

Timestamp:
09/14/2009 01:57:48 PM (15 years ago)
Author:
ryan
Message:

Filter fields through kses upon display. Introduce sanitize_user_object() and sanitize_user_field(). see #10751

File:
1 edited

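--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -629,5 +629,5 @@
 function sanitize_user( $username, $strict = false ) {
     $raw_username = $username;
-    $username = strip_tags($username);
+    $username = wp_strip_all_tags($username);
     // Kill octets
     $username = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $username);
@@ -2246,5 +2246,4 @@
     $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
     return apply_filters( 'esc_html', $safe_text, $text );
-    return $text;
 }
 
@@ -2602,5 +2601,5 @@
  */
 function wp_html_excerpt( $str, $count ) {
-    $str = strip_tags( $str );
+    $str = wp_strip_all_tags( $str, true );
     $str = mb_substr( $str, 0, $count );
     // remove part of an entity at the end
@@ -2669,4 +2668,5 @@
             $content);
 }
+
 /**
  * Callback to add a target attribute to all links in passed content.
@@ -2693,3 +2693,53 @@
 }
 
+/**
+ * Properly strip all HTML tags including script and style
+ *
+ * @since 2.9.0
+ *
+ * @param string $string String containing HTML tags
+ * @param bool $remove_breaks optional Whether to remove left over line breaks and white space chars
+ * @return string The processed string.
+ */
+function wp_strip_all_tags($string, $remove_breaks = false) {
+    $string = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $string );
+    $string = strip_tags($string);
+
+    if ( $remove_breaks )
+        $string = preg_replace('/\s+/', ' ', $string);
+
+    return trim($string);
+}
+
+/**
+ * Sanitize a string from user input or from the db
+ *
+ * check for invalid UTF-8,
+ * Convert single < characters to entity,
+ * strip all tags,
+ * remove line breaks, tabs and extra whitre space,
+ * strip octets.
+ *
+ * @since 2.9
+ *
+ * @param string $str
+ * @return string
+ */
+function sanitize_text_field($str) {
+    $filtered = wp_check_invalid_utf8( $str );
+
+    if ( strpos($filtered, '<') !== false ) {
+        $filtered = wp_pre_kses_less_than( $filtered );
+        $filtered = wp_strip_all_tags( $filtered, true );
+    } else {
+         $filtered = trim( preg_replace('/\s+/', ' ', $filtered) );
+    }
+
+    $match = array();
+    while ( preg_match('/%[a-f0-9]{2}/i', $filtered, $match) )
+        $filtered = str_replace($match[0], '', $filtered);
+
+    return apply_filters('sanitize_text_field', $filtered, $str);
+}
+
 ?>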
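Review bot: The docblock of wp_strip_all_tags (new line 2696) says the function strips script and style, but the regex on 2705 only removes a block when its closing tag is present, so a `<script>` with no matching `</script>` has just its tags removed by strip_tags and its body survives as plain text; I would add `* Script/style bodies are dropped only when a matching closing tag is present; unclosed blocks lose just their tags.` to the docblock so callers do not treat the output as display-safe without escaping. In sanitize_text_field, the `while ( preg_match(...) )` loop at 2739-2740 looks like a single-pass `preg_replace` would do the same job, but the loop is what catches an octet that re-forms after a removal (constructed example: `%%2541` becomes `%41` once `%25` is dropped), so a one-line comment `// loop, not a single pass: removing an octet can expose a new one (e.g. %%2541 -> %41)` would guard against a future simplification. The docblock at 2717-2723 also has `whitre` for `white` and `@since 2.9` where the sibling function uses `@since 2.9.0`.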