Changeset 19675

Timestamp:

01/04/2012 07:45:13 PM (13 years ago)

Author:

ryan

Message:

Introduce sanitize_trackback_urls(). Don't ping bad urls. Don't ping bad urls or save them to the DB. Props xknown, SergeyBiryukov. fixes #17560

Location:

trunk/wp-includes

Files:

• formatting.php (modified) (1 diff)
• post.php (modified) (2 diffs)

trunk/wp-includes/formatting.php

@@ -3003 +3003 @@
 }
 
+/**
+ * Sanitize space or carriage return separated URLs that are used to send trackbacks.
+ *
+ * @since 3.4.0
+ *
+ * @param string $to_ping Space or carriage return separated URLs
+ * @return string URLs starting with the http or https protocol, separated by a carriage return.
+ */
+function sanitize_trackback_urls( $to_ping ) {
+    $urls_to_ping = preg_split( '/\r\n\t /', trim( $to_ping ), -1, PREG_SPLIT_NO_EMPTY );
+    foreach ( $urls_to_ping as $k => $url ) {
+        if ( !preg_match( '#^https?://.#i', $url ) )
+            unset( $urls_to_ping[$k] );
+    }
+    $urls_to_ping = array_map( 'esc_url_raw', $urls_to_ping );
+    $urls_to_ping = implode( "\n", $urls_to_ping );
+    return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
+}
+
 ?>

trunk/wp-includes/post.php

@@ -2538 +2538 @@
 
     if ( isset($to_ping) )
-        $to_ping = preg_replace('|\s+|', "\n", $to_ping);
+        $to_ping = sanitize_trackback_urls( $to_ping );
     else
         $to_ping = '';
@@ -3065 +3065 @@
     global $wpdb;
     $to_ping = $wpdb->get_var( $wpdb->prepare( "SELECT to_ping FROM $wpdb->posts WHERE ID = %d", $post_id ));
-    $to_ping = trim($to_ping);
+    $to_ping = sanitize_trackback_urls( $to_ping );
     $to_ping = preg_split('/\s/', $to_ping, -1, PREG_SPLIT_NO_EMPTY);
     $to_ping = apply_filters('get_to_ping',  $to_ping);