Ticket #24248: 24248-updated.diff
File 24248-updated.diff, 2.8 KB (added by , 10 years ago) |
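--- a/src/wp-includes/post.php
+++ b/src/wp-includes/post.php
@@ -3106,12 +3106,14 @@
 
 unset( $postarr[ 'filter' ] );
 
+if( ! empty( $postarr['guid'] ) )
+$guid = esc_url_raw( $postarr['guid'] );
+
 $postarr = sanitize_post($postarr, 'db');
 
 // Are we updating or creating?
 $post_ID = 0;
 $update = false;
-$guid = $postarr['guid'];
 
 if ( ! empty( $postarr['ID'] ) ) {
 $update = true;
@@ -3126,8 +3128,8 @@
 return 0;
 }
 
-$guid = get_post_field( 'guid', $post_ID );
-$previous_status = get_post_field( 'post_status', $post_ID);
+$guid = get_post_field( 'guid', $post_ID, 'raw' );
+$previous_status = get_post_field( 'post_status', $post_ID, 'raw' );
 } else {
 $previous_status = 'new';
 }
@@ -3209,7 +3211,7 @@
 } else {
 // On updates, we need to check to see if it's using the old, fixed sanitization context.
 $check_name = sanitize_title( $post_name, '', 'old-save' );
-if ( $update && strtolower( urlencode( $post_name ) ) == $check_name && get_post_field( 'post_name', $post_ID ) == $check_name ) {
+if ( $update && strtolower( urlencode( $post_name ) ) == $check_name && get_post_field( 'post_name', $post_ID, 'raw' ) == $check_name ) {
 $post_name = $check_name;
 } else { // new post, or slug has changed.
 $post_name = sanitize_title($post_name);
@@ -3430,7 +3432,7 @@
 }
 }
 
-$current_guid = get_post_field( 'guid', $post_ID );
+$current_guid = get_post_field( 'guid', $post_ID, 'raw' );
 
 // Set GUID.
 if ( ! $update && '' == $current_guid ) {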
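Review bot: `$guid` is assigned only when `$postarr['guid']` is non-empty in the first hunk, and the unconditional `$guid = $postarr['guid'];` is removed, so a new post created without a guid reaches any later use of `$guid` with the variable undefined (the update branch reassigns it from the database, the create branch does not). Initialise it in both cases, e.g. `$guid = empty( $postarr['guid'] ) ? '' : esc_url_raw( $postarr['guid'] );`. Because the value is now captured before `sanitize_post( $postarr, 'db' )`, `esc_url_raw()` appears to be the only sanitisation the caller-supplied guid receives; if callbacks hooked into the db-context filters for guid are expected to keep running on it, that should be confirmed. The enclosing function starts and ends outside these hunks, so the later uses of `$guid` are not visible here.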
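--- a/tests/phpunit/tests/post.php
+++ b/tests/phpunit/tests/post.php
@@ -1068,4 +1068,38 @@
 $this->assertEquals( $value, $post->$field );
 }
 }
+
+
+/**
+* Tests 'guid' not properly escaped
+* @ticket 24248
+*/
+function test_wp_guid_escaped_properly() {
+
+$guid = 'http://example.org/?p=77&test=blah';
+
+//Insert new post with guid
+$id = wp_insert_post( array(
+'post_author' => $this->author_id,
+'post_status' => 'new',
+'post_content' => rand_str(),
+'post_title' => rand_str(),
+'guid' => $guid,
+) );
+$post = get_post( $id );
+
+$this->assertEquals( $guid, $post->guid );
+
+//Update post
+$id = wp_update_post( array(
+'ID' => $id,
+'post_status' => 'publish',
+'post_content' => rand_str(),
+'post_title' => rand_str(),
+) );
+$post = get_post( $id );
+
+$this->assertEquals( $guid, $post->guid );
+}
+
 }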
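Review bot: `test_wp_guid_escaped_properly()` covers only a well-formed `http` guid, so it would still pass if the `esc_url_raw()` call were dropped from `wp_insert_post()`. Add a case that inserts a post with no `'guid'` key (the path on which `$guid` is no longer initialised up front) and one whose guid uses a scheme `esc_url_raw()` does not allow, asserting that the stored value is not the input verbatim. `assertSame()` would also be stricter than `assertEquals()` for these string comparisons. The docblock summary describes the bug rather than the expectation; something like `Ensures a guid containing '&' is stored unmodified on insert and preserved on update.` would read better.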