Changeset 11929
- Timestamp:
- 09/14/2009 01:57:48 PM (15 years ago)
- Location:
- trunk
- Files:
-
- 9 edited
trunk/wp-admin/includes/template.php
r11901 r11929 1893 1893 if ( !( is_object( $user_object) && is_a( $user_object, 'WP_User' ) ) ) 1894 1894 $user_object = new WP_User( (int) $user_object ); 1895 $user_object = sanitize_user_object($user_object, 'display'); 1895 1896 $email = $user_object->user_email; 1896 1897 $url = $user_object->user_url; -
trunk/wp-admin/includes/user.php
r11852 r11929 26 26 27 27 if ( isset( $_POST['role'] ) ) { 28 $new_role = sanitize_text_field( $_POST['role'] ); 28 29 // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 29 if ( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) {30 if ( $user_id != $current_user->id || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' ) ) { 30 31 // If the new role isn't editable by the logged-in user die with error 31 32 $editable_roles = get_editable_roles(); 32 if ( !$editable_roles[$_POST['role']])33 if ( !$editable_roles[$new_role] ) 33 34 wp_die(__('You can’t give users that role.')); 34 35 35 36 $user = new WP_User( $user_id ); 36 $user->set_role( $ _POST['role']);37 $user->set_role( $new_role ); 37 38 } 38 39 } … … 65 66 } 66 67 67 if ( isset( $_POST['user_login'] ))68 $user->user_login = esc_html( trim( $_POST['user_login'] ));68 if ( !$update && isset( $_POST['user_login'] ) ) 69 $user->user_login = sanitize_user($userdata['user_login'], true); 69 70 70 71 $pass1 = $pass2 = ''; … … 75 76 76 77 if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { 77 78 $new_role = sanitize_text_field( $_POST['role'] ); 78 79 // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 
79 if( $user_id != $current_user->id || $wp_roles->role_objects[$ _POST['role']]->has_cap( 'edit_users' ))80 $user->role = $ _POST['role'];80 if( $user_id != $current_user->id || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' )) 81 $user->role = $new_role; 81 82 82 83 // If the new role isn't editable by the logged-in user die with error 83 84 $editable_roles = get_editable_roles(); 84 if ( !$editable_roles[$_POST['role']])85 if ( !$editable_roles[$new_role] ) 85 86 wp_die(__('You can’t give users that role.')); 86 87 } 87 88 88 89 if ( isset( $_POST['email'] )) 89 $user->user_email = esc_html( trim( $_POST['email'] ));90 $user->user_email = sanitize_text_field( $_POST['email'] ); 90 91 if ( isset( $_POST['url'] ) ) { 91 92 if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { 92 93 $user->user_url = ''; 93 94 } else { 94 $user->user_url = esc_url( trim( $_POST['url'] ));95 $user->user_url = sanitize_url( $_POST['url'] ); 95 96 $user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? 
$user->user_url : 'http://'.$user->user_url; 96 97 } 97 98 } 98 if ( isset( $_POST['first_name'] )) 99 $user->first_name = esc_html( trim( $_POST['first_name'] )); 100 if ( isset( $_POST['last_name'] )) 101 $user->last_name = esc_html( trim( $_POST['last_name'] )); 102 if ( isset( $_POST['nickname'] )) 103 $user->nickname = esc_html( trim( $_POST['nickname'] )); 104 if ( isset( $_POST['display_name'] )) 105 $user->display_name = esc_html( trim( $_POST['display_name'] )); 106 if ( isset( $_POST['description'] )) 99 if ( isset( $_POST['first_name'] ) ) 100 $user->first_name = sanitize_text_field( $_POST['first_name'] ); 101 if ( isset( $_POST['last_name'] ) ) 102 $user->last_name = sanitize_text_field( $_POST['last_name'] ); 103 if ( isset( $_POST['nickname'] ) ) 104 $user->nickname = sanitize_text_field( $_POST['nickname'] ); 105 if ( isset( $_POST['display_name'] ) ) 106 $user->display_name = sanitize_text_field( $_POST['display_name'] ); 107 108 if ( isset( $_POST['description'] ) ) 107 109 $user->description = trim( $_POST['description'] ); 108 $user_contactmethods = _wp_get_user_contactmethods(); 109 foreach ( $user_contactmethods as $method => $name) {110 111 foreach ( _wp_get_user_contactmethods() as $method => $name ) { 110 112 if ( isset( $_POST[$method] )) 111 $user->$method = esc_html( trim( $_POST[$method] ) ); 112 } 113 if ( !$update ) 114 $user->rich_editing = 'true'; // Default to true for new users. 115 else if ( isset( $_POST['rich_editing'] ) ) 116 $user->rich_editing = $_POST['rich_editing']; 117 else 118 $user->rich_editing = 'true'; 119 120 $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] )? $_POST['comment_shortcuts'] : ''; 113 $user->$method = sanitize_text_field( $_POST[$method] ); 114 } 115 116 if ( $update ) { 117 $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true'; 118 $user->admin_color = isset( $_POST['admin_color'] ) ? 
sanitize_text_field( $_POST['admin_color'] ) : 'fresh'; 119 } 120 121 $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : ''; 121 122 122 123 $user->use_ssl = 0; 123 124 if ( !empty($_POST['use_ssl']) ) 124 125 $user->use_ssl = 1; 125 126 if ( !$update )127 $user->admin_color = 'fresh'; // Default to fresh for new users.128 else if ( isset( $_POST['admin_color'] ) )129 $user->admin_color = $_POST['admin_color'];130 else131 $user->admin_color = 'fresh';132 126 133 127 $errors = new WP_Error(); … … 160 154 $errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter the same password in the two password fields.' ), array( 'form-field' => 'pass1' ) ); 161 155 162 if ( !empty ( $pass1 ))156 if ( !empty( $pass1 ) ) 163 157 $user->user_pass = $pass1; 164 158 … … 166 160 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid. Please enter a valid username.' )); 167 161 168 if ( !$update && username_exists( $user->user_login ))162 if ( !$update && username_exists( $user->user_login ) ) 169 163 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' )); 170 164 171 165 /* checking e-mail address */ 172 if ( empty 166 if ( empty( $user->user_email ) ) { 173 167 $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please enter an e-mail address.' ), array( 'form-field' => 'email' ) ); 174 } elseif ( !is_email( $user->user_email ) ) {168 } elseif ( !is_email( $user->user_email ) ) { 175 169 $errors->add( 'invalid_email', __( '<strong>ERROR</strong>: The e-mail address isn’t correct.' ), array( 'form-field' => 'email' ) ); 176 170 } elseif ( ( $owner_id = email_exists($user->user_email) ) && $owner_id != $user->ID ) { … … 178 172 } 179 173 180 // Allow plugins to return the reown errors.174 // Allow plugins to return their own errors. 
181 175 do_action_ref_array('user_profile_update_errors', array ( &$errors, $update, &$user ) ); 182 176 … … 185 179 186 180 if ( $update ) { 187 $user_id = wp_update_user( get_object_vars( $user ) );181 $user_id = wp_update_user( get_object_vars( $user ) ); 188 182 } else { 189 $user_id = wp_insert_user( get_object_vars( $user ) );183 $user_id = wp_insert_user( get_object_vars( $user ) ); 190 184 wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' ); 191 185 } … … 371 365 function get_user_to_edit( $user_id ) { 372 366 $user = new WP_User( $user_id ); 373 $user->user_login = esc_attr($user->user_login);374 $user->user_email = esc_attr($user->user_email);375 $user->user_url = esc_url($user->user_url);376 $user->first_name = esc_attr($user->first_name);377 $user->last_name = esc_attr($user->last_name);378 $user->display_name = esc_attr($user->display_name);379 $user->nickname = esc_attr($user->nickname);380 367 381 368 $user_contactmethods = _wp_get_user_contactmethods(); 382 369 foreach ($user_contactmethods as $method => $name) { 383 $user->{$method} = isset( $user->{$method} ) && !empty( $user->{$method} ) ? esc_attr($user->{$method}) : ''; 384 } 385 386 $user->description = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : ''; 370 if ( empty( $user->{$method} ) ) 371 $user->{$method} = ''; 372 } 373 374 if ( empty($user->description) ) 375 $user->description = ''; 376 377 $user = sanitize_user_object($user, 'edit'); 387 378 388 379 return $user; -
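Review bot: In the `!$update` branch the new line `$user->user_login = sanitize_user($userdata['user_login'], true);` reads `$userdata` although the guard on the same line tests `$_POST['user_login']`; nothing in this hunk assigns `$userdata`, and since the branch only runs for new users it looks like no existing-user lookup would have populated it, so the login would come out empty — `sanitize_user( $_POST['user_login'], true )` appears to be what was meant. Both role checks (`$wp_roles->role_objects[$new_role]->has_cap( 'edit_users' )` in the two `isset( $_POST['role'] )` blocks) still index `role_objects` with a request-supplied role name before anything verifies it exists, so an unknown role produces a fatal method call on a non-object instead of the `wp_die` message a few lines below; an `isset( $wp_roles->role_objects[$new_role] )` guard ahead of `has_cap` would fail closed. Unlike the other text fields, `$user->description = trim( $_POST['description'] );` is left unsanitized at this point, presumably relying on the `pre_user_description` kses filter at save time — a comment saying so would make that intent explicit. The enclosing function starts and ends outside this hunk.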
trunk/wp-admin/user-edit.php
r11830 r11929 285 285 <tr> 286 286 <th><label for="description"><?php _e('Biographical Info'); ?></label></th> 287 <td><textarea name="description" id="description" rows="5" cols="30"><?php echo $profileuser->description?></textarea><br />287 <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_html($profileuser->description); ?></textarea><br /> 288 288 <span class="description"><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.'); ?></span></td> 289 289 </tr> … … 312 312 ?> 313 313 314 <?php if ( count($profileuser->caps) > count($profileuser->roles) && apply_filters('additional_capabilities_display', true, $profileuser)):?>314 <?php if ( count($profileuser->caps) > count($profileuser->roles) && apply_filters('additional_capabilities_display', true, $profileuser) ) { ?> 315 315 <br class="clear" /> 316 316 <table width="99%" style="border: none;" cellspacing="2" cellpadding="3" class="editform"> … … 319 319 <td><?php 320 320 $output = ''; 321 foreach($profileuser->caps as $cap => $value) { 322 if(!$wp_roles->is_role($cap)) { 323 if($output != '') $output .= ', '; 321 foreach ( $profileuser->caps as $cap => $value ) { 322 if ( !$wp_roles->is_role($cap) ) { 323 if ( $output != '' ) 324 $output .= ', '; 324 325 $output .= $value ? $cap : "Denied: {$cap}"; 325 326 } … … 329 330 </tr> 330 331 </table> 331 <?php endif;?>332 <?php } ?> 332 333 333 334 <p class="submit"> -
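Review bot: In the capabilities loop, `$output .= $value ? $cap : "Denied: {$cap}";` concatenates the capability name into HTML output without escaping, while the same hunk now escapes `$profileuser->description` with `esc_html()`; capability names come from user meta and plugins, so `esc_html( $cap )` in both arms would keep the table cell consistent with the rest of the page (the `echo` of `$output` falls outside the hunk). The literal `"Denied: "` is also the only user-visible string in the hunk not wrapped in `__()`.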
trunk/wp-admin/users.php
r11554 r11929 386 386 </div> 387 387 388 <?php389 foreach ( array('user_login' => 'user_login', 'first_name' => 'user_firstname', 'last_name' => 'user_lastname', 'email' => 'user_email', 'url' => 'user_uri', 'role' => 'user_role') as $formpost => $var ) {390 $var = 'new_' . $var;391 $$var = isset($_REQUEST[$formpost]) ? esc_attr(stripslashes($_REQUEST[$formpost])) : '';392 }393 unset($name);394 ?>395 396 388 <br class="clear" /> 397 389 <?php -
trunk/wp-includes/capabilities.php
r11912 r11929 448 448 */ 449 449 var $last_name = ''; 450 451 /** 452 * The filter context applied to user data fields. 453 * 454 * @since 2.9.0 455 * @access private 456 * @var string 457 */ 458 var $filter = null; 450 459 451 460 /** -
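Review bot: The new docblock for `$filter` declares `@var string` but the property is initialised to `null`, and it is only assigned when `sanitize_user_object()` has run; `@var string|null` with a sentence noting that `null` means the object has not been passed through `sanitize_user_object()` would describe the field as it is actually used. The surrounding class declaration lies outside the hunk.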
trunk/wp-includes/default-filters.php
r11777 r11929 18 18 'pre_user_nickname'); 19 19 foreach ( $filters as $filter ) { 20 add_filter($filter, 'strip_tags'); 20 add_filter($filter, 'sanitize_text_field'); 21 add_filter($filter, 'wp_filter_kses'); 22 add_filter($filter, '_wp_specialchars', 30); 23 } 24 25 // Strip, kses, special chars for string display 26 $filters = array('term_name', 'comment_author_name', 'link_name', 'link_target', 'link_rel', 'user_display_name', 'user_first_name', 'user_last_name', 'user_nickname'); 27 foreach ( $filters as $filter ) { 28 add_filter($filter, 'sanitize_text_field'); 29 add_filter($filter, 'wp_filter_kses'); 30 add_filter($filter, '_wp_specialchars', 30); 31 } 32 33 // Kses only for textarea saves and displays 34 $filters = array('pre_term_description', 'term_description', 'pre_link_description', 'link_description', 'pre_link_notes', 'link_notes', 'pre_user_description', 'user_description'); 35 foreach ( $filters as $filter ) { 36 add_filter($filter, 'wp_filter_kses'); 37 } 38 39 // Email saves 40 $filters = array('pre_comment_author_email', 'pre_user_email'); 41 foreach ( $filters as $filter ) { 21 42 add_filter($filter, 'trim'); 22 add_filter($filter, 'wp_filter_kses'); 23 add_filter($filter, '_wp_specialchars', 30); 24 } 25 26 // Kses only for textarea saves 27 $filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description'); 28 foreach ( $filters as $filter ) { 29 add_filter($filter, 'wp_filter_kses'); 30 } 31 32 // Email 33 $filters = array('pre_comment_author_email', 'pre_user_email'); 34 foreach ( $filters as $filter ) { 35 add_filter($filter, 'trim'); 43 add_filter($filter, 'sanitize_email'); 44 add_filter($filter, 'wp_filter_kses'); 45 } 46 47 // Email display 48 $filters = array('comment_author_email', 'user_email'); 49 foreach ( $filters as $filter ) { 36 50 add_filter($filter, 'sanitize_email'); 37 51 add_filter($filter, 'wp_filter_kses'); … … 42 56 'pre_link_rss'); 43 57 foreach ( $filters as $filter ) { 44 
add_filter($filter, 'strip_tags'); 45 add_filter($filter, 'trim'); 58 add_filter($filter, 'wp_strip_all_tags'); 46 59 add_filter($filter, 'esc_url_raw'); 47 60 add_filter($filter, 'wp_filter_kses'); … … 51 64 $filters = array('user_url', 'link_url', 'link_image', 'link_rss', 'comment_url'); 52 65 foreach ( $filters as $filter ) { 53 add_filter($filter, 'strip_tags'); 54 add_filter($filter, 'trim'); 66 add_filter($filter, 'wp_strip_all_tags'); 55 67 add_filter($filter, 'esc_url'); 56 68 add_filter($filter, 'wp_filter_kses'); -
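Review bot: The display-context groups (`'user_display_name'`, `'user_first_name'`, … and `'term_name'`, `'link_name'`) register the same `sanitize_text_field` / `wp_filter_kses` / `_wp_specialchars` chain as the `pre_*` save-time groups, so `sanitize_text_field()` — which collapses whitespace runs and strips `%xx` octets — now mutates already-stored values on every read rather than only escaping them. If that normalisation on display is intended, a short comment above the block (`// Display filters intentionally re-run sanitize_text_field on stored values`) would keep a later maintainer from "fixing" it; if not, the display groups could drop `sanitize_text_field` and keep kses plus `_wp_specialchars`. The first `$filters` array in this file begins before the hunk, so the full list of names it affects is not visible here.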
trunk/wp-includes/formatting.php
r11907 r11929 629 629 function sanitize_user( $username, $strict = false ) { 630 630 $raw_username = $username; 631 $username = strip_tags($username);631 $username = wp_strip_all_tags($username); 632 632 // Kill octets 633 633 $username = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $username); … … 2246 2246 $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); 2247 2247 return apply_filters( 'esc_html', $safe_text, $text ); 2248 return $text;2249 2248 } 2250 2249 … … 2602 2601 */ 2603 2602 function wp_html_excerpt( $str, $count ) { 2604 $str = strip_tags( $str);2603 $str = wp_strip_all_tags( $str, true ); 2605 2604 $str = mb_substr( $str, 0, $count ); 2606 2605 // remove part of an entity at the end … … 2669 2668 $content); 2670 2669 } 2670 2671 2671 /** 2672 2672 * Callback to add a target attribute to all links in passed content. … … 2693 2693 } 2694 2694 2695 /** 2696 * Properly strip all HTML tags including script and style 2697 * 2698 * @since 2.9.0 2699 * 2700 * @param string $string String containing HTML tags 2701 * @param bool $remove_breaks optional Whether to remove left over line breaks and white space chars 2702 * @return string The processed string. 2703 */ 2704 function wp_strip_all_tags($string, $remove_breaks = false) { 2705 $string = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $string ); 2706 $string = strip_tags($string); 2707 2708 if ( $remove_breaks ) 2709 $string = preg_replace('/\s+/', ' ', $string); 2710 2711 return trim($string); 2712 } 2713 2714 /** 2715 * Sanitize a string from user input or from the db 2716 * 2717 * check for invalid UTF-8, 2718 * Convert single < characters to entity, 2719 * strip all tags, 2720 * remove line breaks, tabs and extra whitre space, 2721 * strip octets. 
2722 * 2723 * @since 2.9 2724 * 2725 * @param string $str 2726 * @return string 2727 */ 2728 function sanitize_text_field($str) { 2729 $filtered = wp_check_invalid_utf8( $str ); 2730 2731 if ( strpos($filtered, '<') !== false ) { 2732 $filtered = wp_pre_kses_less_than( $filtered ); 2733 $filtered = wp_strip_all_tags( $filtered, true ); 2734 } else { 2735 $filtered = trim( preg_replace('/\s+/', ' ', $filtered) ); 2736 } 2737 2738 $match = array(); 2739 while ( preg_match('/%[a-f0-9]{2}/i', $filtered, $match) ) 2740 $filtered = str_replace($match[0], '', $filtered); 2741 2742 return apply_filters('sanitize_text_field', $filtered, $str); 2743 } 2744 2695 2745 ?> -
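Review bot: `wp_strip_all_tags()` only removes `<script>`/`<style>` blocks that have a matching closing tag (`@<(script|style)[^>]*?>.*?</\\1>@si`); an unterminated `<script>` has just its tag removed by the following `strip_tags()` and its body survives as text, which the docblock's "Properly strip all HTML tags including script and style" does not convey — a sentence there stating that the body of an unclosed script/style element is kept as plain text would set expectations. Related, `preg_replace()` returns `null` on a PCRE error (for instance the backtrack limit on a very large input, which `.*?` with `s` invites), and `strip_tags(null)` then silently turns the whole input into `''`; a `preg_last_error()` check, or at least a comment that the function fails closed to an empty string, would make that behaviour explicit. In `sanitize_text_field()` the docblock has a typo (`whitre space`) and the step list is imprecise: when the input contains no `<` the tag-stripping path is skipped entirely and only whitespace is collapsed, so "strip all tags" should read "strip all tags (only when a `<` is present)". The `sanitize_user()` and `wp_html_excerpt()` hunks in this section are call-site swaps and raise nothing further.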
trunk/wp-includes/registration.php
r11852 r11929 170 170 $user_nicename_check = $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1" , $user_nicename, $user_login)); 171 171 172 if ( $user_nicename_check) {172 if ( $user_nicename_check ) { 173 173 $suffix = 2; 174 174 while ($user_nicename_check) { … … 199 199 update_usermeta( $user_id, 'admin_color', $admin_color); 200 200 update_usermeta( $user_id, 'use_ssl', $use_ssl); 201 foreach (_wp_get_user_contactmethods() as $method => $name) { 201 202 foreach ( _wp_get_user_contactmethods() as $method => $name ) { 202 203 if ( empty($$method) ) 203 204 $$method = ''; 204 205 205 206 update_usermeta( $user_id, $method, $$method ); 206 207 } -
trunk/wp-includes/user.php
r11909 r11929 618 618 } 619 619 620 /** 621 * Sanitize every user field. 622 * 623 * If the context is 'raw', then the user object or array will get minimal santization of the int fields. 624 * 625 * @since 2.3.0 626 * @uses sanitize_user_field() Used to sanitize the fields. 627 * 628 * @param object|array $user The User Object or Array 629 * @param string $context Optional, default is 'display'. How to sanitize user fields. 630 * @return object|array The now sanitized User Object or Array (will be the same type as $user) 631 */ 632 function sanitize_user_object($user, $context = 'display') { 633 if ( is_object($user) ) { 634 if ( !isset($user->ID) ) 635 $user->ID = 0; 636 if ( isset($user->data) ) 637 $vars = get_object_vars( $user->data ); 638 else 639 $vars = get_object_vars($user); 640 foreach ( array_keys($vars) as $field ) { 641 if ( is_array($user->$field) ) 642 continue; 643 $user->$field = sanitize_user_field($field, $user->$field, $user->ID, $context); 644 } 645 $user->filter = $context; 646 } else { 647 if ( !isset($user['ID']) ) 648 $user['ID'] = 0; 649 foreach ( array_keys($user) as $field ) 650 $user[$field] = sanitize_user_field($field, $user[$field], $user['ID'], $context); 651 $user['filter'] = $context; 652 } 653 654 return $user; 655 } 656 657 /** 658 * Sanitize user field based on context. 659 * 660 * Possible context values are: 'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The 661 * 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display' 662 * when calling filters. 663 * 664 * @since 2.3.0 665 * @uses apply_filters() Calls 'edit_$field' and '${field_no_prefix}_edit_pre' passing $value and 666 * $user_id if $context == 'edit' and field name prefix == 'user_'. 667 * 668 * @uses apply_filters() Calls 'edit_user_$field' passing $value and $user_id if $context == 'db'. 669 * @uses apply_filters() Calls 'pre_$field' passing $value if $context == 'db' and field name prefix == 'user_'. 
670 * @uses apply_filters() Calls '${field}_pre' passing $value if $context == 'db' and field name prefix != 'user_'. 671 * 672 * @uses apply_filters() Calls '$field' passing $value, $user_id and $context if $context == anything 673 * other than 'raw', 'edit' and 'db' and field name prefix == 'user_'. 674 * @uses apply_filters() Calls 'user_$field' passing $value if $context == anything other than 'raw', 675 * 'edit' and 'db' and field name prefix != 'user_'. 676 * 677 * @param string $field The user Object field name. 678 * @param mixed $value The user Object value. 679 * @param int $user_id user ID. 680 * @param string $context How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display', 681 * 'attribute' and 'js'. 682 * @return mixed Sanitized value. 683 */ 684 function sanitize_user_field($field, $value, $user_id, $context) { 685 $int_fields = array('ID'); 686 if ( in_array($field, $int_fields) ) 687 $value = (int) $value; 688 689 if ( 'raw' == $context ) 690 return $value; 691 692 if ( is_array($value) ) 693 return $value; 694 695 $prefixed = false; 696 if ( false !== strpos($field, 'user_') ) { 697 $prefixed = true; 698 $field_no_prefix = str_replace('user_', '', $field); 699 } 700 701 if ( 'edit' == $context ) { 702 if ( $prefixed ) { 703 $value = apply_filters("edit_$field", $value, $user_id); 704 } else { 705 $value = apply_filters("edit_user_$field", $value, $user_id); 706 } 707 708 if ( 'description' == $field ) 709 $value = esc_html($value); 710 else 711 $value = esc_attr($value); 712 } else if ( 'db' == $context ) { 713 if ( $prefixed ) { 714 $value = apply_filters("pre_$field", $value); 715 } else { 716 $value = apply_filters("pre_user_$field", $value); 717 } 718 } else { 719 // Use display filters by default. 
720 if ( $prefixed ) 721 $value = apply_filters($field, $value, $user_id, $context); 722 else 723 $value = apply_filters("user_$field", $value, $user_id, $context); 724 } 725 726 if ( 'user_url' == $field ) 727 $value = esc_url($value); 728 729 if ( 'attribute' == $context ) 730 $value = esc_attr($value); 731 else if ( 'js' == $context ) 732 $value = esc_js($value); 733 734 return $value; 735 } 736 620 737 ?>
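Review bot: In `sanitize_user_field()` the prefix test `if ( false !== strpos($field, 'user_') )` matches `user_` anywhere in the name rather than only as a prefix, and `$field_no_prefix` is computed but never read, while the docblock promises an `'${field_no_prefix}_edit_pre'` filter that the code does not apply; `if ( 0 === strpos( $field, 'user_' ) )` matches the documented contract, and either the unused variable and the stale `@uses` line should go or the filter should actually be called. Further down, `if ( 'user_url' == $field ) $value = esc_url($value);` runs after the context branches, so in the `'db'` context a URL is HTML-entity escaped on its way to storage even though the `pre_user_url` chain registered in default-filters.php already ends in `esc_url_raw`; this looks unintended, and a `'db' != $context` condition on that line would keep stored values raw. In `sanitize_user_object()`, when `$user->data` is set the field list is taken from `$user->data` but the values are read and written on `$user` itself; that relies on the constructor having copied `data` onto the object, which is not visible here and deserves a comment at that `if`.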