Changeset 23416 for trunk/wp-admin/includes/user.php
- Timestamp:
- 02/14/2013 10:51:06 PM (12 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/wp-admin/includes/user.php
r23380 r23416 35 35 $user->ID = (int) $user_id; 36 36 $userdata = get_userdata( $user_id ); 37 $user->user_login = $ wpdb->escape( $userdata->user_login );37 $user->user_login = $userdata->user_login; 38 38 } else { 39 39 $update = false; 40 40 } 41 41 42 if ( !$update && isset( $_POST['user_login'] ) ) 43 $user->user_login = sanitize_user($_POST['user_login'], true); 42 // get clean data before we get started. 43 $post_data = wp_unslash( $_POST ); 44 45 if ( !$update && isset( $post_data['user_login'] ) ) 46 $user->user_login = sanitize_user($post_data['user_login'], true); 44 47 45 48 $pass1 = $pass2 = ''; 46 if ( isset( $ _POST['pass1'] ))47 $pass1 = $ _POST['pass1'];48 if ( isset( $ _POST['pass2'] ))49 $pass2 = $ _POST['pass2'];50 51 if ( isset( $ _POST['role'] ) && current_user_can( 'edit_users' ) ) {52 $new_role = sanitize_text_field( $ _POST['role'] );49 if ( isset( $post_data['pass1'] )) 50 $pass1 = $post_data['pass1']; 51 if ( isset( $post_data['pass2'] )) 52 $pass2 = $post_data['pass2']; 53 54 if ( isset( $post_data['role'] ) && current_user_can( 'edit_users' ) ) { 55 $new_role = sanitize_text_field( $post_data['role'] ); 53 56 $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false; 54 57 // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. … … 63 66 } 64 67 65 if ( isset( $ _POST['email'] ))66 $user->user_email = sanitize_text_field( $ _POST['email'] );67 if ( isset( $ _POST['url'] ) ) {68 if ( empty ( $ _POST['url'] ) || $_POST['url'] == 'http://' ) {68 if ( isset( $post_data['email'] )) 69 $user->user_email = sanitize_text_field( $post_data['email'] ); 70 if ( isset( $post_data['url'] ) ) { 71 if ( empty ( $post_data['url'] ) || $post_data['url'] == 'http://' ) { 69 72 $user->user_url = ''; 70 73 } else { 71 $user->user_url = esc_url_raw( $ _POST['url'] );74 $user->user_url = esc_url_raw( $post_data['url'] ); 72 75 $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) ); 73 76 $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url; 74 77 } 75 78 } 76 if ( isset( $ _POST['first_name'] ) )77 $user->first_name = sanitize_text_field( $ _POST['first_name'] );78 if ( isset( $ _POST['last_name'] ) )79 $user->last_name = sanitize_text_field( $ _POST['last_name'] );80 if ( isset( $ _POST['nickname'] ) )81 $user->nickname = sanitize_text_field( $ _POST['nickname'] );82 if ( isset( $ _POST['display_name'] ) )83 $user->display_name = sanitize_text_field( $ _POST['display_name'] );84 85 if ( isset( $ _POST['description'] ) )86 $user->description = trim( $ _POST['description'] );79 if ( isset( $post_data['first_name'] ) ) 80 $user->first_name = sanitize_text_field( $post_data['first_name'] ); 81 if ( isset( $post_data['last_name'] ) ) 82 $user->last_name = sanitize_text_field( $post_data['last_name'] ); 83 if ( isset( $post_data['nickname'] ) ) 84 $user->nickname = sanitize_text_field( $post_data['nickname'] ); 85 if ( isset( $post_data['display_name'] ) ) 86 $user->display_name = sanitize_text_field( $post_data['display_name'] ); 87 88 if ( isset( $post_data['description'] ) ) 89 $user->description = trim( $post_data['description'] ); 87 90 88 91 foreach ( _wp_get_user_contactmethods( $user ) as $method => $name ) { 89 if ( isset( $ _POST[$method] ))90 $user->$method = sanitize_text_field( $ _POST[$method] );92 if ( isset( $post_data[$method] )) 93 $user->$method = sanitize_text_field( $post_data[$method] ); 91 94 } 92 95 93 96 if ( $update ) { 94 $user->rich_editing = isset( $ _POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';95 $user->admin_color = isset( $ _POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh';96 $user->show_admin_bar_front = isset( $ _POST['admin_bar_front'] ) ? 'true' : 'false';97 } 98 99 $user->comment_shortcuts = isset( $ _POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';97 $user->rich_editing = isset( $post_data['rich_editing'] ) && 'false' == $post_data['rich_editing'] ? 'false' : 'true'; 98 $user->admin_color = isset( $post_data['admin_color'] ) ? sanitize_text_field( $post_data['admin_color'] ) : 'fresh'; 99 $user->show_admin_bar_front = isset( $post_data['admin_bar_front'] ) ? 'true' : 'false'; 100 } 101 102 $user->comment_shortcuts = isset( $post_data['comment_shortcuts'] ) && 'true' == $post_data['comment_shortcuts'] ? 'true' : ''; 100 103 101 104 $user->use_ssl = 0; 102 if ( !empty($ _POST['use_ssl']) )105 if ( !empty($post_data['use_ssl']) ) 103 106 $user->use_ssl = 1; 104 107 … … 125 128 126 129 /* Check for "\" in password */ 127 if ( false !== strpos( stripslashes($pass1), "\\" ) )130 if ( false !== strpos( $pass1, "\\" ) ) 128 131 $errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) ); 129 132 … … 135 138 $user->user_pass = $pass1; 136 139 137 if ( !$update && isset( $ _POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )140 if ( !$update && isset( $post_data['user_login'] ) && !validate_username( $post_data['user_login'] ) ) 138 141 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' )); 139 142 … … 160 163 } else { 161 164 $user_id = wp_insert_user( $user ); 162 wp_new_user_notification( $user_id, isset($ _POST['send_password']) ? $pass1 : '' );165 wp_new_user_notification( $user_id, isset($post_data['send_password']) ? $pass1 : '' ); 163 166 } 164 167 return $user_id;
Note: See TracChangeset
for help on using the changeset viewer.