-
diff --git a/src/wp-admin/edit-tag-form.php b/src/wp-admin/edit-tag-form.php
index d0d8f4af5e..7c22cf471d 100644
|
a
|
b
|
if ( $message ) { |
| 83 | 83 | <div id="message" class="notice notice-<?php echo $class; ?>"> |
| 84 | 84 | <p><strong><?php echo $message; ?></strong></p> |
| 85 | 85 | <?php if ( $wp_http_referer ) { ?> |
| 86 | | <p><a href="<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), admin_url( 'term.php?taxonomy=' . $taxonomy ) ) ); ?>"> |
| | 86 | <p><a href="<?php echo esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), admin_url( 'term.php?taxonomy=' . $taxonomy ) ) ); ?>"> |
| 87 | 87 | <?php echo esc_html( $tax->labels->back_to_items ); ?> |
| 88 | 88 | </a></p> |
| 89 | 89 | <?php } ?> |
-
diff --git a/src/wp-admin/edit-tags.php b/src/wp-admin/edit-tags.php
index c0bd5b2e35..3111c51069 100644
|
a
|
b
|
switch ( $wp_list_table->current_action() ) { |
| 160 | 160 | wp_die( __( 'You attempted to edit an item that does not exist. Perhaps it was deleted?' ) ); |
| 161 | 161 | } |
| 162 | 162 | |
| 163 | | wp_redirect( esc_url_raw( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) ); |
| | 163 | wp_redirect( sanitize_url( get_edit_term_link( $term_id, $taxonomy, $post_type ) ) ); |
| 164 | 164 | exit; |
| 165 | 165 | |
| 166 | 166 | case 'editedtag': |
-
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index e39739883e..1714302437 100644
|
a
|
b
|
function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) { |
| 431 | 431 | $total = isset( $_POST['_total'] ) ? (int) $_POST['_total'] : 0; |
| 432 | 432 | $per_page = isset( $_POST['_per_page'] ) ? (int) $_POST['_per_page'] : 0; |
| 433 | 433 | $page = isset( $_POST['_page'] ) ? (int) $_POST['_page'] : 0; |
| 434 | | $url = isset( $_POST['_url'] ) ? esc_url_raw( $_POST['_url'] ) : ''; |
| | 434 | $url = isset( $_POST['_url'] ) ? sanitize_url( $_POST['_url'] ) : ''; |
| 435 | 435 | |
| 436 | 436 | // JS didn't send us everything we need to know. Just die with success message. |
| 437 | 437 | if ( ! $total || ! $per_page || ! $page || ! $url ) { |
| … |
… |
function wp_ajax_send_link_to_editor() { |
| 3333 | 3333 | $src = 'http://' . $src; |
| 3334 | 3334 | } |
| 3335 | 3335 | |
| 3336 | | $src = esc_url_raw( $src ); |
| | 3336 | $src = sanitize_url( $src ); |
| 3337 | 3337 | if ( ! $src ) { |
| 3338 | 3338 | wp_send_json_error(); |
| 3339 | 3339 | } |
-
diff --git a/src/wp-admin/includes/class-custom-background.php b/src/wp-admin/includes/class-custom-background.php
index df246313f4..3cb560237c 100644
|
a
|
b
|
class Custom_Background { |
| 526 | 526 | wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) ); |
| 527 | 527 | update_post_meta( $id, '_wp_attachment_is_custom_background', get_option( 'stylesheet' ) ); |
| 528 | 528 | |
| 529 | | set_theme_mod( 'background_image', esc_url_raw( $url ) ); |
| | 529 | set_theme_mod( 'background_image', sanitize_url( $url ) ); |
| 530 | 530 | |
| 531 | 531 | $thumbnail = wp_get_attachment_image_src( $id, 'thumbnail' ); |
| 532 | | set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) ); |
| | 532 | set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) ); |
| 533 | 533 | |
| 534 | 534 | /** This action is documented in wp-admin/includes/class-custom-image-header.php */ |
| 535 | 535 | do_action( 'wp_create_file_in_uploads', $file, $id ); // For replication. |
| … |
… |
class Custom_Background { |
| 618 | 618 | |
| 619 | 619 | $url = wp_get_attachment_image_src( $attachment_id, $size ); |
| 620 | 620 | $thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' ); |
| 621 | | set_theme_mod( 'background_image', esc_url_raw( $url[0] ) ); |
| 622 | | set_theme_mod( 'background_image_thumb', esc_url_raw( $thumbnail[0] ) ); |
| | 621 | set_theme_mod( 'background_image', sanitize_url( $url[0] ) ); |
| | 622 | set_theme_mod( 'background_image_thumb', sanitize_url( $thumbnail[0] ) ); |
| 623 | 623 | exit; |
| 624 | 624 | } |
| 625 | 625 | } |
-
diff --git a/src/wp-admin/includes/class-custom-image-header.php b/src/wp-admin/includes/class-custom-image-header.php
index c5efc071e1..ffad8879bb 100644
|
a
|
b
|
endif; |
| 1159 | 1159 | return; |
| 1160 | 1160 | } |
| 1161 | 1161 | |
| 1162 | | $choice['url'] = esc_url_raw( $choice['url'] ); |
