Ticket #33732: 33732.diff

File 33732.diff, 8.7 KB (added by westonruter, 6 years ago)

Add late-escaping for data via wxr_cdata() and intval()

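diff --git src/wp-admin/includes/export.php src/wp-admin/includes/export.php
index ffabf52..75d1cf9 100644
--- a/src/wp-admin/includes/export.php
+++ b/src/wp-admin/includes/export.php
@@ -270,9 +270,9 @@ function export_wp( $args = array() ) {
 
                 foreach ( $authors as $author ) {
                         echo "\t<wp:author>";
-                        echo '<wp:author_id>' . $author->ID . '</wp:author_id>';
-                        echo '<wp:author_login>' . $author->user_login . '</wp:author_login>';
-                        echo '<wp:author_email>' . $author->user_email . '</wp:author_email>';
+                        echo '<wp:author_id>' . intval( $author->ID ) . '</wp:author_id>';
+                        echo '<wp:author_login>' . wxr_cdata( $author->user_login ) . '</wp:author_login>';
+                        echo '<wp:author_email>' . wxr_cdata( $author->user_email ) . '</wp:author_email>';
                         echo '<wp:author_display_name>' . wxr_cdata( $author->display_name ) . '</wp:author_display_name>';
                         echo '<wp:author_first_name>' . wxr_cdata( $author->user_firstname ) . '</wp:author_first_name>';
                         echo '<wp:author_last_name>' . wxr_cdata( $author->user_lastname ) . '</wp:author_last_name>';
@@ -291,7 +291,10 @@ function export_wp( $args = array() ) {
                         return;
 
                 foreach ( $nav_menus as $menu ) {
-                        echo "\t<wp:term><wp:term_id>{$menu->term_id}</wp:term_id><wp:term_taxonomy>nav_menu</wp:term_taxonomy><wp:term_slug>{$menu->slug}</wp:term_slug>";
+                        echo "\t<wp:term>";
+                        echo '<wp:term_id>' . intval( $menu->term_id ) . '</wp:term_id>';
+                        echo '<wp:term_taxonomy>nav_menu</wp:term_taxonomy>';
+                        echo '<wp:term_slug>' . wxr_cdata( $menu->slug ) . '</wp:term_slug>';
                         wxr_term_name( $menu );
                         echo "</wp:term>\n";
                 }
@@ -370,13 +373,13 @@ function export_wp( $args = array() ) {
 <?php wxr_authors_list( $post_ids ); ?>
 
 <?php foreach ( $cats as $c ) : ?>
-        <wp:category><wp:term_id><?php echo $c->term_id ?></wp:term_id><wp:category_nicename><?php echo $c->slug; ?></wp:category_nicename><wp:category_parent><?php echo $c->parent ? $cats[$c->parent]->slug : ''; ?></wp:category_parent><?php wxr_cat_name( $c ); ?><?php wxr_category_description( $c ); ?></wp:category>
+        <wp:category><wp:term_id><?php echo intval( $c->term_id ); ?></wp:term_id><wp:category_nicename><?php echo wxr_cdata( $c->slug ); ?></wp:category_nicename><wp:category_parent><?php echo wxr_cdata( $c->parent ? $cats[$c->parent]->slug : '' ); ?></wp:category_parent><?php wxr_cat_name( $c ); ?><?php wxr_category_description( $c ); ?></wp:category>
 <?php endforeach; ?>
 <?php foreach ( $tags as $t ) : ?>
-        <wp:tag><wp:term_id><?php echo $t->term_id ?></wp:term_id><wp:tag_slug><?php echo $t->slug; ?></wp:tag_slug><?php wxr_tag_name( $t ); ?><?php wxr_tag_description( $t ); ?></wp:tag>
+        <wp:tag><wp:term_id><?php echo intval( $t->term_id ); ?></wp:term_id><wp:tag_slug><?php echo wxr_cdata( $t->slug ); ?></wp:tag_slug><?php wxr_tag_name( $t ); ?><?php wxr_tag_description( $t ); ?></wp:tag>
 <?php endforeach; ?>
 <?php foreach ( $terms as $t ) : ?>
-        <wp:term><wp:term_id><?php echo $t->term_id ?></wp:term_id><wp:term_taxonomy><?php echo $t->taxonomy; ?></wp:term_taxonomy><wp:term_slug><?php echo $t->slug; ?></wp:term_slug><wp:term_parent><?php echo $t->parent ? $terms[$t->parent]->slug : ''; ?></wp:term_parent><?php wxr_term_name( $t ); ?><?php wxr_term_description( $t ); ?></wp:term>
+        <wp:term><wp:term_id><?php echo wxr_cdata( $t->term_id ); ?></wp:term_id><wp:term_taxonomy><?php echo wxr_cdata( $t->taxonomy ); ?></wp:term_taxonomy><wp:term_slug><?php echo wxr_cdata( $t->slug ); ?></wp:term_slug><wp:term_parent><?php echo wxr_cdata( $t->parent ? $terms[$t->parent]->slug : '' ); ?></wp:term_parent><?php wxr_term_name( $t ); ?><?php wxr_term_description( $t ); ?></wp:term>
 <?php endforeach; ?>
 <?php if ( 'all' == $args['content'] ) wxr_nav_menu_terms(); ?>
 
@@ -434,20 +437,20 @@ function export_wp( $args = array() ) {
                          */
                         echo wxr_cdata( apply_filters( 'the_excerpt_export', $post->post_excerpt ) );
                 ?></excerpt:encoded>
-                <wp:post_id><?php echo $post->ID; ?></wp:post_id>
-                <wp:post_date><?php echo $post->post_date; ?></wp:post_date>
-                <wp:post_date_gmt><?php echo $post->post_date_gmt; ?></wp:post_date_gmt>
-                <wp:comment_status><?php echo $post->comment_status; ?></wp:comment_status>
-                <wp:ping_status><?php echo $post->ping_status; ?></wp:ping_status>
-                <wp:post_name><?php echo $post->post_name; ?></wp:post_name>
-                <wp:status><?php echo $post->post_status; ?></wp:status>
-                <wp:post_parent><?php echo $post->post_parent; ?></wp:post_parent>
-                <wp:menu_order><?php echo $post->menu_order; ?></wp:menu_order>
-                <wp:post_type><?php echo $post->post_type; ?></wp:post_type>
-                <wp:post_password><?php echo $post->post_password; ?></wp:post_password>
-                <wp:is_sticky><?php echo $is_sticky; ?></wp:is_sticky>
+                <wp:post_id><?php echo intval( $post->ID ); ?></wp:post_id>
+                <wp:post_date><?php echo wxr_cdata( $post->post_date ); ?></wp:post_date>
+                <wp:post_date_gmt><?php echo wxr_cdata( $post->post_date_gmt ); ?></wp:post_date_gmt>
+                <wp:comment_status><?php echo wxr_cdata( $post->comment_status ); ?></wp:comment_status>
+                <wp:ping_status><?php echo wxr_cdata( $post->ping_status ); ?></wp:ping_status>
+                <wp:post_name><?php echo wxr_cdata( $post->post_name ); ?></wp:post_name>
+                <wp:status><?php echo wxr_cdata( $post->post_status ); ?></wp:status>
+                <wp:post_parent><?php echo intval( $post->post_parent ); ?></wp:post_parent>
+                <wp:menu_order><?php echo intval( $post->menu_order ); ?></wp:menu_order>
+                <wp:post_type><?php echo wxr_cdata( $post->post_type ); ?></wp:post_type>
+                <wp:post_password><?php echo wxr_cdata( $post->post_password ); ?></wp:post_password>
+                <wp:is_sticky><?php echo intval( $is_sticky ); ?></wp:is_sticky>
 <?php   if ( $post->post_type == 'attachment' ) : ?>
-                <wp:attachment_url><?php echo wp_get_attachment_url( $post->ID ); ?></wp:attachment_url>
+                <wp:attachment_url><?php echo wxr_cdata( wp_get_attachment_url( $post->ID ) ); ?></wp:attachment_url>
 <?php   endif; ?>
 <?php   wxr_post_taxonomy(); ?>
 <?php   $postmeta = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $wpdb->postmeta WHERE post_id = %d", $post->ID ) );
@@ -468,7 +471,7 @@ function export_wp( $args = array() ) {
                                 continue;
                 ?>
                 <wp:postmeta>
-                        <wp:meta_key><?php echo $meta->meta_key; ?></wp:meta_key>
+                        <wp:meta_key><?php echo wxr_cdata( $meta->meta_key ); ?></wp:meta_key>
                         <wp:meta_value><?php echo wxr_cdata( $meta->meta_value ); ?></wp:meta_value>
                 </wp:postmeta>
 <?php   endforeach;
@@ -477,18 +480,18 @@ function export_wp( $args = array() ) {
                 $comments = array_map( 'get_comment', $_comments );
                 foreach ( $comments as $c ) : ?>
                 <wp:comment>
-                        <wp:comment_id><?php echo $c->comment_ID; ?></wp:comment_id>
+                        <wp:comment_id><?php echo intval( $c->comment_ID ); ?></wp:comment_id>
                         <wp:comment_author><?php echo wxr_cdata( $c->comment_author ); ?></wp:comment_author>
-                        <wp:comment_author_email><?php echo $c->comment_author_email; ?></wp:comment_author_email>
+                        <wp:comment_author_email><?php echo wxr_cdata( $c->comment_author_email ); ?></wp:comment_author_email>
                         <wp:comment_author_url><?php echo esc_url_raw( $c->comment_author_url ); ?></wp:comment_author_url>
-                        <wp:comment_author_IP><?php echo $c->comment_author_IP; ?></wp:comment_author_IP>
-                        <wp:comment_date><?php echo $c->comment_date; ?></wp:comment_date>
-                        <wp:comment_date_gmt><?php echo $c->comment_date_gmt; ?></wp:comment_date_gmt>
+                        <wp:comment_author_IP><?php echo wxr_cdata( $c->comment_author_IP ); ?></wp:comment_author_IP>
+                        <wp:comment_date><?php echo wxr_cdata( $c->comment_date ); ?></wp:comment_date>
+                        <wp:comment_date_gmt><?php echo wxr_cdata( $c->comment_date_gmt ); ?></wp:comment_date_gmt>
                         <wp:comment_content><?php echo wxr_cdata( $c->comment_content ) ?></wp:comment_content>
-                        <wp:comment_approved><?php echo $c->comment_approved; ?></wp:comment_approved>
-                        <wp:comment_type><?php echo $c->comment_type; ?></wp:comment_type>
-                        <wp:comment_parent><?php echo $c->comment_parent; ?></wp:comment_parent>
-                        <wp:comment_user_id><?php echo $c->user_id; ?></wp:comment_user_id>
+                        <wp:comment_approved><?php echo wxr_cdata( $c->comment_approved ); ?></wp:comment_approved>
+                        <wp:comment_type><?php echo wxr_cdata( $c->comment_type ); ?></wp:comment_type>
+                        <wp:comment_parent><?php echo intval( $c->comment_parent ); ?></wp:comment_parent>
+                        <wp:comment_user_id><?php echo intval( $c->user_id ); ?></wp:comment_user_id>
 <?php           $c_meta = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $wpdb->commentmeta WHERE comment_id = %d", $c->comment_ID ) );
                         foreach ( $c_meta as $meta ) :
                                 /**
@@ -508,7 +511,7 @@ function export_wp( $args = array() ) {
                                 }
                         ?>
                         <wp:commentmeta>
-                                <wp:meta_key><?php echo $meta->meta_key; ?></wp:meta_key>
+                                <wp:meta_key><?php echo wxr_cdata( $meta->meta_key ); ?></wp:meta_key>
                                 <wp:meta_value><?php echo wxr_cdata( $meta->meta_value ); ?></wp:meta_value>
                         </wp:commentmeta>
 <?php           endforeach; ?>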
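Review bot: The generic terms loop at new line 382 emits `wxr_cdata( $t->term_id )`, whereas every other numeric id this patch touches (category and tag term_id on lines 376 and 379, post_id, post_parent, menu_order, comment_id, comment_parent, user_id) is cast with `intval()`, so this one field would be wrapped in CDATA instead of being coerced to an integer. Change it to `<wp:term_id><?php echo intval( $t->term_id ); ?></wp:term_id>` so ids are escaped uniformly across the export and the description's "intval() for ids" rule holds everywhere. The parent lookups `$cats[$c->parent]->slug` and `$terms[$t->parent]->slug` on lines 376 and 382 are only re-wrapped here and still assume the parent term is present in the keyed array; if it is not, that would presumably raise a notice inside the XML output, which may be worth a guard in a follow-up. export_wp() begins and ends outside the shown hunks.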