Ticket #32703: FixEditPage.patch
File FixEditPage.patch, 1.7 KB (added by , 10 years ago) |
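--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -2747,26 +2747,31 @@
 * @return array|IXR_Error
 */
 public function wp_editPage( $args ) {
-// Items not escaped here will be escaped in editPost.
-$page_id = (int) $this->escape($args[1]);
-$username = $this->escape($args[2]);
-$password = $this->escape($args[3]);
+$page_id = $args[1];
+$username = $args[2];
+$password = $args[3];
 $content = $args[4];
 $publish = $args[5];
 
-if ( !$user = $this->login($username, $password) )
+// Escape arguments for our own purposes but leave originals intact
+// to avoid double-escaping in mw_editPost
+$escaped_page_id = (int) $this->escape($page_id);
+$escaped_username = $this->escape($username);
+$escaped_password = $this->escape($password);
+
+if ( !$user = $this->login($escaped_username, $escaped_password) )
 return $this->error;
 
 /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
 do_action( 'xmlrpc_call', 'wp.editPage' );
 
 // Get the page data and make sure it is a page.
-$actual_page = get_post($ page_id, ARRAY_A);
+$actual_page = get_post($escaped_page_id, ARRAY_A);
 if ( !$actual_page || ($actual_page['post_type'] != 'page') )
 return new IXR_Error( 404, __( 'Sorry, no such page.' ) );
 
 // Make sure the user is allowed to edit pages.
-if ( !current_user_can('edit_page', $ page_id) )
+if ( !current_user_can('edit_page', $escaped_page_id) )
 return new IXR_Error( 401, __( 'Sorry, you do not have the right to edit this page.' ) );
 
 // Mark this as content for a page.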
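Review bot: The page-type check and the `edit_page` capability check now run on `$escaped_page_id`, an int-cast copy, while the raw `$page_id` taken from `$args[1]` is kept for forwarding. If a client sends a non-integer value there, the ID authorised here and the ID acted on later can differ unless the downstream method casts it the same way. The forwarding call is outside this hunk, so this is inferred from the new comment about mw_editPost. An integer needs no escaping, so casting once at the top, `$page_id = (int) $args[1];`, and using that one variable for `get_post()`, `current_user_can()` and the forwarded arguments would keep check and use on the same value. Only the username and password would then need the separate escaped copies.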