| | 1162 | $choice['url'] = sanitize_url( $choice['url'] ); |
| 1163 | 1163 | |
| 1164 | 1164 | $header_image_data = (object) array( |
| 1165 | 1165 | 'attachment_id' => $choice['attachment_id'], |
| … |
… |
endif; |
| 1197 | 1197 | } |
| 1198 | 1198 | } |
| 1199 | 1199 | |
| 1200 | | set_theme_mod( 'header_image', esc_url_raw( $header_image_data['url'] ) ); |
| | 1200 | set_theme_mod( 'header_image', sanitize_url( $header_image_data['url'] ) ); |
| 1201 | 1201 | set_theme_mod( 'header_image_data', $header_image_data ); |
| 1202 | 1202 | } |
| 1203 | 1203 | |
-
diff --git a/src/wp-admin/includes/export.php b/src/wp-admin/includes/export.php
index 852f7d54ad..14e21dce38 100644
|
a
|
b
|
function export_wp( $args = array() ) { |
| 632 | 632 | <wp:comment_id><?php echo (int) $c->comment_ID; ?></wp:comment_id> |
| 633 | 633 | <wp:comment_author><?php echo wxr_cdata( $c->comment_author ); ?></wp:comment_author> |
| 634 | 634 | <wp:comment_author_email><?php echo wxr_cdata( $c->comment_author_email ); ?></wp:comment_author_email> |
| 635 | | <wp:comment_author_url><?php echo esc_url_raw( $c->comment_author_url ); ?></wp:comment_author_url> |
| | 635 | <wp:comment_author_url><?php echo sanitize_url( $c->comment_author_url ); ?></wp:comment_author_url> |
| 636 | 636 | <wp:comment_author_IP><?php echo wxr_cdata( $c->comment_author_IP ); ?></wp:comment_author_IP> |
| 637 | 637 | <wp:comment_date><?php echo wxr_cdata( $c->comment_date ); ?></wp:comment_date> |
| 638 | 638 | <wp:comment_date_gmt><?php echo wxr_cdata( $c->comment_date_gmt ); ?></wp:comment_date_gmt> |
-
diff --git a/src/wp-admin/includes/media.php b/src/wp-admin/includes/media.php
index 95a29d5e52..56825012f0 100644
|
a
|
b
|
function wp_media_upload_handler() { |
| 917 | 917 | * @param string $src Media source URL. |
| 918 | 918 | * @param string $title Media title. |
| 919 | 919 | */ |
| 920 | | $html = apply_filters( "{$type}_send_to_editor_url", $html, esc_url_raw( $src ), $title ); |
| | 920 | $html = apply_filters( "{$type}_send_to_editor_url", $html, sanitize_url( $src ), $title ); |
| 921 | 921 | } else { |
| 922 | 922 | $align = ''; |
| 923 | 923 | $alt = esc_attr( wp_unslash( $_POST['alt'] ) ); |
| … |
… |
function wp_media_upload_handler() { |
| 942 | 942 | * @param string $align The image alignment. Default 'alignnone'. Possible values include |
| 943 | 943 | * 'alignleft', 'aligncenter', 'alignright', 'alignnone'. |
| 944 | 944 | */ |
| 945 | | $html = apply_filters( 'image_send_to_editor_url', $html, esc_url_raw( $src ), $alt, $align ); |
| | 945 | $html = apply_filters( 'image_send_to_editor_url', $html, sanitize_url( $src ), $alt, $align ); |
| 946 | 946 | } |
| 947 | 947 | |
| 948 | 948 | return media_send_to_editor( $html ); |
-
diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
index 6621d8e090..a4dd6a0519 100644
|
a
|
b
|
function edit_post( $post_data = null ) { |
| 322 | 322 | foreach ( $format_meta_urls as $format_meta_url ) { |
| 323 | 323 | $keyed = '_format_' . $format_meta_url; |
| 324 | 324 | if ( isset( $post_data[ $keyed ] ) ) { |
| 325 | | update_post_meta( $post_ID, $keyed, wp_slash( esc_url_raw( wp_unslash( $post_data[ $keyed ] ) ) ) ); |
| | 325 | update_post_meta( $post_ID, $keyed, wp_slash( sanitize_url( wp_unslash( $post_data[ $keyed ] ) ) ) ); |
| 326 | 326 | } |
| 327 | 327 | } |
| 328 | 328 | |
-
diff --git a/src/wp-admin/includes/privacy-tools.php b/src/wp-admin/includes/privacy-tools.php
index 8b78752a85..f974ea8a5d 100644
|
a
|
b
|
All at ###SITENAME### |
| 706 | 706 | $content = apply_filters( 'wp_privacy_personal_data_email_content', $email_text, $request_id, $email_data ); |
| 707 | 707 | |
| 708 | 708 | $content = str_replace( '###EXPIRATION###', $expiration_date, $content ); |
| 709 | | $content = str_replace( '###LINK###', esc_url_raw( $export_file_url ), $content ); |
| | 709 | $content = str_replace( '###LINK###', sanitize_url( $export_file_url ), $content ); |
| 710 | 710 | $content = str_replace( '###EMAIL###', $request_email, $content ); |
| 711 | 711 | $content = str_replace( '###SITENAME###', $site_name, $content ); |
| 712 | | $content = str_replace( '###SITEURL###', esc_url_raw( $site_url ), $content ); |
