Ticket #35379: 35379.5.diff
File 35379.5.diff, 10.1 KB (added by , 9 years ago) |
src/wp-includes/formatting.php
3627 3627 } 3628 3628 3629 3629 /** 3630 * Sanitises variousoption values based on the nature of the option.3630 * Validates default option values based on the nature of the option. 3631 3631 * 3632 * This is basically a switch statement which will pass $value through a number 3633 * of functions depending on the $option. 3632 * This validation functions are usable for validating WordPress core options in both single-site and multisite-mode 3634 3633 * 3635 * @since 2.0.53634 * @since 4.6.0 3636 3635 * 3637 3636 * @global wpdb $wpdb WordPress database abstraction object. 3638 3637 * 3639 3638 * @param string $option The name of the option. 3640 * @param string $value The unsanitised value .3641 * @return string Sanitized value.3639 * @param string $value The unsanitised value or original value 3640 * @return array Array of validated value or error 3642 3641 */ 3643 function sanitize_option( $option, $value ) { 3642 3643 function wp_validate_default_options( $option , $value ) { 3644 3644 3645 global $wpdb; 3645 3646 3646 3647 $original_value = $value; … … 3659 3660 } 3660 3661 } 3661 3662 break; 3662 3663 3663 3664 case 'thumbnail_size_w': 3664 3665 case 'thumbnail_size_h': 3665 3666 case 'medium_size_w': … … 3684 3685 case 'site_icon': 3685 3686 $value = absint( $value ); 3686 3687 break; 3687 3688 3688 3689 case 'posts_per_page': 3689 3690 case 'posts_per_rss': 3690 3691 $value = (int) $value; 3691 3692 if ( empty($value) ) 3692 3693 $value = 1; 3693 if ( $value < -1 )3694 $value = abs($value);3695 break;3696 3694 if ( $value < -1 ) 3695 $value = abs($value); 3696 break; 3697 3697 3698 case 'default_ping_status': 3698 3699 case 'default_comment_status': 3699 3700 // Options that if not there have 0 value but need to be something like "closed" 3700 3701 if ( $value == '0' || $value == '') 3701 3702 $value = 'closed'; 3702 break;3703 3703 break; 3704 3704 3705 case 'blogdescription': 3705 3706 case 'blogname': 3706 3707 $value = 
$wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); … … 3707 3708 if ( $value !== $original_value ) { 3708 3709 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', wp_encode_emoji( $original_value ) ); 3709 3710 } 3710 3711 3711 3712 if ( is_wp_error( $value ) ) { 3712 3713 $error = $value->get_error_message(); 3713 3714 } else { … … 3714 3715 $value = esc_html( $value ); 3715 3716 } 3716 3717 break; 3717 3718 3718 3719 case 'blog_charset': 3719 3720 $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes 3720 3721 break; 3721 3722 3722 3723 case 'blog_public': 3723 3724 // This is the value if the settings checkbox is not checked on POST. Don't rely on this. 3724 3725 if ( null === $value ) 3725 3726 $value = 1; 3726 else3727 $value = intval( $value );3728 break;3729 3727 else 3728 $value = intval( $value ); 3729 break; 3730 3730 3731 case 'date_format': 3731 3732 case 'time_format': 3732 3733 case 'mailserver_url': … … 3741 3742 $value = wp_kses_data( $value ); 3742 3743 } 3743 3744 break; 3744 3745 3745 3746 case 'ping_sites': 3746 3747 $value = explode( "\n", $value ); 3747 3748 $value = array_filter( array_map( 'trim', $value ) ); … … 3748 3749 $value = array_filter( array_map( 'esc_url_raw', $value ) ); 3749 3750 $value = implode( "\n", $value ); 3750 3751 break; 3751 3752 3752 3753 case 'gmt_offset': 3753 3754 $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes 3754 3755 break; 3755 3756 3756 3757 case 'siteurl': 3757 3758 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3758 3759 if ( is_wp_error( $value ) ) { … … 3765 3766 } 3766 3767 } 3767 3768 break; 3768 3769 3769 3770 case 'home': 3770 3771 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3771 3772 if ( is_wp_error( $value ) ) { … … 3778 3779 } 3779 3780 } 3780 3781 break; 3781 3782 3782 3783 case 'WPLANG': 3783 3784 $allowed = 
get_available_languages(); 3784 3785 if ( ! is_multisite() && defined( 'WPLANG' ) && '' !== WPLANG && 'en_US' !== WPLANG ) { 3785 3786 $allowed[] = WPLANG; 3786 3787 } 3787 if ( ! in_array( $value, $allowed ) && ! empty( $value ) ) { 3788 $ value = get_option( $option);3788 if ( ! in_array( $value, $allowed ) && ! empty( $value ) ) { 3789 $error = __( 'The WPLANG seems incorrect.' ); 3789 3790 } 3790 3791 break; 3791 3792 3792 3793 case 'illegal_names': 3793 3794 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); 3794 3795 if ( is_wp_error( $value ) ) { … … 3796 3797 } else { 3797 3798 if ( ! is_array( $value ) ) 3798 3799 $value = explode( ' ', $value ); 3799 3800 $value = array_values( array_filter( array_map( 'trim', $value ) ) );3801 3802 if ( ! $value )3803 $value = '';3800 3801 $value = array_values( array_filter( array_map( 'trim', $value ) ) ); 3802 3803 if ( ! $value ) 3804 $value = ''; 3804 3805 } 3805 3806 break; 3806 3807 3807 3808 case 'limited_email_domains': 3808 3809 case 'banned_email_domains': 3809 3810 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); … … 3812 3813 } else { 3813 3814 if ( ! is_array( $value ) ) 3814 3815 $value = explode( "\n", $value ); 3815 3816 $domains = array_values( array_filter( array_map( 'trim', $value ) ) ); 3817 $value = array(); 3818 3819 foreach ( $domains as $domain ) { 3820 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) ) { 3821 $value[] = $domain; 3816 3817 $domains = array_values( array_filter( array_map( 'trim', $value ) ) ); 3818 $value = array(); 3819 3820 foreach ( $domains as $domain ) { 3821 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) ) { 3822 $value[] = $domain; 3823 } 3822 3824 } 3823 } 3824 if ( ! $value ) 3825 $value = ''; 3825 if ( ! 
$value ) 3826 $value = ''; 3826 3827 } 3827 3828 break; 3828 3829 3829 3830 case 'timezone_string': 3830 3831 $allowed_zones = timezone_identifiers_list(); 3831 3832 if ( ! in_array( $value, $allowed_zones ) && ! empty( $value ) ) { … … 3832 3833 $error = __( 'The timezone you have entered is not valid. Please select a valid timezone.' ); 3833 3834 } 3834 3835 break; 3835 3836 3836 3837 case 'permalink_structure': 3837 3838 case 'category_base': 3838 3839 case 'tag_base': … … 3844 3845 $value = str_replace( 'http://', '', $value ); 3845 3846 } 3846 3847 break; 3847 3848 3848 3849 case 'default_role' : 3849 3850 if ( ! get_role( $value ) && get_role( 'subscriber' ) ) 3850 3851 $value = 'subscriber'; 3851 break;3852 3852 break; 3853 3853 3854 case 'moderation_keys': 3854 3855 case 'blacklist_keys': 3855 3856 $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); … … 3862 3863 $value = implode( "\n", $value ); 3863 3864 } 3864 3865 break; 3865 } 3866 } 3866 3867 3868 return array( 'value' => $value , 3869 'original_value' => $original_value, 3870 'error' => $error 3871 ); 3872 } 3873 /** 3874 * Sanitises various option values based on the nature of the option. 3875 * @since 2.0.5 3876 * @since 4.6.0 Calls 'wp_validate_default_options' to validate core WordPress default options 3877 * 3878 * @param string $option The name of the option. 3879 * @param string $value The unsanitised value. 3880 * @return string Sanitized value. 3881 */ 3882 function sanitize_option( $option, $value ) { 3883 3884 $result = wp_validate_default_options( $option , $value ); 3885 $error = $result['error']; 3886 $original_value = $result['original_value']; 3887 $value = $result['value']; 3888 3867 3889 if ( ! empty( $error ) ) { 3868 3890 $value = get_option( $option ); 3869 3891 if ( function_exists( 'add_settings_error' ) ) { … … 3885 3907 } 3886 3908 3887 3909 /** 3910 * Sanitises various network option values based on the nature of the option. 
3911 * 3912 * Calls 'wp_validate_default_options' to validate core WordPress default options 3913 * 3914 * If called on a non-multisite mode, it will fallback to sanitize_option function. 3915 * 3916 * @since 4.6 3917 * 3918 * @global wpdb $wpdb WordPress database abstraction object. 3919 * @param int $network_id ID of the network. Can be null to default to the current network ID. 3920 * @param string $option The name of the network option. 3921 * @param string $value The unsanitised network value. 3922 * @return string Sanitized value. 3923 */ 3924 3925 function sanitize_network_option( $network_id, $option, $value ) { 3926 3927 if ( is_multisite() ) { 3928 //Multisite 3929 if ( ! $network_id ) { 3930 global $current_site; 3931 $network_id = $current_site->id; 3932 } 3933 3934 } else { 3935 //Not in multisite, fallback to 'sanitize_option' 3936 return sanitize_option( $option, $value ); 3937 } 3938 3939 $result = wp_validate_default_options( $option , $value ); 3940 3941 /** 3942 * We can add specialized 'case' statement here if needed for sanitizing network options 3943 * that do not match the names of site options that exists in single site mode. 3944 */ 3945 3946 $error = $result['error']; 3947 $original_value = $result['original_value']; 3948 $value = $result['value']; 3949 3950 if ( ! empty( $error ) ) { 3951 $value = get_network_option( $network_id, $option, false ); 3952 if ( function_exists( 'add_settings_error' ) ) { 3953 add_settings_error( $option, "invalid_{$option}", $error ); 3954 } 3955 } 3956 3957 /** 3958 * Filters an network option value following sanitization. 3959 * 3960 * @since 4.6 3961 * @param string $value The sanitized network option value. 3962 * @param string $option The network option name. 3963 * @param string $original_value The original value passed to the function. 
3964 */ 3965 return apply_filters( "sanitize_network_option_{$option}", $value, $option, $original_value ); 3966 3967 } 3968 3969 /** 3888 3970 * Maps a function to all non-iterable elements of an array or an object. 3889 3971 * 3890 3972 * This is similar to `array_walk_recursive()` but acts upon objects too. -
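Review bot: `sanitize_network_option` runs values through `wp_validate_default_options`, whose `blogname`, `siteurl`, `home`, `illegal_names`, `limited_email_domains` and `moderation_keys` cases call `$wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', … )`, while the option.php hunks write the result into `$wpdb->sitemeta`'s `meta_value` column, so the charset/length check is made against a column the network value never reaches. Both columns are presumably longtext with the same charset today, but the check should name the column actually written, either by passing table/column into the validator or by re-checking in `sanitize_network_option` before the filter: `$value = $wpdb->strip_invalid_text_for_column( $wpdb->sitemeta, 'meta_value', $value );` with the `is_wp_error()` handling the other cases already use. Two smaller points: the new `'error' => $error` return relies on `$error` being initialised in the part of the function the hunk elides with `…` (the old `$error = ''` line is not visible — confirm it survived the move), and `sanitize_network_option` dereferences `$current_site->id` without checking the global is set, while its docblock declares `@global wpdb $wpdb` that the body never uses. `wp_validate_default_options` is shown only in fragments here, so cases outside the visible hunks may also need the column fix.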
src/wp-includes/option.php
1239 1239 } 1240 1240 } 1241 1241 1242 $value = sanitize_ option($option, $value );1242 $value = sanitize_network_option( $network_id, $option, $value ); 1243 1243 1244 1244 $serialized_value = maybe_serialize( $value ); 1245 1245 $result = $wpdb->insert( $wpdb->sitemeta, array( 'site_id' => $network_id, 'meta_key' => $option, 'meta_value' => $serialized_value ) ); … … 1437 1437 if ( ! is_multisite() ) { 1438 1438 $result = update_option( $option, $value, 'no' ); 1439 1439 } else { 1440 $value = sanitize_ option($option, $value );1440 $value = sanitize_network_option( $network_id, $option, $value ); 1441 1441 1442 1442 $serialized_value = maybe_serialize( $value ); 1443 1443 $result = $wpdb->update( $wpdb->sitemeta, array( 'meta_value' => $serialized_value ), array( 'site_id' => $network_id, 'meta_key' => $option ) );
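Review bot: On a validation error `sanitize_network_option` substitutes `get_network_option( $network_id, $option, false )`, so in the `add_network_option` hunk (line 1242), where the option does not exist yet, a rejected value becomes `false` and is still passed to `maybe_serialize()` and inserted into `sitemeta` rather than refused. That mirrors what `sanitize_option` does with `get_option()` in single-site mode and may be intended, but the insert path could bail before `$wpdb->insert` when the sanitized value is `false`, e.g. `if ( false === $value ) { return false; }`, or the behaviour should at least be documented on `add_network_option`. Both `add_network_option` and `update_network_option` start and end outside these hunks, so I cannot see whether `$network_id` has already been normalised to the current network before the call.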