Make WordPress Core

Changeset 18705


Ignore:
Timestamp:
09/18/2011 07:53:59 PM (13 years ago)
Author:
nacin
Message:

Strip a number of special characters in sanitize_title_with_dashes on save. Includes quotes (curly, angle), dashes, marks, etc. props SergeyBiryukov. props ampt for the unit tests in [UT438]. see #10797.

Location:
trunk/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/default-filters.php

    r18680 r18705  
    183183add_filter( 'tiny_mce_before_init',     '_mce_set_direction'                  );
    184184add_filter( 'pre_kses',                 'wp_pre_kses_less_than'               );
    185 add_filter( 'sanitize_title',           'sanitize_title_with_dashes'          );
     185add_filter( 'sanitize_title',           'sanitize_title_with_dashes',   10, 3 );
    186186add_action( 'check_comment_flood',      'check_comment_flood_db',       10, 3 );
    187187add_filter( 'comment_flood_filter',     'wp_throttle_comment_flood',    10, 3 );
  • trunk/wp-includes/formatting.php

    r18633 r18705  
    804804
    805805/**
    806  * Sanitizes title, replacing whitespace with dashes.
     806 * Sanitizes title, replacing whitespace and a few other characters with dashes.
    807807 *
    808808 * Limits the output to alphanumeric characters, underscore (_) and dash (-).
     
    812812 *
    813813 * @param string $title The title to be sanitized.
     814 * @param string $raw_title Optional. Not used.
     815 * @param string $context Optional. The operation for which the string is sanitized.
    814816 * @return string The sanitized title.
    815817 */
    816 function sanitize_title_with_dashes($title) {
     818function sanitize_title_with_dashes($title, $raw_title = '', $context = 'display') {
    817819    $title = strip_tags($title);
    818820    // Preserve escaped octets.
     
    833835    $title = preg_replace('/&.+?;/', '', $title); // kill entities
    834836    $title = str_replace('.', '-', $title);
     837
     838    if ( 'save' == $context ) {
     839        // nbsp, ndash and mdash
     840        $title = str_replace( array( '%c2%a0', '%e2%80%93', '%e2%80%94' ), '-', $title );
     841        // iexcl and iquest
     842        $title = str_replace( array( '%c2%a1', '%c2%bf' ), '', $title );
     843        // angle quotes
     844        $title = str_replace( array( '%c2%ab', '%c2%bb', '%e2%80%b9', '%e2%80%ba' ), '', $title );
     845        // curly quotes
     846        $title = str_replace( array( '%e2%80%98', '%e2%80%99', '%e2%80%9c', '%e2%80%9d' ), '', $title );
     847        // copy, reg, deg, hellip and trade
     848        $title = str_replace( array( '%c2%a9', '%c2%ae', '%c2%b0', '%e2%80%a6', '%e2%84%a2' ), '', $title );
     849    }
     850
    835851    $title = preg_replace('/[^%a-z0-9 _-]/', '', $title);
    836852    $title = preg_replace('/\s+/', '-', $title);
Note: See TracChangeset for help on using the changeset viewer.