Changeset 11929


Timestamp:
09/14/09 13:57:48 (5 years ago)
Author:
ryan
Message:

Filter fields through kses upon display. Introduce sanitize_user_object() and sanitize_user_field(). see #10751

Location:
trunk
Files:
9 edited

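--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -1893,4 +1893,5 @@
     if ( !( is_object( $user_object) && is_a( $user_object, 'WP_User' ) ) )
         $user_object = new WP_User( (int) $user_object );
+    $user_object = sanitize_user_object($user_object, 'display');
     $email = $user_object->user_email;
     $url = $user_object->user_url;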
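--- a/trunk/wp-admin/includes/user.php
+++ b/trunk/wp-admin/includes/user.php
@@ -26,13 +26,14 @@
 
         if ( isset( $_POST['role'] ) ) {
+            $new_role = sanitize_text_field( $_POST['role'] );
         // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
-            if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) {
+            if ( $user_id != $current_user->id || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' ) ) {
                 // If the new role isn't editable by the logged-in user die with error
                 $editable_roles = get_editable_roles();
-                if (!$editable_roles[$_POST['role']])
+                if ( !$editable_roles[$new_role] )
                     wp_die(__('You can’t give users that role.'));
 
                 $user = new WP_User( $user_id );
-                $user->set_role( $_POST['role'] );
+                $user->set_role( $new_role );
             }
         }
@@ -65,6 +66,6 @@
     }
 
-    if ( isset( $_POST['user_login'] ))
-        $user->user_login = esc_html( trim( $_POST['user_login'] ));
+    if ( !$update && isset( $_POST['user_login'] ) )
+        $user->user_login = sanitize_user($userdata['user_login'], true);
 
     $pass1 = $pass2 = '';
@@ -75,59 +76,52 @@
 
     if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
-
+        $new_role = sanitize_text_field( $_POST['role'] );
         // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
-        if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ))
-            $user->role = $_POST['role'];
+        if( $user_id != $current_user->id || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' ))
+            $user->role = $new_role;
 
         // If the new role isn't editable by the logged-in user die with error
         $editable_roles = get_editable_roles();
-        if (!$editable_roles[$_POST['role']])
+        if ( !$editable_roles[$new_role] )
             wp_die(__('You can’t give users that role.'));
     }
 
     if ( isset( $_POST['email'] ))
-        $user->user_email = esc_html( trim( $_POST['email'] ));
+        $user->user_email = sanitize_text_field( $_POST['email'] );
     if ( isset( $_POST['url'] ) ) {
         if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
             $user->user_url = '';
         } else {
-            $user->user_url = esc_url( trim( $_POST['url'] ));
+            $user->user_url = sanitize_url( $_POST['url'] );
             $user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
         }
     }
-    if ( isset( $_POST['first_name'] ))
-        $user->first_name = esc_html( trim( $_POST['first_name'] ));
-    if ( isset( $_POST['last_name'] ))
-        $user->last_name = esc_html( trim( $_POST['last_name'] ));
-    if ( isset( $_POST['nickname'] ))
-        $user->nickname = esc_html( trim( $_POST['nickname'] ));
-    if ( isset( $_POST['display_name'] ))
-        $user->display_name = esc_html( trim( $_POST['display_name'] ));
-    if ( isset( $_POST['description'] ))
+    if ( isset( $_POST['first_name'] ) )
+        $user->first_name = sanitize_text_field( $_POST['first_name'] );
+    if ( isset( $_POST['last_name'] ) )
+        $user->last_name = sanitize_text_field( $_POST['last_name'] );
+    if ( isset( $_POST['nickname'] ) )
+        $user->nickname = sanitize_text_field( $_POST['nickname'] );
+    if ( isset( $_POST['display_name'] ) )
+        $user->display_name = sanitize_text_field( $_POST['display_name'] );
+
+    if ( isset( $_POST['description'] ) )
         $user->description = trim( $_POST['description'] );
-    $user_contactmethods = _wp_get_user_contactmethods();
-    foreach ($user_contactmethods as $method => $name) {
+
+    foreach ( _wp_get_user_contactmethods() as $method => $name ) {
         if ( isset( $_POST[$method] ))
-            $user->$method = esc_html( trim( $_POST[$method] ) );
-    }
-    if ( !$update )
-        $user->rich_editing = 'true';  // Default to true for new users.
-    else if ( isset( $_POST['rich_editing'] ) )
-        $user->rich_editing = $_POST['rich_editing'];
-    else
-        $user->rich_editing = 'true';
-
-    $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] )? $_POST['comment_shortcuts'] : '';
+            $user->$method = sanitize_text_field( $_POST[$method] );
+    }
+
+    if ( $update ) {
+        $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
+        $user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh';
+    }
+
+    $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
 
     $user->use_ssl = 0;
     if ( !empty($_POST['use_ssl']) )
         $user->use_ssl = 1;
-
-    if ( !$update )
-        $user->admin_color = 'fresh';  // Default to fresh for new users.
-    else if ( isset( $_POST['admin_color'] ) )
-        $user->admin_color = $_POST['admin_color'];
-    else
-        $user->admin_color = 'fresh';
 
     $errors = new WP_Error();
@@ -160,5 +154,5 @@
         $errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter the same password in the two password fields.' ), array( 'form-field' => 'pass1' ) );
 
-    if (!empty ( $pass1 ))
+    if ( !empty( $pass1 ) )
         $user->user_pass = $pass1;
 
@@ -166,11 +160,11 @@
         $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid. Please enter a valid username.' ));
 
-    if (!$update && username_exists( $user->user_login ))
+    if ( !$update && username_exists( $user->user_login ) )
         $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ));
 
     /* checking e-mail address */
-    if ( empty ( $user->user_email ) ) {
+    if ( empty( $user->user_email ) ) {
         $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please enter an e-mail address.' ), array( 'form-field' => 'email' ) );
-    } elseif (!is_email( $user->user_email ) ) {
+    } elseif ( !is_email( $user->user_email ) ) {
         $errors->add( 'invalid_email', __( '<strong>ERROR</strong>: The e-mail address isn&#8217;t correct.' ), array( 'form-field' => 'email' ) );
     } elseif ( ( $owner_id = email_exists($user->user_email) ) && $owner_id != $user->ID ) {
@@ -178,5 +172,5 @@
     }
 
-    // Allow plugins to return there own errors.
+    // Allow plugins to return their own errors.
     do_action_ref_array('user_profile_update_errors', array ( &$errors, $update, &$user ) );
 
@@ -185,7 +179,7 @@
 
     if ( $update ) {
-        $user_id = wp_update_user( get_object_vars( $user ));
+        $user_id = wp_update_user( get_object_vars( $user ) );
     } else {
-        $user_id = wp_insert_user( get_object_vars( $user ));
+        $user_id = wp_insert_user( get_object_vars( $user ) );
         wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' );
     }
@@ -371,18 +365,15 @@
 function get_user_to_edit( $user_id ) {
     $user = new WP_User( $user_id );
-    $user->user_login   = esc_attr($user->user_login);
-    $user->user_email   = esc_attr($user->user_email);
-    $user->user_url     = esc_url($user->user_url);
-    $user->first_name   = esc_attr($user->first_name);
-    $user->last_name    = esc_attr($user->last_name);
-    $user->display_name = esc_attr($user->display_name);
-    $user->nickname     = esc_attr($user->nickname);
 
     $user_contactmethods = _wp_get_user_contactmethods();
     foreach ($user_contactmethods as $method => $name) {
-        $user->{$method} = isset( $user->{$method} ) && !empty( $user->{$method} ) ? esc_attr($user->{$method}) : '';
-    }
-
-    $user->description  = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : '';
+        if ( empty( $user->{$method} ) )
+            $user->{$method} = '';
+    }
+
+    if ( empty($user->description) )
+        $user->description = '';
+
+    $user = sanitize_user_object($user, 'edit');
 
     return $user;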
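Review bot: The new `user_login` assignment in edit_user() reads `$userdata['user_login']` while the guard directly above it tests `isset( $_POST['user_login'] )`, so the value that is checked is not the value that is used; nothing in this hunk shows `$userdata` being built from the request in the `!$update` branch, and the line it replaces read `$_POST['user_login']`. Unless `$userdata` is populated from `$_POST` above the hunk, the line should be `$user->user_login = sanitize_user( $_POST['user_login'], true );`. Separately, `$new_role` is only passed through sanitize_text_field() before being used as a key into `$wp_roles->role_objects` (here and in add_user() at the top of this section), so a role name that is not registered likely ends in a method call on a non-object; checking `$wp_roles->is_role( $new_role )`, which user-edit.php in this same changeset already uses, before the lookup would reject it cleanly. If `sanitize_url()` is still the deprecated alias at this revision, `esc_url_raw()`, which this changeset registers in default-filters.php, is the non-deprecated form for the `user_url` line. edit_user() starts and ends outside the hunk.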
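--- a/trunk/wp-admin/user-edit.php
+++ b/trunk/wp-admin/user-edit.php
@@ -285,5 +285,5 @@
 <tr>
     <th><label for="description"><?php _e('Biographical Info'); ?></label></th>
-    <td><textarea name="description" id="description" rows="5" cols="30"><?php echo $profileuser->description ?></textarea><br />
+    <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_html($profileuser->description); ?></textarea><br />
     <span class="description"><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.'); ?></span></td>
 </tr>
@@ -312,5 +312,5 @@
 ?>
 
-<?php if (count($profileuser->caps) > count($profileuser->roles) && apply_filters('additional_capabilities_display', true, $profileuser)): ?>
+<?php if ( count($profileuser->caps) > count($profileuser->roles) && apply_filters('additional_capabilities_display', true, $profileuser) ) { ?>
 <br class="clear" />
     <table width="99%" style="border: none;" cellspacing="2" cellpadding="3" class="editform">
@@ -319,7 +319,8 @@
             <td><?php
             $output = '';
-            foreach($profileuser->caps as $cap => $value) {
-                if(!$wp_roles->is_role($cap)) {
-                    if($output != '') $output .= ', ';
+            foreach ( $profileuser->caps as $cap => $value ) {
+                if ( !$wp_roles->is_role($cap) ) {
+                    if ( $output != '' )
+                        $output .= ', ';
                     $output .= $value ? $cap : "Denied: {$cap}";
                 }
@@ -329,5 +330,5 @@
         </tr>
     </table>
-<?php endif; ?>
+<?php } ?>
 
 <p class="submit">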
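Review bot: In the additional-capabilities loop, `$cap` is concatenated into `$output` unescaped (`$output .= $value ? $cap : "Denied: {$cap}";`) while the same file now escapes the description on output. Capability keys come from stored user meta rather than the request, so the exposure is low, but for consistency with what this changeset sets out to do the line could read `$output .= $value ? esc_html( $cap ) : sprintf( __( 'Denied: %s' ), esc_html( $cap ) );`, which also makes the "Denied:" label translatable. Where `$output` is finally echoed is outside the hunk.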
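--- a/trunk/wp-admin/users.php
+++ b/trunk/wp-admin/users.php
@@ -386,12 +386,4 @@
 </div>
 
-<?php
-    foreach ( array('user_login' => 'user_login', 'first_name' => 'user_firstname', 'last_name' => 'user_lastname', 'email' => 'user_email', 'url' => 'user_uri', 'role' => 'user_role') as $formpost => $var ) {
-        $var = 'new_' . $var;
-        $$var = isset($_REQUEST[$formpost]) ? esc_attr(stripslashes($_REQUEST[$formpost])) : '';
-    }
-    unset($name);
-?>
-
 <br class="clear" />
 <?php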
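--- a/trunk/wp-includes/capabilities.php
+++ b/trunk/wp-includes/capabilities.php
@@ -448,4 +448,13 @@
      */
     var $last_name = '';
+
+    /**
+     * The filter context applied to user data fields.
+     *
+     * @since 2.9.0
+     * @access private
+     * @var string
+     */
+    var $filter = null;
 
     /**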
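--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -18,20 +18,34 @@
     'pre_user_nickname');
 foreach ( $filters as $filter ) {
-    add_filter($filter, 'strip_tags');
+    add_filter($filter, 'sanitize_text_field');
+    add_filter($filter, 'wp_filter_kses');
+    add_filter($filter, '_wp_specialchars', 30);
+}
+
+// Strip, kses, special chars for string display
+$filters = array('term_name', 'comment_author_name', 'link_name', 'link_target', 'link_rel', 'user_display_name', 'user_first_name', 'user_last_name', 'user_nickname');
+foreach ( $filters as $filter ) {
+    add_filter($filter, 'sanitize_text_field');
+    add_filter($filter, 'wp_filter_kses');
+    add_filter($filter, '_wp_specialchars', 30);
+}
+
+// Kses only for textarea saves and displays
+$filters = array('pre_term_description', 'term_description', 'pre_link_description', 'link_description', 'pre_link_notes', 'link_notes', 'pre_user_description', 'user_description');
+foreach ( $filters as $filter ) {
+    add_filter($filter, 'wp_filter_kses');
+}
+
+// Email saves
+$filters = array('pre_comment_author_email', 'pre_user_email');
+foreach ( $filters as $filter ) {
     add_filter($filter, 'trim');
-    add_filter($filter, 'wp_filter_kses');
-    add_filter($filter, '_wp_specialchars', 30);
-}
-
-// Kses only for textarea saves
-$filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description');
-foreach ( $filters as $filter ) {
-    add_filter($filter, 'wp_filter_kses');
-}
-
-// Email
-$filters = array('pre_comment_author_email', 'pre_user_email');
-foreach ( $filters as $filter ) {
-    add_filter($filter, 'trim');
+    add_filter($filter, 'sanitize_email');
+    add_filter($filter, 'wp_filter_kses');
+}
+
+// Email display
+$filters = array('comment_author_email', 'user_email');
+foreach ( $filters as $filter ) {
     add_filter($filter, 'sanitize_email');
     add_filter($filter, 'wp_filter_kses');
@@ -42,6 +56,5 @@
     'pre_link_rss');
 foreach ( $filters as $filter ) {
-    add_filter($filter, 'strip_tags');
-    add_filter($filter, 'trim');
+    add_filter($filter, 'wp_strip_all_tags');
     add_filter($filter, 'esc_url_raw');
     add_filter($filter, 'wp_filter_kses');
@@ -51,6 +64,5 @@
 $filters = array('user_url', 'link_url', 'link_image', 'link_rss', 'comment_url');
 foreach ( $filters as $filter ) {
-    add_filter($filter, 'strip_tags');
-    add_filter($filter, 'trim');
+    add_filter($filter, 'wp_strip_all_tags');
     add_filter($filter, 'esc_url');
     add_filter($filter, 'wp_filter_kses');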
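Review bot: The new display filter groups (`term_name`, `user_display_name`, … and `term_description`/`user_description`) register `wp_filter_kses`, the same callback the `pre_*` save filters use on slashed form input. If wp_filter_kses() still wraps wp_kses() in a stripslashes()/addslashes() pair, running it at display time will emit a backslash before every quote in names such as O'Reilly; the display groups need a kses callback that does not add slashes (wp_kses_data(), if it is available at this revision). A one-line comment on the `// Strip, kses, special chars for string display` block saying that display values are unslashed would keep the two groups from being conflated again.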
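--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -629,5 +629,5 @@
 function sanitize_user( $username, $strict = false ) {
     $raw_username = $username;
-    $username = strip_tags($username);
+    $username = wp_strip_all_tags($username);
     // Kill octets
     $username = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $username);
@@ -2246,5 +2246,4 @@
     $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
     return apply_filters( 'esc_html', $safe_text, $text );
-    return $text;
 }
 
@@ -2602,5 +2601,5 @@
  */
 function wp_html_excerpt( $str, $count ) {
-    $str = strip_tags( $str );
+    $str = wp_strip_all_tags( $str, true );
     $str = mb_substr( $str, 0, $count );
     // remove part of an entity at the end
@@ -2669,4 +2668,5 @@
             $content);
 }
+
 /**
  * Callback to add a target attribute to all links in passed content.
@@ -2693,3 +2693,53 @@
 }
 
+/**
+ * Properly strip all HTML tags including script and style
+ *
+ * @since 2.9.0
+ *
+ * @param string $string String containing HTML tags
+ * @param bool $remove_breaks optional Whether to remove left over line breaks and white space chars
+ * @return string The processed string.
+ */
+function wp_strip_all_tags($string, $remove_breaks = false) {
+    $string = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $string );
+    $string = strip_tags($string);
+
+    if ( $remove_breaks )
+        $string = preg_replace('/\s+/', ' ', $string);
+
+    return trim($string);
+}
+
+/**
+ * Sanitize a string from user input or from the db
+ *
+ * check for invalid UTF-8,
+ * Convert single < characters to entity,
+ * strip all tags,
+ * remove line breaks, tabs and extra whitre space,
+ * strip octets.
+ *
+ * @since 2.9
+ *
+ * @param string $str
+ * @return string
+ */
+function sanitize_text_field($str) {
+    $filtered = wp_check_invalid_utf8( $str );
+
+    if ( strpos($filtered, '<') !== false ) {
+        $filtered = wp_pre_kses_less_than( $filtered );
+        $filtered = wp_strip_all_tags( $filtered, true );
+    } else {
+         $filtered = trim( preg_replace('/\s+/', ' ', $filtered) );
+    }
+
+    $match = array();
+    while ( preg_match('/%[a-f0-9]{2}/i', $filtered, $match) )
+        $filtered = str_replace($match[0], '', $filtered);
+
+    return apply_filters('sanitize_text_field', $filtered, $str);
+}
+
 ?>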
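Review bot: sanitize_text_field()'s docblock is tagged `@since 2.9` while wp_strip_all_tags() in the same hunk uses `@since 2.9.0`, and the description line `remove line breaks, tabs and extra whitre space,` misspells "white". The `while ( preg_match('/%[a-f0-9]{2}/i', …) )` loop at the end deserves a why-comment, because a single preg_replace() looks like the obvious simplification but would leave octets that are re-formed by a removal in place (`%%2020` loses the inner `%20` and becomes `%20`); suggested: `// Loop until no octets remain: removing one %xx can expose another (e.g. "%%2020").`. The `else` branch line `$filtered = trim( preg_replace('/\s+/', ' ', $filtered) );` is also indented one column deeper than its siblings.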
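--- a/trunk/wp-includes/registration.php
+++ b/trunk/wp-includes/registration.php
@@ -170,5 +170,5 @@
     $user_nicename_check = $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1" , $user_nicename, $user_login));
 
-    if ($user_nicename_check) {
+    if ( $user_nicename_check ) {
         $suffix = 2;
         while ($user_nicename_check) {
@@ -199,8 +199,9 @@
     update_usermeta( $user_id, 'admin_color', $admin_color);
     update_usermeta( $user_id, 'use_ssl', $use_ssl);
-    foreach (_wp_get_user_contactmethods() as $method => $name) {
+
+    foreach ( _wp_get_user_contactmethods() as $method => $name ) {
         if ( empty($$method) )
             $$method = '';
-
+
         update_usermeta( $user_id, $method, $$method );
     }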
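--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -618,3 +618,120 @@
 }
 
+/**
+ * Sanitize every user field.
+ *
+ * If the context is 'raw', then the user object or array will get minimal santization of the int fields.
+ *
+ * @since 2.3.0
+ * @uses sanitize_user_field() Used to sanitize the fields.
+ *
+ * @param object|array $user The User Object or Array
+ * @param string $context Optional, default is 'display'. How to sanitize user fields.
+ * @return object|array The now sanitized User Object or Array (will be the same type as $user)
+ */
+function sanitize_user_object($user, $context = 'display') {
+    if ( is_object($user) ) {
+        if ( !isset($user->ID) )
+            $user->ID = 0;
+        if ( isset($user->data) )
+            $vars = get_object_vars( $user->data );
+        else
+            $vars = get_object_vars($user);
+        foreach ( array_keys($vars) as $field ) {
+            if ( is_array($user->$field) )
+                continue;
+            $user->$field = sanitize_user_field($field, $user->$field, $user->ID, $context);
+        }
+        $user->filter = $context;
+    } else {
+        if ( !isset($user['ID']) )
+            $user['ID'] = 0;
+        foreach ( array_keys($user) as $field )
+            $user[$field] = sanitize_user_field($field, $user[$field], $user['ID'], $context);
+        $user['filter'] = $context;
+    }
+
+    return $user;
+}
+
+/**
+ * Sanitize user field based on context.
+ *
+ * Possible context values are:  'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The
+ * 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display'
+ * when calling filters.
+ *
+ * @since 2.3.0
+ * @uses apply_filters() Calls 'edit_$field' and '${field_no_prefix}_edit_pre' passing $value and
+ *  $user_id if $context == 'edit' and field name prefix == 'user_'.
+ *
+ * @uses apply_filters() Calls 'edit_user_$field' passing $value and $user_id if $context == 'db'.
+ * @uses apply_filters() Calls 'pre_$field' passing $value if $context == 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls '${field}_pre' passing $value if $context == 'db' and field name prefix != 'user_'.
+ *
+ * @uses apply_filters() Calls '$field' passing $value, $user_id and $context if $context == anything
+ *  other than 'raw', 'edit' and 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls 'user_$field' passing $value if $context == anything other than 'raw',
+ *  'edit' and 'db' and field name prefix != 'user_'.
+ *
+ * @param string $field The user Object field name.
+ * @param mixed $value The user Object value.
+ * @param int $user_id user ID.
+ * @param string $context How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display',
+ *               'attribute' and 'js'.
+ * @return mixed Sanitized value.
+ */
+function sanitize_user_field($field, $value, $user_id, $context) {
+    $int_fields = array('ID');
+    if ( in_array($field, $int_fields) )
+        $value = (int) $value;
+
+    if ( 'raw' == $context )
+        return $value;
+
+    if ( is_array($value) )
+        return $value;
+
+    $prefixed = false;
+    if ( false !== strpos($field, 'user_') ) {
+        $prefixed = true;
+        $field_no_prefix = str_replace('user_', '', $field);
+    }
+
+    if ( 'edit' == $context ) {
+        if ( $prefixed ) {
+            $value = apply_filters("edit_$field", $value, $user_id);
+        } else {
+            $value = apply_filters("edit_user_$field", $value, $user_id);
+        }
+
+        if ( 'description' == $field )
+            $value = esc_html($value);
+        else
+            $value = esc_attr($value);
+    } else if ( 'db' == $context ) {
+        if ( $prefixed ) {
+            $value = apply_filters("pre_$field", $value);
+        } else {
+            $value = apply_filters("pre_user_$field", $value);
+        }
+    } else {
+        // Use display filters by default.
+        if ( $prefixed )
+            $value = apply_filters($field, $value, $user_id, $context);
+        else
+            $value = apply_filters("user_$field", $value, $user_id, $context);
+    }
+
+    if ( 'user_url' == $field )
+        $value = esc_url($value);
+
+    if ( 'attribute' == $context )
+        $value = esc_attr($value);
+    else if ( 'js' == $context )
+        $value = esc_js($value);
+
+    return $value;
+}
+
 ?>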
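Review bot: sanitize_user_field() assigns `$field_no_prefix = str_replace('user_', '', $field);` but never reads it, and the docblock promises an `'${field_no_prefix}_edit_pre'` filter and a `'${field}_pre'` filter that the body never applies; the `'db'` branch actually calls `pre_$field` / `pre_user_$field`, and `edit_user_$field` belongs to the `'edit'` branch, not `'db'` as the `@uses` line says. Either apply the documented filters or rewrite the `@uses` list to match the code, and drop the unused assignment. Both new functions carry `@since 2.3.0` although this changeset introduces them and its other additions are tagged 2.9.0, and `santization` in the sanitize_user_object() docblock is a typo. Worth a comment as well: `$prefixed` is set by `false !== strpos($field, 'user_')`, which matches 'user_' anywhere in the field name rather than only as a prefix, so the "field name prefix" wording in the docblock overstates what the check does.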