| | 712 | $content = str_replace( '###SITEURL###', sanitize_url( $site_url ), $content ); |
| 713 | 713 | |
| 714 | 714 | $headers = ''; |
| 715 | 715 | |
-
diff --git a/src/wp-admin/includes/theme.php b/src/wp-admin/includes/theme.php
index 3886a8eeff..177eb44cf9 100644
|
a
|
b
|
function wp_prepare_themes_for_js( $themes = null ) { |
| 712 | 712 | $customize_action = esc_url( |
| 713 | 713 | add_query_arg( |
| 714 | 714 | array( |
| 715 | | 'return' => urlencode( esc_url_raw( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ), |
| | 715 | 'return' => urlencode( sanitize_url( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ), |
| 716 | 716 | ), |
| 717 | 717 | wp_customize_url( $slug ) |
| 718 | 718 | ) |
-
diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
index 64b91fce19..ed6a91a4e2 100644
|
a
|
b
|
function edit_user( $user_id = 0 ) { |
| 84 | 84 | if ( empty( $_POST['url'] ) || 'http://' === $_POST['url'] ) { |
| 85 | 85 | $user->user_url = ''; |
| 86 | 86 | } else { |
| 87 | | $user->user_url = esc_url_raw( $_POST['url'] ); |
| | 87 | $user->user_url = sanitize_url( $_POST['url'] ); |
| 88 | 88 | $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) ); |
| 89 | 89 | $user->user_url = preg_match( '/^(' . $protocols . '):/is', $user->user_url ) ? $user->user_url : 'http://' . $user->user_url; |
| 90 | 90 | } |
-
diff --git a/src/wp-admin/network/site-info.php b/src/wp-admin/network/site-info.php
index b99f35ab20..8cad4ead2a 100644
|
a
|
b
|
if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) { |
| 90 | 90 | $old_home_parsed = parse_url( $old_home_url ); |
| 91 | 91 | |
| 92 | 92 | if ( $old_home_parsed['host'] === $existing_details->domain && $old_home_parsed['path'] === $existing_details->path ) { |
| 93 | | $new_home_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) ); |
| | 93 | $new_home_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) ); |
| 94 | 94 | update_option( 'home', $new_home_url ); |
| 95 | 95 | } |
| 96 | 96 | |
| … |
… |
if ( isset( $_REQUEST['action'] ) && 'update-site' === $_REQUEST['action'] ) { |
| 98 | 98 | $old_site_parsed = parse_url( $old_site_url ); |
| 99 | 99 | |
| 100 | 100 | if ( $old_site_parsed['host'] === $existing_details->domain && $old_site_parsed['path'] === $existing_details->path ) { |
| 101 | | $new_site_url = untrailingslashit( esc_url_raw( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) ); |
| | 101 | $new_site_url = untrailingslashit( sanitize_url( $blog_data['scheme'] . '://' . $new_details->domain . $new_details->path ) ); |
| 102 | 102 | update_option( 'siteurl', $new_site_url ); |
| 103 | 103 | } |
| 104 | 104 | |
-
diff --git a/src/wp-admin/term.php b/src/wp-admin/term.php
index 55d1a7eb94..4d29b5d996 100644
|
a
|
b
|
if ( empty( $_REQUEST['tag_ID'] ) ) { |
| 20 | 20 | $sendback = add_query_arg( 'post_type', get_current_screen()->post_type, $sendback ); |
| 21 | 21 | } |
| 22 | 22 | |
| 23 | | wp_redirect( esc_url_raw( $sendback ) ); |
| | 23 | wp_redirect( sanitize_url( $sendback ) ); |
| 24 | 24 | exit; |
| 25 | 25 | } |
| 26 | 26 | |
-
diff --git a/src/wp-admin/upgrade.php b/src/wp-admin/upgrade.php
index e816c69d0b..1b1565aa45 100644
|
a
|
b
|
else : |
| 133 | 133 | case 0: |
| 134 | 134 | $goback = wp_get_referer(); |
| 135 | 135 | if ( $goback ) { |
| 136 | | $goback = esc_url_raw( $goback ); |
| | 136 | $goback = sanitize_url( $goback ); |
| 137 | 137 | $goback = urlencode( $goback ); |
| 138 | 138 | } |
| 139 | 139 | ?> |
-
diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
index c2e9e0c3a7..49faa4e22b 100644
|
a
|
b
|
switch ( $action ) { |
| 209 | 209 | <p><strong><?php _e( 'User updated.' ); ?></strong></p> |
| 210 | 210 | <?php endif; ?> |
| 211 | 211 | <?php if ( $wp_http_referer && false === strpos( $wp_http_referer, 'user-new.php' ) && ! IS_PROFILE_PAGE ) : ?> |
| 212 | | <p><a href="<?php echo esc_url( wp_validate_redirect( esc_url_raw( $wp_http_referer ), self_admin_url( 'users.php' ) ) ); ?>"><?php _e( '← Go to Users' ); ?></a></p> |
| | 212 | <p><a href="<?php echo esc_url( wp_validate_redirect( sanitize_url( $wp_http_referer ), self_admin_url( 'users.php' ) ) ); ?>"><?php _e( '← Go to Users' ); ?></a></p> |
| 213 | 213 | <?php endif; ?> |
