
Changeset 23416


Timestamp:
02/14/13 22:51:06 (17 months ago)
Author:
ryan
Message:

Change all core API to expect unslashed rather than slashed arguments.

The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_update_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767

Location:
trunk
Files:
86 edited

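--- a/trunk/wp-admin/admin.php
+++ b/trunk/wp-admin/admin.php
@@ -44,6 +44,6 @@
 } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
     if ( !is_multisite() ) {
-        wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI']))));
+        wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
         exit;
     } elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
@@ -85,5 +85,5 @@
 
 if ( isset($_GET['page']) ) {
-    $plugin_page = stripslashes($_GET['page']);
+    $plugin_page = wp_unslash( $_GET['page'] );
     $plugin_page = plugin_basename($plugin_page);
 }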
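--- a/trunk/wp-admin/custom-background.php
+++ b/trunk/wp-admin/custom-background.php
@@ -379,5 +379,5 @@
         // Add the meta-data
         wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
-        update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
+        wp_update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
 
         set_theme_mod('background_image', esc_url_raw($url));
@@ -416,5 +416,5 @@
             $size = esc_attr( $_POST['size'] );
 
-        update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
+        wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
         $url = wp_get_attachment_image_src( $attachment_id, $size );
         $thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' );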
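--- a/trunk/wp-admin/custom-header.php
+++ b/trunk/wp-admin/custom-header.php
@@ -949,5 +949,5 @@
             );
 
-            update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
+            wp_update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
             set_theme_mod( 'header_image', $choice['url'] );
             set_theme_mod( 'header_image_data', $header_image_data );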
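--- a/trunk/wp-admin/edit-comments.php
+++ b/trunk/wp-admin/edit-comments.php
@@ -21,7 +21,7 @@
 
     if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
-        $comment_status = $wpdb->escape( $_REQUEST['comment_status'] );
-        $delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] );
-        $comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" );
+        $comment_status = $_REQUEST['comment_status'];
+        $delete_time = $_REQUEST['pagegen_timestamp'];
+        $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
         $doaction = 'delete';
     } elseif ( isset( $_REQUEST['delete_comments'] ) ) {
@@ -96,5 +96,5 @@
     exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
      exit;
 }
@@ -154,5 +154,5 @@
 
 if ( isset($_REQUEST['s']) && $_REQUEST['s'] )
-    printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
+    printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
 </h2>
 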
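Review bot: The rewritten delete_all query at new line 25 is correctly parameterised, but `$delete_time` still reaches MySQL as an arbitrary request string compared against comment_date_gmt, and `$comment_status` is likewise unvalidated; unlike the other request values in this changeset, neither goes through wp_unslash() either. If pagegen_timestamp is not a well-formed datetime, which comments the `%s > comment_date_gmt` clause selects for deletion depends on MySQL's coercion of the bad value rather than on the intended cut-off. A shape check before the query, e.g. `if ( ! preg_match( '/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $delete_time ) ) wp_die( __( 'Cheatin&#8217; uh?' ) );`, pins the input to the format comment_date_gmt uses. The surrounding action-dispatch block starts before this hunk.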
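--- a/trunk/wp-admin/edit-form-advanced.php
+++ b/trunk/wp-admin/edit-form-advanced.php
@@ -305,5 +305,5 @@
 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" />
 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" />
-<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url( wp_get_referer() ); ?>" />
 <?php if ( ! empty( $active_post_lock ) ) { ?>
 <input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" />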
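--- a/trunk/wp-admin/edit-form-comment.php
+++ b/trunk/wp-admin/edit-form-comment.php
@@ -133,5 +133,5 @@
 <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
 <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url( wp_get_referer() ); ?>" />
 <?php wp_original_referer_field(true, 'previous'); ?>
 <input type="hidden" name="noredir" value="1" />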
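--- a/trunk/wp-admin/edit-tags.php
+++ b/trunk/wp-admin/edit-tags.php
@@ -48,5 +48,7 @@
         wp_die( __( 'Cheatin&#8217; uh?' ) );
 
-    $ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST );
+    $post_data = wp_unslash( $_POST );
+
+    $ret = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
     $location = 'edit-tags.php?taxonomy=' . $taxonomy;
     if ( 'post' != $post_type )
@@ -133,5 +135,8 @@
 
 case 'editedtag':
-    $tag_ID = (int) $_POST['tag_ID'];
+
+    $post_data = wp_unslash( $_POST );
+
+    $tag_ID = (int) $post_data['tag_ID'];
     check_admin_referer( 'update-tag_' . $tag_ID );
 
@@ -143,5 +148,5 @@
         wp_die( __( 'You attempted to edit an item that doesn&#8217;t exist. Perhaps it was deleted?' ) );
 
-    $ret = wp_update_term( $tag_ID, $taxonomy, $_POST );
+    $ret = wp_update_term( $tag_ID, $taxonomy, $post_data );
 
     $location = 'edit-tags.php?taxonomy=' . $taxonomy;
@@ -165,5 +170,5 @@
 default:
 if ( ! empty($_REQUEST['_wp_http_referer']) ) {
-    $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );
+    $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) );
 
     if ( ! empty( $_REQUEST['paged'] ) )
@@ -265,6 +270,6 @@
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title );
-if ( !empty($_REQUEST['s']) )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
+if ( ! empty($_REQUEST['s']) )
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash( $_REQUEST['s'] ) ) ); ?>
 </h2>
 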
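--- a/trunk/wp-admin/edit.php
+++ b/trunk/wp-admin/edit.php
@@ -139,5 +139,5 @@
     exit();
 } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
-     wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );
+     wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
      exit;
 }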
  • trunk/wp-admin/includes/ajax-actions.php

    r23382 r23416  
    6060    } 
    6161 
    62     $s = stripslashes( $_GET['q'] ); 
     62    $s = wp_unslash( $_GET['q'] ); 
    6363 
    6464    $comma = _x( ',', 'tag delimiter' ); 
     
    280280 
    281281function _wp_ajax_add_hierarchical_term() { 
    282     $action = $_POST['action']; 
     282    $post_data = wp_unslash( $_POST ); 
     283 
     284    $action = $post_data['action']; 
    283285    $taxonomy = get_taxonomy(substr($action, 4)); 
    284286    check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy->name ); 
    285287    if ( !current_user_can( $taxonomy->cap->edit_terms ) ) 
    286288        wp_die( -1 ); 
    287     $names = explode(',', $_POST['new'.$taxonomy->name]); 
    288     $parent = isset($_POST['new'.$taxonomy->name.'_parent']) ? (int) $_POST['new'.$taxonomy->name.'_parent'] : 0; 
     289    $names = explode(',', $post_data['new'.$taxonomy->name]); 
     290    $parent = isset($post_data['new'.$taxonomy->name.'_parent']) ? (int) $post_data['new'.$taxonomy->name.'_parent'] : 0; 
    289291    if ( 0 > $parent ) 
    290292        $parent = 0; 
    291293    if ( $taxonomy->name == 'category' ) 
    292         $post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array(); 
     294        $post_category = isset( $post_data['post_category'] ) ? (array) $post_data['post_category'] : array(); 
    293295    else 
    294         $post_category = ( isset($_POST['tax_input']) && isset($_POST['tax_input'][$taxonomy->name]) ) ? (array) $_POST['tax_input'][$taxonomy->name] : array(); 
     296        $post_category = ( isset( $post_data['tax_input'] ) && isset( $post_data['tax_input'][$taxonomy->name] ) ) ? (array) $post_data['tax_input'][$taxonomy->name] : array(); 
    295297    $checked_categories = array_map( 'absint', (array) $post_category ); 
    296298    $popular_ids = wp_popular_terms_checklist($taxonomy->name, 0, 10, false); 
     
    560562    if ( !current_user_can( 'manage_categories' ) ) 
    561563        wp_die( -1 ); 
    562     $names = explode(',', $_POST['newcat']); 
     564    $names = explode( ',', wp_unslash( $_POST['newcat'] ) ); 
    563565    $x = new WP_Ajax_Response(); 
    564566    foreach ( $names as $cat_name ) { 
     
    573575        else if ( is_array( $cat_id ) ) 
    574576            $cat_id = $cat_id['term_id']; 
    575         $cat_name = esc_html(stripslashes($cat_name)); 
     577        $cat_name = esc_html( wp_unslash( $cat_name ) ); 
    576578        $x->add( array( 
    577579            'what' => 'link-category', 
     
    587589    global $wp_list_table; 
    588590 
     591    $post_data = wp_unslash( $_POST ); 
     592 
    589593    check_ajax_referer( 'add-tag', '_wpnonce_add-tag' ); 
    590     $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post'; 
    591     $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; 
     594    $post_type = !empty($post_data['post_type']) ? $post_data['post_type'] : 'post'; 
     595    $taxonomy = !empty($post_data['taxonomy']) ? $post_data['taxonomy'] : 'post_tag'; 
    592596    $tax = get_taxonomy($taxonomy); 
    593597 
     
    597601    $x = new WP_Ajax_Response(); 
    598602 
    599     $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST ); 
     603    $tag = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data ); 
    600604 
    601605    if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) { 
     
    611615    } 
    612616 
    613     $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $_POST['screen'] ) ); 
     617    $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $post_data['screen'] ) ); 
    614618 
    615619    $level = 0; 
     
    729733    if ( $user->exists() ) { 
    730734        $user_ID = $user->ID; 
    731         $comment_author       = $wpdb->escape($user->display_name); 
    732         $comment_author_email = $wpdb->escape($user->user_email); 
    733         $comment_author_url   = $wpdb->escape($user->user_url); 
    734         $comment_content      = trim($_POST['content']); 
     735        $comment_author       = $user->display_name; 
     736        $comment_author_email = $user->user_email; 
     737        $comment_author_url   = $user->user_url; 
     738        $comment_content      = trim( wp_unslash( $_POST['content'] ) ); 
    735739        if ( current_user_can( 'unfiltered_html' ) ) { 
    736740            if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) { 
     
    958962    } else { // Update? 
    959963        $mid = (int) key( $_POST['meta'] ); 
    960         $key = stripslashes( $_POST['meta'][$mid]['key'] ); 
    961         $value = stripslashes( $_POST['meta'][$mid]['value'] ); 
     964        $key = wp_unslash( $_POST['meta'][$mid]['key'] ); 
     965        $value = wp_unslash( $_POST['meta'][$mid]['value'] ); 
    962966        if ( '' == trim($key) ) 
    963967            wp_die( __( 'Please provide a custom field name.' ) ); 
     
    12281232 
    12291233    if ( isset( $_POST['search'] ) ) 
    1230         $args['s'] = stripslashes( $_POST['search'] ); 
     1234        $args['s'] = wp_unslash( $_POST['search'] ); 
    12311235    $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1; 
    12321236 
     
    13291333 
    13301334    $post = get_post( $post_ID, ARRAY_A ); 
    1331     $post = add_magic_quotes($post); //since it is from db 
    13321335 
    13331336    $data['content'] = $post['post_content']; 
     
    13771380 
    13781381    check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' ); 
    1379  
    1380     $taxonomy = sanitize_key( $_POST['taxonomy'] ); 
     1382     
     1383    $post_data = wp_unslash( $_POST ); 
     1384 
     1385    $taxonomy = sanitize_key( $post_data['taxonomy'] ); 
    13811386    $tax = get_taxonomy( $taxonomy ); 
    13821387    if ( ! $tax ) 
     
    13881393    $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) ); 
    13891394 
    1390     if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) ) 
     1395    if ( ! isset($post_data['tax_ID']) || ! ( $id = (int) $post_data['tax_ID'] ) ) 
    13911396        wp_die( -1 ); 
    13921397 
    13931398    $tag = get_term( $id, $taxonomy ); 
    1394     $_POST['description'] = $tag->description; 
    1395  
    1396     $updated = wp_update_term($id, $taxonomy, $_POST); 
     1399    $post_data['description'] = $tag->description; 
     1400 
     1401    $updated = wp_update_term($id, $taxonomy, $post_data ); 
    13971402    if ( $updated && !is_wp_error($updated) ) { 
    13981403        $tag = get_term( $updated['term_id'], $taxonomy ); 
     
    14261431    unset( $post_types['attachment'] ); 
    14271432 
    1428     $s = stripslashes( $_POST['ps'] ); 
     1433    $s = wp_unslash( $_POST['ps'] ); 
    14291434    $searchand = $search = ''; 
    14301435    $args = array( 
     
    15971602    } 
    15981603 
    1599     $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array(); 
     1604    $post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( $_REQUEST['post_data'] ) : array(); 
    16001605 
    16011606    // If the context is custom header or background, make sure the uploaded file is an image. 
     
    16311636    if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) { 
    16321637        if ( 'custom-background' === $post_data['context'] ) 
    1633             update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] ); 
     1638            wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] ); 
    16341639 
    16351640        if ( 'custom-header' === $post_data['context'] ) 
    1636             update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] ); 
     1641            wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] ); 
    16371642    } 
    16381643 
     
    17791784 
    17801785    $new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1]; 
    1781     update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) ); 
     1786    wp_update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) ); 
    17821787    wp_die( 1 ); 
    17831788} 
     
    18741879        wp_send_json_error(); 
    18751880 
    1876     $changes = $_REQUEST['changes']; 
     1881    $changes = wp_unslash( $_REQUEST['changes'] ); 
    18771882    $post    = get_post( $id, ARRAY_A ); 
    18781883 
     
    18911896    if ( isset( $changes['alt'] ) ) { 
    18921897        $alt = get_post_meta( $id, '_wp_attachment_image_alt', true ); 
    1893         $new_alt = stripslashes( $changes['alt'] ); 
     1898        $new_alt = $changes['alt']; 
    18941899        if ( $alt != $new_alt ) { 
    18951900            $new_alt = wp_strip_all_tags( $new_alt, true ); 
    1896             update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) ); 
     1901            wp_update_post_meta( $id, '_wp_attachment_image_alt', $new_alt ); 
    18971902        } 
    18981903    } 
     
    19161921    if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) ) 
    19171922        wp_send_json_error(); 
    1918     $attachment_data = $_REQUEST['attachments'][ $id ]; 
     1923    $attachment_data = wp_unslash( $_REQUEST['attachments'][ $id ] ); 
    19191924 
    19201925    check_ajax_referer( 'update-post_' . $id, 'nonce' ); 
     
    19601965    check_ajax_referer( 'update-post_' . $post_id, 'nonce' ); 
    19611966 
    1962     $attachments = $_REQUEST['attachments']; 
     1967    $attachments = wp_unslash( $_REQUEST['attachments'] ); 
    19631968 
    19641969    if ( ! current_user_can( 'edit_post', $post_id ) ) 
     
    19911996    check_ajax_referer( 'media-send-to-editor', 'nonce' ); 
    19921997 
    1993     $attachment = stripslashes_deep( $_POST['attachment'] ); 
     1998    $attachment = wp_unslash( $_POST['attachment'] ); 
    19941999 
    19952000    $id = intval( $attachment['id'] ); 
     
    20462051    check_ajax_referer( 'media-send-to-editor', 'nonce' ); 
    20472052 
    2048     if ( ! $src = stripslashes( $_POST['src'] ) ) 
     2053    if ( ! $src = wp_unslash( $_POST['src'] ) ) 
    20492054        wp_send_json_error(); 
    20502055 
     
    20552060        wp_send_json_error(); 
    20562061 
    2057     if ( ! $title = trim( stripslashes( $_POST['title'] ) ) ) 
     2062    if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) ) 
    20582063        $title = wp_basename( $src ); 
    20592064 
     
    20842089     
    20852090    if ( ! empty($_POST['data']) ) { 
    2086         $data = (array) $_POST['data']; 
     2091        $data = wp_unslash( (array) $_POST['data'] ); 
    20872092        // todo: how much to sanitize and preset and what to leave to be accessed from $data or $_POST..? 
    20882093        $user = wp_get_current_user(); 
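Review bot: `$cat_name = esc_html( wp_unslash( $cat_name ) );` at new line 577 unslashes a value a second time: `$names` is built at new line 564 from `wp_unslash( $_POST['newcat'] )` and each `$cat_name` is an element of it, so a backslash in a link-category name is stripped twice and the name echoed back differs from the one inserted (unless the loop body hidden between lines 566 and 574 re-slashes it, which I cannot see). Line 577 should read `$cat_name = esc_html( $cat_name );`. Separately, `_wp_ajax_add_hierarchical_term` (new line 282) and the add-tag handler (new line 591) take the full `wp_unslash( $_POST )` copy before `check_ajax_referer()` runs, whereas the inline tax-edit handler at new lines 1381–1383 checks the nonce first; moving the copy after the nonce check keeps the cheap rejection path first. The add-tag handler begins outside the hunk shown.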
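--- a/trunk/wp-admin/includes/bookmark.php
+++ b/trunk/wp-admin/includes/bookmark.php
@@ -40,7 +40,7 @@
     if ( !empty( $link_id ) ) {
         $_POST['link_id'] = $link_id;
-        return wp_update_link( $_POST );
+        return wp_update_link( wp_unslash( $_POST ) );
     } else {
-        return wp_insert_link( $_POST );
+        return wp_insert_link( wp_unslash( $_POST ) );
     }
 }
@@ -138,5 +138,5 @@
     $linkdata = sanitize_bookmark( $linkdata, 'db' );
 
-    extract( stripslashes_deep( $linkdata ), EXTR_SKIP );
+    extract( $linkdata, EXTR_SKIP );
 
     $update = false;
@@ -251,7 +251,4 @@
     $link = get_bookmark( $link_id, ARRAY_A );
 
-    // Escape data pulled from DB.
-    $link = add_magic_quotes( $link );
-
     // Passed link category list overwrites existing category list if not empty.
     if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] )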
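Review bot: `extract( $linkdata, EXTR_SKIP );` at new line 140 runs on an array that the callers changed in this same section now pass straight from `wp_unslash( $_POST )` (new lines 42 and 44), so if sanitize_bookmark() leaves unknown keys in place, every request key becomes a local variable of the inserting function. EXTR_SKIP protects names already defined above line 140 but not ones assigned later, and it makes the function's set of locals depend on request content. Assigning the known link fields explicitly (`$link_url = $linkdata['link_url'];` and so on for the fields the function uses) instead of extract() removes that dependency. The enclosing function starts before this hunk.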
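--- a/trunk/wp-admin/includes/class-wp-comments-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-comments-list-table.php
@@ -171,5 +171,5 @@
             // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
             if ( !empty( $_REQUEST['s'] ) )
-                $link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link );
+                $link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link );
             */
             $status_links[$status] = "<a href='$link'$class>" . sprintf(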
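--- a/trunk/wp-admin/includes/class-wp-ms-sites-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-ms-sites-list-table.php
@@ -30,5 +30,5 @@
         $pagenum = $this->get_pagenum();
 
-        $s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : '';
+        $s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : '';
         $wild = '';
         if ( false !== strpos($s, '*') ) {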
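Review bot: `wp_unslash( trim( $_REQUEST[ 's' ] ) )` at new line 32 trims before unslashing, whereas WP_Terms_List_Table in this same changeset does the reverse (`trim( wp_unslash( $_REQUEST['s'] ) )`); the two orders give different results when the slashed value ends in an escaped space. Using `trim( wp_unslash( $_REQUEST['s'] ) )` here keeps search-term handling consistent across the list tables. The enclosing method starts before this hunk.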
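--- a/trunk/wp-admin/includes/class-wp-ms-themes-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-ms-themes-list-table.php
@@ -127,5 +127,5 @@
         static $term;
         if ( is_null( $term ) )
-            $term = stripslashes( $_REQUEST['s'] );
+            $term = wp_unslash( $_REQUEST['s'] );
 
         foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) {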
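--- a/trunk/wp-admin/includes/class-wp-ms-users-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-ms-users-list-table.php
@@ -174,8 +174,8 @@
                     case 'username':
                         $avatar = get_avatar( $user->user_email, 32 );
-                        $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
+                        $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
 
                         echo "<td $attributes>"; ?>
-                            <?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo stripslashes( $user->user_login ); ?></a><?php
+                            <?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo $user->user_login; ?></a><?php
                             if ( in_array( $user->user_login, $super_admins ) )
                                 echo ' - ' . __( 'Super Admin' );
@@ -187,5 +187,5 @@
 
                                 if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) {
-                                    $actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
+                                    $actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
                                 }
 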
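Review bot: `<?php echo $user->user_login; ?>` at new line 179 prints the login into HTML without escaping; the stripslashes() it replaced was not an escape either, so this is not a regression, but the neighbouring `$edit_link` goes through esc_url() and the login should get the matching HTML-context treatment, `<?php echo esc_html( $user->user_login ); ?>`. The enclosing column-rendering method starts before this hunk.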
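--- a/trunk/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -49,6 +49,6 @@
         switch ( $tab ) {
             case 'search':
-                $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-                $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
+                $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+                $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
 
                 switch ( $type ) {
@@ -74,5 +74,5 @@
 
             case 'favorites':
-                $user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
                 update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
                 if ( $user )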
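--- a/trunk/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-plugins-list-table.php
@@ -23,5 +23,5 @@
 
         if ( isset($_REQUEST['s']) )
-            $_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) );
+            $_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) );
 
         $page = $this->get_pagenum();
@@ -141,5 +141,5 @@
         static $term;
         if ( is_null( $term ) )
-            $term = stripslashes( $_REQUEST['s'] );
+            $term = wp_unslash( $_REQUEST['s'] );
 
         foreach ( $plugin as $value )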
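--- a/trunk/wp-admin/includes/class-wp-terms-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-terms-list-table.php
@@ -53,5 +53,5 @@
         }
 
-        $search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : '';
+        $search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';
 
         $args = array(
@@ -62,8 +62,8 @@
 
         if ( !empty( $_REQUEST['orderby'] ) )
-            $args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) );
+            $args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
 
         if ( !empty( $_REQUEST['order'] ) )
-            $args['order'] = trim( stripslashes( $_REQUEST['order'] ) );
+            $args['order'] = trim( wp_unslash( $_REQUEST['order'] ) );
 
         $this->callback_args = $args;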
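Review bot: `$args['orderby']` and `$args['order']` at new lines 64 and 67 are taken from the request and stored unchanged into `$this->callback_args`; if get_terms() is their only consumer its own whitelist presumably applies, but nothing at this layer constrains them. A local check such as `$args['order'] = in_array( strtoupper( $args['order'] ), array( 'ASC', 'DESC' ), true ) ? strtoupper( $args['order'] ) : 'ASC';` keeps the table self-contained should callback_args be reused elsewhere. The enclosing method starts before this hunk.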
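--- a/trunk/wp-admin/includes/class-wp-theme-install-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-theme-install-list-table.php
@@ -25,5 +25,5 @@
         $search_string = '';
         if ( ! empty( $_REQUEST['s'] ) ){
-            $search_string = strtolower( stripslashes( $_REQUEST['s'] ) );
+            $search_string = strtolower( wp_unslash( $_REQUEST['s'] ) );
             $search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) );
         }
@@ -60,5 +60,5 @@
         switch ( $tab ) {
             case 'search':
-                $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
+                $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
                 switch ( $type ) {
                     case 'tag':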
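--- a/trunk/wp-admin/includes/class-wp-themes-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-themes-list-table.php
@@ -29,5 +29,5 @@
 
         if ( ! empty( $_REQUEST['s'] ) )
-            $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) );
+            $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) );
 
         if ( ! empty( $_REQUEST['features'] ) )
@@ -236,5 +236,5 @@
      */
      function _js_vars( $extra_args = array() ) {
-        $search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
+        $search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
 
         $args = array(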
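--- a/trunk/wp-admin/includes/class-wp-upgrader.php
+++ b/trunk/wp-admin/includes/class-wp-upgrader.php
@@ -1428,5 +1428,5 @@
         $install_actions = array();
 
-        $from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins';
+        $from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
 
         if ( 'import' == $from )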
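--- a/trunk/wp-admin/includes/class-wp-users-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-users-list-table.php
@@ -242,5 +242,5 @@
         if ( current_user_can( 'list_users' ) ) {
             // Set up the user editing link
-            $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
+            $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
 
             // Set up the hover actions for this user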
  • trunk/wp-admin/includes/comment.php

    r23350 r23416  
    2020    global $wpdb; 
    2121 
    22     $comment_author = stripslashes($comment_author); 
    23     $comment_date = stripslashes($comment_date); 
    24  
    2522    return $wpdb->get_var( $wpdb->prepare("SELECT comment_post_ID FROM $wpdb->comments 
    2623            WHERE comment_author = %s AND comment_date = %s", $comment_author, $comment_date) ); 
     
    3431function edit_comment() { 
    3532 
    36     if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) ) 
     33    $post_data = wp_unslash( $_POST ); 
     34 
     35    if ( ! current_user_can( 'edit_comment', (int) $post_data['comment_ID'] ) ) 
    3736        wp_die ( __( 'You are not allowed to edit comments on this post.' ) ); 
    3837 
    39     $_POST['comment_author'] = $_POST['newcomment_author']; 
    40     $_POST['comment_author_email'] = $_POST['newcomment_author_email']; 
    41     $_POST['comment_author_url'] = $_POST['newcomment_author_url']; 
    42     $_POST['comment_approved'] = $_POST['comment_status']; 
    43     $_POST['comment_content'] = $_POST['content']; 
    44     $_POST['comment_ID'] = (int) $_POST['comment_ID']; 
     38    $post_data['comment_author'] = $post_data['newcomment_author']; 
     39    $post_data['comment_author_email'] = $post_data['newcomment_author_email']; 
     40    $post_data['comment_author_url'] = $post_data['newcomment_author_url']; 
     41    $post_data['comment_approved'] = $post_data['comment_status']; 
     42    $post_data['comment_content'] = $post_data['content']; 
     43    $post_data['comment_ID'] = (int) $post_data['comment_ID']; 
    4544 
    4645    foreach ( array ('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit ) { 
    47         if ( !empty( $_POST['hidden_' . $timeunit] ) && $_POST['hidden_' . $timeunit] != $_POST[$timeunit] ) { 
     46        if ( !empty( $post_data['hidden_' . $timeunit] ) && $post_data['hidden_' . $timeunit] != $post_data[$timeunit] ) { 
    4847            $_POST['edit_date'] = '1'; 
    4948            break; 
     
    5150    } 
    5251 
    53     if ( !empty ( $_POST['edit_date'] ) ) { 
    54         $aa = $_POST['aa']; 
    55         $mm = $_POST['mm']; 
    56         $jj = $_POST['jj']; 
    57         $hh = $_POST['hh']; 
    58         $mn = $_POST['mn']; 
    59         $ss = $_POST['ss']; 
     52    if ( !empty ( $post_data['edit_date'] ) ) { 
     53        $aa = $post_data['aa']; 
     54        $mm = $post_data['mm']; 
     55        $jj = $post_data['jj']; 
     56        $hh = $post_data['hh']; 
     57        $mn = $post_data['mn']; 
     58        $ss = $post_data['ss']; 
    6059        $jj = ($jj > 31 ) ? 31 : $jj; 
    6160        $hh = ($hh > 23 ) ? $hh -24 : $hh; 
    6261        $mn = ($mn > 59 ) ? $mn -60 : $mn; 
    6362        $ss = ($ss > 59 ) ? $ss -60 : $ss; 
    64         $_POST['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss"; 
     63        $post_data['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss"; 
    6564    } 
    6665 
    67     wp_update_comment( $_POST ); 
     66    wp_update_comment( $post_data ); 
    6867} 
    6968 
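Review bot: `edit_comment()` no longer updates the comment date when a date field changed, because line 47 still sets `$_POST['edit_date'] = '1'` while line 52 now tests `$post_data['edit_date']`, and `$post_data` is the copy produced by `wp_unslash( $_POST )` on line 33 (unless `wp_unslash()` returns by reference, which nothing here suggests). The `hidden_*` comparison on line 46 therefore has no effect, and the date branch only runs when the request itself carries `edit_date`. Line 47 should be `$post_data['edit_date'] = '1';`. A comment above line 33, `// work on an unslashed copy; $_POST itself is not modified`, would make the split between the two arrays explicit.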
  • trunk/wp-admin/includes/dashboard.php

    r23265 r23416  
    10941094 
    10951095    if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) { 
    1096         $_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] ); 
     1096        $_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] ); 
    10971097        $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] ); 
    10981098        // title is optional. If black, fill it if possible 
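Review bot: Line 1096 writes the unslashed widget data back into `$_POST['widget-rss'][$number]`, so from here on this one branch of the superglobal is unslashed while the rest of `$_POST` still carries slashes, and any later code that unslashes it again would strip backslashes the user actually typed. Since line 1097 is the only consumer visible here, a local is cleaner: `$widget_rss = wp_unslash( $_POST['widget-rss'][$number] );` followed by `$widget_options[$widget_id] = wp_widget_rss_process( $widget_rss );`. The enclosing function continues outside this hunk, so if code below relies on the mutated `$_POST`, keep the assignment but say so in a comment.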
  • trunk/wp-admin/includes/deprecated.php

    r21956 r23416  
    473473        _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' ); 
    474474 
    475         $this->search_term = stripslashes( $search_term ); 
     475        $this->search_term = $search_term; 
    476476        $this->raw_page = ( '' == $page ) ? false : (int) $page; 
    477477        $this->page = (int) ( '' == $page ) ? 1 : $page; 
     
    480480        $this->prepare_query(); 
    481481        $this->query(); 
    482         $this->prepare_vars_for_template_usage(); 
    483482        $this->do_paging(); 
    484483    } 
     
    551550     * @access public 
    552551     */ 
    553     function prepare_vars_for_template_usage() { 
    554         $this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone 
    555     } 
     552    function prepare_vars_for_template_usage() {} 
    556553 
    557554    /** 
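Review bot: `prepare_vars_for_template_usage()` on line 552 is now an empty method that keeps the docblock above it, which still reads as if it does something, and its only call on line 482 was removed so nothing in this class runs it. Since this lives in `deprecated.php` and plugins may still call it, the docblock should say so, e.g. `@deprecated The search term is no longer stored slashed; this method is a no-op kept for back-compat.`, or the body should call `_deprecated_function( __FUNCTION__, '<release>' );` the way the constructor does on line 473. Unrelated to this change but visible in the context, line 477 `$this->page = (int) ( '' == $page ) ? 1 : $page;` casts the comparison rather than the ternary result, so `$page` is assigned uncast; the intended form is `$this->page = ( '' == $page ) ? 1 : (int) $page;`.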
  • trunk/wp-admin/includes/file.php

    r23191 r23416  
    902902 
    903903    // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option) 
    904     $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']); 
    905     $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']); 
    906     $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : ''); 
     904    $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']); 
     905    $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']); 
     906    $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : ''); 
    907907 
    908908    // Check to see if we are setting the public/private keys for ssh 
    909     $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : ''); 
    910     $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : ''); 
     909    $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : ''); 
     910    $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : ''); 
    911911 
    912912    //sanitize the hostname, Some people might pass in odd-data: 
     
    926926        $credentials['connection_type'] = 'ftps'; 
    927927    else if ( !empty($_POST['connection_type']) ) 
    928         $credentials['connection_type'] = stripslashes($_POST['connection_type']); 
     928        $credentials['connection_type'] = wp_unslash( $_POST['connection_type'] ); 
    929929    else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP 
    930930        $credentials['connection_type'] = 'ftp'; 
     
    10511051foreach ( (array) $extra_fields as $field ) { 
    10521052    if ( isset( $_POST[ $field ] ) ) 
    1053         echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( stripslashes( $_POST[ $field ] ) ) . '" />'; 
     1053        echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />'; 
    10541054} 
    10551055submit_button( __( 'Proceed' ), 'button', 'upgrade' ); 
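Review bot: `$credentials['connection_type']` on line 928 is copied straight from `$_POST` and nothing in this hunk restricts it to the transports the code knows about; the `ftps` and `ftp` defaults on lines 926-930 suggest a fixed set, so unless a later check exists outside the hunk, an `in_array( $credentials['connection_type'], <list of supported transports>, true )` test before accepting it would keep an unexpected value out of the saved credentials and out of the hidden fields echoed on line 1053. Separately, lines 906, 909 and 910 use `!empty()` on the password and key fields, which silently drops a password that is literally `0`; `isset( $_POST['password'] ) && '' !== $_POST['password']` is the faithful test. The function containing lines 904-930 begins and ends outside this hunk.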
  • trunk/wp-admin/includes/image-edit.php

    r23246 r23416  
    455455        return false; 
    456456 
    457     $changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null; 
     457    $changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash( $_REQUEST['history'] ) ) : null; 
    458458    if ( $changes ) 
    459459        $img = image_edit_apply_changes( $img, $changes ); 
     
    534534    } 
    535535 
    536     if ( !wp_update_attachment_metadata($post_id, $meta) || !update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) { 
     536    if ( !wp_update_attachment_metadata($post_id, $meta) || !wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) { 
    537537        $msg->error = __('Cannot save image metadata.'); 
    538538        return $msg; 
     
    588588        } 
    589589    } elseif ( !empty($_REQUEST['history']) ) { 
    590         $changes = json_decode( stripslashes($_REQUEST['history']) ); 
     590        $changes = json_decode( wp_unslash( $_REQUEST['history'] ) ); 
    591591        if ( $changes ) 
    592592            $img = image_edit_apply_changes($img, $changes); 
     
    700700    if ( $success ) { 
    701701        wp_update_attachment_metadata( $post_id, $meta ); 
    702         update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes); 
     702        wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes); 
    703703 
    704704        if ( $target == 'thumbnail' || $target == 'all' || $target == 'full' ) { 
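Review bot: The `||` on line 536 reports `Cannot save image metadata.` whenever `wp_update_post_meta()` returns false, and if the new helper keeps `update_post_meta()`'s contract of returning false when the stored value is already identical (the commit describes it only as an unslashed alternative), an unchanged `_wp_attachment_backup_sizes` turns a successful save into an error; line 702 uses the same call without testing the result, which is the safer pattern here. A comment on line 536, `// NOTE: a false return can also mean "unchanged" — confirm wp_update_post_meta()'s contract before treating it as failure`, flags this for whoever verifies it. Lines 457 and 590 pass the decoded `history` JSON to `image_edit_apply_changes()` after only a truthiness test; `json_decode()` of a scalar such as `1` is truthy but not the list of change objects that function presumably iterates, so `if ( is_array( $changes ) )` is the stronger guard at both sites.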
  • trunk/wp-admin/includes/media.php

    r23395 r23416  
    445445 
    446446    if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) { 
     447        $attachment = wp_unslash( $attachment ); 
     448     
    447449        $post = $_post = get_post($attachment_id, ARRAY_A); 
    448450        $post_type_object = get_post_type_object( $post[ 'post_type' ] ); 
     
    469471        if ( isset($attachment['image_alt']) ) { 
    470472            $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true); 
    471             if ( $image_alt != stripslashes($attachment['image_alt']) ) { 
    472                 $image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true ); 
    473                 // update_meta expects slashed 
    474                 update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) ); 
     473            if ( $image_alt != $attachment['image_alt'] ) { 
     474                $image_alt = wp_strip_all_tags( $attachment['image_alt'], true ); 
     475                wp_update_post_meta( $attachment_id, '_wp_attachment_image_alt', $image_alt ); 
    475476            } 
    476477        } 
     
    502503 
    503504    if ( isset($send_id) ) { 
    504         $attachment = stripslashes_deep( $_POST['attachments'][$send_id] ); 
     505        $attachment = wp_unslash( $_POST['attachments'][$send_id] ); 
    505506 
    506507        $html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : ''; 
     
    547548 
    548549        if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) { 
    549             $title = esc_html( stripslashes( $_POST['title'] ) ); 
     550            $title = esc_html( wp_unslash( $_POST['title'] ) ); 
    550551            if ( empty( $title ) ) 
    551552                $title = esc_html( basename( $src ) ); 
     
    562563        } else { 
    563564            $align = ''; 
    564             $alt = esc_attr( stripslashes( $_POST['alt'] ) ); 
     565            $alt = esc_attr( wp_unslash( $_POST['alt'] ) ); 
    565566            if ( isset($_POST['align']) ) { 
    566                 $align = esc_attr( stripslashes( $_POST['align'] ) ); 
     567                $align = esc_attr( wp_unslash( $_POST['align'] ) ); 
    567568                $class = " class='align$align'"; 
    568569            } 
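Review bot: Lines 550 and 565 read `$_POST['title']` and `$_POST['alt']` without `isset()`, so a request missing either key raises a notice inside `wp_unslash()` and yields an empty string by accident rather than by design; the surrounding code already guards `media_type` (line 549) and `align` (line 566) with `isset()`, so `$title = isset( $_POST['title'] ) ? esc_html( wp_unslash( $_POST['title'] ) ) : '';` and the matching form for `$alt` keep the style consistent. On line 447 the per-attachment array is unslashed at the top of the loop, but line 505 reaches back into the raw `$_POST['attachments'][$send_id]` and unslashes it again; that is correct, yet a comment such as `// $attachment above is scoped to the loop; re-read and unslash the selected one` would explain why the same data is unslashed twice. The enclosing function begins and ends outside this hunk.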
  • trunk/wp-admin/includes/misc.php

    r22375 r23416  
    221221 */ 
    222222function url_shorten( $url ) { 
    223     $short_url = str_replace( 'http://', '', stripslashes( $url )); 
     223    $short_url = str_replace( 'http://', '', $url ); 
    224224    $short_url = str_replace( 'www.', '', $short_url ); 
    225225    $short_url = untrailingslashit( $short_url ); 
     
    249249                $$var = ''; 
    250250            else 
    251                 $$var = $_GET[$var]; 
     251                $$var = wp_unslash( $_GET[$var] ); 
    252252        } else { 
    253             $$var = $_POST[$var]; 
     253            $$var = wp_unslash( $_POST[$var] ); 
    254254        } 
    255255    } 
     
    324324        if ( !$user = wp_get_current_user() ) 
    325325            return; 
    326         $option = $_POST['wp_screen_options']['option']; 
    327         $value = $_POST['wp_screen_options']['value']; 
     326        $option = wp_unslash( $_POST['wp_screen_options']['option'] ); 
     327        $value = wp_unslash( $_POST['wp_screen_options']['value'] ); 
    328328 
    329329        if ( $option != sanitize_key( $option ) ) 
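Review bot: Lines 251 and 253 assign request values to variable variables (`$$var`), and the list of names the loop iterates is outside this hunk; this is only safe while that list is a fixed, code-supplied allowlist, because a request-derived name would turn the loop into an `extract()`-style write into arbitrary globals. A comment at the top of the loop, `// the names iterated here must be a hard-coded list; never derive them from the request`, records the invariant the unslashing now depends on. Callers that previously applied `stripslashes()` to these globals themselves will now strip a second time; that is inferred from the change rather than visible here, but worth a search before release.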
  • trunk/wp-admin/includes/plugin-install.php

    r22459 r23416  
    117117 */ 
    118118function install_search_form( $type_selector = true ) { 
    119     $type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term'; 
    120     $term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : ''; 
     119    $type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term'; 
     120    $term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : ''; 
    121121 
    122122    ?><form id="search-plugins" method="get" action=""> 
     
    161161 */ 
    162162function install_plugins_favorites_form() { 
    163     $user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); 
     163    $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); 
    164164    ?> 
    165165    <p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p> 
     
    252252    } 
    253253    if ( isset($_GET['from']) ) 
    254         $url .= '&amp;from=' . urlencode(stripslashes($_GET['from'])); 
     254        $url .= '&amp;from=' . urlencode( wp_unslash( $_GET['from'] ) ); 
    255255 
    256256    return compact('status', 'url', 'version'); 
     
    265265    global $tab; 
    266266 
    267     $api = plugins_api('plugin_information', array('slug' => stripslashes( $_REQUEST['plugin'] ) )); 
     267    $api = plugins_api('plugin_information', array('slug' => wp_unslash( $_REQUEST['plugin'] ) )); 
    268268 
    269269    if ( is_wp_error($api) ) 
     
    296296    } 
    297297 
    298     $section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English. 
     298    $section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English. 
    299299    if ( empty($section) || ! isset($api->sections[ $section ]) ) 
    300300        $section = array_shift( $section_titles = array_keys((array)$api->sections) ); 
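Review bot: Line 267 reads `$_REQUEST['plugin']` without `isset()` and hands it to `plugins_api()` as a slug with no shape check, so a missing key raises a notice and an arbitrary string goes out in the remote request; the other request reads in this file (lines 119, 120, 163, 254, 298) all guard with `isset()`/`!empty()`, and line 298 additionally checks the value against `$api->sections`. A guard in the same style, `$slug = isset( $_REQUEST['plugin'] ) ? wp_unslash( $_REQUEST['plugin'] ) : '';`, plus whatever slug-character restriction `plugins_api()` expects, would be consistent. The same unguarded pattern is at line 182 of `wp-admin/includes/theme-install.php` (`$_REQUEST['theme']`). The functions containing lines 267 and 298 begin outside this hunk.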
  • trunk/wp-admin/includes/post.php

    r23094 r23416  
    150150function edit_post( $post_data = null ) { 
    151151 
    152     if ( empty($post_data) ) 
    153         $post_data = &$_POST; 
     152    if ( empty( $post_data ) ) 
     153        $post_data = wp_unslash( $_POST ); 
    154154 
    155155    // Clear out any data in internal vars. 
     
    229229        if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) { 
    230230            $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true ); 
    231             if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) { 
    232                 $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true ); 
    233                 // update_meta expects slashed 
    234                 update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) ); 
     231            if ( $image_alt != $post_data['_wp_attachment_image_alt'] ) { 
     232                $image_alt = wp_strip_all_tags( $post_data['_wp_attachment_image_alt'], true ); 
     233                wp_update_post_meta( $post_ID, '_wp_attachment_image_alt', $image_alt ); 
    235234            } 
    236235        } 
     
    242241    add_meta( $post_ID ); 
    243242 
    244     update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); 
     243    wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); 
    245244 
    246245    wp_update_post( $post_data ); 
     
    423422    $post_title = ''; 
    424423    if ( !empty( $_REQUEST['post_title'] ) ) 
    425         $post_title = esc_html( stripslashes( $_REQUEST['post_title'] )); 
     424        $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] )); 
    426425 
    427426    $post_content = ''; 
    428427    if ( !empty( $_REQUEST['content'] ) ) 
    429         $post_content = esc_html( stripslashes( $_REQUEST['content'] )); 
     428        $post_content = esc_html( wp_unslash( $_REQUEST['content'] )); 
    430429 
    431430    $post_excerpt = ''; 
    432431    if ( !empty( $_REQUEST['excerpt'] ) ) 
    433         $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] )); 
     432        $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] )); 
    434433 
    435434    if ( $create_in_db ) { 
     
    480479    global $wpdb; 
    481480 
    482     $post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) ); 
    483     $post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) ); 
    484     $post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) ); 
     481    $post_title = sanitize_post_field( 'post_title', $title, 0, 'db' ); 
     482    $post_content = sanitize_post_field( 'post_content', $content, 0, 'db' ); 
     483    $post_date = sanitize_post_field( 'post_date', $date, 0, 'db' ); 
    485484 
    486485    $query = "SELECT ID FROM $wpdb->posts WHERE 1=1"; 
     
    560559 
    561560    // Create the post. 
    562     $post_ID = wp_insert_post( $_POST ); 
     561    $post_ID = wp_insert_post( wp_unslash( $_POST ) ); 
    563562    if ( is_wp_error( $post_ID ) ) 
    564563        return $post_ID; 
     
    569568    add_meta( $post_ID ); 
    570569 
    571     add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); 
     570    wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); 
    572571 
    573572    // Now that we have an ID we can fix any attachment anchor hrefs 
     
    613612    $post_ID = (int) $post_ID; 
    614613 
    615     $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; 
    616     $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; 
    617     $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : ''; 
     614    $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : ''; 
     615    $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : ''; 
     616    $metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : ''; 
    618617    if ( is_string( $metavalue ) ) 
    619618        $metavalue = trim( $metavalue ); 
     
    632631            return false; 
    633632 
    634         $metakey = esc_sql( $metakey ); 
    635  
    636         return add_post_meta( $post_ID, $metakey, $metavalue ); 
     633        return wp_add_post_meta( $post_ID, $metakey, $metavalue ); 
    637634    } 
    638635 
     
    707704 * 
    708705 * @param unknown_type $meta_id 
    709  * @param unknown_type $meta_key Expect Slashed 
    710  * @param unknown_type $meta_value Expect Slashed 
     706 * @param unknown_type $meta_key 
     707 * @param unknown_type $meta_value 
    711708 * @return unknown 
    712709 */ 
    713710function update_meta( $meta_id, $meta_key, $meta_value ) { 
    714     $meta_key = stripslashes( $meta_key ); 
    715     $meta_value = stripslashes_deep( $meta_value ); 
    716  
    717711    return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key ); 
    718712} 
     
    768762    if ( $replace ) { 
    769763        $post['post_content'] = $content; 
    770         // Escape data pulled from DB. 
    771         $post = add_magic_quotes($post); 
    772764 
    773765        return wp_update_post($post); 
     
    11801172    $lock = "$now:$user_id"; 
    11811173 
    1182     update_post_meta( $post->ID, '_edit_lock', $lock ); 
     1174    wp_update_post_meta( $post->ID, '_edit_lock', $lock ); 
    11831175    return array( $now, $user_id ); 
    11841176} 
     
    12311223    // Only store one autosave. If there is already an autosave, overwrite it. 
    12321224    if ( $old_autosave = wp_get_post_autosave( $post_id ) ) { 
    1233         $new_autosave = _wp_post_revision_fields( $_POST, true ); 
     1225        $new_autosave = _wp_post_revision_fields( wp_unslash( $_POST ), true ); 
    12341226        $new_autosave['ID'] = $old_autosave->ID; 
    12351227        $new_autosave['post_author'] = get_current_user_id(); 
     
    12381230 
    12391231    // _wp_put_post_revision() expects unescaped. 
    1240     $_POST = stripslashes_deep($_POST); 
     1232    $_POST = wp_unslash( $_POST ); 
    12411233 
    12421234    // Otherwise create the new autosave as a special post revision 
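Review bot: Line 616 wraps `$_POST['metavalue']` in `trim()` before `wp_unslash()`, but the very next lines (617-618) guard `trim()` with `is_string( $metavalue )`, which only makes sense if the value can be an array; `trim()` on an array emits a warning and returns null, so the new line defeats that guard and turns an array meta value into an empty string. `$metavalue = isset($_POST['metavalue']) ? wp_unslash( $_POST['metavalue'] ) : '';` keeps the array case and leaves trimming to line 618. On line 153 `edit_post()` now works on a copy where it used to take `$_POST` by reference, so any code later in that function (outside this hunk) that expected its writes to land in `$_POST` will no longer see them; a comment on line 153, `// copy, not a reference: $_POST is left untouched`, makes that deliberate.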
  • trunk/wp-admin/includes/schema.php

    r22300 r23416  
    506506            $autoload = 'yes'; 
    507507 
    508         $option = $wpdb->escape($option); 
    509508        if ( is_array($value) ) 
    510509            $value = serialize($value); 
    511         $value = $wpdb->escape($value); 
    512510        if ( !empty($insert) ) 
    513511            $insert .= ', '; 
    514         $insert .= "('$option', '$value', '$autoload')"; 
     512        $insert .= $wpdb->prepare( "(%s, %s, %s)", $option, $value, $autoload ); 
    515513    } 
    516514 
     
    922920    $insert = ''; 
    923921    foreach ( $sitemeta as $meta_key => $meta_value ) { 
    924         $meta_key = $wpdb->escape( $meta_key ); 
    925922        if ( is_array( $meta_value ) ) 
    926923            $meta_value = serialize( $meta_value ); 
    927         $meta_value = $wpdb->escape( $meta_value ); 
    928924        if ( !empty( $insert ) ) 
    929925            $insert .= ', '; 
    930         $insert .= "( $network_id, '$meta_key', '$meta_value')"; 
     926        $insert .= $wpdb->prepare( "( %d, %s, %s)", $network_id, $meta_key, $meta_value ); 
    931927    } 
    932928    $wpdb->query( "INSERT INTO $wpdb->sitemeta ( site_id, meta_key, meta_value ) VALUES " . $insert ); 
  • trunk/wp-admin/includes/taxonomy.php

    r19678 r23416  
    158158    $category = get_category($cat_ID, ARRAY_A); 
    159159 
    160     // Escape data pulled from DB. 
    161     $category = add_magic_quotes($category); 
    162  
    163160    // Merge old and new fields with new fields overwriting old ones. 
    164161    $catarr = array_merge($category, $catarr); 
  • trunk/wp-admin/includes/template.php

    r23397 r23416  
    13321332 */ 
    13331333function _admin_search_query() { 
    1334     echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : ''; 
     1334    echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : ''; 
    13351335} 
    13361336 
  • trunk/wp-admin/includes/theme-install.php

    r23265 r23416  
    5151 */ 
    5252function install_theme_search_form( $type_selector = true ) { 
    53     $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; 
    54     $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : ''; 
     53    $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term'; 
     54    $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : ''; 
    5555    if ( ! $type_selector ) 
    5656        echo '<p class="install-help">' . __( 'Search for themes by keyword.' ) . '</p>'; 
     
    180180    global $tab, $themes_allowedtags, $wp_list_table; 
    181181 
    182     $theme = themes_api( 'theme_information', array( 'slug' => stripslashes( $_REQUEST['theme'] ) ) ); 
     182    $theme = themes_api( 'theme_information', array( 'slug' => wp_unslash( $_REQUEST['theme'] ) ) ); 
    183183 
    184184    if ( is_wp_error( $theme ) ) 
  • trunk/wp-admin/includes/upgrade.php

    r23265 r23416  
    133133 
    134134        if ( empty($first_post) ) 
    135             $first_post = stripslashes( __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' ) ); 
     135            $first_post = __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' ); 
    136136 
    137137        $first_post = str_replace( "SITE_URL", esc_url( network_home_url() ), $first_post ); 
     
    637637    foreach ( $users as $user ) : 
    638638        if ( !empty( $user->user_firstname ) ) 
    639             update_user_meta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) ); 
     639            update_user_meta( $user->ID, 'first_name', $user->user_firstname ); 
    640640        if ( !empty( $user->user_lastname ) ) 
    641             update_user_meta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) ); 
     641            update_user_meta( $user->ID, 'last_name', $user->user_lastname ); 
    642642        if ( !empty( $user->user_nickname ) ) 
    643             update_user_meta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) ); 
     643            update_user_meta( $user->ID, 'nickname', $user->user_nickname ); 
    644644        if ( !empty( $user->user_level ) ) 
    645645            update_user_meta( $user->ID, $wpdb->prefix . 'user_level', $user->user_level ); 
    646646        if ( !empty( $user->user_icq ) ) 
    647             update_user_meta( $user->ID, 'icq', $wpdb->escape($user->user_icq) ); 
     647            update_user_meta( $user->ID, 'icq', $user->user_icq ); 
    648648        if ( !empty( $user->user_aim ) ) 
    649             update_user_meta( $user->ID, 'aim', $wpdb->escape($user->user_aim) ); 
     649            update_user_meta( $user->ID, 'aim', $user->user_aim ); 
    650650        if ( !empty( $user->user_msn ) ) 
    651             update_user_meta( $user->ID, 'msn', $wpdb->escape($user->user_msn) ); 
     651            update_user_meta( $user->ID, 'msn', $user->user_msn ); 
    652652        if ( !empty( $user->user_yim ) ) 
    653             update_user_meta( $user->ID, 'yim', $wpdb->escape($user->user_icq) ); 
     653            update_user_meta( $user->ID, 'yim', $user->user_icq ); 
    654654        if ( !empty( $user->user_description ) ) 
    655             update_user_meta( $user->ID, 'description', $wpdb->escape($user->user_description) ); 
     655            update_user_meta( $user->ID, 'description', $user->user_description ); 
    656656 
    657657        if ( isset( $user->user_idmode ) ): 
     
    855855            $cat_id = (int) $category->cat_id; 
    856856            $term_id = 0; 
    857             $name = $wpdb->escape($category->cat_name); 
     857            $name = $category->cat_name; 
    858858            $slug = sanitize_title($name); 
    859859            $term_group = 0; 
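Review bot: Line 653 stores `$user->user_icq` under the `yim` key although the guard on line 652 tests `$user->user_yim`; the commit touched this line to drop `$wpdb->escape()` but kept the copy-paste error, so the YIM field is silently overwritten with the ICQ value on upgrade. It should read `update_user_meta( $user->ID, 'yim', $user->user_yim );`. Lines 639-655 and 857 now pass DB-sourced values straight to `update_user_meta()`/`sanitize_title()`, which is the intent of this changeset; a short comment above the loop, `// user columns come from the DB unescaped; the meta API handles escaping`, would stop someone re-adding `$wpdb->escape()` here.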
  • trunk/wp-admin/includes/user.php

    r23380 r23416  
    3535        $user->ID = (int) $user_id; 
    3636        $userdata = get_userdata( $user_id ); 
    37         $user->user_login = $wpdb->escape( $userdata->user_login ); 
     37        $user->user_login = $userdata->user_login; 
    3838    } else { 
    3939        $update = false; 
    4040    } 
    4141 
    42     if ( !$update && isset( $_POST['user_login'] ) ) 
    43         $user->user_login = sanitize_user($_POST['user_login'], true); 
     42    // get clean data before we get started. 
     43    $post_data = wp_unslash( $_POST ); 
     44 
     45    if ( !$update && isset( $post_data['user_login'] ) ) 
     46        $user->user_login = sanitize_user($post_data['user_login'], true); 
    4447 
    4548    $pass1 = $pass2 = ''; 
    46     if ( isset( $_POST['pass1'] )) 
    47         $pass1 = $_POST['pass1']; 
    48     if ( isset( $_POST['pass2'] )) 
    49         $pass2 = $_POST['pass2']; 
    50  
    51     if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { 
    52         $new_role = sanitize_text_field( $_POST['role'] ); 
     49    if ( isset( $post_data['pass1'] )) 
     50        $pass1 = $post_data['pass1']; 
     51    if ( isset( $post_data['pass2'] )) 
     52        $pass2 = $post_data['pass2']; 
     53 
     54    if ( isset( $post_data['role'] ) && current_user_can( 'edit_users' ) ) { 
     55        $new_role = sanitize_text_field( $post_data['role'] ); 
    5356        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false; 
    5457        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 
     
    6366    } 
    6467 
    65     if ( isset( $_POST['email'] )) 
    66         $user->user_email = sanitize_text_field( $_POST['email'] ); 
    67     if ( isset( $_POST['url'] ) ) { 
    68         if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { 
     68    if ( isset( $post_data['email'] )) 
     69        $user->user_email = sanitize_text_field( $post_data['email'] ); 
     70    if ( isset( $post_data['url'] ) ) { 
     71        if ( empty ( $post_data['url'] ) || $post_data['url'] == 'http://' ) { 
    6972            $user->user_url = ''; 
    7073        } else { 
    71             $user->user_url = esc_url_raw( $_POST['url'] ); 
     74            $user->user_url = esc_url_raw( $post_data['url'] ); 
    7275            $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) ); 
    7376            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url; 
    7477        } 
    7578    } 
    76     if ( isset( $_POST['first_name'] ) ) 
    77         $user->first_name = sanitize_text_field( $_POST['first_name'] ); 
    78     if ( isset( $_POST['last_name'] ) ) 
    79         $user->last_name = sanitize_text_field( $_POST['last_name'] ); 
    80     if ( isset( $_POST['nickname'] ) ) 
    81         $user->nickname = sanitize_text_field( $_POST['nickname'] ); 
    82     if ( isset( $_POST['display_name'] ) ) 
    83         $user->display_name = sanitize_text_field( $_POST['display_name'] ); 
    84  
    85     if ( isset( $_POST['description'] ) ) 
    86         $user->description = trim( $_POST['description'] ); 
     79    if ( isset( $post_data['first_name'] ) ) 
     80        $user->first_name = sanitize_text_field( $post_data['first_name'] ); 
     81    if ( isset( $post_data['last_name'] ) ) 
     82        $user->last_name = sanitize_text_field( $post_data['last_name'] ); 
     83    if ( isset( $post_data['nickname'] ) ) 
     84        $user->nickname = sanitize_text_field( $post_data['nickname'] ); 
     85    if ( isset( $post_data['display_name'] ) ) 
     86        $user->display_name = sanitize_text_field( $post_data['display_name'] ); 
     87 
     88    if ( isset( $post_data['description'] ) ) 
     89        $user->description = trim( $post_data['description'] ); 
    8790 
    8891    foreach ( _wp_get_user_contactmethods( $user ) as $method => $name ) { 
    89         if ( isset( $_POST[$method] )) 
    90             $user->$method = sanitize_text_field( $_POST[$method] ); 
     92        if ( isset( $post_data[$method] )) 
     93            $user->$method = sanitize_text_field( $post_data[$method] ); 
    9194    } 
    9295 
    9396    if ( $update ) { 
    94         $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true'; 
    95         $user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh'; 
    96         $user->show_admin_bar_front = isset( $_POST['admin_bar_front'] ) ? 'true' : 'false'; 
    97     } 
    98  
    99     $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : ''; 
     97        $user->rich_editing = isset( $post_data['rich_editing'] ) && 'false' == $post_data['rich_editing'] ? 'false' : 'true'; 
     98        $user->admin_color = isset( $post_data['admin_color'] ) ? sanitize_text_field( $post_data['admin_color'] ) : 'fresh'; 
     99        $user->show_admin_bar_front = isset( $post_data['admin_bar_front'] ) ? 'true' : 'false'; 
     100    } 
     101 
     102    $user->comment_shortcuts = isset( $post_data['comment_shortcuts'] ) && 'true' == $post_data['comment_shortcuts'] ? 'true' : ''; 
    100103 
    101104    $user->use_ssl = 0; 
    102     if ( !empty($_POST['use_ssl']) ) 
     105    if ( !empty($post_data['use_ssl']) ) 
    103106        $user->use_ssl = 1; 
    104107 
     
    125128 
    126129    /* Check for "\" in password */ 
    127     if ( false !== strpos( stripslashes($pass1), "\\" ) ) 
     130    if ( false !== strpos( $pass1, "\\" ) ) 
    128131        $errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) ); 
    129132 
     
    135138        $user->user_pass = $pass1; 
    136139 
    137     if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) ) 
     140    if ( !$update && isset( $post_data['user_login'] ) && !validate_username( $post_data['user_login'] ) ) 
    138141        $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' )); 
    139142 
     
    160163    } else { 
    161164        $user_id = wp_insert_user( $user ); 
    162         wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' ); 
     165        wp_new_user_notification( $user_id, isset($post_data['send_password']) ? $pass1 : '' ); 
    163166    } 
    164167    return $user_id; 
  • trunk/wp-admin/install.php

    r23413 r23416  
    8585        $blog_public = isset( $_POST['blog_public'] ); 
    8686 
    87     $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : ''; 
    88     $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin'; 
    89     $admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : ''; 
    90     $admin_email  = isset( $_POST['admin_email']  ) ? trim( stripslashes( $_POST['admin_email'] ) ) : ''; 
     87    $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : ''; 
     88    $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin'; 
     89    $admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : ''; 
     90    $admin_email  = isset( $_POST['admin_email']  ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : ''; 
    9191 
    9292    if ( ! is_null( $error ) ) { 
     
    190190        display_header(); 
    191191        // Fill in the data we gathered 
    192         $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : ''; 
    193         $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin'; 
    194         $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : ''; 
    195         $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : ''; 
    196         $admin_email  = isset( $_POST['admin_email']  ) ?trim( stripslashes( $_POST['admin_email'] ) ) : ''; 
     192        $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : ''; 
     193        $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin'; 
     194        $admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : ''; 
     195        $admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : ''; 
     196        $admin_email  = isset( $_POST['admin_email']  ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : ''; 
    197197        $public       = isset( $_POST['blog_public']  ) ? (int) $_POST['blog_public'] : 0; 
    198198        // check e-mail address 
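Review bot: The redisplay path at new lines 194–195 unslashes `admin_password` and `admin_password2` but, unlike new line 89, does not `trim()` them, so the same password is accepted as typed on one path and silently altered on the other; since trimming changes the credential the user entered, the `trim()` on line 89 is the one to drop rather than adding one here. Both values are raw user input that are presumably echoed back into the form fields; the output point is outside this hunk and must escape them with `esc_attr()`. The `wp_unslash()` placement itself (inside `trim()`, before any use) is correct throughout.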
  • trunk/wp-admin/link-manager.php

    r19528 r23416  
    3232    } 
    3333} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { 
    34      wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); 
     34     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); 
    3535     exit; 
    3636} 
     
    7373<h2><?php echo esc_html( $title ); ?> <a href="link-add.php" class="add-new-h2"><?php echo esc_html_x('Add New', 'link'); ?></a> <?php 
    7474if ( !empty($_REQUEST['s']) ) 
    75     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?> 
     75    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?> 
    7676</h2> 
    7777 
  • trunk/wp-admin/media.php

    r20753 r23416  
    3333        if ( false !== strpos($location, 'upload.php') ) { 
    3434            $location = remove_query_arg('message', $location); 
    35             $location = add_query_arg('posted', $attachment_id, $location); 
     35            $location = add_query_arg('posted', $attachment_id, $location); 
    3636        } elseif ( false !== strpos($location, 'media.php') ) { 
    3737            $location = add_query_arg('message', 'updated', $location); 
  • trunk/wp-admin/nav-menus.php

    r22812 r23416  
    9494                            $parent_data = (array) $parent_object; 
    9595                            $menu_item_data['menu_item_parent'] = $parent_data['menu_item_parent']; 
    96                             update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
     96                            wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
    9797 
    9898                        } 
     
    104104 
    105105                        $menu_item_data['menu_item_parent'] = $next_item_data['ID']; 
    106                         update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
     106                        wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
    107107 
    108108                        wp_update_post($menu_item_data); 
     
    116116                ) { 
    117117                    $menu_item_data['menu_item_parent'] = (int) get_post_meta( $menu_item_data['menu_item_parent'], '_menu_item_menu_item_parent', true); 
    118                     update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
     118                    wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
    119119                } 
    120120            } 
     
    191191 
    192192                            // save changes 
    193                             update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
     193                            wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
    194194                            wp_update_post($menu_item_data); 
    195195                            wp_update_post($parent_data); 
     
    206206                        // just make it a child of the previous; keep the order 
    207207                        $menu_item_data['menu_item_parent'] = (int) $orders_to_dbids[$dbids_to_orders[$menu_item_id] - 1]; 
    208                         update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
     208                        wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] ); 
    209209                        wp_update_post($menu_item_data); 
    210210                    } 
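Review bot: The identical call `wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );` now appears five times in this section (new lines 96, 106, 118, 193, 208), and the commit message itself warns that the new `wp_*_post_meta()` helpers may later move into WP_Post; a single local helper would leave one place to update when that happens. Because the value is cast to `(int)` before storage, slashing never affected these call sites, so the rename is behaviour-neutral here.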
  • trunk/wp-admin/network.php

    r23295 r23416  
    521521    $subdomain_install = allow_subdomain_install() ? !empty( $_POST['subdomain_install'] ) : false; 
    522522    if ( ! network_domain_check() ) { 
    523         $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), stripslashes( $_POST['sitename'] ), $base, $subdomain_install ); 
     523        $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), wp_unslash( $_POST['sitename'] ), $base, $subdomain_install ); 
    524524        if ( is_wp_error( $result ) ) { 
    525525            if ( 1 == count( $result->get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() ) 
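Review bot: New line 523 unslashes `$_POST['sitename']` but still passes `$_POST['email']` slashed into `sanitize_email()`, which contradicts the commit's stated contract; change it to `sanitize_email( wp_unslash( $_POST['email'] ) )`. It presumably works today only because `sanitize_email()` drops characters outside its allowed set, including any backslash inserted by magic quotes — an accident of the sanitizer rather than a guarantee, and the wrong thing to rely on for an address that legitimately contains a quote in its local part.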
  • trunk/wp-admin/network/settings.php

    r21993 r23416  
    6262        if ( ! isset($_POST[$option_name]) ) 
    6363            continue; 
    64         $value = stripslashes_deep( $_POST[$option_name] ); 
     64        $value = wp_unslash( $_POST[$option_name] ); 
    6565        update_site_option( $option_name, $value ); 
    6666    } 
     
    182182                <td> 
    183183                    <textarea name="welcome_email" id="welcome_email" rows="5" cols="45" class="large-text"> 
    184 <?php echo esc_textarea( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea> 
     184<?php echo esc_textarea( get_site_option( 'welcome_email' ) ) ?></textarea> 
    185185                    <br /> 
    186186                    <?php _e( 'The welcome email sent to new site owners.' ) ?> 
     
    191191                <td> 
    192192                    <textarea name="welcome_user_email" id="welcome_user_email" rows="5" cols="45" class="large-text"> 
    193 <?php echo esc_textarea( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea> 
     193<?php echo esc_textarea( get_site_option( 'welcome_user_email' ) ) ?></textarea> 
    194194                    <br /> 
    195195                    <?php _e( 'The welcome email sent to new users.' ) ?> 
     
    200200                <td> 
    201201                    <textarea name="first_post" id="first_post" rows="5" cols="45" class="large-text"> 
    202 <?php echo esc_textarea( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea> 
     202<?php echo esc_textarea( get_site_option( 'first_post' ) ) ?></textarea> 
    203203                    <br /> 
    204204                    <?php _e( 'The first post on a new site.' ) ?> 
     
    209209                <td> 
    210210                    <textarea name="first_page" id="first_page" rows="5" cols="45" class="large-text"> 
    211 <?php echo esc_textarea( stripslashes( get_site_option('first_page') ) ) ?></textarea> 
     211<?php echo esc_textarea( get_site_option( 'first_page' ) ) ?></textarea> 
    212212                    <br /> 
    213213                    <?php _e( 'The first page on a new site.' ) ?> 
     
    218218                <td> 
    219219                    <textarea name="first_comment" id="first_comment" rows="5" cols="45" class="large-text"> 
    220 <?php echo esc_textarea( stripslashes( get_site_option('first_comment') ) ) ?></textarea> 
     220<?php echo esc_textarea( get_site_option( 'first_comment' ) ) ?></textarea> 
    221221                    <br /> 
    222222                    <?php _e( 'The first comment on a new site.' ) ?> 
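Review bot: With `stripslashes()` removed from the textarea output at new lines 184, 193, 202, 211 and 220, any site option that an earlier code path stored with literal backslashes will now render them; it is worth confirming on an upgraded install that `welcome_email`, `welcome_user_email`, `first_post`, `first_page` and `first_comment` display unchanged before shipping. The save side at new line 64 is right: `wp_unslash()` is applied once before `update_site_option()`, and `esc_textarea()` remains the only output escape. The list of option names the loop at line 62 iterates is defined outside this hunk.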
  • trunk/wp-admin/network/site-info.php

    r21414 r23416  
    6363 
    6464    // update blogs table 
    65     $blog_data = stripslashes_deep( $_POST['blog'] ); 
     65    $blog_data = wp_unslash( $_POST['blog'] ); 
    6666    $existing_details = get_blog_details( $id, false ); 
    6767    $blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' ); 
  • trunk/wp-admin/network/site-new.php

    r22664 r23416  
    3939    if ( ! is_array( $_POST['blog'] ) ) 
    4040        wp_die( __( 'Can&#8217;t create an empty site.' ) ); 
    41     $blog = $_POST['blog']; 
     41    $blog = wp_unslash( $_POST['blog'] ); 
    4242    $domain = ''; 
    4343    if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) ) 
     
    8989 
    9090Address: %2$s 
    91 Name: %3$s' ), $current_user->user_login , get_site_url( $id ), stripslashes( $title ) ); 
     91Name: %3$s' ), $current_user->user_login , get_site_url( $id ), $title ); 
    9292        wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site->site_name ), $content_mail, 'From: "Site Admin" <' . get_site_option( 'admin_email' ) . '>' ); 
    9393        wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) ); 
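Review bot: The domain check on context line 43, `preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] )`, accepts a value with a trailing newline because `$` matches before a final newline unless the pattern carries the `D` modifier, and now that `$blog` is unslashed at new line 41 the value reaches this check exactly as submitted; use `'|^[a-zA-Z0-9-]+$|D'` (the capturing group is unused anyway). What happens when the check fails is outside this hunk. The `is_array()` guard on line 39 ahead of `wp_unslash()` is the right order, and passing `$title` unslashed into the mail body at new line 91 is consistent with the rest of the change.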
  • trunk/wp-admin/network/site-settings.php

    r20713 r23416  
    5454    $skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form. 
    5555    foreach ( (array) $_POST['option'] as $key => $val ) { 
     56        $key = wp_unslash( $key ); 
     57        $val = wp_unslash( $val ); 
    5658        if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) ) 
    5759            continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options 
    5860        if ( $c == $count ) 
    59             update_option( $key, stripslashes( $val ) ); 
     61            update_option( $key, $val ); 
    6062        else 
    61             update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet 
     63            update_option( $key, $val, false ); // no need to refresh blog details yet 
    6264        $c++; 
    6365    } 
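Review bot: `in_array( $key, $skip_options )` on line 58 compares loosely while the `$key === 0` guard on the same line is strict; use `in_array( $key, $skip_options, true )` so both checks treat the key the same way. Unslashing array keys at new line 56 only matters if the keys were slashed on the way in; if the magic-quotes pass slashes values but not keys (worth verifying), the call is a no-op except for corrupting an option name that legitimately contains a backslash. A comment on new line 56 such as `// keys unslashed for symmetry with values; option names are not expected to contain backslashes` would record the intent.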
  • trunk/wp-admin/network/sites.php

    r23413 r23416  
    8080                    <input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" /> 
    8181                    <?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?> 
    82                     <p><?php echo esc_html( stripslashes( $_GET['msg'] ) ); ?></p> 
     82                    <p><?php echo esc_html( wp_unslash( $_GET['msg'] ) ); ?></p> 
    8383                    <?php submit_button( __('Confirm'), 'button' ); ?> 
    8484                </form> 
  • trunk/wp-admin/options.php

    r22653 r23416  
    121121        if ( is_multisite() && ! is_super_admin() ) 
    122122            wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) ); 
    123         $options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) ); 
     123        $options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) ); 
    124124    } else { 
    125125        $options = $whitelist_options[ $option_page ]; 
     
    128128    // Handle custom date/time formats 
    129129    if ( 'general' == $option_page ) { 
    130         if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) ) 
     130        if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) ) 
    131131            $_POST['date_format'] = $_POST['date_format_custom']; 
    132         if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) ) 
     132        if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) ) 
    133133            $_POST['time_format'] = $_POST['time_format_custom']; 
    134134        // Map UTC+- timezones to gmt_offsets and set timezone_string to empty. 
     
    151151                if ( ! is_array( $value ) ) 
    152152                    $value = trim( $value ); 
    153                 $value = stripslashes_deep( $value ); 
     153                $value = wp_unslash( $value ); 
    154154            } 
    155155            update_option( $option, $value ); 
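Review bot: Lines 130–133 are easy to misread: the comparison uses the unslashed value, but the assignment `$_POST['date_format'] = $_POST['date_format_custom'];` copies a still-slashed value back into `$_POST`, which is correct only because every option is unslashed again at new line 153 before `update_option()`. A comment on line 131 such as `// keep $_POST slashed here; values are unslashed once at the update_option() step below` would stop the next reader from "fixing" it. The `explode( ',', wp_unslash( $_POST['page_options'] ) )` path at new line 123 still accepts arbitrary option names from the request; the checks that bound it are outside this hunk.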
  • trunk/wp-admin/plugin-editor.php

    r23393 r23416  
    2929 
    3030if ( isset($_REQUEST['file']) ) 
    31     $plugin = stripslashes($_REQUEST['file']); 
     31    $plugin = wp_unslash($_REQUEST['file']); 
    3232 
    3333if ( empty($plugin) ) { 
     
    4141    $file = $plugin_files[0]; 
    4242else 
    43     $file = stripslashes($file); 
     43    $file = wp_unslash($file); 
    4444 
    4545$file = validate_file_to_edit($file, $plugin_files); 
     
    5353    check_admin_referer('edit-plugin_' . $file); 
    5454 
    55     $newcontent = stripslashes($_POST['newcontent']); 
     55    $newcontent = wp_unslash( $_POST['newcontent'] ); 
    5656    if ( is_writeable($real_file) ) { 
    5757        $f = fopen($real_file, 'w+'); 
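Review bot: On context line 57, `$f = fopen($real_file, 'w+');` follows an `is_writeable()` check but its return value is never tested, so a failure between the check and the open (permissions changed, file removed) hands `false` to the write that follows outside this hunk; guard it with `if ( false === $f ) wp_die( __( 'Unable to open file for writing.' ) );` or whatever error style the file already uses. `$plugin = wp_unslash($_REQUEST['file'])` at new line 31 is request-controlled and `validate_file_to_edit()` on line 45 is presumably what bounds it to the plugin's own files; that function is outside this hunk.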
  • trunk/wp-admin/press-this.php

    r22948 r23416  
    9292 
    9393// Set Variables 
    94 $title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; 
     94$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; 
    9595 
    9696$selection = ''; 
    9797if ( !empty($_GET['s']) ) { 
    98     $selection = str_replace('&apos;', "'", stripslashes($_GET['s'])); 
     98    $selection = str_replace('&apos;', "'", wp_unslash($_GET['s'])); 
    9999    $selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) ); 
    100100} 
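Review bot: `htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) )` on context line 99 passes no charset, and PHP's default differs between versions (ISO-8859-1 before 5.4, UTF-8 from 5.4), so a multibyte selection can be mangled differently depending on the host; pin it with `htmlspecialchars( html_entity_decode( $selection, ENT_QUOTES, 'UTF-8' ), ENT_QUOTES, 'UTF-8' )` or use `esc_html()`. The `wp_unslash()` substitutions at new lines 94 and 98 are correctly placed before the entity decode, so the slash is gone before decoding sees it.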
  • trunk/wp-admin/setup-config.php

    r23413 r23416  
    165165    case 2: 
    166166    foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key ) 
    167         $$key = trim( stripslashes( $_POST[ $key ] ) ); 
     167        $$key = trim( wp_unslash( $_POST[ $key ] ) ); 
    168168 
    169169    $tryagain_link = '</p><p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button button-large">' . __( 'Try again' ) . '</a>'; 
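Review bot: New line 167 reads `$_POST[ $key ]` for each of the five keys without an `isset()` check, so a partial submission raises an undefined-index notice and assigns `''` by accident rather than by design; prefer `$$key = isset( $_POST[ $key ] ) ? trim( wp_unslash( $_POST[ $key ] ) ) : '';`. The `trim()` also applies to `pwd`, so a database password with leading or trailing whitespace is silently changed; if that is intended it deserves a comment, otherwise exclude `pwd` from the trim.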
  • trunk/wp-admin/theme-editor.php

    r23393 r23416  
    6969    $file = $allowed_files['style.css']; 
    7070} else { 
    71     $relative_file = stripslashes( $file ); 
     71    $relative_file = wp_unslash( $file ); 
    7272    $file = $theme->get_stylesheet_directory() . '/' . $relative_file; 
    7373} 
     
    7979case 'update': 
    8080    check_admin_referer( 'edit-theme_' . $file . $stylesheet ); 
    81     $newcontent = stripslashes( $_POST['newcontent'] ); 
     81    $newcontent = wp_unslash( $_POST['newcontent'] ); 
    8282    $location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&theme=' . urlencode( $stylesheet ) . '&scrollto=' . $scrollto; 
    8383    if ( is_writeable( $file ) ) { 
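Review bot: In the else branch at new lines 71–72 the request-supplied `$file` is unslashed and concatenated directly under `get_stylesheet_directory()`; nothing in this hunk constrains it to the `$allowed_files` list the if branch uses, so unless a later check (outside this hunk) rejects paths outside that list, `../` segments would leave the theme directory. If that check exists, a comment on line 72 such as `// $file is validated against $allowed_files before any read/write below` would make the guarantee visible. The `wp_unslash()` at new line 81 before the write is correct and mirrors the plugin-editor.php change in this changeset.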
  • trunk/wp-admin/update.php

    r22430 r23416  
    2727 
    2828        if ( isset( $_GET['plugins'] ) ) 
    29             $plugins = explode( ',', stripslashes($_GET['plugins']) ); 
     29            $plugins = explode( ',', wp_unslash($_GET['plugins']) ); 
    3030        elseif ( isset( $_POST['checked'] ) ) 
    3131            $plugins = (array) $_POST['checked']; 
     
    110110        $url = 'update.php?action=install-plugin&plugin=' . $plugin; 
    111111        if ( isset($_GET['from']) ) 
    112             $url .= '&from=' . urlencode(stripslashes($_GET['from'])); 
     112            $url .= '&from=' . urlencode( wp_unslash( $_GET['from'] ) ); 
    113113 
    114114        $type = 'web'; //Install plugin type, From Web or an Upload. 
     
    174174 
    175175        if ( isset( $_GET['themes'] ) ) 
    176             $themes = explode( ',', stripslashes($_GET['themes']) ); 
     176            $themes = explode( ',', wp_unslash( $_GET['themes'] ) ); 
    177177        elseif ( isset( $_POST['checked'] ) ) 
    178178            $themes = (array) $_POST['checked']; 
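Review bot: New lines 29 and 176 unslash the comma-separated `$_GET['plugins']` / `$_GET['themes']`, but the sibling branches on lines 31 and 178 still take `(array) $_POST['checked']` slashed, so the two inputs feeding the same `$plugins` / `$themes` variables are now treated differently; for consistency with the commit's goal use `wp_unslash( (array) $_POST['checked'] )` in both places. Plugin and theme slugs rarely contain the characters `addslashes()` touches, which is why this has not surfaced, but leaving one path slashed invites a later bug.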
  • trunk/wp-admin/upgrade.php

    r23413 r23416  
    7878switch ( $step ) : 
    7979    case 0: 
    80         $goback = stripslashes( wp_get_referer() ); 
     80        $goback = wp_get_referer(); 
    8181        $goback = esc_url_raw( $goback ); 
    8282        $goback = urlencode( $goback ); 
     
    9191        wp_upgrade(); 
    9292 
    93             $backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/'; 
     93            $backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/'; 
    9494            $backto = esc_url( $backto ); 
    9595            $backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/'); 
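Review bot: New line 80 drops `stripslashes()` around `wp_get_referer()`, which is only correct if `wp_get_referer()` now returns unslashed data; that function is not in this section, so please confirm it was updated in the same changeset (other sections here still unslash `$_SERVER['REQUEST_URI']` and `$_REQUEST['wp_http_referer']` explicitly, suggesting those sources remain slashed). At new line 93, `urldecode( $_GET['backto'] )` decodes an already-decoded query value a second time, so doubly-encoded input reaches `wp_unslash()` and `esc_url()` in a form the first decode did not show; `wp_validate_redirect()` on line 95 is the control that matters here, so keep it last in the chain.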
  • trunk/wp-admin/upload.php

    r21605 r23416  
    133133    exit; 
    134134} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { 
    135      wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); 
     135     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); 
    136136     exit; 
    137137} 
  • trunk/wp-admin/user-edit.php

    r23364 r23416  
    5555); 
    5656 
    57 $wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer)); 
     57$wp_http_referer = remove_query_arg(array('update', 'delete_count'), wp_unslash( $wp_http_referer ) ); 
    5858 
    5959$user_can_edit = current_user_can( 'edit_posts' ) || current_user_can( 'edit_pages' ); 
  • trunk/wp-admin/user-new.php

    r23412 r23416  
    113113    } else { 
    114114        // Adding a new user to this blog 
    115         $user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] ); 
     115        $user_details = wpmu_validate_user_signup( wp_unslash( $_REQUEST[ 'user_login' ] ), wp_unslash( $_REQUEST[ 'email' ] ) ); 
    116116        if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) { 
    117117            $add_user_errors = $user_details[ 'errors' ]; 
    118118        } else { 
    119             $new_user_login = apply_filters('pre_user_login', sanitize_user(stripslashes($_REQUEST['user_login']), true)); 
     119            $new_user_login = apply_filters('pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) ); 
    120120            if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { 
    121121                add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email 
    122122            } 
    123             wpmu_signup_user( $new_user_login, $_REQUEST[ 'email' ], array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) ); 
     123            wpmu_signup_user( $new_user_login, wp_unslash( $_REQUEST[ 'email' ] ), array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) ); 
    124124            if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { 
    125125                $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $_REQUEST[ 'email' ] ) ); 
     
    310310    if( isset( $_POST['createuser'] ) ) { 
    311311        if ( ! isset($$var) ) 
    312             $$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : ''; 
     312            $$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : ''; 
    313313    } else { 
    314314        $$var = false; 
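Review bot: Context line 125 still looks up the activation key with the slashed `$_REQUEST[ 'email' ]`, while new lines 115 and 123 validate and create the signup with `wp_unslash( $_REQUEST[ 'email' ] )`; an address containing a quote or backslash (valid in a quoted local part) is therefore stored unslashed and queried slashed, and the key is never found. Compute `$new_user_email = wp_unslash( $_REQUEST[ 'email' ] );` once and use it on lines 115, 123 and 125. The `'new_role' => $_REQUEST[ 'role' ]` entry on new line 123 is passed through without being checked against the editable roles anywhere in this hunk; if that check lives elsewhere, a comment saying so would help.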
  • trunk/wp-admin/users.php

    r23366 r23416  
    6565 
    6666if ( empty($_REQUEST) ) { 
    67     $referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr(stripslashes($_SERVER['REQUEST_URI'])) . '" />'; 
     67    $referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . '" />'; 
    6868} elseif ( isset($_REQUEST['wp_http_referer']) ) { 
    69     $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer'])); 
     69    $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash( $_REQUEST['wp_http_referer'] ) ); 
    7070    $referer = '<input type="hidden" name="wp_http_referer" value="' . esc_attr($redirect) . '" />'; 
    7171} else { 
     
    358358 
    359359    if ( !empty($_GET['_wp_http_referer']) ) { 
    360         wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']))); 
     360        wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); 
    361361        exit; 
    362362    } 
     
    382382            if ( isset( $_GET['id'] ) && ( $user_id = $_GET['id'] ) && current_user_can( 'edit_user', $user_id ) ) { 
    383383                $messages[] = '<div id="message" class="updated"><p>' . sprintf( __( 'New user created. <a href="%s">Edit user</a>' ), 
    384                     esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), 
     384                    esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), 
    385385                        self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '</p></div>'; 
    386386            } else { 
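Review bot: On context line 382, `$user_id = $_GET['id']` is used unvalidated in `current_user_can( 'edit_user', $user_id )` and then embedded in the `user-edit.php?user_id=` URL on line 385; casting it, `( $user_id = (int) $_GET['id'] )`, keeps the capability check and the URL on the same integer and removes any reliance on `esc_url()` to neutralise a non-numeric value. The `wp_unslash()` substitutions at new lines 67, 69, 360 and 384 are correctly placed before `esc_attr()` / `urlencode()`.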
  • trunk/wp-comments-post.php

    r20425 r23416  
    1818nocache_headers(); 
    1919 
    20 $comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0; 
     20$post_data = wp_unslash( $_POST ); 
     21 
     22$comment_post_ID = isset($post_data['comment_post_ID']) ? (int) $post_data['comment_post_ID'] : 0; 
    2123 
    2224$post = get_post($comment_post_ID); 
     
    4850} 
    4951 
    50 $comment_author       = ( isset($_POST['author']) )  ? trim(strip_tags($_POST['author'])) : null; 
    51 $comment_author_email = ( isset($_POST['email']) )   ? trim($_POST['email']) : null; 
    52 $comment_author_url   = ( isset($_POST['url']) )     ? trim($_POST['url']) : null; 
    53 $comment_content      = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null; 
     52$comment_author       = ( isset( $post_data['author'] ) )  ? trim( strip_tags( $post_data['author'] ) ) : null; 
     53$comment_author_email = ( isset( $post_data['email'] ) )   ? trim( $post_data['email'] ) : null; 
     54$comment_author_url   = ( isset( $post_data['url'] ) )     ? trim( $post_data['url'] ) : null; 
     55$comment_content      = ( isset( $post_data['comment'] ) ) ? trim( $post_data['comment'] ) : null; 
    5456 
    5557// If the user is logged in 
     
    5759if ( $user->exists() ) { 
    5860    if ( empty( $user->display_name ) ) 
    59         $user->display_name=$user->user_login; 
    60     $comment_author       = $wpdb->escape($user->display_name); 
    61     $comment_author_email = $wpdb->escape($user->user_email); 
    62     $comment_author_url   = $wpdb->escape($user->user_url); 
     61        $user->display_name = $user->user_login; 
     62    $comment_author       = $user->display_name; 
     63    $comment_author_email = $user->user_email; 
     64    $comment_author_url   = $user->user_url; 
    6365    if ( current_user_can('unfiltered_html') ) { 
    64         if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { 
     66        if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $post_data['_wp_unfiltered_html_comment'] ) { 
    6567            kses_remove_filters(); // start with a clean slate 
    6668            kses_init_filters(); // set up the filters 
     
    8486    wp_die( __('<strong>ERROR</strong>: please type a comment.') ); 
    8587 
    86 $comment_parent = isset($_POST['comment_parent']) ? absint($_POST['comment_parent']) : 0; 
     88$comment_parent = isset($post_data['comment_parent']) ? absint($post_data['comment_parent']) : 0; 
    8789 
    8890$commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID'); 
     
    9395do_action('set_comment_cookies', $comment, $user); 
    9496 
    95 $location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id; 
     97$location = empty($post_data['redirect_to']) ? get_comment_link($comment_id) : $post_data['redirect_to'] . '#comment-' . $comment_id; 
    9698$location = apply_filters('comment_post_redirect', $location, $comment); 
    9799 
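Review bot: New line 66 still compares the unfiltered-HTML nonce with `!=` and reads `$post_data['_wp_unfiltered_html_comment']` without `isset()`, so a logged-in user whose form lacks the field triggers a notice and the check rests on loose string comparison; use the nonce API's verifier instead: `if ( ! isset( $post_data['_wp_unfiltered_html_comment'] ) || ! wp_verify_nonce( $post_data['_wp_unfiltered_html_comment'], 'unfiltered-html-comment_' . $comment_post_ID ) ) {`. Removing `$wpdb->escape()` at new lines 62–64 is the right consequence of the unslashed contract. `$post_data['redirect_to']` at new line 97 is user-controlled and feeds a redirect; the redirect call is outside this hunk and should be `wp_safe_redirect()`, so that the `comment_post_redirect` filter is not the only thing between this value and an off-site redirect.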
  • trunk/wp-includes/class-wp-customize-manager.php

    r22798 r23416  
    311311        if ( ! isset( $this->_post_values ) ) { 
    312312            if ( isset( $_POST['customized'] ) ) 
    313                 $this->_post_values = json_decode( stripslashes( $_POST['customized'] ), true ); 
     313                $this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true ); 
    314314            else 
    315315                $this->_post_values = false; 
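Review bot: At new line 313, `json_decode( wp_unslash( $_POST['customized'] ), true )` returns `null` on malformed input, so `_post_values` stays `null` and the `! isset( $this->_post_values )` guard on line 311 re-runs the decode on every call instead of settling on `false` like the else branch; normalise it with `if ( ! is_array( $this->_post_values ) ) $this->_post_values = false;` after the decode, on the assumption that callers index the result as an array. The method enclosing this hunk starts and ends outside it.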
  • trunk/wp-includes/class-wp-customize-setting.php

    r22798 r23416  
    145145     */ 
    146146    public function sanitize( $value ) { 
    147         $value = stripslashes_deep( $value ); 
     147        $value = wp_unslash( $value ); 
    148148        return apply_filters( "customize_sanitize_{$this->id}", $value, $this ); 
    149149    } 
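Review bot: `sanitize()` now unslashes its argument at new line 147, and the manager's `_post_values` path in this same changeset already unslashes the JSON string before `json_decode()` (class-wp-customize-manager.php, new line 313); if `sanitize()` only ever receives values from that path, the second `wp_unslash()` here strips legitimate backslashes from user content. The old `stripslashes_deep()` pair behaved the same way, so this is not a regression, but one of the two call sites should own unslashing; a comment on line 147 stating which callers are expected to hand over slashed data would record the decision. The docblock above line 146 is outside this hunk.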
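--- a/trunk/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/wp-includes/class-wp-xmlrpc-server.php
@@ -281,8 +281,6 @@
 				$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
 				if ( isset($meta['key']) ) {
-					$meta['key'] = stripslashes( $meta['key'] );
 					if ( $meta['key'] != $pmeta->meta_key )
 						continue;
-					$meta['value'] = stripslashes_deep( $meta['value'] );
 					if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
 						update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
@@ -290,6 +288,6 @@
 					delete_metadata_by_mid( 'post', $meta['id'] );
 				}
-			} elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
-				add_post_meta( $post_id, $meta['key'], $meta['value'] );
+			} elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) {
+				wp_add_post_meta( $post_id, $meta['key'], $meta['value'] );
 			}
 		}
@@ -463,6 +461,4 @@
 		}
 
-		$this->escape( $args );
-
 		$username = $args[0];
 		$password = $args[1];
@@ -956,6 +952,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -1240,6 +1234,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -1275,5 +1267,4 @@
 			$post['post_date_gmt'] = $this->_convert_date( $post['post_date_gmt'] );
 
-		$this->escape( $post );
 		$merged_content_struct = array_merge( $post, $content_struct );
 
@@ -1301,6 +1292,4 @@
 		if ( ! $this->minimum_args( $args, 4 ) )
 			return $this->error;
-
-		$this->escape( $args );
 
 		$blog_id    = (int) $args[0];
@@ -1378,6 +1367,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id            = (int) $args[0];
 		$username           = $args[1];
@@ -1434,6 +1421,4 @@
 		if ( ! $this->minimum_args( $args, 3 ) )
 			return $this->error;
-
-		$this->escape( $args );
 
 		$blog_id    = (int) $args[0];
@@ -1529,6 +1514,4 @@
 		if ( ! $this->minimum_args( $args, 4 ) )
 			return $this->error;
-
-		$this->escape( $args );
 
 		$blog_id            = (int) $args[0];
@@ -1617,6 +1600,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id            = (int) $args[0];
 		$username           = $args[1];
@@ -1708,6 +1689,4 @@
 		if ( ! $this->minimum_args( $args, 5 ) )
 			return $this->error;
-
-		$this->escape( $args );
 
 		$blog_id            = (int) $args[0];
@@ -1776,6 +1755,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id            = (int) $args[0];
 		$username           = $args[1];
@@ -1829,6 +1806,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -1904,6 +1879,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -1947,6 +1920,4 @@
 		if ( ! $this->minimum_args( $args, 3 ) )
 			return $this->error;
-
-		$this->escape( $args );
 
 		$blog_id            = (int) $args[0];
@@ -2017,6 +1988,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2070,6 +2039,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2137,6 +2104,4 @@
 		if ( ! $this->minimum_args( $args, 3 ) )
 			return $this->error;
-
-		$this->escape( $args );
 
 		$blog_id    = (int) $args[0];
@@ -2185,6 +2150,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -2250,6 +2213,4 @@
 	 */
 	function wp_getPage($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$page_id    = (int) $args[1];
@@ -2293,6 +2254,4 @@
 	 */
 	function wp_getPages($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2337,7 +2296,6 @@
 	 */
 	function wp_newPage($args) {
-		// Items not escaped here will be escaped in newPost.
-		$username   = $this->escape($args[1]);
-		$password   = $this->escape($args[2]);
+		$username   = $args[1];
+		$password   = $args[2];
 		$page       = $args[3];
 		$publish    = $args[4];
@@ -2364,6 +2322,4 @@
 	 */
 	function wp_deletePage($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2405,9 +2361,8 @@
 	 */
 	function wp_editPage($args) {
-		// Items not escaped here will be escaped in editPost.
 		$blog_id    = (int) $args[0];
-		$page_id    = (int) $this->escape($args[1]);
-		$username   = $this->escape($args[2]);
-		$password   = $this->escape($args[3]);
+		$page_id    = (int) $args[1];
+		$username   = $args[2];
+		$password   = $args[3];
 		$content    = $args[4];
 		$publish    = $args[5];
@@ -2453,6 +2408,4 @@
 	function wp_getPageList($args) {
 		global $wpdb;
-
-		$this->escape($args);
 
 		$blog_id                = (int) $args[0];
@@ -2504,7 +2457,4 @@
 	 */
 	function wp_getAuthors($args) {
-
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2540,6 +2490,4 @@
 	 */
 	function wp_getTags( $args ) {
-		$this->escape( $args );
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -2581,6 +2529,4 @@
 	 */
 	function wp_newCategory($args) {
-		$this->escape($args);
-
 		$blog_id                = (int) $args[0];
 		$username               = $args[1];
@@ -2642,6 +2588,4 @@
 	 */
 	function wp_deleteCategory($args) {
-		$this->escape($args);
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -2674,6 +2618,4 @@
 	 */
 	function wp_suggestCategories($args) {
-		$this->escape($args);
-
 		$blog_id                = (int) $args[0];
 		$username               = $args[1];
@@ -2711,6 +2653,4 @@
 	 */
 	function wp_getComment($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2752,6 +2692,4 @@
 	 */
 	function wp_getComments($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2812,6 +2750,4 @@
 	 */
 	function wp_deleteComment($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2866,6 +2802,4 @@
 	 */
 	function wp_editComment($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -2942,6 +2876,4 @@
 	function wp_newComment($args) {
 		global $wpdb;
-
-		$this->escape($args);
 
 		$blog_id    = (int) $args[0];
@@ -2979,7 +2911,7 @@
 
 		if ( $logged_in ) {
-			$comment['comment_author'] = $wpdb->escape( $user->display_name );
-			$comment['comment_author_email'] = $wpdb->escape( $user->user_email );
-			$comment['comment_author_url'] = $wpdb->escape( $user->user_url );
+			$comment['comment_author'] = $user->display_name;
+			$comment['comment_author_email'] = $user->user_email;
+			$comment['comment_author_url'] = $user->user_url;
 			$comment['user_ID'] = $user->ID;
 		} else {
@@ -3028,6 +2960,4 @@
 	 */
 	function wp_getCommentStatusList($args) {
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3054,6 +2984,4 @@
 	 */
 	function wp_getCommentCount( $args ) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3087,6 +3015,4 @@
 	 */
 	function wp_getPostStatusList( $args ) {
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3113,6 +3039,4 @@
 	 */
 	function wp_getPageStatusList( $args ) {
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3139,6 +3063,4 @@
 	 */
 	function wp_getPageTemplates( $args ) {
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3166,6 +3088,4 @@
 	 */
 	function wp_getOptions( $args ) {
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3216,6 +3136,4 @@
 	 */
 	function wp_setOptions( $args ) {
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3265,6 +3183,4 @@
 	 */
 	function wp_getMediaItem($args) {
-		$this->escape($args);
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -3310,6 +3226,4 @@
 	 */
 	function wp_getMediaLibrary($args) {
-		$this->escape($args);
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3352,6 +3266,4 @@
 	  */
 	function wp_getPostFormats( $args ) {
-		$this->escape( $args );
-
 		$blog_id = (int) $args[0];
 		$username = $args[1];
@@ -3412,6 +3324,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id        = (int) $args[0];
 		$username       = $args[1];
@@ -3458,6 +3368,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id            = (int) $args[0];
 		$username           = $args[1];
@@ -3512,6 +3420,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id    = (int) $args[0];
 		$username   = $args[1];
@@ -3578,6 +3484,4 @@
 			return $this->error;
 
-		$this->escape( $args );
-
 		$blog_id     = (int) $args[0];
 		$username    = $args[1];
@@ -3628,6 +3532,4 @@
 		if ( is_multisite() )
 			return $this->_multisite_getUsersBlogs($args);
-
-		$this->escape($args);
 
 		$username = $args[1];
@@ -3692,7 +3594,4 @@
 	 */
 	function blogger_getUserInfo($args) {
-
-		$this->escape($args);
-
 		$username = $args[1];
 		$password  = $args[2];
@@ -3726,7 +3625,4 @@
 	 */
 	function blogger_getPost($args) {
-
-		$this->escape($args);
-
 		$post_ID    = (int) $args[1];
 		$username = $args[2];
@@ -3747,7 +3643,7 @@
 		$categories = implode(',', wp_get_post_categories($post_ID));
 
-		$content  = '<title>'.stripslashes($post_data['post_title']).'</title>';
+		$content  = '<title>'.$post_data['post_title'].'</title>';
 		$content .= '<category>'.$categories.'</category>';
-		$content .= stripslashes($post_data['post_content']);
+		$content .= $post_data['post_content'];
 
 		$struct = array(
@@ -3770,7 +3666,4 @@
 	 */
 	function blogger_getRecentPosts($args) {
-
-		$this->escape($args);
-
 		// $args[0] = appkey - ignored
 		$blog_ID    = (int) $args[1]; /* though we don't use it yet */
@@ -3801,7 +3694,7 @@
 			$categories = implode(',', wp_get_post_categories($entry['ID']));
 
-			$content  = '<title>'.stripslashes($entry['post_title']).'</title>';
+			$content  = '<title>'.$entry['post_title'].'</title>';
 			$content .= '<category>'.$categories.'</category>';
-			$content .= stripslashes($entry['post_content']);
+			$content .= $entry['post_content'];
 
 			$struct[] = array(
@@ -3851,7 +3744,4 @@
 	 */
 	function blogger_newPost($args) {
-
-		$this->escape($args);
-
 		$blog_ID    = (int) $args[1]; /* though we don't use it yet */
 		$username = $args[2];
@@ -3905,7 +3795,4 @@
 	 */
 	function blogger_editPost($args) {
-
-		$this->escape($args);
-
 		$post_ID     = (int) $args[1];
 		$username  = $args[2];
@@ -3924,6 +3811,4 @@
 			return new IXR_Error(404, __('Sorry, no such post.'));
 
-		$this->escape($actual_post);
-
 		if ( !current_user_can('edit_post', $post_ID) )
 			return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.'));
@@ -3961,6 +3846,4 @@
 	 */
 	function blogger_deletePost($args) {
-		$this->escape($args);
-
 		$post_ID     = (int) $args[1];
 		$username  = $args[2];
@@ -4031,11 +3914,9 @@
 	 */
 	function mw_newPost($args) {
-		$this->escape($args);
-
-		$blog_ID     = (int) $args[0];
-		$username  = $args[1];
-		$password   = $args[2];
+		$blog_ID        = (int) $args[0];
+		$username       = $args[1];
+		$password       = $args[2];
 		$content_struct = $args[3];
-		$publish     = isset( $args[4] ) ? $args[4] : 0;
+		$publish        = isset( $args[4] ) ? $args[4] : 0;
 
 		if ( !$user = $this->login($username, $password) )
@@ -4317,5 +4198,5 @@
 			}
 			if (!$found)
-				add_post_meta( $post_ID, 'enclosure', $encstring );
+				wp_add_post_meta( $post_ID, 'enclosure', $encstring );
 		}
 	}
@@ -4351,7 +4232,4 @@
 	 */
 	function mw_editPost($args) {
-
-		$this->escape($args);
-
 		$post_ID        = (int) $args[0];
 		$username       = $args[1];
@@ -4392,5 +4270,4 @@
 		}
 
-		$this->escape($postdata);
 		extract($postdata, EXTR_SKIP);
 
@@ -4620,7 +4497,4 @@
 	 */
 	function mw_getPost($args) {
-
-		$this->escape($args);
-
 		$post_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -4744,7 +4618,4 @@
 	 */
 	function mw_getRecentPosts($args) {
-
-		$this->escape($args);
-
 		$blog_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -4859,7 +4730,4 @@
 	 */
 	function mw_getCategories($args) {
-
-		$this->escape($args);
-
 		$blog_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -4908,8 +4776,8 @@
 		global $wpdb;
 
-		$blog_ID     = (int) $args[0];
-		$username  = $wpdb->escape($args[1]);
-		$password   = $wpdb->escape($args[2]);
-		$data        = $args[3];
+		$blog_ID   = (int) $args[0];
+		$username  = $args[1];
+		$password  = $args[2];
+		$data      = $args[3];
 
 		$name = sanitize_file_name( $data['name'] );
@@ -4998,7 +4866,4 @@
 	 */
 	function mt_getRecentPostTitles($args) {
-
-		$this->escape($args);
-
 		$blog_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -5058,7 +4923,4 @@
 	 */
 	function mt_getCategoryList($args) {
-
-		$this->escape($args);
-
 		$blog_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -5096,7 +4958,4 @@
 	 */
 	function mt_getPostCategories($args) {
-
-		$this->escape($args);
-
 		$post_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -5139,7 +4998,4 @@
 	 */
 	function mt_setPostCategories($args) {
-
-		$this->escape($args);
-
 		$post_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -5251,7 +5107,4 @@
 	 */
 	function mt_publishPost($args) {
-
-		$this->escape($args);
-
 		$post_ID     = (int) $args[0];
 		$username  = $args[1];
@@ -5275,5 +5128,4 @@
 		$cats = wp_get_post_categories($post_ID);
 		$postdata['post_category'] = $cats;
-		$this->escape($postdata);
 
 		$result = wp_update_post($postdata);
@@ -5298,6 +5150,4 @@
 
 		do_action('xmlrpc_call', 'pingback.ping');
-
-		$this->escape($args);
 
 		$pagelinkedfrom = $args[0];
@@ -5436,13 +5286,13 @@
 
 		$context = '[...] ' . esc_html( $excerpt ) . ' [...]';
-		$pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
+		$pagelinkedfrom = $pagelinkedfrom;
 
 		$comment_post_ID = (int) $post_ID;
 		$comment_author = $title;
 		$comment_author_email = '';
-		$this->escape($comment_author);
+		$comment_author;
 		$comment_author_url = $pagelinkedfrom;
 		$comment_content = $context;
-		$this->escape($comment_content);
+		$comment_content;
 		$comment_type = 'pingback';
 
@@ -5466,10 +5316,7 @@
 	 */
 	function pingback_extensions_getPingbacks($args) {
-
 		global $wpdb;
 
 		do_action('xmlrpc_call', 'pingback.extensions.getPingbacks');
-
-		$this->escape($args);
 
 		$url = $args;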
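Review bot: In the pingback.ping hunk, the new lines `$pagelinkedfrom = $pagelinkedfrom;`, `$comment_author;` and `$comment_content;` are no-op statements left behind where the `$wpdb->escape()` and `$this->escape()` calls were removed; the self-assignment and the two bare expression statements should be deleted rather than kept. The same leftover appears in the deprecated.php section at new line 2386, where `$meta_value = $meta_value;` turns the body of `if ( is_string($meta_value) )` into dead code and leaves the `@todo` comment above it stale, so dropping that `if` entirely is the cleaner fix there. The method enclosing the pingback.ping hunk starts and ends outside the hunk.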
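--- a/trunk/wp-includes/class-wp.php
+++ b/trunk/wp-includes/class-wp.php
@@ -143,13 +143,13 @@
 
 			if ( isset($_SERVER['PATH_INFO']) )
-				$pathinfo = $_SERVER['PATH_INFO'];
+				$pathinfo = wp_unslash( $_SERVER['PATH_INFO'] );
 			else
 				$pathinfo = '';
 			$pathinfo_array = explode('?', $pathinfo);
 			$pathinfo = str_replace("%", "%25", $pathinfo_array[0]);
-			$req_uri = $_SERVER['REQUEST_URI'];
+			$req_uri = wp_unslash( $_SERVER['REQUEST_URI'] );
 			$req_uri_array = explode('?', $req_uri);
 			$req_uri = $req_uri_array[0];
-			$self = $_SERVER['PHP_SELF'];
+			$self = wp_unslash( $_SERVER['PHP_SELF'] );
 			$home_path = parse_url(home_url());
 			if ( isset($home_path['path']) )
@@ -256,7 +256,7 @@
 				$this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
 			elseif ( isset( $_POST[$wpvar] ) )
-				$this->query_vars[$wpvar] = $_POST[$wpvar];
+				$this->query_vars[$wpvar] = wp_unslash( $_POST[$wpvar] );
 			elseif ( isset( $_GET[$wpvar] ) )
-				$this->query_vars[$wpvar] = $_GET[$wpvar];
+				$this->query_vars[$wpvar] = wp_unslash( $_GET[$wpvar] );
 			elseif ( isset( $perma_query_vars[$wpvar] ) )
 				$this->query_vars[$wpvar] = $perma_query_vars[$wpvar];
@@ -357,5 +357,5 @@
 			// Support for Conditional GET
 			if (isset($_SERVER['HTTP_IF_NONE_MATCH']))
-				$client_etag = stripslashes(stripslashes($_SERVER['HTTP_IF_NONE_MATCH']));
+				$client_etag = stripslashes( wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) ); // Retain extra strip. See #2597
 			else $client_etag = false;
 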
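--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -634,6 +634,6 @@
 function sanitize_comment_cookies() {
 	if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
-		$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
-		$comment_author = stripslashes($comment_author);
+		$comment_author = wp_unslash( $_COOKIE['comment_author_'.COOKIEHASH] );
+		$comment_author = apply_filters('pre_comment_author_name', $comment_author);
 		$comment_author = esc_attr($comment_author);
 		$_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
@@ -641,6 +641,6 @@
 
 	if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
-		$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
-		$comment_author_email = stripslashes($comment_author_email);
+		$comment_author_email = wp_unslash( $_COOKIE['comment_author_email_'.COOKIEHASH] );
+		$comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email);
 		$comment_author_email = esc_attr($comment_author_email);
 		$_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
@@ -648,6 +648,6 @@
 
 	if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
-		$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
-		$comment_author_url = stripslashes($comment_author_url);
+		$comment_author_url = wp_unslash( $_COOKIE['comment_author_url_'.COOKIEHASH] );
+		$comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url);
 		$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
 	}
@@ -671,9 +671,8 @@
 
 	// Simple duplicate check
-	// expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
-	$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
+	$dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", $comment_post_ID, $comment_parent, $comment_author );
 	if ( $comment_author_email )
-		$dupe .= "OR comment_author_email = '$comment_author_email' ";
-	$dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
+		$dupe .= $wpdb->prepare( "OR comment_author_email = %s ", $comment_author_email );
+	$dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", $comment_content );
 	if ( $wpdb->get_var($dupe) ) {
 		do_action( 'comment_duplicate_trigger', $commentdata );
@@ -1263,5 +1262,5 @@
 function wp_insert_comment($commentdata) {
 	global $wpdb;
-	extract(stripslashes_deep($commentdata), EXTR_SKIP);
+	extract($commentdata, EXTR_SKIP);
 
 	if ( ! isset($comment_author_IP) )
@@ -1492,7 +1491,4 @@
 	$comment = get_comment($commentarr['comment_ID'], ARRAY_A);
 
-	// Escape data pulled from DB.
-	$comment = esc_sql($comment);
-
 	$old_status = $comment['comment_approved'];
 
@@ -1503,5 +1499,5 @@
 
 	// Now extract the merged array.
-	extract(stripslashes_deep($commentarr), EXTR_SKIP);
+	extract($commentarr, EXTR_SKIP);
 
 	$comment_content = apply_filters('comment_save_pre', $comment_content);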
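Review bot: In the duplicate-check hunk, `comment_parent = %s` sits next to `comment_post_ID = %d` even though both hold numeric IDs; using `%d` for the parent as well keeps the placeholder types consistent and avoids comparing the column against a quoted string: `"... WHERE comment_post_ID = %d AND comment_parent = %d AND comment_approved != 'trash' AND ( comment_author = %s "`. Moving the previously interpolated author, email and content values into `$wpdb->prepare()` is the right fix and no longer depends on callers pre-slashing the data. The function enclosing this hunk starts and ends outside the hunk.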
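--- a/trunk/wp-includes/cron.php
+++ b/trunk/wp-includes/cron.php
@@ -231,5 +231,5 @@
 
 		ob_start();
-		wp_redirect( add_query_arg('doing_wp_cron', $doing_wp_cron, stripslashes($_SERVER['REQUEST_URI'])) );
+		wp_redirect( add_query_arg( 'doing_wp_cron', $doing_wp_cron, wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 		echo ' ';
 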
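--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -15,6 +15,6 @@
 // Strip, trim, kses, special chars for string saves
 foreach ( array( 'pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target', 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name', 'pre_user_nickname' ) as $filter ) {
-	add_filter( $filter, 'sanitize_text_field'  );
-	add_filter( $filter, 'wp_filter_kses'      );
+	add_filter( $filter, 'sanitize_text_field' );
+	add_filter( $filter, 'wp_kses_data' );
 	add_filter( $filter, '_wp_specialchars', 30 );
 }
@@ -32,5 +32,5 @@
 // Kses only for textarea saves
 foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) {
-	add_filter( $filter, 'wp_filter_kses' );
+	add_filter( $filter, 'wp_kses_data' );
 }
 
@@ -47,5 +47,5 @@
 	add_filter( $filter, 'trim'           );
 	add_filter( $filter, 'sanitize_email' );
-	add_filter( $filter, 'wp_filter_kses' );
+	add_filter( $filter, 'wp_kses_data' );
 }
 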
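--- a/trunk/wp-includes/default-widgets.php
+++ b/trunk/wp-includes/default-widgets.php
@@ -413,5 +413,5 @@
 			$instance['text'] =  $new_instance['text'];
 		else
-			$instance['text'] = stripslashes( wp_filter_post_kses( addslashes($new_instance['text']) ) ); // wp_filter_post_kses() expects slashed
+			$instance['text'] = wp_kses_post( $new_instance['text'] );
 		$instance['filter'] = isset($new_instance['filter']);
 		return $instance;
@@ -1057,6 +1057,6 @@
 
 	function update( $new_instance, $old_instance ) {
-		$instance['title'] = strip_tags(stripslashes($new_instance['title']));
-		$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
+		$instance['title'] = strip_tags( $new_instance['title'] );
+		$instance['taxonomy'] =  $new_instance['taxonomy'];
 		return $instance;
 	}
@@ -1119,5 +1119,5 @@
 
 	function update( $new_instance, $old_instance ) {
-		$instance['title'] = strip_tags( stripslashes($new_instance['title']) );
+		$instance['title'] = strip_tags( $new_instance['title'] );
 		$instance['nav_menu'] = (int) $new_instance['nav_menu'];
 		return $instance;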
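Review bot: In the second `update()` hunk, `$instance['taxonomy'] =  $new_instance['taxonomy'];` stores the submitted taxonomy name verbatim; the replaced line only stripped slashes, so this is not a regression, but it is the natural place for an existence check such as `$instance['taxonomy'] = taxonomy_exists( $new_instance['taxonomy'] ) ? $new_instance['taxonomy'] : 'post_tag';` (assuming `post_tag` is this widget's default), unless the value is validated where the widget renders, which is outside the hunk. The double space after `=` on that line also looks like a leftover from the edit and should be reduced to one.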
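--- a/trunk/wp-includes/deprecated.php
+++ b/trunk/wp-includes/deprecated.php
@@ -2384,5 +2384,5 @@
 	/** @todo Might need fix because usermeta data is assumed to be already escaped */
 	if ( is_string($meta_value) )
-		$meta_value = stripslashes($meta_value);
+		$meta_value = $meta_value;
 	$meta_value = maybe_serialize($meta_value);
 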
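--- a/trunk/wp-includes/feed.php
+++ b/trunk/wp-includes/feed.php
@@ -489,5 +489,5 @@
 function self_link() {
 	$host = @parse_url(home_url());
-	echo esc_url( set_url_scheme( 'http://' . $host['host'] . stripslashes($_SERVER['REQUEST_URI']) ) );
+	echo esc_url( set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 }
 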
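--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -1717,8 +1717,5 @@
  */
 function wp_rel_nofollow( $text ) {
-	// This is a pre save filter, so text is already escaped.
-	$text = stripslashes($text);
 	$text = preg_replace_callback('|<a (.+?)>|i', 'wp_rel_nofollow_callback', $text);
-	$text = esc_sql($text);
 	return $text;
 }
@@ -3343,2 +3340,52 @@
 	return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
 }
+
+/**
+ * Conditionally add slashes to a string or array of strings. When GPCS
+ * slashing is turned on, slashes are added. When GPCS slashing is turned off,
+ * slashes are not added.
+ *
+ * This should be used when preparing data for core API that deal directly with GPCS data.
+ * Outside of unit tests, this should be rare. At a future date GPCS will no longer
+ * be slashed and this function will noop. Do not use it in situations where adding slashes
+ * is always required regardless of whether GPCS is slashed.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to slash.
+ * @return string|array Slashed $value
+ */
+function wp_slash( $value ) {
+	if ( is_array( $value ) ) {
+		foreach ( $value as $k => $v ) {
+			if ( is_array( $v ) ) {
+				$value[$k] = wp_slash( $v );
+			} else {
+				$value[$k] = addslashes( $v );
+			}
+		}
+	} else {
+		$value = addslashes( $value );
+	}
+
+	return $value;
+}
+
+/**
+ * Conditionally removes slashes from a string or array of strings. When GPCS
+ * slashing is turned on, slashes are stripped. When GPCS slashing is turned off,
+ * slashes are not stripped.
+ *
+ * This should be used for GPCS data before passing it along to core API. At a future
+ * date GPCS will no longer be slashed and this function will noop. Do not use it
+ * in situations where slash stripping is always required regardless of whether GPCS
+ * is slashed.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to unslash.
+ * @return string|array Unslashed $value
+ */
+function wp_unslash( $value ) {
+	return stripslashes_deep( $value );
+}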
  • trunk/wp-includes/functions.php

    r23411 r23416  
    469469 
    470470                if ( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) { 
    471                     add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" ); 
     471                    wp_add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" ); 
    472472                } 
    473473            } 
     
    12571257 */ 
    12581258function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) { 
    1259     $jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : $_SERVER['REQUEST_URI']; 
     1259    $jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : wp_unslash( $_SERVER['REQUEST_URI'] ); 
    12601260    $ref = ( wp_get_original_referer() ) ? wp_get_original_referer() : $jump_back_to; 
    1261     $orig_referer_field = '<input type="hidden" name="_wp_original_http_referer" value="' . esc_attr( stripslashes( $ref ) ) . '" />'; 
     1261    $orig_referer_field = '<input type="hidden" name="_wp_original_http_referer" value="' . esc_attr( $ref ) . '" />'; 
    12621262    if ( $echo ) 
    12631263        echo $orig_referer_field; 
     
    12781278    $ref = false; 
    12791279    if ( ! empty( $_REQUEST['_wp_http_referer'] ) ) 
    1280         $ref = $_REQUEST['_wp_http_referer']; 
     1280        $ref = wp_unslash( $_REQUEST['_wp_http_referer'] ); 
    12811281    else if ( ! empty( $_SERVER['HTTP_REFERER'] ) ) 
    1282         $ref = $_SERVER['HTTP_REFERER']; 
    1283  
    1284     if ( $ref && $ref !== $_SERVER['REQUEST_URI'] ) 
     1282        $ref = wp_unslash( $_SERVER['HTTP_REFERER'] ); 
     1283 
     1284    if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) ) 
    12851285        return $ref; 
    12861286    return false; 
     
    12981298function wp_get_original_referer() { 
    12991299    if ( !empty( $_REQUEST['_wp_original_http_referer'] ) ) 
    1300         return $_REQUEST['_wp_original_http_referer']; 
     1300        return wp_unslash( $_REQUEST['_wp_original_http_referer'] ); 
    13011301    return false; 
    13021302} 
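Review bot: wp_get_referer() at 1278–1286 still returns whatever the client put in `_wp_http_referer` or the Referer header, now unslashed but otherwise unvalidated, and the docblock (above the hunk, not visible here) does not say so. Because callers such as the `wp_safe_redirect( wp_get_referer() )` call elsewhere in this changeset depend on the redirect layer to validate the host, the return documentation should state it: `@return string|false Unvalidated, client-supplied referer URL; pass it through wp_safe_redirect() or wp_validate_redirect() before redirecting.` The same note applies to wp_get_original_referer() at 1298–1301. The REQUEST_URI comparison at 1284 now unslashes both sides, which is consistent with the change at 1259.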
  • trunk/wp-includes/kses.php

    r21796 r23416  
    13271327function kses_init_filters() { 
    13281328    // Normal filtering 
    1329     add_filter('title_save_pre', 'wp_filter_kses'); 
     1329    add_filter('title_save_pre', 'wp_kses_data'); 
    13301330 
    13311331    // Comment filtering 
    13321332    if ( current_user_can( 'unfiltered_html' ) ) 
    1333         add_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 
     1333        add_filter( 'pre_comment_content', 'wp_kses_post' ); 
    13341334    else 
    1335         add_filter( 'pre_comment_content', 'wp_filter_kses' ); 
     1335        add_filter( 'pre_comment_content', 'wp_kses_data' ); 
    13361336 
    13371337    // Post filtering 
    1338     add_filter('content_save_pre', 'wp_filter_post_kses'); 
    1339     add_filter('excerpt_save_pre', 'wp_filter_post_kses'); 
    1340     add_filter('content_filtered_save_pre', 'wp_filter_post_kses'); 
     1338    add_filter('content_save_pre', 'wp_kses_post'); 
     1339    add_filter('excerpt_save_pre', 'wp_kses_post'); 
     1340    add_filter('content_filtered_save_pre', 'wp_kses_post'); 
    13411341} 
    13421342 
     
    13551355function kses_remove_filters() { 
    13561356    // Normal filtering 
    1357     remove_filter('title_save_pre', 'wp_filter_kses'); 
     1357    remove_filter('title_save_pre', 'wp_kses_data'); 
    13581358 
    13591359    // Comment filtering 
    1360     remove_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 
    1361     remove_filter( 'pre_comment_content', 'wp_filter_kses' ); 
     1360    remove_filter( 'pre_comment_content', 'wp_kses_post' ); 
     1361    remove_filter( 'pre_comment_content', 'wp_kses_data' ); 
    13621362 
    13631363    // Post filtering 
    1364     remove_filter('content_save_pre', 'wp_filter_post_kses'); 
    1365     remove_filter('excerpt_save_pre', 'wp_filter_post_kses'); 
    1366     remove_filter('content_filtered_save_pre', 'wp_filter_post_kses'); 
     1364    remove_filter('content_save_pre', 'wp_kses_post'); 
     1365    remove_filter('excerpt_save_pre', 'wp_kses_post'); 
     1366    remove_filter('content_filtered_save_pre', 'wp_kses_post'); 
    13671367} 
    13681368 
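Review bot: The swap from wp_filter_kses/wp_filter_post_kses to wp_kses_data/wp_kses_post at 1329–1340 carries an invariant the code does not state: the `*_save_pre` and `pre_comment_content` hooks must now receive unslashed data, otherwise wp_kses_post() presumably keeps backslashes that the slash-aware variants used to strip. A one-line comment above `// Normal filtering` would protect the next maintainer: `// These filters receive unslashed data as of 3.6; hook the plain kses variants, not wp_filter_*_kses.` kses_remove_filters() at 1355–1367 mirrors the same hook/callback list by hand, so the two must be kept in sync; a shared list that both functions iterate would make that mechanical.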
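--- a/trunk/wp-includes/link-template.php
+++ b/trunk/wp-includes/link-template.php
@@ -747,5 +747,5 @@ r23305 r23416
         $search = get_search_query( false );
     else
-        $search = stripslashes($query);
+        $search = $query;
 
     $permastruct = $wp_rewrite->get_search_permastruct();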
  • trunk/wp-includes/meta.php

    r22231 r23416  
    4343    $column = esc_sql($meta_type . '_id'); 
    4444 
    45     // expected_slashed ($meta_key) 
    46     $meta_key = stripslashes($meta_key); 
    47     $meta_value = stripslashes_deep($meta_value); 
    4845    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type ); 
    4946 
     
    114111    $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id'; 
    115112 
    116     // expected_slashed ($meta_key) 
    117     $meta_key = stripslashes($meta_key); 
    118113    $passed_value = $meta_value; 
    119     $meta_value = stripslashes_deep($meta_value); 
    120114    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type ); 
    121115 
     
    196190    $type_column = esc_sql($meta_type . '_id'); 
    197191    $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id'; 
    198     // expected_slashed ($meta_key) 
    199     $meta_key = stripslashes($meta_key); 
    200     $meta_value = stripslashes_deep($meta_value); 
    201192 
    202193    $check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all ); 
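Review bot: The three hunks (add_metadata at 45–47, update_metadata at 116–119, delete_metadata at 198–200) drop the `expected_slashed` handling, but each function's docblock sits above its hunk and is not visible here; if those @param lines still describe $meta_key/$meta_value as slashed they now contradict the code and should read `(unslashed)`, as the post.php wrappers in this changeset do. In update_metadata, `$passed_value` at 113 is retained before sanitize_meta() and the unslash step that used to separate the two copies is gone, so a short comment saying why the raw copy is kept would help, e.g. `// Keep the caller's value as passed; $meta_value below is the sanitized copy.` All three enclosing functions start before their hunks.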
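--- a/trunk/wp-includes/ms-files.php
+++ b/trunk/wp-includes/ms-files.php
@@ -59,5 +59,5 @@ r19712 r23416
 
 // Support for Conditional GET
-$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
+$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
 
 if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )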
  • trunk/wp-includes/ms-functions.php

    r23412 r23416  
    280280 */ 
    281281function create_empty_blog( $domain, $path, $weblog_title, $site_id = 1 ) { 
    282     $domain         = addslashes( $domain ); 
    283     $weblog_title   = addslashes( $weblog_title ); 
    284  
    285282    if ( empty($path) ) 
    286283        $path = '/'; 
     
    583580    $blogname = apply_filters( 'newblogname', $blogname ); 
    584581 
    585     $blog_title = stripslashes(  $blog_title ); 
     582    $blog_title = $blog_title; 
    586583 
    587584    if ( empty( $blog_title ) ) 
     
    636633 
    637634    $key = substr( md5( time() . rand() . $domain ), 0, 16 ); 
    638     $meta = serialize($meta); 
    639     $domain = $wpdb->escape($domain); 
    640     $path = $wpdb->escape($path); 
    641     $title = $wpdb->escape($title); 
     635    $meta = serialize( $meta ); 
    642636 
    643637    $wpdb->insert( $wpdb->signups, array( 
     
    652646    ) ); 
    653647 
    654     wpmu_signup_blog_notification($domain, $path, $title, $user, $user_email, $key, $meta); 
     648    wpmu_signup_blog_notification( $domain, $path, $title, $user, $user_email, $key, $meta ); 
    655649} 
    656650 
     
    842836 
    843837    $meta = maybe_unserialize($signup->meta); 
    844     $user_login = $wpdb->escape($signup->user_login); 
    845     $user_email = $wpdb->escape($signup->user_email); 
     838    $user_login = $signup->user_login; 
     839    $user_email = $signup->user_email; 
    846840    $password = wp_generate_password( 12, false ); 
    847841 
     
    11601154        update_option( 'upload_path', get_blog_option( $current_site->blog_id, 'upload_path' ) ); 
    11611155 
    1162     update_option( 'blogname', stripslashes( $blog_title ) ); 
     1156    update_option( 'blogname', $blog_title ); 
    11631157    update_option( 'admin_email', '' ); 
    11641158 
     
    12171211        return false; 
    12181212 
    1219     $welcome_email = stripslashes( get_site_option( 'welcome_email' ) ); 
     1213    $welcome_email = get_site_option( 'welcome_email' ); 
    12201214    if ( $welcome_email == false ) 
    1221         $welcome_email = stripslashes( __( 'Dear User, 
     1215        $welcome_email = __( 'Dear User, 
    12221216 
    12231217Your new SITE_NAME site has been successfully set up at: 
     
    12311225We hope you enjoy your new site. Thanks! 
    12321226 
    1233 --The Team @ SITE_NAME' ) ); 
     1227--The Team @ SITE_NAME' ); 
    12341228 
    12351229    $url = get_blogaddress_by_id($blog_id); 
     
    12551249        $current_site->site_name = 'WordPress'; 
    12561250 
    1257     $subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site->site_name, stripslashes( $title ) ) ); 
     1251    $subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site->site_name, $title ) ); 
    12581252    wp_mail($user->user_email, $subject, $message, $message_headers); 
    12591253    return true; 
     
    15101504    global $wpdb; 
    15111505    $user = get_userdata( (int) $user_id ); 
    1512     $wpdb->insert( $wpdb->registration_log, array('email' => $user->user_email, 'IP' => preg_replace( '/[^0-9., ]/', '',$_SERVER['REMOTE_ADDR'] ), 'blog_id' => $blog_id, 'date_registered' => current_time('mysql')) ); 
     1506    $wpdb->insert( $wpdb->registration_log, array('email' => $user->user_email, 'IP' => preg_replace( '/[^0-9., ]/', '', wp_unslash( $_SERVER['REMOTE_ADDR'] ) ), 'blog_id' => $blog_id, 'date_registered' => current_time('mysql')) ); 
    15131507} 
    15141508 
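Review bot: `$blog_title = $blog_title;` at 582 is a self-assignment left behind when stripslashes() was removed; delete the line rather than keep a no-op. Separately, the signup activation key at 637 (unchanged context) is built from `md5( time() . rand() . $domain )`, which is predictable given the timestamp, and since that key is what activates the signup it should come from a cryptographically strong generator rather than rand(). The removal of `$wpdb->escape()` at 639–641 and 844–845 is correct because `$wpdb->insert()` escapes its own values, and the notification call at 648 now receives plain text, which is what an email subject should get.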
  • trunk/wp-includes/nav-menu.php

    r22399 r23416  
    370370    $menu_item_db_id = (int) $menu_item_db_id; 
    371371 
    372     update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) ); 
    373     update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) ); 
    374     update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) ); 
    375     update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) ); 
    376     update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) ); 
     372    wp_update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) ); 
     373    wp_update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) ); 
     374    wp_update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) ); 
     375    wp_update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) ); 
     376    wp_update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) ); 
    377377 
    378378    $args['menu-item-classes'] = array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-classes'] ) ); 
    379379    $args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) ); 
    380     update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); 
    381     update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] ); 
    382     update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) ); 
     380    wp_update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); 
     381    wp_update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] ); 
     382    wp_update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) ); 
    383383 
    384384    if ( 0 == $menu_id ) 
    385         update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() ); 
     385        wp_update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() ); 
    386386    elseif ( get_post_meta( $menu_item_db_id, '_menu_item_orphaned' ) ) 
    387387        delete_post_meta( $menu_item_db_id, '_menu_item_orphaned' ); 
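Review bot: wp_update_nav_menu_item (starts outside the hunk) now hands `$args['menu-item-url']` and the other fields to wp_update_post_meta(), which expects unslashed input, so the contract on `$args` silently changed from slashed to unslashed while the sanitize_key()/esc_url_raw() calls at 372–382 stay as they were. The `$args` entry in the docblock (above the hunk) should record that, e.g. `@param array $args Menu item fields; expected unslashed.`, and any caller still passing raw $_POST values now needs wp_unslash() first.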
  • trunk/wp-includes/pluggable.php

    r23388 r23416  
    783783    nocache_headers(); 
    784784 
    785     $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); 
     785    $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] ) ); 
    786786 
    787787    $login_url = wp_login_url($redirect, true); 
     
    11981198    $user = get_userdata( $user_id ); 
    11991199 
    1200     $user_login = stripslashes($user->user_login); 
    1201     $user_email = stripslashes($user->user_email); 
     1200    $user_login = $user->user_login; 
     1201    $user_email = $user->user_email; 
    12021202 
    12031203    // The blogname option is escaped with esc_html on the way into the database in sanitize_option 
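Review bot: At 785 the first read of `$_SERVER['REQUEST_URI']` (inside strpos()) still uses the slashed value while the fallback URL uses wp_unslash(); read it once so both branches agree: `$request_uri = wp_unslash( $_SERVER['REQUEST_URI'] );` then `strpos( $request_uri, '/options.php' )` and `'http://' . wp_unslash( $_SERVER['HTTP_HOST'] ) . $request_uri`. Both HTTP_HOST and REQUEST_URI are client-supplied, so the resulting `$redirect` still has to be validated wherever it is eventually used (wp_login_url() at 787 only embeds it); a comment stating that assumption next to the assignment would help. The enclosing function starts before the hunk.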
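--- a/trunk/wp-includes/post-template.php
+++ b/trunk/wp-includes/post-template.php
@@ -584,5 +584,5 @@ r22634 r23416
     }
 
-    $hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
+    $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
 
     return ! $wp_hasher->CheckPassword( $post->post_password, $hash );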
  • trunk/wp-includes/post.php

    r23415 r23416  
    17431743 * 
    17441744 * @param int $post_id Post ID. 
    1745  * @param string $meta_key Metadata name. 
    1746  * @param mixed $meta_value Metadata value. 
     1745 * @param string $meta_key Metadata name (expected slashed). 
     1746 * @param mixed $meta_value Metadata value (expected slashed). 
    17471747 * @param bool $unique Optional, default is false. Whether the same key should not be added. 
    17481748 * @return bool False for failure. True for success. 
    17491749 */ 
    1750 function add_post_meta($post_id, $meta_key, $meta_value, $unique = false) { 
     1750function add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) { 
     1751    //_deprecated_function( __FUNCTION__, '3.6', 'wp_add_post_meta() (expects unslashed data)' ); 
     1752 
     1753    // expected slashed 
     1754    $meta_key = stripslashes( $meta_key ); 
     1755    $meta_value = stripslashes_deep( $meta_value ); 
     1756 
     1757    return wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique ); 
     1758} 
     1759 
     1760/** 
     1761 * Add meta data field to a post. 
     1762 * 
     1763 * Post meta data is called "Custom Fields" on the Administration Screen. 
     1764 * 
     1765 * @since 3.6.0 
     1766 * @link http://codex.wordpress.org/Function_Reference/wp_add_post_meta 
     1767 * 
     1768 * @param int $post_id Post ID. 
     1769 * @param string $meta_key Metadata name (clean, slashes already stripped). 
     1770 * @param mixed $meta_value Metadata value (clean, slashes already stripped). 
     1771 * @param bool $unique Optional, default is false. Whether the same key should not be added. 
     1772 * @return bool False for failure. True for success. 
     1773 */ 
     1774function wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) { 
    17511775    // make sure meta is added to the post, not a revision 
    1752     if ( $the_post = wp_is_post_revision($post_id) ) 
     1776    if ( $the_post = wp_is_post_revision( $post_id ) ) 
    17531777        $post_id = $the_post; 
    17541778 
    1755     return add_metadata('post', $post_id, $meta_key, $meta_value, $unique); 
     1779    return add_metadata( 'post', $post_id, $meta_key, $meta_value, $unique ); 
    17561780} 
    17571781 
     
    18101834 * 
    18111835 * @param int $post_id Post ID. 
    1812  * @param string $meta_key Metadata key. 
    1813  * @param mixed $meta_value Metadata value. 
     1836 * @param string $meta_key Metadata key (expected slashed). 
     1837 * @param mixed $meta_value Metadata value (expected slashed). 
    18141838 * @param mixed $prev_value Optional. Previous value to check before removing. 
    18151839 * @return bool False on failure, true if success. 
    18161840 */ 
    1817 function update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '') { 
     1841function update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) { 
     1842    //_deprecated_function( __FUNCTION__, '3.6', 'wp_update_post_meta() (expects unslashed data)' ); 
     1843 
     1844    // expected slashed 
     1845    $meta_key = stripslashes( $meta_key ); 
     1846    $meta_value = stripslashes_deep( $meta_value ); 
     1847 
     1848    return wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value ); 
     1849} 
     1850 
     1851/** 
     1852 * Update post meta field based on post ID. 
     1853 * 
     1854 * Use the $prev_value parameter to differentiate between meta fields with the 
     1855 * same key and post ID. 
     1856 * 
     1857 * If the meta field for the post does not exist, it will be added. 
     1858 * 
     1859 * @since 3.6.0 
     1860 * @uses $wpdb 
     1861 * @link http://codex.wordpress.org/Function_Reference/wp_update_post_meta 
     1862 * 
     1863 * @param int $post_id Post ID. 
     1864 * @param string $meta_key Metadata key (clean, slashes already stripped). 
     1865 * @param mixed $meta_value Metadata value (clean, slashes already stripped). 
     1866 * @param mixed $prev_value Optional. Previous value to check before removing. 
     1867 * @return bool False on failure, true if success. 
     1868 */ 
     1869function wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) { 
    18181870    // make sure meta is added to the post, not a revision 
    1819     if ( $the_post = wp_is_post_revision($post_id) ) 
     1871    if ( $the_post = wp_is_post_revision( $post_id ) ) 
    18201872        $post_id = $the_post; 
    18211873 
    1822     return update_metadata('post', $post_id, $meta_key, $meta_value, $prev_value); 
     1874    return update_metadata( 'post', $post_id, $meta_key, $meta_value, $prev_value ); 
    18231875} 
    18241876 
     
    24072459    do_action('wp_trash_post', $post_id); 
    24082460 
    2409     add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']); 
    2410     add_post_meta($post_id,'_wp_trash_meta_time', time()); 
     2461    wp_add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']); 
     2462    wp_add_post_meta($post_id,'_wp_trash_meta_time', time()); 
    24112463 
    24122464    $post['post_status'] = 'trash'; 
     
    24842536    foreach ( $comments as $comment ) 
    24852537        $statuses[$comment->comment_ID] = $comment->comment_approved; 
    2486     add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses); 
     2538    wp_add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses); 
    24872539 
    24882540    // Set status for all comments to post-trashed 
     
    28602912    $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent); 
    28612913 
    2862     // expected_slashed (everything!) 
    28632914    $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) ); 
    28642915    $data = apply_filters('wp_insert_post_data', $data, $postarr); 
    2865     $data = stripslashes_deep( $data ); 
    28662916    $where = array( 'ID' => $post_ID ); 
    28672917 
     
    28762926    } else { 
    28772927        if ( isset($post_mime_type) ) 
    2878             $data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update 
     2928            $data['post_mime_type'] = $post_mime_type; // This isn't in the update 
    28792929        // If there is a suggested ID, use it if not already present 
    28802930        if ( !empty($import_id) ) { 
     
    29372987                return 0; 
    29382988        } 
    2939         update_post_meta($post_ID, '_wp_page_template',  $page_template); 
     2989        wp_update_post_meta($post_ID, '_wp_page_template',  $page_template); 
    29402990    } 
    29412991 
     
    29703020        // non-escaped post was passed 
    29713021        $postarr = get_object_vars($postarr); 
    2972         $postarr = add_magic_quotes($postarr); 
    29733022    } 
    29743023 
    29753024    // First, get all of the original fields 
    29763025    $post = get_post($postarr['ID'], ARRAY_A); 
    2977  
    2978     // Escape data pulled from DB. 
    2979     $post = add_magic_quotes($post); 
    29803026 
    29813027    // Passed post category list overwrites existing category list if not empty. 
     
    33933439        foreach( (array) $trackback_urls as $tb_url) { 
    33943440            $tb_url = trim($tb_url); 
    3395             trackback($tb_url, stripslashes($post_title), $excerpt, $post_id); 
     3441            trackback($tb_url, $post_title, $excerpt, $post_id); 
    33963442        } 
    33973443    } 
     
    37363782        $join = " LEFT JOIN $wpdb->postmeta ON ( $wpdb->posts.ID = $wpdb->postmeta.post_id )"; 
    37373783 
    3738         // meta_key and meta_value might be slashed 
    3739         $meta_key = stripslashes($meta_key); 
    3740         $meta_value = stripslashes($meta_value); 
    37413784        if ( ! empty( $meta_key ) ) 
    37423785            $where .= $wpdb->prepare(" AND $wpdb->postmeta.meta_key = %s", $meta_key); 
     
    39634006        $post_name = sanitize_title($post_name); 
    39644007 
    3965     // expected_slashed ($post_name) 
    39664008    $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent); 
    39674009 
     
    40064048        $pinged = ''; 
    40074049 
    4008     // expected_slashed (everything!) 
    40094050    $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) ); 
    4010     $data = stripslashes_deep( $data ); 
    40114051 
    40124052    if ( $update ) { 
     
    40534093 
    40544094    if ( ! empty( $context ) ) 
    4055         add_post_meta( $post_ID, '_wp_attachment_context', $context, true ); 
     4095        wp_add_post_meta( $post_ID, '_wp_attachment_context', $context, true ); 
    40564096 
    40574097    if ( $update) { 
     
    44404480    // if we haven't added this old slug before, add it now 
    44414481    if ( !empty( $post_before->post_name ) && !in_array($post_before->post_name, $old_slugs) ) 
    4442         add_post_meta($post_id, '_wp_old_slug', $post_before->post_name); 
     4482        wp_add_post_meta($post_id, '_wp_old_slug', $post_before->post_name); 
    44434483 
    44444484    // if the new slug was used previously, delete it from the list 
     
    48574897 
    48584898    if ( get_option('default_pingback_flag') ) 
    4859         add_post_meta( $post_id, '_pingme', '1' ); 
    4860     add_post_meta( $post_id, '_encloseme', '1' ); 
     4899        wp_add_post_meta( $post_id, '_pingme', '1' ); 
     4900    wp_add_post_meta( $post_id, '_encloseme', '1' ); 
    48614901 
    48624902    wp_schedule_single_event(time(), 'do_pings'); 
     
    50985138 
    50995139    $post = _wp_post_revision_fields( $post, $autosave ); 
    5100     $post = add_magic_quotes($post); //since data is from db 
    51015140 
    51025141    $revision_id = wp_insert_post( $post ); 
     
    51765215 
    51775216    $update['ID'] = $revision['post_parent']; 
    5178  
    5179     $update = add_magic_quotes( $update ); //since data is from db 
    51805217 
    51815218    $post_id = wp_update_post( $update ); 
     
    54005437    if ( $post && $thumbnail_id && get_post( $thumbnail_id ) ) { 
    54015438        if ( $thumbnail_html = wp_get_attachment_image( $thumbnail_id, 'thumbnail' ) ) 
    5402             return update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id ); 
     5439            return wp_update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id ); 
    54035440        else 
    54045441            return delete_post_meta( $post->ID, '_thumbnail_id' ); 
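Review bot: The compatibility wrappers add_post_meta() and update_post_meta() carry commented-out `//_deprecated_function(...)` calls at 1751 and 1842; commented-out code ages badly, so replace each with a comment that records the intent, e.g. `// Still accepts slashed data for plugin compatibility; wp_add_post_meta() is the unslashed API.` (and the wp_update_post_meta() counterpart at 1842). The comment `// non-escaped post was passed` at 3020 in wp_update_post() is now misleading because the add_magic_quotes() call below it is gone and no slashing distinction remains; since the next line is `get_object_vars($postarr)`, it should simply read `// A post object was passed; convert it to an array.` wp_add_post_meta() and wp_update_post_meta() also repeat the same revision-redirect prologue at 1776–1777 and 1871–1872, which could be a small shared helper.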
  • trunk/wp-includes/query.php

    r23191 r23416  
    17341734        if ( !empty($q['cat']) && '0' != $q['cat'] && !$this->is_singular && $this->query_vars_changed ) { 
    17351735            $q['cat'] = ''.urldecode($q['cat']).''; 
    1736             $q['cat'] = addslashes_gpc($q['cat']); 
    17371736            $cat_array = preg_split('/[,\s]+/', $q['cat']); 
    17381737            $q['cat'] = ''; 
     
    21812180        // If a search pattern is specified, load the posts that match 
    21822181        if ( !empty($q['s']) ) { 
    2183             // added slashes screw with quote grouping when done early, so done later 
    2184             $q['s'] = stripslashes($q['s']); 
    21852182            if ( empty( $_GET['s'] ) && $this->is_main_query() ) 
    21862183                $q['s'] = urldecode($q['s']); 
     
    22912288        } else { 
    22922289            $q['author'] = (string)urldecode($q['author']); 
    2293             $q['author'] = addslashes_gpc($q['author']); 
    22942290            if ( strpos($q['author'], '-') !== false ) { 
    22952291                $eq = '!='; 
     
    23532349            } 
    23542350            $q['orderby'] = urldecode($q['orderby']); 
    2355             $q['orderby'] = addslashes_gpc($q['orderby']); 
    23562351 
    23572352            $orderby_array = array(); 
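Review bot: Removing addslashes_gpc() at 1736, 2293 and 2355 and stripslashes() at 2184 is correct in that slashing was never a substitute for validation, but the hunks leave the resulting assumption unwritten: `$q['cat']`, `$q['author']` and `$q['orderby']` are now raw query-var strings, and the code that later turns them into SQL (outside the hunks) has to validate them itself — integer casts for ids, an allowlist for orderby, `$wpdb->prepare()` for anything else. If that is how the code below already behaves, a comment at 2350 such as `// Raw query var; each token is checked against the allowed orderby values below and never interpolated directly.` would make the contract explicit; if it is not, that is the gap this changeset should close. The enclosing get_posts() method starts and ends outside the hunks.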
  • trunk/wp-includes/taxonomy.php

    r23401 r23416  
    954954            return false; 
    955955    } else if ( 'name' == $field ) { 
    956         // Assume already escaped 
    957         $value = stripslashes($value); 
    958956        $field = 't.name'; 
    959957    } else { 
     
    14951493    } 
    14961494 
    1497     $term = trim( stripslashes( $term ) ); 
     1495    $term = trim( $term ); 
    14981496 
    14991497    if ( '' === $slug = sanitize_title($term) ) 
     
    20562054    $args = sanitize_term($args, $taxonomy, 'db'); 
    20572055    extract($args, EXTR_SKIP); 
    2058  
    2059     // expected_slashed ($name) 
    2060     $name = stripslashes($name); 
    2061     $description = stripslashes($description); 
    20622056 
    20632057    if ( empty($slug) ) 
     
    24402434        return $term; 
    24412435 
    2442     // Escape data pulled from DB. 
    2443     $term = add_magic_quotes($term); 
    2444  
    24452436    // Merge old and new args with new args overwriting old ones. 
    24462437    $args = array_merge($term, $args); 
     
    24502441    $args = sanitize_term($args, $taxonomy, 'db'); 
    24512442    extract($args, EXTR_SKIP); 
    2452  
    2453     // expected_slashed ($name) 
    2454     $name = stripslashes($name); 
    2455     $description = stripslashes($description); 
    24562443 
    24572444    if ( '' == trim($name) ) 
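Review bot: wp_insert_term() and wp_update_term() (both start outside the hunks) presumably still document `$args` as slashed in their docblocks, now that the stripslashes() lines at 2059–2061 and 2453–2455 are gone the @param text should say the array is expected unslashed, matching the new contract. Those removed lines were also the only explicit mention of `$name` and `$description`; with `extract($args, EXTR_SKIP)` at 2055 and 2442 the remaining code gives no visible declaration of which $args keys it relies on, so pulling the two out explicitly, `$name = $args['name']; $description = $args['description'];` (if sanitize_term() guarantees both keys), would keep the untrusted data flow readable. The `// Assume already escaped` comment dropped at 956 in get_term_by() is the right call, since the value is no longer treated as escaped.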
  • trunk/wp-includes/user.php

    r23210 r23416  
    13911391 
    13921392    $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' ); 
    1393     $data = stripslashes_deep( $data ); 
    13941393 
    13951394    if ( $update ) { 
     
    14631462    } 
    14641463 
    1465     // Escape data pulled from DB. 
    1466     $user = add_magic_quotes( $user ); 
    1467  
    14681464    // If password is changing, hash it now. 
    14691465    if ( ! empty($userdata['user_pass']) ) { 
     
    15051501 */ 
    15061502function wp_create_user($username, $password, $email = '') { 
    1507     $user_login = esc_sql( $username ); 
    1508     $user_email = esc_sql( $email    ); 
     1503    $user_login = $username; 
     1504    $user_email = $email; 
    15091505    $user_pass = $password; 
    15101506 
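--- a/trunk/wp-includes/widgets.php
+++ b/trunk/wp-includes/widgets.php
@@ -225,5 +225,5 @@ r23199 r23416
 
             foreach ( $settings as $number => $new_instance ) {
-                $new_instance = stripslashes_deep($new_instance);
+                $new_instance = wp_unslash($new_instance);
                 $this->_set($number);
 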
  • trunk/wp-login.php

    r23336 r23416  
    397397 
    398398    // 10 days 
    399     setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH ); 
     399    setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH ); 
    400400 
    401401    wp_safe_redirect( wp_get_referer() ); 
     
    432432    login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors); 
    433433 
    434     $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : ''; 
     434    $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : ''; 
    435435 
    436436?> 
     
    531531    $user_email = ''; 
    532532    if ( $http_post ) { 
    533         $user_login = $_POST['user_login']; 
    534         $user_email = $_POST['user_email']; 
     533        $user_login = wp_unslash( $_POST['user_login'] ); 
     534        $user_email = wp_unslash( $_POST['user_email'] ); 
    535535        $errors = register_new_user($user_login, $user_email); 
    536536        if ( !is_wp_error($errors) ) { 
     
    548548    <p> 
    549549        <label for="user_login"><?php _e('Username') ?><br /> 
    550         <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" /></label> 
     550        <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" /></label> 
    551551    </p> 
    552552    <p> 
    553553        <label for="user_email"><?php _e('E-mail') ?><br /> 
    554         <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" /></label> 
     554        <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr( $user_email ); ?>" size="25" /></label> 
    555555    </p> 
    556556<?php do_action('register_form'); ?> 
     
    674674 
    675675    if ( isset($_POST['log']) ) 
    676         $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : ''; 
     676        $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : ''; 
    677677    $rememberme = ! empty( $_POST['rememberme'] ); 
    678678?> 
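Review bot: The post-password cookie at 399 is rewritten on this line but still passes no `secure` or `httponly` argument, so the hash it carries is readable from script and is also sent over plain HTTP on an SSL site. Since the line is being touched anyway, extend the call: `setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );` (COOKIE_DOMAIN and is_ssl() being the usual WordPress sources for those two arguments). At 676 the value is escaped with esc_attr() at the point it is read, whereas 550 and 554 in the same file escape at output; doing the same here keeps `$user_login` raw until it is printed and avoids double-escaping if the variable is reused in another context.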
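--- a/trunk/wp-mail.php
+++ b/trunk/wp-mail.php
@@ -203,5 +203,4 @@ r21996 r23416
 
     $post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status');
-    $post_data = add_magic_quotes($post_data);
 
     $post_ID = wp_insert_post($post_data);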
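--- a/trunk/wp-trackback.php
+++ b/trunk/wp-trackback.php
@@ -46,7 +46,7 @@ r19712 r23416
 
 // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
-$title     = isset($_POST['title'])     ? stripslashes($_POST['title'])      : '';
-$excerpt   = isset($_POST['excerpt'])   ? stripslashes($_POST['excerpt'])    : '';
-$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name'])  : '';
+$title     = isset($_POST['title'])     ? wp_unslash( $_POST['title'] )      : '';
+$excerpt   = isset($_POST['excerpt'])   ? wp_unslash( $_POST['excerpt'] )    : '';
+$blog_name = isset($_POST['blog_name']) ? wp_unslash( $_POST['blog_name'] )  : '';
 
 if ($charset)
@@ -64,9 +64,4 @@
     $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
 }
-
-// Now that mb_convert_encoding() has been given a swing, we need to escape these three
-$title     = $wpdb->escape($title);
-$excerpt   = $wpdb->escape($excerpt);
-$blog_name = $wpdb->escape($blog_name);
 
 if ( is_single() || is_page() )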
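Review bot: The comment at 47, `// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()`, now describes a step that no longer exists: the `$wpdb->escape()` block at 66–70 was removed, so nothing is "escaped after". Update it to say what the code now does, e.g. `// Unslash the POSTed trackback fields before any charset conversion; escaping is left to the database layer.` With the escape step gone, `$title`, `$excerpt` and `$blog_name` reach the rest of the script (outside the hunk) as raw client input, which is the intended contract of this changeset, so whichever consumer writes or displays them must do its own escaping.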