Timestamp:
02/14/2013 10:51:06 PM (6 years ago)
Author:
ryan
Message:

Change all core API to expect unslashed rather than slashed arguments.

The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_update_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767

File:
1 edited

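--- a/trunk/wp-admin/includes/ajax-actions.php
+++ b/trunk/wp-admin/includes/ajax-actions.php
@@ -60,5 +60,5 @@
     }
 
-    $s = stripslashes( $_GET['q'] );
+    $s = wp_unslash( $_GET['q'] );
 
     $comma = _x( ',', 'tag delimiter' );
@@ -280,17 +280,19 @@
 
 function _wp_ajax_add_hierarchical_term() {
-    $action = $_POST['action'];
+    $post_data = wp_unslash( $_POST );
+
+    $action = $post_data['action'];
     $taxonomy = get_taxonomy(substr($action, 4));
     check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy->name );
     if ( !current_user_can( $taxonomy->cap->edit_terms ) )
         wp_die( -1 );
-    $names = explode(',', $_POST['new'.$taxonomy->name]);
-    $parent = isset($_POST['new'.$taxonomy->name.'_parent']) ? (int) $_POST['new'.$taxonomy->name.'_parent'] : 0;
+    $names = explode(',', $post_data['new'.$taxonomy->name]);
+    $parent = isset($post_data['new'.$taxonomy->name.'_parent']) ? (int) $post_data['new'.$taxonomy->name.'_parent'] : 0;
     if ( 0 > $parent )
         $parent = 0;
     if ( $taxonomy->name == 'category' )
-        $post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array();
+        $post_category = isset( $post_data['post_category'] ) ? (array) $post_data['post_category'] : array();
     else
-        $post_category = ( isset($_POST['tax_input']) && isset($_POST['tax_input'][$taxonomy->name]) ) ? (array) $_POST['tax_input'][$taxonomy->name] : array();
+        $post_category = ( isset( $post_data['tax_input'] ) && isset( $post_data['tax_input'][$taxonomy->name] ) ) ? (array) $post_data['tax_input'][$taxonomy->name] : array();
     $checked_categories = array_map( 'absint', (array) $post_category );
     $popular_ids = wp_popular_terms_checklist($taxonomy->name, 0, 10, false);
@@ -560,5 +562,5 @@
     if ( !current_user_can( 'manage_categories' ) )
         wp_die( -1 );
-    $names = explode(',', $_POST['newcat']);
+    $names = explode( ',', wp_unslash( $_POST['newcat'] ) );
     $x = new WP_Ajax_Response();
     foreach ( $names as $cat_name ) {
@@ -573,5 +575,5 @@
         else if ( is_array( $cat_id ) )
             $cat_id = $cat_id['term_id'];
-        $cat_name = esc_html(stripslashes($cat_name));
+        $cat_name = esc_html( wp_unslash( $cat_name ) );
         $x->add( array(
             'what' => 'link-category',
@@ -587,7 +589,9 @@
     global $wp_list_table;
 
+    $post_data = wp_unslash( $_POST );
+
     check_ajax_referer( 'add-tag', '_wpnonce_add-tag' );
-    $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post';
-    $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
+    $post_type = !empty($post_data['post_type']) ? $post_data['post_type'] : 'post';
+    $taxonomy = !empty($post_data['taxonomy']) ? $post_data['taxonomy'] : 'post_tag';
     $tax = get_taxonomy($taxonomy);
 
@@ -597,5 +601,5 @@
     $x = new WP_Ajax_Response();
 
-    $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST );
+    $tag = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
 
     if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) {
@@ -611,5 +615,5 @@
     }
 
-    $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $_POST['screen'] ) );
+    $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $post_data['screen'] ) );
 
     $level = 0;
@@ -729,8 +733,8 @@
     if ( $user->exists() ) {
         $user_ID = $user->ID;
-        $comment_author       = $wpdb->escape($user->display_name);
-        $comment_author_email = $wpdb->escape($user->user_email);
-        $comment_author_url   = $wpdb->escape($user->user_url);
-        $comment_content      = trim($_POST['content']);
+        $comment_author       = $user->display_name;
+        $comment_author_email = $user->user_email;
+        $comment_author_url   = $user->user_url;
+        $comment_content      = trim( wp_unslash( $_POST['content'] ) );
         if ( current_user_can( 'unfiltered_html' ) ) {
             if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
@@ -958,6 +962,6 @@
     } else { // Update?
         $mid = (int) key( $_POST['meta'] );
-        $key = stripslashes( $_POST['meta'][$mid]['key'] );
-        $value = stripslashes( $_POST['meta'][$mid]['value'] );
+        $key = wp_unslash( $_POST['meta'][$mid]['key'] );
+        $value = wp_unslash( $_POST['meta'][$mid]['value'] );
         if ( '' == trim($key) )
             wp_die( __( 'Please provide a custom field name.' ) );
@@ -1228,5 +1232,5 @@
 
     if ( isset( $_POST['search'] ) )
-        $args['s'] = stripslashes( $_POST['search'] );
+        $args['s'] = wp_unslash( $_POST['search'] );
     $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
 
@@ -1329,5 +1333,4 @@
 
     $post = get_post( $post_ID, ARRAY_A );
-    $post = add_magic_quotes($post); //since it is from db
 
     $data['content'] = $post['post_content'];
@@ -1377,6 +1380,8 @@
 
     check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' );
-
-    $taxonomy = sanitize_key( $_POST['taxonomy'] );
+   
+    $post_data = wp_unslash( $_POST );
+
+    $taxonomy = sanitize_key( $post_data['taxonomy'] );
     $tax = get_taxonomy( $taxonomy );
     if ( ! $tax )
@@ -1388,11 +1393,11 @@
     $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) );
 
-    if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
+    if ( ! isset($post_data['tax_ID']) || ! ( $id = (int) $post_data['tax_ID'] ) )
         wp_die( -1 );
 
     $tag = get_term( $id, $taxonomy );
-    $_POST['description'] = $tag->description;
-
-    $updated = wp_update_term($id, $taxonomy, $_POST);
+    $post_data['description'] = $tag->description;
+
+    $updated = wp_update_term($id, $taxonomy, $post_data );
     if ( $updated && !is_wp_error($updated) ) {
         $tag = get_term( $updated['term_id'], $taxonomy );
@@ -1426,5 +1431,5 @@
     unset( $post_types['attachment'] );
 
-    $s = stripslashes( $_POST['ps'] );
+    $s = wp_unslash( $_POST['ps'] );
     $searchand = $search = '';
     $args = array(
@@ -1597,5 +1602,5 @@
     }
 
-    $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+    $post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( $_REQUEST['post_data'] ) : array();
 
     // If the context is custom header or background, make sure the uploaded file is an image.
@@ -1631,8 +1636,8 @@
     if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) {
         if ( 'custom-background' === $post_data['context'] )
-            update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
+            wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
 
         if ( 'custom-header' === $post_data['context'] )
-            update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
+            wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
     }
 
@@ -1779,5 +1784,5 @@
 
     $new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1];
-    update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
+    wp_update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
     wp_die( 1 );
 }
@@ -1874,5 +1879,5 @@
         wp_send_json_error();
 
-    $changes = $_REQUEST['changes'];
+    $changes = wp_unslash( $_REQUEST['changes'] );
     $post    = get_post( $id, ARRAY_A );
 
@@ -1891,8 +1896,8 @@
     if ( isset( $changes['alt'] ) ) {
         $alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
-        $new_alt = stripslashes( $changes['alt'] );
+        $new_alt = $changes['alt'];
         if ( $alt != $new_alt ) {
             $new_alt = wp_strip_all_tags( $new_alt, true );
-            update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) );
+            wp_update_post_meta( $id, '_wp_attachment_image_alt', $new_alt );
         }
     }
@@ -1916,5 +1921,5 @@
     if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) )
         wp_send_json_error();
-    $attachment_data = $_REQUEST['attachments'][ $id ];
+    $attachment_data = wp_unslash( $_REQUEST['attachments'][ $id ] );
 
     check_ajax_referer( 'update-post_' . $id, 'nonce' );
@@ -1960,5 +1965,5 @@
     check_ajax_referer( 'update-post_' . $post_id, 'nonce' );
 
-    $attachments = $_REQUEST['attachments'];
+    $attachments = wp_unslash( $_REQUEST['attachments'] );
 
     if ( ! current_user_can( 'edit_post', $post_id ) )
@@ -1991,5 +1996,5 @@
     check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-    $attachment = stripslashes_deep( $_POST['attachment'] );
+    $attachment = wp_unslash( $_POST['attachment'] );
 
     $id = intval( $attachment['id'] );
@@ -2046,5 +2051,5 @@
     check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-    if ( ! $src = stripslashes( $_POST['src'] ) )
+    if ( ! $src = wp_unslash( $_POST['src'] ) )
         wp_send_json_error();
 
@@ -2055,5 +2060,5 @@
         wp_send_json_error();
 
-    if ( ! $title = trim( stripslashes( $_POST['title'] ) ) )
+    if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
         $title = wp_basename( $src );
 
@@ -2084,5 +2089,5 @@
    
     if ( ! empty($_POST['data']) ) {
-        $data = (array) $_POST['data'];
+        $data = wp_unslash( (array) $_POST['data'] );
         // todo: how much to sanitize and preset and what to leave to be accessed from $data or $_POST..?
         $user = wp_get_current_user();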
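Review bot: In the inline term-edit hunk (old lines 1388-1398), the added line `$updated = wp_update_term($id, $taxonomy, $post_data );` hands the entire unslashed request body to the term API as its `$args`, so any key wp_update_term() honours (e.g. `slug`, `parent`, `alias_of`, `term_group`) becomes client-settable, not only the fields the inline editor posts; the commit changes the slashing but leaves that surface as wide as the old `$_POST` version. The capability check that gates this path is not in the hunk; assuming it is the taxonomy's `edit_terms` check between the visible lines, the residual risk is an authorised editor supplying fields the UI never exposes, so this is hardening rather than a bypass. Consider assembling the args from an explicit allow-list, e.g. `$args = array_intersect_key( $post_data, array_flip( array( 'name', 'slug', 'parent' ) ) );` followed by `$args['description'] = $tag->description;` and `$updated = wp_update_term( $id, $taxonomy, $args );` — confirm the key set against what the inline editor actually sends before narrowing it. The same whole-request pattern appears in the add-tag hunk's `wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data )`. wp_ajax_inline_save_tax() starts and ends outside this hunk.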