
Ticket #4546: sanitize_and_filter.diff

File sanitize_and_filter.diff, 19.4 KB (added by ryan, 11 years ago)

Add sanitize_bookmark_field; cleanup default filters

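--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -1,143 +1,83 @@
 <?php
 
-// Some default filters
-add_filter('bloginfo','wp_specialchars');
-add_filter('term_description', 'wptexturize');
-add_filter('category_description', 'wptexturize');
-add_filter('list_cats', 'wptexturize');
-add_filter('comment_author', 'wptexturize');
-add_filter('comment_text', 'wptexturize');
-add_filter('single_post_title', 'wptexturize');
-add_filter('the_title', 'wptexturize');
-add_filter('the_content', 'wptexturize');
-add_filter('the_excerpt', 'wptexturize');
-add_filter('bloginfo', 'wptexturize');
-add_filter('pre_kses', 'wp_pre_kses_less_than');
+// Strip, trim, kses, special chars for string saves
+$filters = array('pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target',
+        'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name',
+        'pre_user_nickname');
+foreach ( $filters as $filter ) {
+        add_filter($filter, 'strip_tags');
+        add_filter($filter, 'trim');
+        add_filter($filter, 'wp_filter_kses');
+        add_filter($filter, 'wp_specialchars', 30);
+}
 
-// Comments, trackbacks, pingbacks
-add_filter('pre_comment_author_name', 'strip_tags');
-add_filter('pre_comment_author_name', 'trim');
-add_filter('pre_comment_author_name', 'wp_specialchars', 30);
+// Kses only for textarea saves
+$filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description');
+foreach ( $filters as $filter ) {
+        add_filter($filter, 'wp_filter_kses');
+}
 
-add_filter('pre_comment_author_email', 'trim');
-add_filter('pre_comment_author_email', 'sanitize_email');
+// Email
+$filters = array('pre_comment_author_email', 'pre_user_email');
+foreach ( $filters as $filter ) {
+        add_filter($filter, 'trim');
+        add_filter($filter, 'sanitize_email');
+        add_filter($filter, 'wp_filter_kses');
+}
 
-add_filter('pre_comment_author_url', 'strip_tags');
-add_filter('pre_comment_author_url', 'trim');
-add_filter('pre_comment_author_url', 'clean_url');
+// URL
+$filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
+        'pre_link_rss', 'comment_url');
+foreach ( $filters as $filter ) {
+        add_filter($filter, 'strip_tags');
+        add_filter($filter, 'trim');
+        add_filter($filter, 'clean_url');
+        add_filter($filter, 'wp_filter_kses');
+}
 
-add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
-add_filter('pre_comment_content', 'balanceTags', 30);
-
-add_filter('pre_comment_author_name', 'wp_filter_kses');
-add_filter('pre_comment_author_email', 'wp_filter_kses');
-add_filter('pre_comment_author_url', 'wp_filter_kses');
-
-add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
-
-// Default filters for these functions
-add_filter('comment_author', 'wptexturize');
-add_filter('comment_author', 'convert_chars');
-add_filter('comment_author', 'wp_specialchars');
-
-add_filter('comment_email', 'antispambot');
-
-add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
-
-add_filter('comment_url', 'clean_url');
-
-add_filter('comment_text', 'convert_chars');
-add_filter('comment_text', 'make_clickable', 9);
-add_filter('comment_text', 'force_balance_tags', 25);
-add_filter('comment_text', 'wpautop', 30);
-add_filter('comment_text', 'convert_smilies', 20);
-
-add_filter('comment_excerpt', 'convert_chars');
-
-// Terms
-add_filter('pre_term_name', 'strip_tags');
-add_filter('pre_term_name', 'trim');
-add_filter('pre_term_name', 'wp_filter_kses');
-add_filter('pre_term_name', 'wp_specialchars', 30);
-add_filter('pre_term_description', 'wp_filter_kses');
-
-// Categories
-add_filter('pre_category_name', 'strip_tags');
-add_filter('pre_category_name', 'trim');
-add_filter('pre_category_name', 'wp_filter_kses');
-add_filter('pre_category_name', 'wp_specialchars', 30);
-add_filter('pre_category_description', 'wp_filter_kses');
-
-//Links
-add_filter('pre_link_name', 'strip_tags');
-add_filter('pre_link_name', 'trim');
-add_filter('pre_link_name', 'wp_filter_kses');
-add_filter('pre_link_name', 'wp_specialchars', 30);
-add_filter('pre_link_description', 'wp_filter_kses');
-add_filter('pre_link_notes', 'wp_filter_kses');
-add_filter('pre_link_url', 'strip_tags');
-add_filter('pre_link_url', 'trim');
-add_filter('pre_link_url', 'clean_url');
-add_filter('pre_link_image', 'strip_tags');
-add_filter('pre_link_image', 'trim');
-add_filter('pre_link_image', 'clean_url');
-add_filter('pre_link_rss', 'strip_tags');
-add_filter('pre_link_rss', 'trim');
-add_filter('pre_link_rss', 'clean_url');
-add_filter('pre_link_target', 'strip_tags');
-add_filter('pre_link_target', 'trim');
-add_filter('pre_link_target', 'wp_filter_kses');
-add_filter('pre_link_target', 'wp_specialchars', 30);
-add_filter('pre_link_rel', 'strip_tags');
-add_filter('pre_link_rel', 'trim');
-add_filter('pre_link_rel', 'wp_filter_kses');
-add_filter('pre_link_rel', 'wp_specialchars', 30);
-
-// Users
-add_filter('pre_user_display_name', 'strip_tags');
-add_filter('pre_user_display_name', 'trim');
-add_filter('pre_user_display_name', 'wp_filter_kses');
-add_filter('pre_user_display_name', 'wp_specialchars', 30);
-add_filter('pre_user_first_name', 'strip_tags');
-add_filter('pre_user_first_name', 'trim');
-add_filter('pre_user_first_name', 'wp_filter_kses');
-add_filter('pre_user_first_name', 'wp_specialchars', 30);
-add_filter('pre_user_last_name', 'strip_tags');
-add_filter('pre_user_last_name', 'trim');
-add_filter('pre_user_last_name', 'wp_filter_kses');
-add_filter('pre_user_last_name', 'wp_specialchars', 30);
-add_filter('pre_user_nickname', 'strip_tags');
-add_filter('pre_user_nickname', 'trim');
-add_filter('pre_user_nickname', 'wp_filter_kses');
-add_filter('pre_user_nickname', 'wp_specialchars', 30);
-add_filter('pre_user_description', 'trim');
-add_filter('pre_user_description', 'wp_filter_kses');
-add_filter('pre_user_url', 'strip_tags');
-add_filter('pre_user_url', 'trim');
-add_filter('pre_user_url', 'clean_url');
-add_filter('pre_user_email', 'trim');
-add_filter('pre_user_email', 'sanitize_email');
-
 // Places to balance tags on input
-add_filter('content_save_pre', 'balanceTags', 50);
-add_filter('excerpt_save_pre', 'balanceTags', 50);
-add_filter('comment_save_pre', 'balanceTags', 50);
+$filters = array('content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content');
+foreach ( $filters as $filter ) {
+        add_filter( $filter, 'balanceTags', 50);
+}
 
-// Misc. title, content, and excerpt filters
+// Format strings for display.
+$filters = array('comment_author', 'term_name', 'term_description', 'link_name', 'link_description',
+        'link_notes', 'bloginfo');
+foreach ( $filters as $filter ) {
+        add_filter($filter, 'wptexturize');
+        add_filter($filter, 'convert_chars');
+        add_filter($filter, 'wp_specialchars');
+}
+
+// Display filters
+add_filter('the_title', 'wptexturize');
 add_filter('the_title', 'convert_chars');
 add_filter('the_title', 'trim');
 
+add_filter('the_content', 'wptexturize');
 add_filter('the_content', 'convert_smilies');
 add_filter('the_content', 'convert_chars');
 add_filter('the_content', 'wpautop');
 
+add_filter('the_excerpt', 'wptexturize');
 add_filter('the_excerpt', 'convert_smilies');
 add_filter('the_excerpt', 'convert_chars');
 add_filter('the_excerpt', 'wpautop');
 add_filter('get_the_excerpt', 'wp_trim_excerpt');
 
-add_filter('sanitize_title', 'sanitize_title_with_dashes');
+add_filter('comment_text', 'wptexturize');
+add_filter('comment_text', 'convert_chars');
+add_filter('comment_text', 'make_clickable', 9);
+add_filter('comment_text', 'force_balance_tags', 25);
+add_filter('comment_text', 'convert_smilies', 20);
+add_filter('comment_text', 'wpautop', 30);
 
+add_filter('comment_excerpt', 'convert_chars');
+
+add_filter('list_cats', 'wptexturize');
+add_filter('single_post_title', 'wptexturize');
+
 // RSS filters
 add_filter('the_title_rss', 'strip_tags');
 add_filter('the_title_rss', 'ent2ncr', 8);
@@ -146,8 +86,8 @@
 add_filter('the_excerpt_rss', 'convert_chars');
 add_filter('the_excerpt_rss', 'ent2ncr', 8);
 add_filter('comment_author_rss', 'ent2ncr', 8);
-add_filter('comment_text_rss', 'wp_specialchars');
 add_filter('comment_text_rss', 'ent2ncr', 8);
+add_filter('comment_text_rss', 'wp_specialchars');
 add_filter('bloginfo_rss', 'ent2ncr', 8);
 add_filter('the_author', 'ent2ncr', 8);
 
@@ -158,12 +98,12 @@
 add_filter('option_siteurl', '_config_wp_siteurl');
 add_filter('mce_plugins', '_mce_load_rtl_plugin');
 add_filter('mce_buttons', '_mce_add_direction_buttons');
+add_filter('pre_kses', 'wp_pre_kses_less_than');
+add_filter('sanitize_title', 'sanitize_title_with_dashes');
+add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
+add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
+add_filter('comment_email', 'antispambot');
 
-// Redirect Old Slugs
-add_action('template_redirect', 'wp_old_slug_redirect');
-add_action('edit_post', 'wp_check_for_changed_slugs');
-add_action('edit_form_advanced', 'wp_remember_old_slug');
-
 // Actions
 add_action('wp_head', 'rsd_link');
 add_action('wp_head', 'locale_stylesheet');
@@ -189,5 +129,10 @@
 add_action('future_page', '_future_post_hook', 5, 2);
 add_action('save_post', '_save_post_hook', 5, 2);
 add_action('transition_post_status', '_transition_post_status', 5, 3);
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+// Redirect Old Slugs
+add_action('template_redirect', 'wp_old_slug_redirect');
+add_action('edit_post', 'wp_check_for_changed_slugs');
+add_action('edit_form_advanced', 'wp_remember_old_slug');
 
 ?>
\ No newline at end of file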
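Review bot: The `pre_category_name` and `pre_category_description` save-side filters (old lines 65-69: strip_tags, trim, wp_filter_kses, wp_specialchars) are deleted with no counterpart in the new `$filters` groups, so any code path that still applies `pre_category_name` before a write would store the value unsanitized unless category saves have been fully moved to the `pre_term_*` hooks; worth confirming before landing. `pre_user_description` likewise loses its `trim` (old line 113), since the textarea group at new lines 14-18 registers only `wp_filter_kses`. Because this file executes at top level, `$filters` and `$filter` persist as globals after the last loop; ending the file with `unset($filters, $filter);` avoids a collision with plugin or theme code that happens to use the same names.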
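--- a/wp-includes/bookmark.php
+++ b/wp-includes/bookmark.php
@@ -1,12 +1,14 @@
 <?php
 
-function get_bookmark($bookmark_id, $output = OBJECT) {
+function get_bookmark($bookmark_id, $output = OBJECT, $filter = 'raw') {
         global $wpdb;
 
         $bookmark_id = (int) $bookmark_id;
         $link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id'");
         $link->link_category = wp_get_link_cats($bookmark_id);
 
+        $link = sanitize_bookmark($link, $filter);
+       
         if ( $output == OBJECT ) {
                 return $link;
         } elseif ( $output == ARRAY_A ) {
@@ -142,6 +144,67 @@
         return apply_filters('get_bookmarks', $results, $r);
 }
 
+function sanitize_bookmark($bookmark, $context = 'display') {
+        $fields = array('link_id', 'link_url', 'link_name', 'link_image', 'link_target', 'link_category',
+                'link_description', 'link_visible', 'link_owner', 'link_rating', 'link_updated',
+                'link_rel', 'link_notes', 'link_rss', );
+
+        $do_object = false;
+        if ( is_object($bookmark) )
+                $do_object = true;
+
+        foreach ( $fields as $field ) {
+                if ( $do_object )
+                        $bookmark->$field = sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context);
+                else
+                        $bookmark[$field] = sanitize_bookmark_field($field, $bookmark[$field], $bookmark['link_id'], $context);
+        }
+
+        return $bookmark;
+}
+
+function sanitize_bookmark_field($field, $value, $bookmark_id, $context) {
+        $int_fields = array('link_id', 'link_rating');
+        if ( in_array($field, $int_fields) )
+                $value = (int) $value;
+
+        $yesno = array('link_visible');
+        if ( in_array($field, $yesno) )
+                $value = preg_replace('/[^YNyn]/', '', $value);
+
+        if ( 'link_target' == $field ) {
+                $targets = array('_top', '_blank');
+                if ( ! in_array($value, $targets) )
+                        $value = '';           
+        }
+
+        if ( 'raw' == $context )
+                return $value;
+
+        if ( 'edit' == $context ) {
+                $format_to_edit = array('link_notes');
+                $value = apply_filters("edit_$field", $value, $bookmark_id);
+
+                if ( in_array($field, $format_to_edit) ) {
+                        $value = format_to_edit($value);
+                } else {
+                        $value = attribute_escape($value);
+                }
+        } else if ( 'db' == $context ) {
+                $value = apply_filters("pre_$field", $value);
+        } else {
+                // Use display filters by default.
+                $value = apply_filters($field, $value, $bookmark_id, $context);
+        }
+
+        if ( 'attribute' == $context )
+                $value = attribute_escape($value);
+        else if ( 'js' == $context )
+                $value = js_escape($value);
+
+        return $value;
+}
+
 function delete_get_bookmark_cache() {
         wp_cache_delete( 'get_bookmarks', 'bookmark' );
 }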
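Review bot: The `'edit'` branch of `sanitize_bookmark_field` applies only the `edit_$field` filter and `attribute_escape`, so `link_url`, `link_image` and `link_rss` lose the `clean_url` pass that the removed `get_link_to_edit` body performed, unless an `edit_link_url` filter is registered elsewhere (none is added in this patch's default-filters hunk). A URL normalisation before the escape would restore it: `if ( in_array($field, array('link_url', 'link_image', 'link_rss')) ) $value = clean_url($value);`. `link_category` is an array (set from `wp_get_link_cats` in `get_bookmark`), yet the display context hands it to `apply_filters('link_category', ...)`, a hook that link-manager.php previously called with a category name string, so existing callbacks on that hook will now receive an array. `sanitize_bookmark` also reads every listed field unconditionally, so a partial array such as the `$linkdata` passed from `wp_insert_link` produces undefined-index notices; an `isset` guard before each assignment would avoid that.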
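--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -229,7 +229,7 @@
  *      This won't appear but just a note to say that this is all conjecture and parts or whole
  *      might be inaccurate or wrong.
  */
-function &get_term(&$term, $taxonomy, $output = OBJECT) {
+function &get_term(&$term, $taxonomy, $output = OBJECT, $filter = 'raw') {
         global $wpdb;
 
         if ( empty($term) )
@@ -251,6 +251,7 @@
 
         $_term = apply_filters('get_term', $_term, $taxonomy);
         $_term = apply_filters("get_$taxonomy", $_term, $taxonomy);
+        $_term = sanitize_term($_term, $taxonomy, $filter);
 
         if ( $output == OBJECT ) {
                 return $_term;
@@ -559,7 +560,7 @@
 }
 
 function sanitize_term($term, $taxonomy, $context = 'display') {
-        $fields = array('term_id', 'name', 'description', 'slug', 'count', 'term_group');
+        $fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group');
 
         $do_object = false;
         if ( is_object($term) )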
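Review bot: `get_term` gains a `$filter` parameter at line 232 but the docblock that closes at line 231 is not updated; add `@param string $filter Optional. Sanitization context handed to sanitize_term(); 'raw' (default) returns the stored values untouched.` and list the other accepted contexts once confirmed against `sanitize_term_field`, which is not in this diff. `parent` is added to the field list in `sanitize_term` at line 563, so `sanitize_term_field` must treat it as an integer the way `sanitize_bookmark_field` in this patch casts `link_id`; otherwise a non-raw context would push a string through whatever `parent` display filter is applied. The body of `get_term` continues outside the hunk, so I cannot see whether the sanitized copy is what later gets cached.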
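--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -477,7 +477,10 @@
                 }
         } else {
                 // Use display filters by default.
-                $value = apply_filters("post_$field", $value, $post_id, $context);
+                if ( $prefixed )
+                        $value = apply_filters($field, $value, $post_id, $context);
+                else
+                        $value = apply_filters("post_$field", $value, $post_id, $context);
         }
 
         if ( 'attribute' == $context )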
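Review bot: `$prefixed` is read at new line 480 but assigned somewhere before this hunk (the enclosing function starts above line 477), so confirm it is initialized on every path: an unset `$prefixed` is falsy and silently routes every field to the `post_$field` branch with only a notice. The un-braced `if`/`else` nested inside the outer `else` is easy to mis-edit later; wrapping both arms in braces keeps the structure visible. A short comment such as `// $prefixed: field name already carries the post_ prefix, so apply its display filter as-is` would record why the two hook names differ, if that is indeed what the flag means.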
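--- a/wp-admin/includes/bookmark.php
+++ b/wp-admin/includes/bookmark.php
@@ -60,23 +60,17 @@
 }
 
 function get_link_to_edit( $link_id ) {
-        $link = get_link( $link_id );
-
-        $link->link_url         = clean_url($link->link_url);
-        $link->link_name        = attribute_escape($link->link_name);
-        $link->link_image       = attribute_escape($link->link_image);
-        $link->link_description = attribute_escape($link->link_description);
-        $link->link_rss         = clean_url($link->link_rss);
-        $link->link_rel         = attribute_escape($link->link_rel);
-        $link->link_notes       =  wp_specialchars($link->link_notes);
-        $link->post_category    = $link->link_category;
-
-        return $link;
+        return get_link( $link_id, OBJECT, 'edit' );
 }
 
 function wp_insert_link($linkdata) {
         global $wpdb, $current_user;
 
+        $defaults = array('link_id' => 0, 'link_name' => '', 'link_url' => '', 'link_rating' => 0 );
+
+        $linkdata = wp_parse_args($linkdata, $defaults);
+        $linkdata = sanitize_bookmark($linkdata, 'db');
+
         extract($linkdata, EXTR_SKIP);
 
         $update = false;
@@ -84,53 +78,38 @@
         if ( !empty($link_id) )
                 $update = true;
 
-        $link_id = (int) $link_id;
-
-        if( trim( $link_name ) == '' )
+        if ( trim( $link_name ) == '' )
                 return 0;
-        $link_name = apply_filters('pre_link_name', $link_name);
 
-        if( trim( $link_url ) == '' )
+        if ( trim( $link_url ) == '' )
                 return 0;
-        $link_url = apply_filters('pre_link_url', $link_url);
 
         if ( empty($link_rating) )
                 $link_rating = 0;
-        else
-                $link_rating = (int) $link_rating;
 
         if ( empty($link_image) )
                 $link_image = '';
-        $link_image = apply_filters('pre_link_image', $link_image);
 
         if ( empty($link_target) )
                 $link_target = '';
-        $link_target = apply_filters('pre_link_target', $link_target);
 
         if ( empty($link_visible) )
                 $link_visible = 'Y';
-        $link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
 
         if ( empty($link_owner) )
                 $link_owner = $current_user->id;
-        else
-                $link_owner = (int) $link_owner;
 
         if ( empty($link_notes) )
                 $link_notes = '';
-        $link_notes = apply_filters('pre_link_notes', $link_notes);
 
         if ( empty($link_description) )
                 $link_description = '';
-        $link_description = apply_filters('pre_link_description', $link_description);
 
         if ( empty($link_rss) )
                 $link_rss = '';
-        $link_rss = apply_filters('pre_link_rss', $link_rss);
 
         if ( empty($link_rel) )
                 $link_rel = '';
-        $link_rel = apply_filters('pre_link_rel', $link_rel);
 
         // Make sure we set a valid category
         if (0 == count($link_category) || !is_array($link_category)) {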
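Review bot: `wp_insert_link` drops the `(int)` cast on `$link_owner` (old lines 116-117) and the replacement `sanitize_bookmark($linkdata, 'db')` does not restore it: `sanitize_bookmark_field` in this patch lists only `link_id` and `link_rating` in `$int_fields`, and default-filters registers no `pre_link_owner` filter, so a caller-supplied `link_owner` presumably reaches the insert/update query later in this function (outside the hunk) as an arbitrary string. Either add `'link_owner'` to `$int_fields` in wp-includes/bookmark.php or keep `$link_owner = (int) $link_owner;` after the `empty()` check here. `get_link_to_edit` now depends on `get_link( $link_id, OBJECT, 'edit' )`, but `get_link` is not in this diff; if it is a wrapper that does not forward its third argument to `get_bookmark`, the edit form receives raw values where `attribute_escape`/`clean_url` used to be applied. The removed `$link->post_category = $link->link_category;` assignment also has no counterpart, so any edit-form code reading `post_category` will find it unset. The body of `wp_insert_link` continues past the end of the hunk.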
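--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@@ -538,11 +538,17 @@
 
                 // Associate terms with the same slug in a term group and make slugs unique.
                 if ( $exists = $wpdb->get_results("SELECT term_id, term_group FROM $wpdb->terms WHERE slug = '$slug'") ) {
-                        $num = count($exists);
-                        $num++;
-                        $slug = $slug . "-$num";
                         $term_group = $exists[0]->term_group;
                         $id = $exists[0]->term_id;
+                        $num = 2;
+                        do {
+                                $alt_slug = $slug . "-$num";
+                                $num++;
+                                $slug_check = wpdb->get_var("SELECT slug FROM $wpdb->terms WHERE slug = '$alt_slug'");
+                        } while ( $slug_check );
+
+                        $slug = $alt_slug;
+
                         if ( empty( $term_group ) ) {
                                 $term_group = $wpdb->get_var("SELECT MAX(term_group) FROM $wpdb->terms GROUP BY term_group") + 1;
                                 $wpdb->query("UPDATE $wpdb->terms SET term_group = '$term_group' WHERE term_id = '$id'");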
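Review bot: New line 547 calls `wpdb->get_var(...)` without the `$`, which is not a variable reference: on the PHP versions this file targets it is a parse error, and on later versions an undefined-constant failure at runtime, so the whole upgrade routine cannot complete; it should read `$slug_check = $wpdb->get_var("SELECT slug FROM $wpdb->terms WHERE slug = '$alt_slug'");`. `$alt_slug` is interpolated into the query the same way the existing line 540 interpolates `$slug`; that is only acceptable if `$slug` was produced by the slug sanitizer earlier in this function (outside the hunk), so confirm it rather than inherit the assumption. A one-line comment above the loop, e.g. `// Probe "-2", "-3", ... until an unused slug is found`, would explain why `$num` starts at 2 instead of at the existing count.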
  • wp-admin/link-manager.php

     
    8080$select_cat = "<select name=\"cat_id\">\n";
    8181$select_cat .= '<option value="all"'  . (($cat_id == 'all') ? " selected='selected'" : '') . '>' . __('All') . "</option>\n";
    8282foreach ((array) $categories as $cat)
    83         $select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . wp_specialchars(apply_filters('link_category', $cat->name)) . "</option>\n";
     83        $select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . sanitize_term_field('name', $cat->name, $cat->term_id, 'link_category', 'display') . "</option>\n";
    8484$select_cat .= "</select>\n";
    8585
    8686$select_order = "<select name=\"order_by\">\n";
     
    131131        <tbody id="the-list">
    132132<?php
    133133        foreach ($links as $link) {
    134                 $link->link_name = attribute_escape(apply_filters('link_title', $link->link_name));
    135                 $link->link_description = wp_specialchars(apply_filters('link_description', $link->link_description));
    136                 $link->link_url = clean_url($link->link_url);
     134                $link = sanitize_bookmark($link);
     135                $link->link_name = attribute_escape($link->link_name);
    137136                $link->link_category = wp_get_link_cats($link->link_id);
    138137                $short_url = str_replace('http://', '', $link->link_url);
    139138                $short_url = str_replace('www.', '', $short_url);
     
    159158                                        ?><td><?php
    160159                                        $cat_names = array();
    161160                                        foreach ($link->link_category as $category) {
    162                                                 $cat = get_term($category, 'link_category');
    163                                                 $cat_name = wp_specialchars(apply_filters('link_category', $cat->name));
     161                                                $cat = get_term($category, 'link_category', OBJECT, 'display');
     162                                                $cat_name = sanitize_term_field('name', $cat->name, $cat->term_id, 'link_category', 'display');
    164163                                                if ( $cat_id != $category )
    165164                                                        $cat_name = "<a href='link-manager.php?cat_id=$category'>$cat_name</a>";
    166165                                                $cat_names[] = $cat_name;