

Timestamp:
09/14/2009 01:57:48 PM (15 years ago)
Author:
ryan
Message:

Filter fields through kses upon display. Introduce sanitize_user_object() and sanitize_user_field(). see #10751

File:
1 edited

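--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -618,3 +618,120 @@
 }
 
+/**
+ * Sanitize every user field.
+ *
+ * If the context is 'raw', then the user object or array will get minimal santization of the int fields.
+ *
+ * @since 2.3.0
+ * @uses sanitize_user_field() Used to sanitize the fields.
+ *
+ * @param object|array $user The User Object or Array
+ * @param string $context Optional, default is 'display'. How to sanitize user fields.
+ * @return object|array The now sanitized User Object or Array (will be the same type as $user)
+ */
+function sanitize_user_object($user, $context = 'display') {
+    if ( is_object($user) ) {
+        if ( !isset($user->ID) )
+            $user->ID = 0;
+        if ( isset($user->data) )
+            $vars = get_object_vars( $user->data );
+        else
+            $vars = get_object_vars($user);
+        foreach ( array_keys($vars) as $field ) {
+            if ( is_array($user->$field) )
+                continue;
+            $user->$field = sanitize_user_field($field, $user->$field, $user->ID, $context);
+        }
+        $user->filter = $context;
+    } else {
+        if ( !isset($user['ID']) )
+            $user['ID'] = 0;
+        foreach ( array_keys($user) as $field )
+            $user[$field] = sanitize_user_field($field, $user[$field], $user['ID'], $context);
+        $user['filter'] = $context;
+    }
+
+    return $user;
+}
+
+/**
+ * Sanitize user field based on context.
+ *
+ * Possible context values are:  'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The
+ * 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display'
+ * when calling filters.
+ *
+ * @since 2.3.0
+ * @uses apply_filters() Calls 'edit_$field' and '${field_no_prefix}_edit_pre' passing $value and
+ *  $user_id if $context == 'edit' and field name prefix == 'user_'.
+ *
+ * @uses apply_filters() Calls 'edit_user_$field' passing $value and $user_id if $context == 'db'.
+ * @uses apply_filters() Calls 'pre_$field' passing $value if $context == 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls '${field}_pre' passing $value if $context == 'db' and field name prefix != 'user_'.
+ *
+ * @uses apply_filters() Calls '$field' passing $value, $user_id and $context if $context == anything
+ *  other than 'raw', 'edit' and 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls 'user_$field' passing $value if $context == anything other than 'raw',
+ *  'edit' and 'db' and field name prefix != 'user_'.
+ *
+ * @param string $field The user Object field name.
+ * @param mixed $value The user Object value.
+ * @param int $user_id user ID.
+ * @param string $context How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display',
+ *               'attribute' and 'js'.
+ * @return mixed Sanitized value.
+ */
+function sanitize_user_field($field, $value, $user_id, $context) {
+    $int_fields = array('ID');
+    if ( in_array($field, $int_fields) )
+        $value = (int) $value;
+
+    if ( 'raw' == $context )
+        return $value;
+
+    if ( is_array($value) )
+        return $value;
+
+    $prefixed = false;
+    if ( false !== strpos($field, 'user_') ) {
+        $prefixed = true;
+        $field_no_prefix = str_replace('user_', '', $field);
+    }
+
+    if ( 'edit' == $context ) {
+        if ( $prefixed ) {
+            $value = apply_filters("edit_$field", $value, $user_id);
+        } else {
+            $value = apply_filters("edit_user_$field", $value, $user_id);
+        }
+
+        if ( 'description' == $field )
+            $value = esc_html($value);
+        else
+            $value = esc_attr($value);
+    } else if ( 'db' == $context ) {
+        if ( $prefixed ) {
+            $value = apply_filters("pre_$field", $value);
+        } else {
+            $value = apply_filters("pre_user_$field", $value);
+        }
+    } else {
+        // Use display filters by default.
+        if ( $prefixed )
+            $value = apply_filters($field, $value, $user_id, $context);
+        else
+            $value = apply_filters("user_$field", $value, $user_id, $context);
+    }
+
+    if ( 'user_url' == $field )
+        $value = esc_url($value);
+
+    if ( 'attribute' == $context )
+        $value = esc_attr($value);
+    else if ( 'js' == $context )
+        $value = esc_js($value);
+
+    return $value;
+}
+
 ?>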
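Review bot: In sanitize_user_field the prefix test `false !== strpos($field, 'user_')` treats any field whose name merely contains `user_` as prefixed, and `str_replace('user_', '', $field)` strips every occurrence, so a field such as `some_user_x` would be routed to the bare `$field` / `edit_$field` / `pre_$field` filter names instead of the `user_`-prefixed ones the docblock promises; an anchored check, `if ( 0 === strpos($field, 'user_') ) {`, matches the documented "field name prefix == 'user_'" contract. `$field_no_prefix` is assigned but never read, and the `@uses` lines do not match the code: no `${field_no_prefix}_edit_pre` or `${field}_pre` filter is applied, `edit_user_$field` runs in the 'edit' context rather than 'db', and the non-prefixed 'db' branch calls `pre_user_$field`, so either drop the unused variable and regenerate the `@uses` list from the branches or add the missing filter calls. Since the 'display' branch only calls apply_filters (plus esc_url for user_url), the kses filtering named in the commit message presumably relies on hooks registered outside this one-file changeset; a comment such as `// Output escaping for 'display' is expected from filters hooked on the field name, e.g. kses; this function adds none itself.` would make that dependency visible. Minor: `in_array($field, $int_fields)` should pass `true` as the third argument.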