| 214 | 214 | </div> |
| 215 | 215 | <?php endif; ?> |
-
diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
index 03732ca08a..7809608e69 100644
|
a
|
b
|
final class WP_Customize_Manager { |
| 2111 | 2111 | $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities ); |
| 2112 | 2112 | |
| 2113 | 2113 | // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installations. |
| 2114 | | $self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ); |
| | 2114 | $self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : sanitize_url( wp_unslash( $_SERVER['REQUEST_URI'] ) ); |
| 2115 | 2115 | $state_query_params = array( |
| 2116 | 2116 | 'customize_theme', |
| 2117 | 2117 | 'customize_changeset_uuid', |
| … |
… |
final class WP_Customize_Manager { |
| 2158 | 2158 | ), |
| 2159 | 2159 | 'url' => array( |
| 2160 | 2160 | 'self' => $self_url, |
| 2161 | | 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), |
| | 2161 | 'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ), |
| 2162 | 2162 | 'allowedHosts' => array_unique( $allowed_hosts ), |
| 2163 | 2163 | 'isCrossDomain' => $this->is_cross_domain(), |
| 2164 | 2164 | ), |
| … |
… |
final class WP_Customize_Manager { |
| 4574 | 4574 | * @param string $preview_url URL to be previewed. |
| 4575 | 4575 | */ |
| 4576 | 4576 | public function set_preview_url( $preview_url ) { |
| 4577 | | $preview_url = esc_url_raw( $preview_url ); |
| | 4577 | $preview_url = sanitize_url( $preview_url ); |
| 4578 | 4578 | $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) ); |
| 4579 | 4579 | } |
| 4580 | 4580 | |
| … |
… |
final class WP_Customize_Manager { |
| 4662 | 4662 | * @param string $return_url URL for return link. |
| 4663 | 4663 | */ |
| 4664 | 4664 | public function set_return_url( $return_url ) { |
| 4665 | | $return_url = esc_url_raw( $return_url ); |
| | 4665 | $return_url = sanitize_url( $return_url ); |
| 4666 | 4666 | $return_url = remove_query_arg( wp_removable_query_args(), $return_url ); |
| 4667 | 4667 | $return_url = wp_validate_redirect( $return_url ); |
| 4668 | 4668 | $this->return_url = $return_url; |
| … |
… |
final class WP_Customize_Manager { |
| 4894 | 4894 | '_canInstall' => current_user_can( 'install_themes' ), |
| 4895 | 4895 | ), |
| 4896 | 4896 | 'url' => array( |
| 4897 | | 'preview' => esc_url_raw( $this->get_preview_url() ), |
| 4898 | | 'return' => esc_url_raw( $this->get_return_url() ), |
| 4899 | | 'parent' => esc_url_raw( admin_url() ), |
| 4900 | | 'activated' => esc_url_raw( home_url( '/' ) ), |
| 4901 | | 'ajax' => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ), |
| 4902 | | 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), |
| | 4897 | 'preview' => sanitize_url( $this->get_preview_url() ), |
| | 4898 | 'return' => sanitize_url( $this->get_return_url() ), |
| | 4899 | 'parent' => sanitize_url( admin_url() ), |
| | 4900 | 'activated' => sanitize_url( home_url( '/' ) ), |
| | 4901 | 'ajax' => sanitize_url( admin_url( 'admin-ajax.php', 'relative' ) ), |
| | 4902 | 'allowed' => array_map( 'sanitize_url', $this->get_allowed_urls() ), |
| 4903 | 4903 | 'isCrossDomain' => $this->is_cross_domain(), |
| 4904 | | 'home' => esc_url_raw( home_url( '/' ) ), |
| 4905 | | 'login' => esc_url_raw( $login_url ), |
| | 4904 | 'home' => sanitize_url( home_url( '/' ) ), |
| | 4905 | 'login' => sanitize_url( $login_url ), |
| 4906 | 4906 | ), |
| 4907 | 4907 | 'browser' => array( |
| 4908 | 4908 | 'mobile' => wp_is_mobile(), |
| … |
… |
final class WP_Customize_Manager { |
| 6006 | 6006 | return new WP_Error( 'invalid_value', __( 'Invalid value for background size.' ) ); |
| 6007 | 6007 | } |
| 6008 | 6008 | } elseif ( 'background_image' === $setting->id || 'background_image_thumb' === $setting->id ) { |
| 6009 | | $value = empty( $value ) ? '' : esc_url_raw( $value ); |
| | 6009 | $value = empty( $value ) ? '' : sanitize_url( $value ); |
| 6010 | 6010 | } else { |
| 6011 | 6011 | return new WP_Error( 'unrecognized_setting', __( 'Unrecognized background setting.' ) ); |
| 6012 | 6012 | } |
| … |
… |
final class WP_Customize_Manager { |
| 6079 | 6079 | * @return mixed |
| 6080 | 6080 | */ |
| 6081 | 6081 | public function _validate_external_header_video( $validity, $value ) { |
