Ticket #32350: 32350.diff
| File 32350.diff, 7.2 KB (added by , 10 years ago) |
|---|
-
src/wp-includes/formatting.php
3365 3365 global $wpdb; 3366 3366 3367 3367 $original_value = $value; 3368 $error = ''; 3368 3369 3369 3370 switch ( $option ) { 3370 3371 case 'admin_email' : 3371 3372 case 'new_admin_email' : 3372 3373 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3373 $value = sanitize_email( $value ); 3374 if ( ! is_email( $value ) ) { 3375 $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization 3376 if ( function_exists( 'add_settings_error' ) ) 3377 add_settings_error( $option, 'invalid_admin_email', __( 'The email address entered did not appear to be a valid email address. Please enter a valid email address.' ) ); 3374 if ( is_wp_error( $value ) ) { 3375 $error = $value->get_error_message(); 3376 } else { 3377 $value = sanitize_email( $value ); 3378 if ( ! is_email( $value ) ) { 3379 $error = __( 'The email address entered did not appear to be a valid email address. Please enter a valid email address.' ); 3380 } 3378 3381 } 3379 3382 break; 3380 3383 … … 3419 3422 case 'blogdescription': 3420 3423 case 'blogname': 3421 3424 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3422 $value = wp_kses_post( $value ); 3423 $value = esc_html( $value ); 3425 if ( is_wp_error( $value ) ) { 3426 $error = $value->get_error_message(); 3427 } else { 3428 $value = wp_kses_post( $value ); 3429 $value = esc_html( $value ); 3430 } 3424 3431 break; 3425 3432 3426 3433 case 'blog_charset': … … 3442 3449 case 'mailserver_pass': 3443 3450 case 'upload_path': 3444 3451 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3445 $value = strip_tags( $value ); 3446 $value = wp_kses_data( $value ); 3452 if ( is_wp_error( $value ) ) { 3453 $error = $value->get_error_message(); 3454 } else { 3455 $value = strip_tags( $value ); 3456 $value = wp_kses_data( $value ); 3457 } 3447 3458 break; 3448 3459 3449 3460 case 'ping_sites': … … 3459 3470 3460 3471 case 'siteurl': 3461 3472 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3462 if ( (bool)preg_match( '#http(s?)://(.+)#i', $value) ) {3463 $ value = esc_url_raw($value);3473 if ( is_wp_error( $value ) ) { 3474 $error = $value->get_error_message(); 3464 3475 } else { 3465 $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization 3466 if ( function_exists('add_settings_error') ) 3467 add_settings_error('siteurl', 'invalid_siteurl', __('The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.')); 3476 if ( preg_match( '#http(s?)://(.+)#i', $value ) ) { 3477 $value = esc_url_raw( $value ); 3478 } else { 3479 $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' ); 3480 } 3468 3481 } 3469 3482 break; 3470 3483 3471 3484 case 'home': 3472 3485 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3473 if ( (bool)preg_match( '#http(s?)://(.+)#i', $value) ) {3474 $ value = esc_url_raw($value);3486 if ( is_wp_error( $value ) ) { 3487 $error = $value->get_error_message(); 3475 3488 } else { 3476 $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization 3477 if ( function_exists('add_settings_error') ) 3478 add_settings_error('home', 'invalid_home', __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.')); 3489 if ( preg_match( '#http(s?)://(.+)#i', $value ) ) { 3490 $value = esc_url_raw( $value ); 3491 } else { 3492 $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' ); 3493 } 3479 3494 } 3480 3495 break; 3481 3496 … … 3491 3506 3492 3507 case 'illegal_names': 3493 3508 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3494 if ( ! is_array( $value ) ) 3495 $value = explode( ' ', $value ); 3509 if ( is_wp_error( $value ) ) { 3510 $error = $value->get_error_message(); 3511 } else { 3512 if ( ! is_array( $value ) ) 3513 $value = explode( ' ', $value ); 3496 3514 3497 $value = array_values( array_filter( array_map( 'trim', $value ) ) );3515 $value = array_values( array_filter( array_map( 'trim', $value ) ) ); 3498 3516 3499 if ( ! $value ) 3500 $value = ''; 3517 if ( ! $value ) 3518 $value = ''; 3519 } 3501 3520 break; 3502 3521 3503 3522 case 'limited_email_domains': 3504 3523 case 'banned_email_domains': 3505 3524 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3506 if ( ! is_array( $value ) ) 3507 $value = explode( "\n", $value ); 3525 if ( is_wp_error( $value ) ) { 3526 $error = $value->get_error_message(); 3527 } else { 3528 if ( ! is_array( $value ) ) 3529 $value = explode( "\n", $value ); 3508 3530 3509 $domains = array_values( array_filter( array_map( 'trim', $value ) ) );3510 $value = array();3531 $domains = array_values( array_filter( array_map( 'trim', $value ) ) ); 3532 $value = array(); 3511 3533 3512 foreach ( $domains as $domain ) { 3513 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) ) 3514 $value[] = $domain; 3534 foreach ( $domains as $domain ) { 3535 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) ) { 3536 $value[] = $domain; 3537 } 3538 } 3539 if ( ! $value ) 3540 $value = ''; 3515 3541 } 3516 if ( ! $value )3517 $value = '';3518 3542 break; 3519 3543 3520 3544 case 'timezone_string': 3521 3545 $allowed_zones = timezone_identifiers_list(); 3522 3546 if ( ! in_array( $value, $allowed_zones ) && ! empty( $value ) ) { 3523 $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization 3524 if ( function_exists('add_settings_error') ) 3525 add_settings_error('timezone_string', 'invalid_timezone_string', __('The timezone you have entered is not valid. Please select a valid timezone.') ); 3547 $error = __( 'The timezone you have entered is not valid. Please select a valid timezone.' ); 3526 3548 } 3527 3549 break; 3528 3550 … … 3530 3552 case 'category_base': 3531 3553 case 'tag_base': 3532 3554 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3533 $value = esc_url_raw( $value ); 3534 $value = str_replace( 'http://', '', $value ); 3555 if ( is_wp_error( $value ) ) { 3556 $error = $value->get_error_message(); 3557 } else { 3558 $value = esc_url_raw( $value ); 3559 $value = str_replace( 'http://', '', $value ); 3560 } 3535 3561 break; 3536 3562 3537 3563 case 'default_role' : … … 3542 3568 case 'moderation_keys': 3543 3569 case 'blacklist_keys': 3544 3570 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3545 $value = explode( "\n", $value ); 3546 $value = array_filter( array_map( 'trim', $value ) ); 3547 $value = array_unique( $value ); 3548 $value = implode( "\n", $value ); 3571 if ( is_wp_error( $value ) ) { 3572 $error = $value->get_error_message(); 3573 } else { 3574 $value = explode( "\n", $value ); 3575 $value = array_filter( array_map( 'trim', $value ) ); 3576 $value = array_unique( $value ); 3577 $value = implode( "\n", $value ); 3578 } 3549 3579 break; 3550 3580 } 3551 3581 3582 if ( ! empty( $error ) ) { 3583 $value = get_option( $option ); 3584 if ( function_exists( 'add_settings_error' ) ) { 3585 add_settings_error( $option, "invalid_{$option}", $error ); 3586 } 3587 } 3588 3552 3589 /** 3553 3590 * Filter an option value following sanitization. 3554 3591 *