Changeset 23416 for trunk/wp-admin/includes/post.php
- Timestamp:
- 02/14/2013 10:51:06 PM (12 years ago)
- File:
-
- 1 edited
trunk/wp-admin/includes/post.php
r23094 r23416 150 150 function edit_post( $post_data = null ) { 151 151 152 if ( empty( $post_data) )153 $post_data = &$_POST;152 if ( empty( $post_data ) ) 153 $post_data = wp_unslash( $_POST ); 154 154 155 155 // Clear out any data in internal vars. … … 229 229 if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) { 230 230 $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true ); 231 if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) { 232 $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true ); 233 // update_meta expects slashed 234 update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) ); 231 if ( $image_alt != $post_data['_wp_attachment_image_alt'] ) { 232 $image_alt = wp_strip_all_tags( $post_data['_wp_attachment_image_alt'], true ); 233 wp_update_post_meta( $post_ID, '_wp_attachment_image_alt', $image_alt ); 235 234 } 236 235 } … … 242 241 add_meta( $post_ID ); 243 242 244 update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );243 wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); 245 244 246 245 wp_update_post( $post_data ); … … 423 422 $post_title = ''; 424 423 if ( !empty( $_REQUEST['post_title'] ) ) 425 $post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));424 $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] )); 426 425 427 426 $post_content = ''; 428 427 if ( !empty( $_REQUEST['content'] ) ) 429 $post_content = esc_html( stripslashes( $_REQUEST['content'] ));428 $post_content = esc_html( wp_unslash( $_REQUEST['content'] )); 430 429 431 430 $post_excerpt = ''; 432 431 if ( !empty( $_REQUEST['excerpt'] ) ) 433 $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));432 $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] )); 434 433 435 434 if ( $create_in_db ) { … … 480 479 global $wpdb; 481 480 482 $post_title = s tripslashes( sanitize_post_field( 'post_title', 
$title, 0, 'db' ));483 $post_content = s tripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ));484 $post_date = s tripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ));481 $post_title = sanitize_post_field( 'post_title', $title, 0, 'db' ); 482 $post_content = sanitize_post_field( 'post_content', $content, 0, 'db' ); 483 $post_date = sanitize_post_field( 'post_date', $date, 0, 'db' ); 485 484 486 485 $query = "SELECT ID FROM $wpdb->posts WHERE 1=1"; … … 560 559 561 560 // Create the post. 562 $post_ID = wp_insert_post( $_POST);561 $post_ID = wp_insert_post( wp_unslash( $_POST ) ); 563 562 if ( is_wp_error( $post_ID ) ) 564 563 return $post_ID; … … 569 568 add_meta( $post_ID ); 570 569 571 add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );570 wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); 572 571 573 572 // Now that we have an ID we can fix any attachment anchor hrefs … … 613 612 $post_ID = (int) $post_ID; 614 613 615 $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';616 $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';617 $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue']: '';614 $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : ''; 615 $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : ''; 616 $metavalue = isset($_POST['metavalue']) ? 
wp_unslash( trim( $_POST['metavalue'] ) ) : ''; 618 617 if ( is_string( $metavalue ) ) 619 618 $metavalue = trim( $metavalue ); … … 632 631 return false; 633 632 634 $metakey = esc_sql( $metakey ); 635 636 return add_post_meta( $post_ID, $metakey, $metavalue ); 633 return wp_add_post_meta( $post_ID, $metakey, $metavalue ); 637 634 } 638 635 … … 707 704 * 708 705 * @param unknown_type $meta_id 709 * @param unknown_type $meta_key Expect Slashed710 * @param unknown_type $meta_value Expect Slashed706 * @param unknown_type $meta_key 707 * @param unknown_type $meta_value 711 708 * @return unknown 712 709 */ 713 710 function update_meta( $meta_id, $meta_key, $meta_value ) { 714 $meta_key = stripslashes( $meta_key );715 $meta_value = stripslashes_deep( $meta_value );716 717 711 return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key ); 718 712 } … … 768 762 if ( $replace ) { 769 763 $post['post_content'] = $content; 770 // Escape data pulled from DB.771 $post = add_magic_quotes($post);772 764 773 765 return wp_update_post($post); … … 1180 1172 $lock = "$now:$user_id"; 1181 1173 1182 update_post_meta( $post->ID, '_edit_lock', $lock );1174 wp_update_post_meta( $post->ID, '_edit_lock', $lock ); 1183 1175 return array( $now, $user_id ); 1184 1176 } … … 1231 1223 // Only store one autosave. If there is already an autosave, overwrite it. 1232 1224 if ( $old_autosave = wp_get_post_autosave( $post_id ) ) { 1233 $new_autosave = _wp_post_revision_fields( $_POST, true );1225 $new_autosave = _wp_post_revision_fields( wp_unslash( $_POST ), true ); 1234 1226 $new_autosave['ID'] = $old_autosave->ID; 1235 1227 $new_autosave['post_author'] = get_current_user_id(); … … 1238 1230 1239 1231 // _wp_put_post_revision() expects unescaped. 1240 $_POST = stripslashes_deep($_POST);1232 $_POST = wp_unslash( $_POST ); 1241 1233 1242 1234 // Otherwise create the new autosave as a special post revision
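Review bot: In add_meta the new `$metavalue` line calls `trim()` on `$_POST['metavalue']` before the `is_string()` guard that follows it, so a non-string value (for example an array submitted as `metavalue[]`) now reaches `trim()` directly, which emits a warning on PHP 5/7 and throws a TypeError on PHP 8; the old code only applied `trim()` to raw `$_POST['metavalue']` after confirming it was a string. Drop the early trim and let the existing guarded trim do the work: `$metavalue = isset( $_POST['metavalue'] ) ? wp_unslash( $_POST['metavalue'] ) : '';`. The same hunk also removes `esc_sql( $metakey )`, so escaping of the user-supplied key now rests entirely on `wp_add_post_meta()`; that is presumably intended, but a short comment such as `// wp_add_post_meta() expects unslashed input and handles SQL escaping` would make the contract explicit. Relatedly, the update_meta docblock lost its "Expect Slashed" annotations without gaining a replacement; stating `@param ... $meta_key Unslashed` and `@param ... $meta_value Unslashed` would document the new expectation for callers. add_meta and update_meta both begin and end outside the visible hunks.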