Ticket #4546: sanitize_and_filter.diff
File sanitize_and_filter.diff, 19.4 KB (added by , 17 years ago) |
wp-includes/default-filters.php
1 1 <?php 2 2 3 // Some default filters 4 add_filter('bloginfo','wp_specialchars'); 5 add_filter('term_description', 'wptexturize'); 6 add_filter('category_description', 'wptexturize'); 7 add_filter('list_cats', 'wptexturize'); 8 add_filter('comment_author', 'wptexturize'); 9 add_filter('comment_text', 'wptexturize'); 10 add_filter('single_post_title', 'wptexturize'); 11 add_filter('the_title', 'wptexturize'); 12 add_filter('the_content', 'wptexturize'); 13 add_filter('the_excerpt', 'wptexturize'); 14 add_filter('bloginfo', 'wptexturize'); 15 add_filter('pre_kses', 'wp_pre_kses_less_than'); 3 // Strip, trim, kses, special chars for string saves 4 $filters = array('pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target', 5 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name', 6 'pre_user_nickname'); 7 foreach ( $filters as $filter ) { 8 add_filter($filter, 'strip_tags'); 9 add_filter($filter, 'trim'); 10 add_filter($filter, 'wp_filter_kses'); 11 add_filter($filter, 'wp_specialchars', 30); 12 } 16 13 17 // Comments, trackbacks, pingbacks 18 add_filter('pre_comment_author_name', 'strip_tags'); 19 add_filter('pre_comment_author_name', 'trim'); 20 add_filter('pre_comment_author_name', 'wp_specialchars', 30); 14 // Kses only for textarea saves 15 $filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description'); 16 foreach ( $filters as $filter ) { 17 add_filter($filter, 'wp_filter_kses'); 18 } 21 19 22 add_filter('pre_comment_author_email', 'trim'); 23 add_filter('pre_comment_author_email', 'sanitize_email'); 20 // Email 21 $filters = array('pre_comment_author_email', 'pre_user_email'); 22 foreach ( $filters as $filter ) { 23 add_filter($filter, 'trim'); 24 add_filter($filter, 'sanitize_email'); 25 add_filter($filter, 'wp_filter_kses'); 26 } 24 27 25 add_filter('pre_comment_author_url', 'strip_tags'); 26 add_filter('pre_comment_author_url', 'trim'); 27 
add_filter('pre_comment_author_url', 'clean_url'); 28 // URL 29 $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image', 30 'pre_link_rss', 'comment_url'); 31 foreach ( $filters as $filter ) { 32 add_filter($filter, 'strip_tags'); 33 add_filter($filter, 'trim'); 34 add_filter($filter, 'clean_url'); 35 add_filter($filter, 'wp_filter_kses'); 36 } 28 37 29 add_filter('pre_comment_content', 'wp_rel_nofollow', 15);30 add_filter('pre_comment_content', 'balanceTags', 30);31 32 add_filter('pre_comment_author_name', 'wp_filter_kses');33 add_filter('pre_comment_author_email', 'wp_filter_kses');34 add_filter('pre_comment_author_url', 'wp_filter_kses');35 36 add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');37 38 // Default filters for these functions39 add_filter('comment_author', 'wptexturize');40 add_filter('comment_author', 'convert_chars');41 add_filter('comment_author', 'wp_specialchars');42 43 add_filter('comment_email', 'antispambot');44 45 add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);46 47 add_filter('comment_url', 'clean_url');48 49 add_filter('comment_text', 'convert_chars');50 add_filter('comment_text', 'make_clickable', 9);51 add_filter('comment_text', 'force_balance_tags', 25);52 add_filter('comment_text', 'wpautop', 30);53 add_filter('comment_text', 'convert_smilies', 20);54 55 add_filter('comment_excerpt', 'convert_chars');56 57 // Terms58 add_filter('pre_term_name', 'strip_tags');59 add_filter('pre_term_name', 'trim');60 add_filter('pre_term_name', 'wp_filter_kses');61 add_filter('pre_term_name', 'wp_specialchars', 30);62 add_filter('pre_term_description', 'wp_filter_kses');63 64 // Categories65 add_filter('pre_category_name', 'strip_tags');66 add_filter('pre_category_name', 'trim');67 add_filter('pre_category_name', 'wp_filter_kses');68 add_filter('pre_category_name', 'wp_specialchars', 30);69 add_filter('pre_category_description', 'wp_filter_kses');70 71 //Links72 
add_filter('pre_link_name', 'strip_tags');73 add_filter('pre_link_name', 'trim');74 add_filter('pre_link_name', 'wp_filter_kses');75 add_filter('pre_link_name', 'wp_specialchars', 30);76 add_filter('pre_link_description', 'wp_filter_kses');77 add_filter('pre_link_notes', 'wp_filter_kses');78 add_filter('pre_link_url', 'strip_tags');79 add_filter('pre_link_url', 'trim');80 add_filter('pre_link_url', 'clean_url');81 add_filter('pre_link_image', 'strip_tags');82 add_filter('pre_link_image', 'trim');83 add_filter('pre_link_image', 'clean_url');84 add_filter('pre_link_rss', 'strip_tags');85 add_filter('pre_link_rss', 'trim');86 add_filter('pre_link_rss', 'clean_url');87 add_filter('pre_link_target', 'strip_tags');88 add_filter('pre_link_target', 'trim');89 add_filter('pre_link_target', 'wp_filter_kses');90 add_filter('pre_link_target', 'wp_specialchars', 30);91 add_filter('pre_link_rel', 'strip_tags');92 add_filter('pre_link_rel', 'trim');93 add_filter('pre_link_rel', 'wp_filter_kses');94 add_filter('pre_link_rel', 'wp_specialchars', 30);95 96 // Users97 add_filter('pre_user_display_name', 'strip_tags');98 add_filter('pre_user_display_name', 'trim');99 add_filter('pre_user_display_name', 'wp_filter_kses');100 add_filter('pre_user_display_name', 'wp_specialchars', 30);101 add_filter('pre_user_first_name', 'strip_tags');102 add_filter('pre_user_first_name', 'trim');103 add_filter('pre_user_first_name', 'wp_filter_kses');104 add_filter('pre_user_first_name', 'wp_specialchars', 30);105 add_filter('pre_user_last_name', 'strip_tags');106 add_filter('pre_user_last_name', 'trim');107 add_filter('pre_user_last_name', 'wp_filter_kses');108 add_filter('pre_user_last_name', 'wp_specialchars', 30);109 add_filter('pre_user_nickname', 'strip_tags');110 add_filter('pre_user_nickname', 'trim');111 add_filter('pre_user_nickname', 'wp_filter_kses');112 add_filter('pre_user_nickname', 'wp_specialchars', 30);113 add_filter('pre_user_description', 'trim');114 
add_filter('pre_user_description', 'wp_filter_kses');115 add_filter('pre_user_url', 'strip_tags');116 add_filter('pre_user_url', 'trim');117 add_filter('pre_user_url', 'clean_url');118 add_filter('pre_user_email', 'trim');119 add_filter('pre_user_email', 'sanitize_email');120 121 38 // Places to balance tags on input 122 add_filter('content_save_pre', 'balanceTags', 50); 123 add_filter('excerpt_save_pre', 'balanceTags', 50); 124 add_filter('comment_save_pre', 'balanceTags', 50); 39 $filters = array('content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content'); 40 foreach ( $filters as $filter ) { 41 add_filter( $filter, 'balanceTags', 50); 42 } 125 43 126 // Misc. title, content, and excerpt filters 44 // Format strings for display. 45 $filters = array('comment_author', 'term_name', 'term_description', 'link_name', 'link_description', 46 'link_notes', 'bloginfo'); 47 foreach ( $filters as $filter ) { 48 add_filter($filter, 'wptexturize'); 49 add_filter($filter, 'convert_chars'); 50 add_filter($filter, 'wp_specialchars'); 51 } 52 53 // Display filters 54 add_filter('the_title', 'wptexturize'); 127 55 add_filter('the_title', 'convert_chars'); 128 56 add_filter('the_title', 'trim'); 129 57 58 add_filter('the_content', 'wptexturize'); 130 59 add_filter('the_content', 'convert_smilies'); 131 60 add_filter('the_content', 'convert_chars'); 132 61 add_filter('the_content', 'wpautop'); 133 62 63 add_filter('the_excerpt', 'wptexturize'); 134 64 add_filter('the_excerpt', 'convert_smilies'); 135 65 add_filter('the_excerpt', 'convert_chars'); 136 66 add_filter('the_excerpt', 'wpautop'); 137 67 add_filter('get_the_excerpt', 'wp_trim_excerpt'); 138 68 139 add_filter('sanitize_title', 'sanitize_title_with_dashes'); 69 add_filter('comment_text', 'wptexturize'); 70 add_filter('comment_text', 'convert_chars'); 71 add_filter('comment_text', 'make_clickable', 9); 72 add_filter('comment_text', 'force_balance_tags', 25); 73 add_filter('comment_text', 
'convert_smilies', 20); 74 add_filter('comment_text', 'wpautop', 30); 140 75 76 add_filter('comment_excerpt', 'convert_chars'); 77 78 add_filter('list_cats', 'wptexturize'); 79 add_filter('single_post_title', 'wptexturize'); 80 141 81 // RSS filters 142 82 add_filter('the_title_rss', 'strip_tags'); 143 83 add_filter('the_title_rss', 'ent2ncr', 8); … … 146 86 add_filter('the_excerpt_rss', 'convert_chars'); 147 87 add_filter('the_excerpt_rss', 'ent2ncr', 8); 148 88 add_filter('comment_author_rss', 'ent2ncr', 8); 149 add_filter('comment_text_rss', 'wp_specialchars');150 89 add_filter('comment_text_rss', 'ent2ncr', 8); 90 add_filter('comment_text_rss', 'wp_specialchars'); 151 91 add_filter('bloginfo_rss', 'ent2ncr', 8); 152 92 add_filter('the_author', 'ent2ncr', 8); 153 93 … … 158 98 add_filter('option_siteurl', '_config_wp_siteurl'); 159 99 add_filter('mce_plugins', '_mce_load_rtl_plugin'); 160 100 add_filter('mce_buttons', '_mce_add_direction_buttons'); 101 add_filter('pre_kses', 'wp_pre_kses_less_than'); 102 add_filter('sanitize_title', 'sanitize_title_with_dashes'); 103 add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3); 104 add_filter('pre_comment_content', 'wp_rel_nofollow', 15); 105 add_filter('comment_email', 'antispambot'); 161 106 162 // Redirect Old Slugs163 add_action('template_redirect', 'wp_old_slug_redirect');164 add_action('edit_post', 'wp_check_for_changed_slugs');165 add_action('edit_form_advanced', 'wp_remember_old_slug');166 167 107 // Actions 168 108 add_action('wp_head', 'rsd_link'); 169 109 add_action('wp_head', 'locale_stylesheet'); … … 189 129 add_action('future_page', '_future_post_hook', 5, 2); 190 130 add_action('save_post', '_save_post_hook', 5, 2); 191 131 add_action('transition_post_status', '_transition_post_status', 5, 3); 132 add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce'); 133 // Redirect Old Slugs 134 add_action('template_redirect', 'wp_old_slug_redirect'); 135 add_action('edit_post', 
'wp_check_for_changed_slugs'); 136 add_action('edit_form_advanced', 'wp_remember_old_slug'); 192 137 193 138 ?> 139 No newline at end of file -
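Review bot: The `$filters` / `$filter` loop variables in the new "Strip, trim, kses", "Kses only", "Email", "URL", "balance tags" and "Format strings" groups stay defined at file scope, and since this file is included from global scope they become globals with very generic names that other code may collide with; add `unset($filters, $filter);` after the last loop or use a more specific name such as `$_wp_default_filters`. The rewrite also drops `trim` from `pre_user_description` (the old line 113 registered it) because the "Kses only for textarea saves" group registers only `wp_filter_kses`; if that is not intended, add `add_filter($filter, 'trim');` to that loop. The old `pre_category_name` / `pre_category_description` registrations (old lines 64–69) disappear with no replacement in this file, so if anything still saves categories through those hooks it now receives unfiltered input — worth confirming against the callers.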
wp-includes/bookmark.php
1 1 <?php 2 2 3 function get_bookmark($bookmark_id, $output = OBJECT ) {3 function get_bookmark($bookmark_id, $output = OBJECT, $filter = 'raw') { 4 4 global $wpdb; 5 5 6 6 $bookmark_id = (int) $bookmark_id; 7 7 $link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id'"); 8 8 $link->link_category = wp_get_link_cats($bookmark_id); 9 9 10 $link = sanitize_bookmark($link, $filter); 11 10 12 if ( $output == OBJECT ) { 11 13 return $link; 12 14 } elseif ( $output == ARRAY_A ) { … … 142 144 return apply_filters('get_bookmarks', $results, $r); 143 145 } 144 146 147 function sanitize_bookmark($bookmark, $context = 'display') { 148 $fields = array('link_id', 'link_url', 'link_name', 'link_image', 'link_target', 'link_category', 149 'link_description', 'link_visible', 'link_owner', 'link_rating', 'link_updated', 150 'link_rel', 'link_notes', 'link_rss', ); 151 152 $do_object = false; 153 if ( is_object($bookmark) ) 154 $do_object = true; 155 156 foreach ( $fields as $field ) { 157 if ( $do_object ) 158 $bookmark->$field = sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context); 159 else 160 $bookmark[$field] = sanitize_bookmark_field($field, $bookmark[$field], $bookmark['link_id'], $context); 161 } 162 163 return $bookmark; 164 } 165 166 function sanitize_bookmark_field($field, $value, $bookmark_id, $context) { 167 $int_fields = array('link_id', 'link_rating'); 168 if ( in_array($field, $int_fields) ) 169 $value = (int) $value; 170 171 $yesno = array('link_visible'); 172 if ( in_array($field, $yesno) ) 173 $value = preg_replace('/[^YNyn]/', '', $value); 174 175 if ( 'link_target' == $field ) { 176 $targets = array('_top', '_blank'); 177 if ( ! 
in_array($value, $targets) ) 178 $value = ''; 179 } 180 181 if ( 'raw' == $context ) 182 return $value; 183 184 if ( 'edit' == $context ) { 185 $format_to_edit = array('link_notes'); 186 $value = apply_filters("edit_$field", $value, $bookmark_id); 187 188 if ( in_array($field, $format_to_edit) ) { 189 $value = format_to_edit($value); 190 } else { 191 $value = attribute_escape($value); 192 } 193 } else if ( 'db' == $context ) { 194 $value = apply_filters("pre_$field", $value); 195 } else { 196 // Use display filters by default. 197 $value = apply_filters($field, $value, $bookmark_id, $context); 198 } 199 200 if ( 'attribute' == $context ) 201 $value = attribute_escape($value); 202 else if ( 'js' == $context ) 203 $value = js_escape($value); 204 205 return $value; 206 } 207 145 208 function delete_get_bookmark_cache() { 146 209 wp_cache_delete( 'get_bookmarks', 'bookmark' ); 147 210 } -
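Review bot: `$int_fields` in sanitize_bookmark_field casts only `link_id` and `link_rating`, but `link_owner` is also an integer column and the `(int) $link_owner` cast that wp_insert_link used to apply is deleted in this same patch, so on the 'db' path an owner id now reaches the later query unchanged; make it `$int_fields = array('link_id', 'link_rating', 'link_owner');`. sanitize_bookmark also reads every entry of `$fields` unconditionally, so a partial array such as the defaults-filled `$linkdata` in wp_insert_link raises undefined-index notices and feeds null into the `pre_*` filters; guard with `if ( ! isset($bookmark[$field]) ) continue;` (and the object equivalent) or require the full field set before sanitizing. The `in_array` checks against `$int_fields`, `$yesno` and `$targets` should pass `true` as the third argument so a non-string value cannot loosely match a whitelist entry.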
wp-includes/taxonomy.php
229 229 * This won't appear but just a note to say that this is all conjecture and parts or whole 230 230 * might be inaccurate or wrong. 231 231 */ 232 function &get_term(&$term, $taxonomy, $output = OBJECT ) {232 function &get_term(&$term, $taxonomy, $output = OBJECT, $filter = 'raw') { 233 233 global $wpdb; 234 234 235 235 if ( empty($term) ) … … 251 251 252 252 $_term = apply_filters('get_term', $_term, $taxonomy); 253 253 $_term = apply_filters("get_$taxonomy", $_term, $taxonomy); 254 $_term = sanitize_term($_term, $taxonomy, $filter); 254 255 255 256 if ( $output == OBJECT ) { 256 257 return $_term; … … 559 560 } 560 561 561 562 function sanitize_term($term, $taxonomy, $context = 'display') { 562 $fields = array('term_id', 'name', 'description', 'slug', 'count', ' term_group');563 $fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group'); 563 564 564 565 $do_object = false; 565 566 if ( is_object($term) ) -
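Review bot: `$_term = sanitize_term($_term, $taxonomy, $filter);` in get_term operates on the object retrieved earlier in the function (above the hunk); if that object is a cache hit, PHP 5 passes objects by handle, so in-place field assignments inside sanitize_term would write the context-escaped values back into the cached copy, and a later caller asking for 'raw' or 'edit' would receive display-escaped data while a second 'display' caller gets it filtered twice. If `$_term` can come from the object cache, copy it before sanitizing (build a fresh object/array from the fields rather than assigning into the instance) or have sanitize_term construct and return a new value. The body of sanitize_term continues outside the hunk, so I cannot confirm whether it already copies; adding `'parent'` to `$fields` otherwise looks right.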
wp-includes/post.php
477 477 } 478 478 } else { 479 479 // Use display filters by default. 480 $value = apply_filters("post_$field", $value, $post_id, $context); 480 if ( $prefixed ) 481 $value = apply_filters($field, $value, $post_id, $context); 482 else 483 $value = apply_filters("post_$field", $value, $post_id, $context); 481 484 } 482 485 483 486 if ( 'attribute' == $context ) -
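Review bot: The new `if ( $prefixed )` branch carries no comment and `$prefixed` is set outside the hunk, so a reader cannot tell that it exists to avoid turning a field already named `post_*` into a `post_post_*` hook; add above the `if`: `// Fields already named post_* hook to their own name; unprefixed ones get the post_ prefix.` If the 'edit' and 'db' branches above the hunk still build `"edit_$field"` / `"pre_$field"` from the raw field name, they would need the same treatment for consistency — worth confirming. The enclosing function (presumably sanitize_post_field) starts and ends outside the hunk.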
wp-admin/includes/bookmark.php
60 60 } 61 61 62 62 function get_link_to_edit( $link_id ) { 63 $link = get_link( $link_id ); 64 65 $link->link_url = clean_url($link->link_url); 66 $link->link_name = attribute_escape($link->link_name); 67 $link->link_image = attribute_escape($link->link_image); 68 $link->link_description = attribute_escape($link->link_description); 69 $link->link_rss = clean_url($link->link_rss); 70 $link->link_rel = attribute_escape($link->link_rel); 71 $link->link_notes = wp_specialchars($link->link_notes); 72 $link->post_category = $link->link_category; 73 74 return $link; 63 return get_link( $link_id, OBJECT, 'edit' ); 75 64 } 76 65 77 66 function wp_insert_link($linkdata) { 78 67 global $wpdb, $current_user; 79 68 69 $defaults = array('link_id' => 0, 'link_name' => '', 'link_url' => '', 'link_rating' => 0 ); 70 71 $linkdata = wp_parse_args($linkdata, $defaults); 72 $linkdata = sanitize_bookmark($linkdata, 'db'); 73 80 74 extract($linkdata, EXTR_SKIP); 81 75 82 76 $update = false; … … 84 78 if ( !empty($link_id) ) 85 79 $update = true; 86 80 87 $link_id = (int) $link_id; 88 89 if( trim( $link_name ) == '' ) 81 if ( trim( $link_name ) == '' ) 90 82 return 0; 91 $link_name = apply_filters('pre_link_name', $link_name);92 83 93 if ( trim( $link_url ) == '' )84 if ( trim( $link_url ) == '' ) 94 85 return 0; 95 $link_url = apply_filters('pre_link_url', $link_url);96 86 97 87 if ( empty($link_rating) ) 98 88 $link_rating = 0; 99 else100 $link_rating = (int) $link_rating;101 89 102 90 if ( empty($link_image) ) 103 91 $link_image = ''; 104 $link_image = apply_filters('pre_link_image', $link_image);105 92 106 93 if ( empty($link_target) ) 107 94 $link_target = ''; 108 $link_target = apply_filters('pre_link_target', $link_target);109 95 110 96 if ( empty($link_visible) ) 111 97 $link_visible = 'Y'; 112 $link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);113 98 114 99 if ( empty($link_owner) ) 115 100 $link_owner = $current_user->id; 116 else117 $link_owner = (int) 
$link_owner;118 101 119 102 if ( empty($link_notes) ) 120 103 $link_notes = ''; 121 $link_notes = apply_filters('pre_link_notes', $link_notes);122 104 123 105 if ( empty($link_description) ) 124 106 $link_description = ''; 125 $link_description = apply_filters('pre_link_description', $link_description);126 107 127 108 if ( empty($link_rss) ) 128 109 $link_rss = ''; 129 $link_rss = apply_filters('pre_link_rss', $link_rss);130 110 131 111 if ( empty($link_rel) ) 132 112 $link_rel = ''; 133 $link_rel = apply_filters('pre_link_rel', $link_rel);134 113 135 114 // Make sure we set a valid category 136 115 if (0 == count($link_category) || !is_array($link_category)) { -
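Review bot: get_link_to_edit no longer sets `$link->post_category = $link->link_category;` (old line 72), and if the link edit form still reads `post_category` for its category checklist (not visible here) the edit screen would show nothing selected; either restore it, `$link = get_link( $link_id, OBJECT, 'edit' ); $link->post_category = $link->link_category; return $link;`, or confirm that the form was switched to `link_category`. In wp_insert_link, `$defaults` supplies only four keys but `sanitize_bookmark($linkdata, 'db')` reads all fourteen bookmark fields, so a caller passing only the required fields triggers undefined-index notices and null values for the rest; extend `$defaults` with the remaining fields from sanitize_bookmark's `$fields` list (`''`, `0` or `array()` as appropriate) or make sanitize_bookmark skip absent keys. `get_link()` must also accept the new third argument; its definition is not in this diff.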
wp-admin/includes/upgrade.php
538 538 539 539 // Associate terms with the same slug in a term group and make slugs unique. 540 540 if ( $exists = $wpdb->get_results("SELECT term_id, term_group FROM $wpdb->terms WHERE slug = '$slug'") ) { 541 $num = count($exists);542 $num++;543 $slug = $slug . "-$num";544 541 $term_group = $exists[0]->term_group; 545 542 $id = $exists[0]->term_id; 543 $num = 2; 544 do { 545 $alt_slug = $slug . "-$num"; 546 $num++; 547 $slug_check = wpdb->get_var("SELECT slug FROM $wpdb->terms WHERE slug = '$alt_slug'"); 548 } while ( $slug_check ); 549 550 $slug = $alt_slug; 551 546 552 if ( empty( $term_group ) ) { 547 553 $term_group = $wpdb->get_var("SELECT MAX(term_group) FROM $wpdb->terms GROUP BY term_group") + 1; 548 554 $wpdb->query("UPDATE $wpdb->terms SET term_group = '$term_group' WHERE term_id = '$id'"); -
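Review bot: New line 547 calls `wpdb->get_var(...)` without the `$`, which is not a call on the global `$wpdb` and will fail rather than check the slug; it should read `$slug_check = $wpdb->get_var("SELECT slug FROM $wpdb->terms WHERE slug = '$alt_slug'");`. `$alt_slug` is interpolated straight into SQL; if `$slug` is not already escaped above the hunk (its origin is not visible here), pass it through `$wpdb->escape()` first — the existing query on line 540 carries the same assumption. The `do … while ( $slug_check )` loop terminates because `$num` increments each pass, but note the first candidate is now `-2` where the old code produced `-(count+1)`, so slugs generated by the previous version are not reproduced identically on re-run.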
wp-admin/link-manager.php
80 80 $select_cat = "<select name=\"cat_id\">\n"; 81 81 $select_cat .= '<option value="all"' . (($cat_id == 'all') ? " selected='selected'" : '') . '>' . __('All') . "</option>\n"; 82 82 foreach ((array) $categories as $cat) 83 $select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . wp_specialchars(apply_filters('link_category', $cat->name)) . "</option>\n";83 $select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . sanitize_term_field('name', $cat->name, $cat->term_id, 'link_category', 'display') . "</option>\n"; 84 84 $select_cat .= "</select>\n"; 85 85 86 86 $select_order = "<select name=\"order_by\">\n"; … … 131 131 <tbody id="the-list"> 132 132 <?php 133 133 foreach ($links as $link) { 134 $link->link_name = attribute_escape(apply_filters('link_title', $link->link_name)); 135 $link->link_description = wp_specialchars(apply_filters('link_description', $link->link_description)); 136 $link->link_url = clean_url($link->link_url); 134 $link = sanitize_bookmark($link); 135 $link->link_name = attribute_escape($link->link_name); 137 136 $link->link_category = wp_get_link_cats($link->link_id); 138 137 $short_url = str_replace('http://', '', $link->link_url); 139 138 $short_url = str_replace('www.', '', $short_url); … … 159 158 ?><td><?php 160 159 $cat_names = array(); 161 160 foreach ($link->link_category as $category) { 162 $cat = get_term($category, 'link_category' );163 $cat_name = wp_specialchars(apply_filters('link_category', $cat->name));161 $cat = get_term($category, 'link_category', OBJECT, 'display'); 162 $cat_name = sanitize_term_field('name', $cat->name, $cat->term_id, 'link_category', 'display'); 164 163 if ( $cat_id != $category ) 165 164 $cat_name = "<a href='link-manager.php?cat_id=$category'>$cat_name</a>"; 166 165 $cat_names[] = $cat_name;
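Review bot: After `$link = sanitize_bookmark($link);` (display context) the loop still calls `attribute_escape($link->link_name)`, so link_name is escaped a second time when the `link_name` display filters already include `wp_specialchars` (as default-filters.php registers them in this patch); whether that produces `&amp;amp;`-style output depends on wp_specialchars' handling of existing entities, which is not visible here, so check the rendered list with a name containing `&`. The category name is now produced by `sanitize_term_field('name', …, 'display')`, which means its HTML-safety in the `<option>` and link table rests on a `wp_specialchars` filter being registered on `term_name` rather than on the explicit `wp_specialchars()` call the old code had; a plugin that removes or reorders that filter leaves `$cat_name` unescaped, so consider keeping an explicit escape at the output point. The `link_category` filter hook is also dropped without replacement, which plugins may rely on.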