| 6082 | | $video = esc_url_raw( $value ); |
| | 6082 | $video = sanitize_url( $value ); |
| 6083 | 6083 | if ( $video ) { |
| 6084 | 6084 | if ( ! preg_match( '#^https?://(?:www\.)?(?:youtube\.com/watch|youtu\.be/)#', $video ) ) { |
| 6085 | 6085 | $validity->add( 'invalid_url', __( 'Please enter a valid YouTube URL.' ) ); |
| … |
… |
final class WP_Customize_Manager { |
| 6097 | 6097 | * @return string Sanitized URL. |
| 6098 | 6098 | */ |
| 6099 | 6099 | public function _sanitize_external_header_video( $value ) { |
| 6100 | | return esc_url_raw( trim( $value ) ); |
| | 6100 | return sanitize_url( trim( $value ) ); |
| 6101 | 6101 | } |
| 6102 | 6102 | |
| 6103 | 6103 | /** |
-
diff --git a/src/wp-includes/class-wp-theme.php b/src/wp-includes/class-wp-theme.php
index c2398fb4eb..2e313c4c3b 100644
|
a
|
b
|
final class WP_Theme implements ArrayAccess { |
| 888 | 888 | break; |
| 889 | 889 | case 'ThemeURI': |
| 890 | 890 | case 'AuthorURI': |
| 891 | | $value = esc_url_raw( $value ); |
| | 891 | $value = sanitize_url( $value ); |
| 892 | 892 | break; |
| 893 | 893 | case 'Tags': |
| 894 | 894 | $value = array_filter( array_map( 'trim', explode( ',', strip_tags( $value ) ) ) ); |
-
diff --git a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
index 8e35e32238..b0e3ae4a5e 100644
|
a
|
b
|
class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting { |
| 726 | 726 | $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) ); |
| 727 | 727 | |
| 728 | 728 | if ( '' !== $menu_item_value['url'] ) { |
| 729 | | $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] ); |
| | 729 | $menu_item_value['url'] = sanitize_url( $menu_item_value['url'] ); |
| 730 | 730 | if ( '' === $menu_item_value['url'] ) { |
| 731 | 731 | return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is invalid. |
| 732 | 732 | } |
-
diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
index 391796517c..25d98ede38 100644
|
a
|
b
|
foreach ( array( |
| 72 | 72 | 'pre_post_guid', |
| 73 | 73 | ) as $filter ) { |
| 74 | 74 | add_filter( $filter, 'wp_strip_all_tags' ); |
| 75 | | add_filter( $filter, 'esc_url_raw' ); |
| | 75 | add_filter( $filter, 'sanitize_url' ); |
| 76 | 76 | add_filter( $filter, 'wp_filter_kses' ); |
| 77 | 77 | } |
| 78 | 78 | |
-
diff --git a/src/wp-includes/deprecated.php b/src/wp-includes/deprecated.php
index ec4c4678f5..ff6ce82497 100644
|
a
|
b
|
function get_link( $bookmark_id, $output = OBJECT, $filter = 'raw' ) { |
| 2041 | 2041 | */ |
| 2042 | 2042 | function clean_url( $url, $protocols = null, $context = 'display' ) { |
| 2043 | 2043 | if ( $context == 'db' ) |
| 2044 | | _deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'esc_url_raw()' ); |
| | 2044 | _deprecated_function( 'clean_url( $context = \'db\' )', '3.0.0', 'sanitize_url()' ); |
| 2045 | 2045 | else |
| 2046 | 2046 | _deprecated_function( __FUNCTION__, '3.0.0', 'esc_url()' ); |
| 2047 | 2047 | return esc_url( $url, $protocols, $context ); |
-
diff --git a/src/wp-includes/embed.php b/src/wp-includes/embed.php
index bc0806e1e2..f894578ad8 100644
|
a
|
b
|
function get_post_embed_url( $post = null ) { |
| 426 | 426 | * @param string $embed_url The post embed URL. |
| 427 | 427 | * @param WP_Post $post The corresponding post object. |
| 428 | 428 | */ |
| 429 | | return esc_url_raw( apply_filters( 'post_embed_url', $embed_url, $post ) ); |
| | 429 | return sanitize_url( apply_filters( 'post_embed_url', $embed_url, $post ) ); |
| 430 | 430 | } |
| 431 | 431 | |
| 432 | 432 | /** |
-
diff --git a/src/wp-includes/general-template.php b/src/wp-includes/general-template.php
index d2ad7373f2..6ab4f4dd39 100644
|
a
|
b
|
function get_the_generator( $type = '' ) { |
| 4759 | 4759 | $gen = '<generator uri="https://wordpress.org/" version="' . esc_attr( get_bloginfo_rss( 'version' ) ) . '">WordPress</generator>'; |
| 4760 | 4760 | break; |
| 4761 | 4761 | case 'rss2': |
| 4762 | | $gen = '<generator>' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>'; |
| | 4762 | $gen = '<generator>' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>'; |
| 4763 | 4763 | break; |
| 4764 | 4764 | case 'rdf': |
| 4765 | | $gen = '<admin:generatorAgent rdf:resource="' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />'; |
