
Changeset 11615


Timestamp:
06/20/2009 05:42:24 PM (16 years ago)
Author:
westi
Message:

Introduce _deep_replace() and use it to improve the stripping of percent encoded values from urls. Fixes #10226 for trunk.

Location:
trunk
Files:
3 edited

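--- a/trunk/wp-admin/theme-editor.php
+++ b/trunk/wp-admin/theme-editor.php
@@ -66,6 +66,6 @@
 
     $location = wp_kses_no_null($location);
-    $strip = array('%0d', '%0a');
-    $location = str_replace($strip, '', $location);
+    $strip = array('%0d', '%0a', '%0D', '%0A');
+    $location = _deep_replace($strip, $location);
     header("Location: $location");
     exit();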
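Review bot: The strip list `array('%0d', '%0a', '%0D', '%0A')` introduced on the new line 68 is copied verbatim into formatting.php and pluggable.php in this same changeset, so any future addition (another encoding variant, say) has to be made in three places and is easy to miss in one. The lines that follow, `header("Location: $location"); exit();`, read as a hand-rolled redirect; if nothing in this file prevents it, sending it through wp_redirect(), whose sanitizer in pluggable.php performs exactly this step after this commit, would keep the list in one place. The enclosing block starts outside the hunk, so where `$location` comes from is not visible here.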
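--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2043,6 +2043,6 @@
     if ('' == $url) return $url;
     $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
-    $strip = array('%0d', '%0a');
-    $url = str_replace($strip, '', $url);
+    $strip = array('%0d', '%0a', '%0D', '%0A');
+    $url = _deep_replace($strip, $url);
     $url = str_replace(';//', '://', $url);
     /* If the URL doesn't appear to contain a scheme, we
@@ -2066,4 +2066,33 @@
 
     return apply_filters('clean_url', $url, $original_url, $context);
+}
+
+/**
+ * Perform a deep string replace operation to ensure the values in $search are no longer present
+ *
+ * Repeats the replacement operation until it no longer replaces anything so as to remove "nested" values
+ * e.g. $subject = '%0%0%0DDD', $search ='%0D', $result ='' rather than the '%0%0DD' that
+ * str_replace would return
+ *
+ * @since 2.8.1
+ * @access private
+ *
+ * @param string|array $search
+ * @param string $subject
+ * @return string The processed string
+ */
+function _deep_replace($search, $subject){
+    $found = true;
+    while($found) {
+        $found = false;
+        foreach( (array) $search as $val ) {
+            while(strpos($subject, $val) !== false) {
+                $found = true;
+                $subject = str_replace($val, '', $subject);
+            }
+        }
+    }
+   
+    return $subject;
 }
 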
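Review bot: `_deep_replace()` never terminates if `$search` contains an empty string: on PHP 8 `strpos($subject, '')` returns 0, and `str_replace('', '', $subject)` leaves `$subject` unchanged, so the `while(strpos($subject, $val) !== false)` loop at the new line 2089 spins forever (older PHP versions instead emit an "empty needle" warning on every pass). A guard as the first statement of the foreach body, `if ('' === $val) continue;`, closes that hole; since `$subject` is also used unchecked, a `(string)` cast or a `@param` note that only strings are accepted would cover the other input edge. The docblock should also state that matching is case-sensitive, because that is the reason every caller in this changeset has to list both `%0d` and `%0D`; a reader of the helper alone cannot see why. Finally, `@access private` is contradicted by theme-editor.php and pluggable.php calling this function in the same commit, so either drop the tag or document the intended callers.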
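--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -881,15 +881,6 @@
 
     // remove %0d and %0a from location
-    $strip = array('%0d', '%0a');
-    $found = true;
-    while($found) {
-        $found = false;
-        foreach( (array) $strip as $val ) {
-            while(strpos($location, $val) !== false) {
-                $found = true;
-                $location = str_replace($val, '', $location);
-            }
-        }
-    }
+    $strip = array('%0d', '%0a', '%0D', '%0A');
+    $location = _deep_replace($strip, $location);
     return $location;
 }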
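Review bot: The context comment `// remove %0d and %0a from location` is now stale: the new `$strip` list on line 883 also covers `%0D`/`%0A`, and the repeat-until-gone behaviour, which the removed inline loop made visible, is now hidden inside `_deep_replace()`. Suggest `// strip percent-encoded CR/LF (either case, repeated so nested forms are caught) from location`. Only the encoded forms are handled here; whether raw CR/LF bytes are removed earlier in this function cannot be seen from the hunk, since the enclosing function starts outside it, so that is worth confirming rather than assuming.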