Make WordPress Core

Ticket #19373: 19373.2.diff

File 19373.2.diff, 2.6 KB (added by nacin, 8 years ago)

Well, not quite what I was going for... But due to wp_insert_post_data, well, you'll see the patch.

  • wp-includes/post.php

     
    26802680 *
    26812681 * @param array $postarr Elements that make up post to insert.
    26822682 * @param bool $wp_error Optional. Allow return of WP_Error on failure.
     2683 * @param bool $sanitize Optional. Run "current user" sanitization routines on $postarr.
    26832684 * @return int|WP_Error The value 0 or WP_Error on failure. The post ID on success.
    26842685 */
    2685 function wp_insert_post($postarr, $wp_error = false) {
     2686function wp_insert_post( $postarr, $wp_error = false, $sanitize = true ) {
    26862687        global $wpdb, $user_ID;
    26872688
    26882689        $defaults = array('post_status' => 'draft', 'post_type' => 'post', 'post_author' => $user_ID,
     
    26952696
    26962697        unset( $postarr[ 'filter' ] );
    26972698
    2698         $postarr = sanitize_post($postarr, 'db');
     2699        if ( ! $sanitize )
     2700                kses_remove_filters();
     2701        $postarr = sanitize_post( $postarr, 'db' );
     2702        if ( ! $sanitize )
     2703                kses_init();
    26992704
    27002705        // export array as variables
    27012706        extract($postarr, EXTR_SKIP);
     
    27532758                $post_author = $user_ID;
    27542759
    27552760        // Don't allow contributors to set the post slug for pending review posts
    2756         if ( 'pending' == $post_status && !current_user_can( 'publish_posts' ) )
     2761        if ( 'pending' == $post_status && $sanitize && !current_user_can( 'publish_posts' ) )
    27572762                $post_name = '';
    27582763
    27592764        // Create a valid post name. Drafts and pending posts are allowed to have an empty
     
    28482853
    28492854        $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent);
    28502855
    2851         // expected_slashed (everything!)
     2856        // expected_slashed, everything, unless $sanitize = false
     2857        if ( ! $sanitize )
     2858                $sanitize = wp_slash( $sanitize ); // That way the wp_insert_post_data filter receives consistent data.
    28522859        $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) );
    28532860        $data = apply_filters('wp_insert_post_data', $data, $postarr);
    28542861        $data = wp_unslash( $data );
     
    29012908                        $taxonomy_obj = get_taxonomy($taxonomy);
    29022909                        if ( is_array($tags) ) // array = hierarchical, string = non-hierarchical.
    29032910                                $tags = array_filter($tags);
    2904                         if ( current_user_can($taxonomy_obj->cap->assign_terms) )
     2911                        if ( ! $sanitize || current_user_can( $taxonomy_obj->cap->assign_terms ) )
    29052912                                wp_set_post_terms( $post_ID, $tags, $taxonomy );
    29062913                }
    29072914        }