| | 4765 | $gen = '<admin:generatorAgent rdf:resource="' . sanitize_url( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />'; |
| 4766 | 4766 | break; |
| 4767 | 4767 | case 'comment': |
| 4768 | 4768 | $gen = '<!-- generator="WordPress/' . esc_attr( get_bloginfo( 'version' ) ) . '" -->'; |
-
diff --git a/src/wp-includes/link-template.php b/src/wp-includes/link-template.php
index dbebd3bded..fc1a89fd29 100644
|
a
|
b
|
function adjacent_post_link( $format, $link, $in_same_term = false, $excluded_te |
| 2343 | 2343 | * |
| 2344 | 2344 | * @param int $pagenum Optional. Page number. Default 1. |
| 2345 | 2345 | * @param bool $escape Optional. Whether to escape the URL for display, with esc_url(). Defaults to true. |
| 2346 | | * Otherwise, prepares the URL with esc_url_raw(). |
| | 2346 | * Otherwise, prepares the URL with sanitize_url(). |
| 2347 | 2347 | * @return string The link URL for the given page number. |
| 2348 | 2348 | */ |
| 2349 | 2349 | function get_pagenum_link( $pagenum = 1, $escape = true ) { |
| … |
… |
function get_pagenum_link( $pagenum = 1, $escape = true ) { |
| 2410 | 2410 | if ( $escape ) { |
| 2411 | 2411 | return esc_url( $result ); |
| 2412 | 2412 | } else { |
| 2413 | | return esc_url_raw( $result ); |
| | 2413 | return sanitize_url( $result ); |
| 2414 | 2414 | } |
| 2415 | 2415 | } |
| 2416 | 2416 | |
-
diff --git a/src/wp-includes/ms-deprecated.php b/src/wp-includes/ms-deprecated.php
index c06f35ddc5..9085545bdd 100644
|
a
|
b
|
function get_blogaddress_by_domain( $domain, $path ) { |
| 378 | 378 | $url = 'http://' . $domain . $path; |
| 379 | 379 | } |
| 380 | 380 | } |
| 381 | | return esc_url_raw( $url ); |
| | 381 | return sanitize_url( $url ); |
| 382 | 382 | } |
| 383 | 383 | |
| 384 | 384 | /** |
-
diff --git a/src/wp-includes/nav-menu.php b/src/wp-includes/nav-menu.php
index 24a7fc66ef..63969287d7 100644
|
a
|
b
|
function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item |
| 573 | 573 | $args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) ); |
| 574 | 574 | update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); |
| 575 | 575 | update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] ); |
| 576 | | update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw( $args['menu-item-url'] ) ); |
| | 576 | update_post_meta( $menu_item_db_id, '_menu_item_url', sanitize_url( $args['menu-item-url'] ) ); |
| 577 | 577 | |
| 578 | 578 | if ( 0 == $menu_id ) { |
| 579 | 579 | update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() ); |
-
diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index f05142baac..81156911c3 100644
|
a
|
b
|
function rest_send_cors_headers( $value ) { |
| 710 | 710 | if ( $origin ) { |
| 711 | 711 | // Requests from file:// and data: URLs send "Origin: null". |
| 712 | 712 | if ( 'null' !== $origin ) { |
| 713 | | $origin = esc_url_raw( $origin ); |
| | 713 | $origin = sanitize_url( $origin ); |
| 714 | 714 | } |
| 715 | 715 | header( 'Access-Control-Allow-Origin: ' . $origin ); |
| 716 | 716 | header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' ); |
| … |
… |
function rest_output_link_header() { |
| 993 | 993 | return; |
| 994 | 994 | } |
| 995 | 995 | |
| 996 | | header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', esc_url_raw( $api_root ) ), false ); |
| | 996 | header( sprintf( 'Link: <%s>; rel="https://api.w.org/"', sanitize_url( $api_root ) ), false ); |
| 997 | 997 | |
| 998 | 998 | $resource = rest_get_queried_resource_route(); |
| 999 | 999 | |
| 1000 | 1000 | if ( $resource ) { |
| 1001 | | header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', esc_url_raw( rest_url( $resource ) ) ), false ); |
| | 1001 | header( sprintf( 'Link: <%s>; rel="alternate"; type="application/json"', sanitize_url( rest_url( $resource ) ) ), false ); |
| 1002 | 1002 | } |
| 1003 | 1003 | } |
| 1004 | 1004 | |
| … |
… |
function rest_sanitize_value_from_schema( $value, $args, $param = '' ) { |
| 2795 | 2795 | return sanitize_text_field( $value ); |
| 2796 | 2796 | |
| 2797 | 2797 | case 'uri': |
| 2798 | | return esc_url_raw( $value ); |
| | 2798 | return sanitize_url( $value ); |
| 2799 | 2799 | |
