
Ticket #2458: importfilenotescaped.diff

File importfilenotescaped.diff, 879 bytes (added by bungeman, 12 years ago)

Escapes the values (filename, URL and file path) before creating the attachment post.

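--- a/admin-functions.php
+++ b/admin-functions.php
@@ -1855,6 +1855,8 @@
 }
 
 function wp_import_handle_upload() {
+        global $wpdb;
+
         $overrides = array('test_form' => false, 'test_type' => false);
         $file = wp_handle_upload($_FILES['import'], $overrides);
 
@@ -1867,14 +1869,14 @@
 
         // Construct the object array
         $object = array(
-                'post_title' => $filename,
-                'post_content' => $url,
+                'post_title' => $wpdb->escape($filename),
+                'post_content' => $wpdb->escape($url),
                 'post_mime_type' => 'import',
-                'guid' => $url
+                'guid' => $wpdb->escape($url)
         );
 
         // Save the data
-        $id = wp_insert_attachment($object, $file);
+        $id = wp_insert_attachment($object, $wpdb->escape($file));
 
         return array('file' => $file, 'id' => $id);
 }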
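Review bot: The new `$wpdb->escape()` calls on `post_title`, `post_content`, `guid` and the `$file` argument tie this caller to the quoting contract of `wp_insert_attachment()`, and that contract is not visible in the section; if the insert path escapes on its own rather than expecting pre-slashed (magic-quotes style) input, any apostrophe in an uploaded filename ends up stored with doubled backslashes, and the attached-file path saved under `$wpdb->escape($file)` would no longer match the on-disk path while the unescaped `$file` is still what gets returned on the last line. I would pin the assumption at the construction of `$object`: `// wp_insert_attachment()/wp_insert_post() expect slashed input; $filename and $url come from the upload, not $_POST, so slash them here`. Note also that `$wpdb->escape()` addresses the SQL context only: `post_title` is derived from the uploaded file's name, so it still needs HTML escaping wherever it is rendered, which this change does not (and should not) try to cover. The body of `wp_import_handle_upload()` between the two hunks, where `$filename` and `$url` are derived, is not shown here, so whether they are already sanitized by `wp_handle_upload()` cannot be confirmed from this section.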