attachment['url']) ) { -
wp-admin/edit-tags.php
150 150 151 151 default: 152 152 if ( ! empty($_REQUEST['_wp_http_referer']) ) { 153 $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );153 $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ); 154 154 155 155 if ( ! empty( $_REQUEST['paged'] ) ) 156 156 $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] ); … … 239 239 <?php screen_icon(); ?> 240 240 <h2><?php echo esc_html( $title ); 241 241 if ( !empty($_REQUEST['s']) ) 242 printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>242 printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?> 243 243 </h2> 244 244 245 245 <?php if ( isset($_REQUEST['message']) && ( $msg = (int) $_REQUEST['message'] ) ) : ?> -
wp-admin/update.php
26 26 check_admin_referer( 'bulk-update-plugins' ); 27 27 28 28 if ( isset( $_GET['plugins'] ) ) 29 $plugins = explode( ',', stripslashes($_GET['plugins']) );29 $plugins = explode( ',', wp_unslash($_GET['plugins']) ); 30 30 elseif ( isset( $_POST['checked'] ) ) 31 31 $plugins = (array) $_POST['checked']; 32 32 else … … 109 109 $nonce = 'install-plugin_' . $plugin; 110 110 $url = 'update.php?action=install-plugin&plugin=' . $plugin; 111 111 if ( isset($_GET['from']) ) 112 $url .= '&from=' . urlencode( stripslashes($_GET['from']));112 $url .= '&from=' . urlencode(wp_unslash($_GET['from'])); 113 113 114 114 $type = 'web'; //Install plugin type, From Web or an Upload. 115 115 … … 170 170 check_admin_referer( 'bulk-update-themes' ); 171 171 172 172 if ( isset( $_GET['themes'] ) ) 173 $themes = explode( ',', stripslashes($_GET['themes']) );173 $themes = explode( ',', wp_unslash($_GET['themes']) ); 174 174 elseif ( isset( $_POST['checked'] ) ) 175 175 $themes = (array) $_POST['checked']; 176 176 else -
wp-admin/theme-editor.php
45 45 if (empty($theme)) { 46 46 $theme = get_current_theme(); 47 47 } else { 48 $theme = stripslashes($theme);48 $theme = wp_unslash($theme); 49 49 } 50 50 51 51 if ( ! isset($themes[$theme]) ) … … 59 59 else 60 60 $file = $allowed_files[0]; 61 61 } else { 62 $file = stripslashes($file);62 $file = wp_unslash($file); 63 63 if ( 'theme' == $dir ) { 64 64 $file = dirname(dirname($themes[$theme]['Template Dir'])) . $file ; 65 65 } else if ( 'style' == $dir) { … … 77 77 78 78 check_admin_referer('edit-theme_' . $file . $theme); 79 79 80 $newcontent = stripslashes($_POST['newcontent']);80 $newcontent = wp_unslash($_POST['newcontent']); 81 81 $theme = urlencode($theme); 82 82 if (is_writeable($file)) { 83 83 //is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable -
wp-admin/admin.php
41 41 do_action('after_db_upgrade'); 42 42 } elseif ( get_option('db_version') != $wp_db_version ) { 43 43 if ( !is_multisite() ) { 44 wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode( stripslashes($_SERVER['REQUEST_URI']))));44 wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(wp_unslash($_SERVER['REQUEST_URI'])))); 45 45 exit; 46 46 } elseif ( apply_filters( 'do_mu_upgrade', true ) ) { 47 47 /** … … 84 84 $editing = false; 85 85 86 86 if ( isset($_GET['page']) ) { 87 $plugin_page = stripslashes($_GET['page']);87 $plugin_page = wp_unslash($_GET['page']); 88 88 $plugin_page = plugin_basename($plugin_page); 89 89 } 90 90 -
wp-admin/user-new.php
92 92 $add_user_errors = $user_id; 93 93 } else { 94 94 if ( current_user_can('edit_users') ) { 95 $new_user_login = apply_filters('pre_user_login', sanitize_user( stripslashes($_REQUEST['user_login']), true));95 $new_user_login = apply_filters('pre_user_login', sanitize_user(wp_unslash($_REQUEST['user_login']), true)); 96 96 $redirect = 'users.php?usersearch='. urlencode($new_user_login) . '&update=add' . '#user-' . $user_id; 97 97 } else { 98 98 $redirect = add_query_arg( 'update', 'add', 'user-new.php' ); … … 107 107 if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) { 108 108 $add_user_errors = $user_details[ 'errors' ]; 109 109 } else { 110 $new_user_login = apply_filters('pre_user_login', sanitize_user( stripslashes($_REQUEST['user_login']), true));110 $new_user_login = apply_filters('pre_user_login', sanitize_user(wp_unslash($_REQUEST['user_login']), true)); 111 111 if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { 112 112 add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email 113 113 } … … 275 275 $var = "new_user_$var"; 276 276 if( isset( $_POST['createuser'] ) ) { 277 277 if ( ! isset($$var) ) 278 $$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : '';278 $$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : ''; 279 279 } else { 280 280 $$var = false; 281 281 } -
wp-admin/upload.php
124 124 wp_redirect( $location ); 125 125 exit; 126 126 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { 127 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );127 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); 128 128 exit; 129 129 } 130 130 -
wp-admin/edit-form-comment.php
134 134 ?> 135 135 <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" /> 136 136 <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" /> 137 <input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url( stripslashes(wp_get_referer())); ?>" />137 <input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" /> 138 138 <?php wp_original_referer_field(true, 'previous'); ?> 139 139 <input type="hidden" name="noredir" value="1" /> 140 140 -
wp-admin/edit-form-advanced.php
210 210 <input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" /> 211 211 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" /> 212 212 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" /> 213 <input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url( stripslashes(wp_get_referer())); ?>" />213 <input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" /> 214 214 <?php 215 215 if ( 'draft' != $post->post_status ) 216 216 wp_original_referer_field(true, 'previous'); -
wp-admin/network/site-info.php
56 56 delete_option( 'rewrite_rules' ); 57 57 58 58 // update blogs table 59 $blog_data = stripslashes_deep( $_POST['blog'] );59 $blog_data = wp_unslash( $_POST['blog'] ); 60 60 $existing_details = get_blog_details( $id, false ); 61 61 $blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' ); 62 62 foreach ( $blog_data_checkboxes as $c ) { -
wp-admin/network/edit.php
154 154 foreach ( $options as $option_name ) { 155 155 if ( ! isset($_POST[$option_name]) ) 156 156 continue; 157 $value = stripslashes_deep( $_POST[$option_name] );157 $value = wp_unslash( $_POST[$option_name] ); 158 158 update_site_option( $option_name, $value ); 159 159 } 160 160 -
wp-admin/edit.php
138 138 wp_redirect($sendback); 139 139 exit(); 140 140 } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) { 141 wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );141 wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) ); 142 142 exit; 143 143 } 144 144 -
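--- a/wp-admin/upgrade.php
+++ b/wp-admin/upgrade.php
@@ -72,7 +72,7 @@
 <?php else :
 switch ( $step ) :
 case 0:
-$goback = stripslashes( wp_get_referer() );
+$goback = wp_unslash( wp_get_referer() );
 $goback = esc_url_raw( $goback );
 $goback = urlencode( $goback );
 ?>
@@ -85,7 +85,7 @@
 case 1:
 wp_upgrade();
 
-$backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
+$backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
 $backto = esc_url( $backto );
 $backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/');
 ?>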
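Review bot: In the second hunk the decode order is inverted: `wp_unslash()` exists to undo the slashing WordPress applies to the raw request value, so it belongs before `urldecode()`, not after; as written, a `%5C` in the query string becomes a backslash that the subsequent unslash then removes, i.e. the value is decoded twice. `$backto = !empty($_GET['backto']) ? urldecode( wp_unslash( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';` undoes each layer exactly once. The `esc_url()` and `wp_validate_redirect()` calls that follow should still bound where the redirect can go, so the visible effect is a mangled back-link rather than an unchecked redirect, but the ordering is worth fixing while the line is being touched.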
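--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -115,16 +115,16 @@
 if ( 'options' == $option_page ) {
 if ( is_multisite() && ! is_super_admin() )
 wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) );
-$options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) );
+$options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) );
 } else {
 $options = $whitelist_options[ $option_page ];
 }
 
 // Handle custom date/time formats
 if ( 'general' == $option_page ) {
-if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) )
+if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) )
 $_POST['date_format'] = $_POST['date_format_custom'];
-if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) )
+if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) )
 $_POST['time_format'] = $_POST['time_format_custom'];
 // Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
 if ( !empty($_POST['timezone_string']) && preg_match('/^UTC[+-]/', $_POST['timezone_string']) ) {
@@ -145,7 +145,7 @@
 $value = $_POST[$option];
 if ( !is_array($value) )
 $value = trim($value);
-$value = stripslashes_deep($value);
+$value = wp_unslash($value);
 update_option($option, $value);
 }
 }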
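Review bot: The custom-format checks on lines 125 and 127 compare with `==`; both operands are strings here so the loose comparison happens to be safe, but `'\c\u\s\t\o\m' === wp_unslash( $_POST['date_format'] )` states the intent and rules out PHP's numeric-string coercion should either side change. Separately, the third hunk trims before it unslashes (`$value = trim($value);` then `$value = wp_unslash($value);`), whereas the install.php hunks in this same patch do `trim( wp_unslash( ... ) )`; the results coincide because slashing never introduces whitespace, but one order throughout the patch would be easier to reason about. The `foreach` that the third hunk sits in appears to start outside the hunk.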
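--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -49,7 +49,7 @@
 );
 
 
-$wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer));
+$wp_http_referer = remove_query_arg(array('update', 'delete_count'), wp_unslash($wp_http_referer));
 
 $user_can_edit = current_user_can( 'edit_posts' ) || current_user_can( 'edit_pages' );
 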
wp-admin/press-this.php
96 96 } 97 97 98 98 // Set Variables 99 $title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : '';99 $title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; 100 100 101 101 $selection = ''; 102 102 if ( !empty($_GET['s']) ) { 103 $selection = str_replace(''', "'", stripslashes($_GET['s']));103 $selection = str_replace(''', "'", wp_unslash($_GET['s'])); 104 104 $selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) ); 105 105 } 106 106 -
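Review bot: Both `html_entity_decode()` calls on lines 99 and 104 omit the charset argument, so on PHP releases older than 5.4 they decode as ISO-8859-1 and can corrupt multibyte characters in a title or selection submitted from a UTF-8 page; the commit rewrites these lines but does not address that. Passing the charset explicitly, e.g. `html_entity_decode( wp_unslash( $_GET['t'] ), ENT_QUOTES, 'UTF-8' )` (or the blog charset, if that is what the surrounding code uses), removes the version dependence. The `'''` literal shown on line 103 looks like an entity decoded by the ticket viewer rather than the text in the file, so I have not commented on that call.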
wp-admin/link-manager.php
31 31 exit; 32 32 } 33 33 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { 34 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );34 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); 35 35 exit; 36 36 } 37 37 … … 61 61 <?php screen_icon(); ?> 62 62 <h2><?php echo esc_html( $title ); ?> <a href="link-add.php" class="add-new-h2"><?php echo esc_html_x('Add New', 'link'); ?></a> <?php 63 63 if ( !empty($_REQUEST['s']) ) 64 printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>64 printf( '<span class="subtitle">' . __('Search results for “%s”') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?> 65 65 </h2> 66 66 67 67 <?php -
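--- a/wp-admin/install.php
+++ b/wp-admin/install.php
@@ -82,10 +82,10 @@
 if ( ! empty( $_POST ) )
 $blog_public = isset( $_POST['blog_public'] );
 
-$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-$admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
-$admin_email = isset( $_POST['admin_email'] ) ? trim( stripslashes( $_POST['admin_email'] ) ) : '';
+$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
+$admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
+$admin_email = isset( $_POST['admin_email'] ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : '';
 
 if ( ! is_null( $error ) ) {
 ?>
@@ -181,11 +181,11 @@
 
 display_header();
 // Fill in the data we gathered
-$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
+$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
 $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
 $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
-$admin_email = isset( $_POST['admin_email'] ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
+$admin_email = isset( $_POST['admin_email'] ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : '';
 $public = isset( $_POST['blog_public'] ) ? (int) $_POST['blog_public'] : 0;
 // check e-mail address
 $error = false;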
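Review bot: The two hunks treat the admin password differently: line 87 trims and unslashes it, while line 186 in the second hunk keeps the raw, still-slashed `$_POST['admin_password']` and line 187 does the same for the confirmation, and the commit leaves that asymmetry in place. If the install routine expects an already-unslashed password, one containing a quote or backslash will be stored with extra slashes and fail to verify afterwards; if instead it follows the expected_slashed convention the post and user APIs use, the raw value is correct and a one-line comment such as `// expected_slashed: the install routine unslashes the password itself` would stop the next reader from "fixing" it. Which case applies is not visible in this hunk, so it is worth confirming before merge. The `trim()` on line 87 also alters a password that begins or ends with whitespace, which the second hunk does not do; if line 87 only feeds the form redisplay the difference is cosmetic.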
wp-admin/plugin-editor.php
30 30 wp_die( __('There are no plugins installed on this site.') ); 31 31 32 32 if ( isset($_REQUEST['file']) ) 33 $plugin = stripslashes($_REQUEST['file']);33 $plugin = wp_unslash($_REQUEST['file']); 34 34 35 35 if ( empty($plugin) ) { 36 36 $plugin = array_keys($plugins); … … 42 42 if ( empty($file) ) 43 43 $file = $plugin_files[0]; 44 44 else 45 $file = stripslashes($file);45 $file = wp_unslash($file); 46 46 47 47 $file = validate_file_to_edit($file, $plugin_files); 48 48 $real_file = WP_PLUGIN_DIR . '/' . $file; … … 54 54 55 55 check_admin_referer('edit-plugin_' . $file); 56 56 57 $newcontent = stripslashes($_POST['newcontent']);57 $newcontent = wp_unslash($_POST['newcontent']); 58 58 if ( is_writeable($real_file) ) { 59 59 $f = fopen($real_file, 'w+'); 60 60 fwrite($f, $newcontent);