| 2800 | 2800 | case 'ip': |
| 2801 | 2801 | return sanitize_text_field( $value ); |
-
diff --git a/src/wp-includes/rest-api/class-wp-rest-server.php b/src/wp-includes/rest-api/class-wp-rest-server.php
index c38914c7bf..19b362a4ca 100644
|
a
|
b
|
class WP_REST_Server { |
| 284 | 284 | |
| 285 | 285 | $api_root = get_rest_url(); |
| 286 | 286 | if ( ! empty( $api_root ) ) { |
| 287 | | $this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' ); |
| | 287 | $this->send_header( 'Link', '<' . sanitize_url( $api_root ) . '>; rel="https://api.w.org/"' ); |
| 288 | 288 | } |
| 289 | 289 | |
| 290 | 290 | /* |
-
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
index f25be71bef..825833505d 100644
|
a
|
b
|
class WP_REST_Menu_Items_Controller extends WP_REST_Posts_Controller { |
| 860 | 860 | return true; |
| 861 | 861 | } |
| 862 | 862 | |
| 863 | | if ( esc_url_raw( $url ) ) { |
| | 863 | if ( sanitize_url( $url ) ) { |
| 864 | 864 | return true; |
| 865 | 865 | } |
| 866 | 866 | |
-
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-url-details-controller.php
index b7d58faefa..c9ac6675d0 100644
|
a
|
b
|
class WP_REST_URL_Details_Controller extends WP_REST_Controller { |
| 45 | 45 | 'required' => true, |
| 46 | 46 | 'description' => __( 'The URL to process.' ), |
| 47 | 47 | 'validate_callback' => 'wp_http_validate_url', |
| 48 | | 'sanitize_callback' => 'esc_url_raw', |
| | 48 | 'sanitize_callback' => 'sanitize_url', |
| 49 | 49 | 'type' => 'string', |
| 50 | 50 | 'format' => 'uri', |
| 51 | 51 | ), |
-
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index ae68e688f8..61e8a1d210 100644
|
a
|
b
|
function wp_default_packages_inline_scripts( $scripts ) { |
| 337 | 337 | 'wp-api-fetch', |
| 338 | 338 | sprintf( |
| 339 | 339 | 'wp.apiFetch.use( wp.apiFetch.createRootURLMiddleware( "%s" ) );', |
| 340 | | esc_url_raw( get_rest_url() ) |
| | 340 | sanitize_url( get_rest_url() ) |
| 341 | 341 | ), |
| 342 | 342 | 'after' |
| 343 | 343 | ); |
| … |
… |
function wp_default_scripts( $scripts ) { |
| 750 | 750 | 'wp-api-request', |
| 751 | 751 | 'wpApiSettings', |
| 752 | 752 | array( |
| 753 | | 'root' => esc_url_raw( get_rest_url() ), |
| | 753 | 'root' => sanitize_url( get_rest_url() ), |
| 754 | 754 | 'nonce' => wp_installing() ? '' : wp_create_nonce( 'wp_rest' ), |
| 755 | 755 | 'versionString' => 'wp/v2/', |
| 756 | 756 | ) |
-
diff --git a/src/wp-includes/theme.php b/src/wp-includes/theme.php
index 55e2d13789..2e7e1dbbb8 100644
|
a
|
b
|
function get_header_image() { |
| 1179 | 1179 | $url = get_random_header_image(); |
| 1180 | 1180 | } |
| 1181 | 1181 | |
| 1182 | | return esc_url_raw( set_url_scheme( $url ) ); |
| | 1182 | return sanitize_url( set_url_scheme( $url ) ); |
| 1183 | 1183 | } |
| 1184 | 1184 | |
| 1185 | 1185 | /** |
| … |
… |
function get_uploaded_header_images() { |
| 1428 | 1428 | } |
| 1429 | 1429 | |
| 1430 | 1430 | foreach ( (array) $headers as $header ) { |
| 1431 | | $url = esc_url_raw( wp_get_attachment_url( $header->ID ) ); |
| | 1431 | $url = sanitize_url( wp_get_attachment_url( $header->ID ) ); |
| 1432 | 1432 | $header_data = wp_get_attachment_metadata( $header->ID ); |
| 1433 | 1433 | $header_index = $header->ID; |
| 1434 | 1434 | |
| … |
… |
function get_header_video_url() { |
| 1589 | 1589 | return false; |
| 1590 | 1590 | } |
| 1591 | 1591 | |
| 1592 | | return esc_url_raw( set_url_scheme( $url ) ); |
| | 1592 | return sanitize_url( set_url_scheme( $url ) ); |
| 1593 | 1593 | } |
| 1594 | 1594 | |
| 1595 | 1595 | /** |
| … |
… |
function _custom_background_cb() { |
| 1806 | 1806 | $style = $color ? "background-color: #$color;" : ''; |
| 1807 | 1807 | |
| 1808 | 1808 | if ( $background ) { |
| 1809 | | $image = ' background-image: url("' . esc_url_raw( $background ) . '");'; |
| | 1809 | $image = ' background-image: url("' . sanitize_url( $background ) . '");'; |
| 1810 | 1810 | |
| 1811 | 1811 | // Background Position. |
| 1812 | 1812 | $position_x = get_theme_mod( 'background_position_x', get_theme_support( 'custom-background', 'default-position-x' ) ); |
| … |
… |
function get_editor_stylesheets() { |
| 2146 | 2146 | // Support externally referenced styles (like, say, fonts). |
