Changeset 11615
- Timestamp:
- 06/20/2009 05:42:24 PM (16 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
trunk/wp-admin/theme-editor.php
r11530 r11615 66 66 67 67 $location = wp_kses_no_null($location); 68 $strip = array('%0d', '%0a' );69 $location = str_replace($strip, '', $location);68 $strip = array('%0d', '%0a', '%0D', '%0A'); 69 $location = _deep_replace($strip, $location); 70 70 header("Location: $location"); 71 71 exit(); -
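Review bot: Only the percent-encoded forms are stripped on new lines 68-69 before `$location` reaches `header("Location: $location")`; nothing visible in this hunk removes a literal carriage return or line feed, and whether `wp_kses_no_null()` or earlier code does so cannot be seen from here. This is also a hand-copied version of the redirect sanitisation in pluggable.php, so the two copies can drift apart again, as they had before this change. Unless this code path needs to bypass it, consider replacing new lines 67-71 with `wp_redirect($location);` followed by `exit();` so the header sanitisation lives in one place. The enclosing block starts before the hunk.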
trunk/wp-includes/formatting.php
r11518 r11615 2043 2043 if ('' == $url) return $url; 2044 2044 $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url); 2045 $strip = array('%0d', '%0a' );2046 $url = str_replace($strip, '', $url);2045 $strip = array('%0d', '%0a', '%0D', '%0A'); 2046 $url = _deep_replace($strip, $url); 2047 2047 $url = str_replace(';//', '://', $url); 2048 2048 /* If the URL doesn't appear to contain a scheme, we … … 2066 2066 2067 2067 return apply_filters('clean_url', $url, $original_url, $context); 2068 } 2069 2070 /** 2071 * Perform a deep string replace operation to ensure the values in $search are no longer present 2072 * 2073 * Repeats the replacement operation until it no longer replaces anything so as to remove "nested" values 2074 * e.g. $subject = '%0%0%0DDD', $search ='%0D', $result ='' rather than the '%0%0DD' that 2075 * str_replace would return 2076 * 2077 * @since 2.8.1 2078 * @access private 2079 * 2080 * @param string|array $search 2081 * @param string $subject 2082 * @return string The processed string 2083 */ 2084 function _deep_replace($search, $subject){ 2085 $found = true; 2086 while($found) { 2087 $found = false; 2088 foreach( (array) $search as $val ) { 2089 while(strpos($subject, $val) !== false) { 2090 $found = true; 2091 $subject = str_replace($val, '', $subject); 2092 } 2093 } 2094 } 2095 2096 return $subject; 2068 2097 } 2069 2098 -
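Review bot: `_deep_replace()` never terminates if `$search` contains an empty string on PHP versions where `strpos()` accepts an empty needle (8.0 and later). There `strpos($subject, '')` returns 0, which is `!== false`, and `str_replace('', '', $subject)` changes nothing, so the inner `while` spins. The callers in this changeset pass fixed non-empty values, so this is a hardening point rather than a live bug; a guard such as `if ('' === (string) $val) continue;` at the top of the `foreach` would close it. The docblock could also state why the repetition matters: a single pass over `%0d`/`%0a` can leave a string that reassembles into a new encoded line break, and these values end up in a `Location` header.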
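--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -881,15 +881,6 @@
 
 // remove %0d and %0a from location
-$strip = array('%0d', '%0a');
-$found = true;
-while($found) {
-$found = false;
-foreach( (array) $strip as $val ) {
-while(strpos($location, $val) !== false) {
-$found = true;
-$location = str_replace($val, '', $location);
-}
-}
-}
+$strip = array('%0d', '%0a', '%0D', '%0A');
+$location = _deep_replace($strip, $location);
 return $location;
 }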
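Review bot: The retained comment `// remove %0d and %0a from location` on line 882 no longer explains what this step guarantees, now that the list covers both hex cases and the loop has moved into a helper. Something like `// Strip percent-encoded CR/LF in either hex case; _deep_replace() repeats until none remain so nested input cannot reassemble one.` would tell the next reader why a plain `str_replace()` is not enough here. The same four-element `$strip` literal now also appears in theme-editor.php and formatting.php, so a later edit to one copy can silently miss the others. The function begins outside the hunk.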