Changeset 23416 for trunk/wp-includes/class-wp-xmlrpc-server.php
- Timestamp:
- 02/14/2013 10:51:06 PM (12 years ago)
- File:
-
- 1 edited
trunk/wp-includes/class-wp-xmlrpc-server.php
r23363 r23416 281 281 $pmeta = get_metadata_by_mid( 'post', $meta['id'] ); 282 282 if ( isset($meta['key']) ) { 283 $meta['key'] = stripslashes( $meta['key'] );284 283 if ( $meta['key'] != $pmeta->meta_key ) 285 284 continue; 286 $meta['value'] = stripslashes_deep( $meta['value'] );287 285 if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) ) 288 286 update_metadata_by_mid( 'post', $meta['id'], $meta['value'] ); … … 290 288 delete_metadata_by_mid( 'post', $meta['id'] ); 291 289 } 292 } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] )) ) {293 add_post_meta( $post_id, $meta['key'], $meta['value'] );290 } elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) { 291 wp_add_post_meta( $post_id, $meta['key'], $meta['value'] ); 294 292 } 295 293 } … … 463 461 } 464 462 465 $this->escape( $args );466 467 463 $username = $args[0]; 468 464 $password = $args[1]; … … 956 952 return $this->error; 957 953 958 $this->escape( $args );959 960 954 $blog_id = (int) $args[0]; 961 955 $username = $args[1]; … … 1240 1234 return $this->error; 1241 1235 1242 $this->escape( $args );1243 1244 1236 $blog_id = (int) $args[0]; 1245 1237 $username = $args[1]; … … 1275 1267 $post['post_date_gmt'] = $this->_convert_date( $post['post_date_gmt'] ); 1276 1268 1277 $this->escape( $post );1278 1269 $merged_content_struct = array_merge( $post, $content_struct ); 1279 1270 … … 1301 1292 if ( ! $this->minimum_args( $args, 4 ) ) 1302 1293 return $this->error; 1303 1304 $this->escape( $args );1305 1294 1306 1295 $blog_id = (int) $args[0]; … … 1378 1367 return $this->error; 1379 1368 1380 $this->escape( $args );1381 1382 1369 $blog_id = (int) $args[0]; 1383 1370 $username = $args[1]; … … 1434 1421 if ( ! $this->minimum_args( $args, 3 ) ) 1435 1422 return $this->error; 1436 1437 $this->escape( $args );1438 1423 1439 1424 $blog_id = (int) $args[0]; … … 1529 1514 if ( ! 
$this->minimum_args( $args, 4 ) ) 1530 1515 return $this->error; 1531 1532 $this->escape( $args );1533 1516 1534 1517 $blog_id = (int) $args[0]; … … 1617 1600 return $this->error; 1618 1601 1619 $this->escape( $args );1620 1621 1602 $blog_id = (int) $args[0]; 1622 1603 $username = $args[1]; … … 1708 1689 if ( ! $this->minimum_args( $args, 5 ) ) 1709 1690 return $this->error; 1710 1711 $this->escape( $args );1712 1691 1713 1692 $blog_id = (int) $args[0]; … … 1776 1755 return $this->error; 1777 1756 1778 $this->escape( $args );1779 1780 1757 $blog_id = (int) $args[0]; 1781 1758 $username = $args[1]; … … 1829 1806 return $this->error; 1830 1807 1831 $this->escape( $args );1832 1833 1808 $blog_id = (int) $args[0]; 1834 1809 $username = $args[1]; … … 1904 1879 return $this->error; 1905 1880 1906 $this->escape( $args );1907 1908 1881 $blog_id = (int) $args[0]; 1909 1882 $username = $args[1]; … … 1947 1920 if ( ! $this->minimum_args( $args, 3 ) ) 1948 1921 return $this->error; 1949 1950 $this->escape( $args );1951 1922 1952 1923 $blog_id = (int) $args[0]; … … 2017 1988 return $this->error; 2018 1989 2019 $this->escape( $args );2020 2021 1990 $blog_id = (int) $args[0]; 2022 1991 $username = $args[1]; … … 2070 2039 return $this->error; 2071 2040 2072 $this->escape( $args );2073 2074 2041 $blog_id = (int) $args[0]; 2075 2042 $username = $args[1]; … … 2137 2104 if ( ! 
$this->minimum_args( $args, 3 ) ) 2138 2105 return $this->error; 2139 2140 $this->escape( $args );2141 2106 2142 2107 $blog_id = (int) $args[0]; … … 2185 2150 return $this->error; 2186 2151 2187 $this->escape( $args );2188 2189 2152 $blog_id = (int) $args[0]; 2190 2153 $username = $args[1]; … … 2250 2213 */ 2251 2214 function wp_getPage($args) { 2252 $this->escape($args);2253 2254 2215 $blog_id = (int) $args[0]; 2255 2216 $page_id = (int) $args[1]; … … 2293 2254 */ 2294 2255 function wp_getPages($args) { 2295 $this->escape($args);2296 2297 2256 $blog_id = (int) $args[0]; 2298 2257 $username = $args[1]; … … 2337 2296 */ 2338 2297 function wp_newPage($args) { 2339 // Items not escaped here will be escaped in newPost. 2340 $username = $this->escape($args[1]); 2341 $password = $this->escape($args[2]); 2298 $username = $args[1]; 2299 $password = $args[2]; 2342 2300 $page = $args[3]; 2343 2301 $publish = $args[4]; … … 2364 2322 */ 2365 2323 function wp_deletePage($args) { 2366 $this->escape($args);2367 2368 2324 $blog_id = (int) $args[0]; 2369 2325 $username = $args[1]; … … 2405 2361 */ 2406 2362 function wp_editPage($args) { 2407 // Items not escaped here will be escaped in editPost.2408 2363 $blog_id = (int) $args[0]; 2409 $page_id = (int) $ this->escape($args[1]);2410 $username = $ this->escape($args[2]);2411 $password = $ this->escape($args[3]);2364 $page_id = (int) $args[1]; 2365 $username = $args[2]; 2366 $password = $args[3]; 2412 2367 $content = $args[4]; 2413 2368 $publish = $args[5]; … … 2453 2408 function wp_getPageList($args) { 2454 2409 global $wpdb; 2455 2456 $this->escape($args);2457 2410 2458 2411 $blog_id = (int) $args[0]; … … 2504 2457 */ 2505 2458 function wp_getAuthors($args) { 2506 2507 $this->escape($args);2508 2509 2459 $blog_id = (int) $args[0]; 2510 2460 $username = $args[1]; … … 2540 2490 */ 2541 2491 function wp_getTags( $args ) { 2542 $this->escape( $args );2543 2544 2492 $blog_id = (int) $args[0]; 2545 2493 $username = $args[1]; … … 2581 2529 
*/ 2582 2530 function wp_newCategory($args) { 2583 $this->escape($args);2584 2585 2531 $blog_id = (int) $args[0]; 2586 2532 $username = $args[1]; … … 2642 2588 */ 2643 2589 function wp_deleteCategory($args) { 2644 $this->escape($args);2645 2646 2590 $blog_id = (int) $args[0]; 2647 2591 $username = $args[1]; … … 2674 2618 */ 2675 2619 function wp_suggestCategories($args) { 2676 $this->escape($args);2677 2678 2620 $blog_id = (int) $args[0]; 2679 2621 $username = $args[1]; … … 2711 2653 */ 2712 2654 function wp_getComment($args) { 2713 $this->escape($args);2714 2715 2655 $blog_id = (int) $args[0]; 2716 2656 $username = $args[1]; … … 2752 2692 */ 2753 2693 function wp_getComments($args) { 2754 $this->escape($args);2755 2756 2694 $blog_id = (int) $args[0]; 2757 2695 $username = $args[1]; … … 2812 2750 */ 2813 2751 function wp_deleteComment($args) { 2814 $this->escape($args);2815 2816 2752 $blog_id = (int) $args[0]; 2817 2753 $username = $args[1]; … … 2866 2802 */ 2867 2803 function wp_editComment($args) { 2868 $this->escape($args);2869 2870 2804 $blog_id = (int) $args[0]; 2871 2805 $username = $args[1]; … … 2942 2876 function wp_newComment($args) { 2943 2877 global $wpdb; 2944 2945 $this->escape($args);2946 2878 2947 2879 $blog_id = (int) $args[0]; … … 2979 2911 2980 2912 if ( $logged_in ) { 2981 $comment['comment_author'] = $ wpdb->escape( $user->display_name );2982 $comment['comment_author_email'] = $ wpdb->escape( $user->user_email );2983 $comment['comment_author_url'] = $ wpdb->escape( $user->user_url );2913 $comment['comment_author'] = $user->display_name; 2914 $comment['comment_author_email'] = $user->user_email; 2915 $comment['comment_author_url'] = $user->user_url; 2984 2916 $comment['user_ID'] = $user->ID; 2985 2917 } else { … … 3028 2960 */ 3029 2961 function wp_getCommentStatusList($args) { 3030 $this->escape( $args );3031 3032 2962 $blog_id = (int) $args[0]; 3033 2963 $username = $args[1]; … … 3054 2984 */ 3055 2985 function wp_getCommentCount( $args ) { 
3056 $this->escape($args);3057 3058 2986 $blog_id = (int) $args[0]; 3059 2987 $username = $args[1]; … … 3087 3015 */ 3088 3016 function wp_getPostStatusList( $args ) { 3089 $this->escape( $args );3090 3091 3017 $blog_id = (int) $args[0]; 3092 3018 $username = $args[1]; … … 3113 3039 */ 3114 3040 function wp_getPageStatusList( $args ) { 3115 $this->escape( $args );3116 3117 3041 $blog_id = (int) $args[0]; 3118 3042 $username = $args[1]; … … 3139 3063 */ 3140 3064 function wp_getPageTemplates( $args ) { 3141 $this->escape( $args );3142 3143 3065 $blog_id = (int) $args[0]; 3144 3066 $username = $args[1]; … … 3166 3088 */ 3167 3089 function wp_getOptions( $args ) { 3168 $this->escape( $args );3169 3170 3090 $blog_id = (int) $args[0]; 3171 3091 $username = $args[1]; … … 3216 3136 */ 3217 3137 function wp_setOptions( $args ) { 3218 $this->escape( $args );3219 3220 3138 $blog_id = (int) $args[0]; 3221 3139 $username = $args[1]; … … 3265 3183 */ 3266 3184 function wp_getMediaItem($args) { 3267 $this->escape($args);3268 3269 3185 $blog_id = (int) $args[0]; 3270 3186 $username = $args[1]; … … 3310 3226 */ 3311 3227 function wp_getMediaLibrary($args) { 3312 $this->escape($args);3313 3314 3228 $blog_id = (int) $args[0]; 3315 3229 $username = $args[1]; … … 3352 3266 */ 3353 3267 function wp_getPostFormats( $args ) { 3354 $this->escape( $args );3355 3356 3268 $blog_id = (int) $args[0]; 3357 3269 $username = $args[1]; … … 3412 3324 return $this->error; 3413 3325 3414 $this->escape( $args );3415 3416 3326 $blog_id = (int) $args[0]; 3417 3327 $username = $args[1]; … … 3458 3368 return $this->error; 3459 3369 3460 $this->escape( $args );3461 3462 3370 $blog_id = (int) $args[0]; 3463 3371 $username = $args[1]; … … 3512 3420 return $this->error; 3513 3421 3514 $this->escape( $args );3515 3516 3422 $blog_id = (int) $args[0]; 3517 3423 $username = $args[1]; … … 3578 3484 return $this->error; 3579 3485 3580 $this->escape( $args );3581 3582 3486 $blog_id = (int) $args[0]; 3583 3487 
$username = $args[1]; … … 3628 3532 if ( is_multisite() ) 3629 3533 return $this->_multisite_getUsersBlogs($args); 3630 3631 $this->escape($args);3632 3534 3633 3535 $username = $args[1]; … … 3692 3594 */ 3693 3595 function blogger_getUserInfo($args) { 3694 3695 $this->escape($args);3696 3697 3596 $username = $args[1]; 3698 3597 $password = $args[2]; … … 3726 3625 */ 3727 3626 function blogger_getPost($args) { 3728 3729 $this->escape($args);3730 3731 3627 $post_ID = (int) $args[1]; 3732 3628 $username = $args[2]; … … 3747 3643 $categories = implode(',', wp_get_post_categories($post_ID)); 3748 3644 3749 $content = '<title>'. stripslashes($post_data['post_title']).'</title>';3645 $content = '<title>'.$post_data['post_title'].'</title>'; 3750 3646 $content .= '<category>'.$categories.'</category>'; 3751 $content .= stripslashes($post_data['post_content']);3647 $content .= $post_data['post_content']; 3752 3648 3753 3649 $struct = array( … … 3770 3666 */ 3771 3667 function blogger_getRecentPosts($args) { 3772 3773 $this->escape($args);3774 3775 3668 // $args[0] = appkey - ignored 3776 3669 $blog_ID = (int) $args[1]; /* though we don't use it yet */ … … 3801 3694 $categories = implode(',', wp_get_post_categories($entry['ID'])); 3802 3695 3803 $content = '<title>'. 
stripslashes($entry['post_title']).'</title>';3696 $content = '<title>'.$entry['post_title'].'</title>'; 3804 3697 $content .= '<category>'.$categories.'</category>'; 3805 $content .= stripslashes($entry['post_content']);3698 $content .= $entry['post_content']; 3806 3699 3807 3700 $struct[] = array( … … 3851 3744 */ 3852 3745 function blogger_newPost($args) { 3853 3854 $this->escape($args);3855 3856 3746 $blog_ID = (int) $args[1]; /* though we don't use it yet */ 3857 3747 $username = $args[2]; … … 3905 3795 */ 3906 3796 function blogger_editPost($args) { 3907 3908 $this->escape($args);3909 3910 3797 $post_ID = (int) $args[1]; 3911 3798 $username = $args[2]; … … 3924 3811 return new IXR_Error(404, __('Sorry, no such post.')); 3925 3812 3926 $this->escape($actual_post);3927 3928 3813 if ( !current_user_can('edit_post', $post_ID) ) 3929 3814 return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.')); … … 3961 3846 */ 3962 3847 function blogger_deletePost($args) { 3963 $this->escape($args);3964 3965 3848 $post_ID = (int) $args[1]; 3966 3849 $username = $args[2]; … … 4031 3914 */ 4032 3915 function mw_newPost($args) { 4033 $this->escape($args); 4034 4035 $blog_ID = (int) $args[0]; 4036 $username = $args[1]; 4037 $password = $args[2]; 3916 $blog_ID = (int) $args[0]; 3917 $username = $args[1]; 3918 $password = $args[2]; 4038 3919 $content_struct = $args[3]; 4039 $publish = isset( $args[4] ) ? $args[4] : 0;3920 $publish = isset( $args[4] ) ? 
$args[4] : 0; 4040 3921 4041 3922 if ( !$user = $this->login($username, $password) ) … … 4317 4198 } 4318 4199 if (!$found) 4319 add_post_meta( $post_ID, 'enclosure', $encstring );4200 wp_add_post_meta( $post_ID, 'enclosure', $encstring ); 4320 4201 } 4321 4202 } … … 4351 4232 */ 4352 4233 function mw_editPost($args) { 4353 4354 $this->escape($args);4355 4356 4234 $post_ID = (int) $args[0]; 4357 4235 $username = $args[1]; … … 4392 4270 } 4393 4271 4394 $this->escape($postdata);4395 4272 extract($postdata, EXTR_SKIP); 4396 4273 … … 4620 4497 */ 4621 4498 function mw_getPost($args) { 4622 4623 $this->escape($args);4624 4625 4499 $post_ID = (int) $args[0]; 4626 4500 $username = $args[1]; … … 4744 4618 */ 4745 4619 function mw_getRecentPosts($args) { 4746 4747 $this->escape($args);4748 4749 4620 $blog_ID = (int) $args[0]; 4750 4621 $username = $args[1]; … … 4859 4730 */ 4860 4731 function mw_getCategories($args) { 4861 4862 $this->escape($args);4863 4864 4732 $blog_ID = (int) $args[0]; 4865 4733 $username = $args[1]; … … 4908 4776 global $wpdb; 4909 4777 4910 $blog_ID 4911 $username = $ wpdb->escape($args[1]);4912 $password = $wpdb->escape($args[2]);4913 $data 4778 $blog_ID = (int) $args[0]; 4779 $username = $args[1]; 4780 $password = $args[2]; 4781 $data = $args[3]; 4914 4782 4915 4783 $name = sanitize_file_name( $data['name'] ); … … 4998 4866 */ 4999 4867 function mt_getRecentPostTitles($args) { 5000 5001 $this->escape($args);5002 5003 4868 $blog_ID = (int) $args[0]; 5004 4869 $username = $args[1]; … … 5058 4923 */ 5059 4924 function mt_getCategoryList($args) { 5060 5061 $this->escape($args);5062 5063 4925 $blog_ID = (int) $args[0]; 5064 4926 $username = $args[1]; … … 5096 4958 */ 5097 4959 function mt_getPostCategories($args) { 5098 5099 $this->escape($args);5100 5101 4960 $post_ID = (int) $args[0]; 5102 4961 $username = $args[1]; … … 5139 4998 */ 5140 4999 function mt_setPostCategories($args) { 5141 5142 $this->escape($args);5143 5144 5000 $post_ID = (int) 
$args[0]; 5145 5001 $username = $args[1]; … … 5251 5107 */ 5252 5108 function mt_publishPost($args) { 5253 5254 $this->escape($args);5255 5256 5109 $post_ID = (int) $args[0]; 5257 5110 $username = $args[1]; … … 5275 5128 $cats = wp_get_post_categories($post_ID); 5276 5129 $postdata['post_category'] = $cats; 5277 $this->escape($postdata);5278 5130 5279 5131 $result = wp_update_post($postdata); … … 5298 5150 5299 5151 do_action('xmlrpc_call', 'pingback.ping'); 5300 5301 $this->escape($args);5302 5152 5303 5153 $pagelinkedfrom = $args[0]; … … 5436 5286 5437 5287 $context = '[...] ' . esc_html( $excerpt ) . ' [...]'; 5438 $pagelinkedfrom = $ wpdb->escape( $pagelinkedfrom );5288 $pagelinkedfrom = $pagelinkedfrom; 5439 5289 5440 5290 $comment_post_ID = (int) $post_ID; 5441 5291 $comment_author = $title; 5442 5292 $comment_author_email = ''; 5443 $ this->escape($comment_author);5293 $comment_author; 5444 5294 $comment_author_url = $pagelinkedfrom; 5445 5295 $comment_content = $context; 5446 $ this->escape($comment_content);5296 $comment_content; 5447 5297 $comment_type = 'pingback'; 5448 5298 … … 5466 5316 */ 5467 5317 function pingback_extensions_getPingbacks($args) { 5468 5469 5318 global $wpdb; 5470 5319 5471 5320 do_action('xmlrpc_call', 'pingback.extensions.getPingbacks'); 5472 5473 $this->escape($args);5474 5321 5475 5322 $url = $args;
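Review bot: The pingback.ping hunk (new lines 5288, 5293 and 5296) leaves three statements that no longer do anything once the escape calls are gone: `$pagelinkedfrom = $pagelinkedfrom;` is a self-assignment and `$comment_author;` and `$comment_content;` are bare expression statements with no effect, so all three lines should simply be deleted rather than kept as hollowed-out versions of the old escape() calls. The enclosing pingback_ping() body begins and ends outside the hunk. More broadly, dropping `$this->escape( $args )` in every method means request values now reach sinks such as `wp_update_post( $postdata )` in mt_publishPost and the `$comment` array in wp_newComment unslashed, and this changeset does not show that those callees now expect unslashed input; I would add a class-level comment stating that XML-RPC arguments are passed through unslashed and that every sink is responsible for its own escaping, so the contract is visible to the next reader. The new `wp_add_post_meta()` calls replace `add_post_meta()` in two places but the function is not defined anywhere in this changeset, so presumably it lands in a companion commit; worth confirming it exists with the same signature before this is merged.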