| 2147 | 2147 | foreach ( $editor_styles as $key => $file ) { |
| 2148 | 2148 | if ( preg_match( '~^(https?:)?//~', $file ) ) { |
| 2149 | | $stylesheets[] = esc_url_raw( $file ); |
| | 2149 | $stylesheets[] = sanitize_url( $file ); |
| 2150 | 2150 | unset( $editor_styles[ $key ] ); |
| 2151 | 2151 | } |
| 2152 | 2152 | } |
-
diff --git a/src/wp-includes/update.php b/src/wp-includes/update.php
index 1c9a7cbeb6..04c8aa3ec2 100644
|
a
|
b
|
function wp_update_plugins( $extra_stats = array() ) { |
| 430 | 430 | continue; |
| 431 | 431 | } |
| 432 | 432 | |
| 433 | | $hostname = wp_parse_url( esc_url_raw( $plugin_data['UpdateURI'] ), PHP_URL_HOST ); |
| | 433 | $hostname = wp_parse_url( sanitize_url( $plugin_data['UpdateURI'] ), PHP_URL_HOST ); |
| 434 | 434 | |
| 435 | 435 | /** |
| 436 | 436 | * Filters the update response for a given plugin hostname. |
-
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 0511a8a890..b36619ac9a 100644
|
a
|
b
|
All at ###SITENAME### |
| 4158 | 4158 | $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); |
| 4159 | 4159 | $content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content ); |
| 4160 | 4160 | $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content ); |
| 4161 | | $content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content ); |
| 4162 | | $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content ); |
| | 4161 | $content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content ); |
| | 4162 | $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); |
| 4163 | 4163 | |
| 4164 | 4164 | $headers = ''; |
| 4165 | 4165 | |
| … |
… |
All at ###SITENAME### |
| 4399 | 4399 | |
| 4400 | 4400 | $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); |
| 4401 | 4401 | $content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content ); |
| 4402 | | $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content ); |
| | 4402 | $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); |
| 4403 | 4403 | |
| 4404 | 4404 | $headers = ''; |
| 4405 | 4405 | |
| … |
… |
All at ###SITENAME### |
| 4720 | 4720 | $content = apply_filters( 'user_request_action_email_content', $content, $email_data ); |
| 4721 | 4721 | |
| 4722 | 4722 | $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content ); |
| 4723 | | $content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content ); |
| | 4723 | $content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content ); |
| 4724 | 4724 | $content = str_replace( '###EMAIL###', $email_data['email'], $content ); |
| 4725 | 4725 | $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); |
| 4726 | | $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content ); |
| | 4726 | $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); |
| 4727 | 4727 | |
| 4728 | 4728 | $headers = ''; |
| 4729 | 4729 | |
-
diff --git a/src/wp-includes/widgets.php b/src/wp-includes/widgets.php
index 4aaa6112b2..639c59afa1 100644
|
a
|
b
|
function wp_widget_rss_process( $widget_rss, $check_feed = true ) { |
| 1767 | 1767 | if ( $items < 1 || 20 < $items ) { |
| 1768 | 1768 | $items = 10; |
| 1769 | 1769 | } |
| 1770 | | $url = esc_url_raw( strip_tags( $widget_rss['url'] ) ); |
| | 1770 | $url = sanitize_url( strip_tags( $widget_rss['url'] ) ); |
| 1771 | 1771 | $title = isset( $widget_rss['title'] ) ? trim( strip_tags( $widget_rss['title'] ) ) : ''; |
| 1772 | 1772 | $show_summary = isset( $widget_rss['show_summary'] ) ? (int) $widget_rss['show_summary'] : 0; |
| 1773 | 1773 | $show_author = isset( $widget_rss['show_author'] ) ? (int) $widget_rss['show_author'] : 0; |
-
diff --git a/src/wp-login.php b/src/wp-login.php
index f744c684db..c805921727 100644
|
a
|
b
|
function login_footer( $input_id = '' ) { |
| 360 | 360 | <?php } ?> |
| 361 | 361 | |
| 362 | 362 | <?php if ( isset( $_GET['redirect_to'] ) && '' !== $_GET['redirect_to'] ) { ?> |
| 363 | | <input type="hidden" name="redirect_to" value="<?php echo esc_url_raw( $_GET['redirect_to'] ); ?>" /> |
| | 363 | <input type="hidden" name="redirect_to" value="<?php echo sanitize_url( $_GET['redirect_to'] ); ?>" /> |
| 364 | 364 | <?php } ?> |
| 365 | 365 | |
| 366 | 366 | <?php if ( isset( $_GET['action'] ) && '' !== $_GET['action'] ) { ?> |