Changeset 23416 for trunk/wp-includes/comment.php
- Timestamp:
- 02/14/2013 10:51:06 PM (12 years ago)
- File:
-
- 1 edited
trunk/wp-includes/comment.php
r23401 r23416 634 634 function sanitize_comment_cookies() { 635 635 if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) { 636 $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);637 $comment_author = stripslashes($comment_author);636 $comment_author = wp_unslash( $_COOKIE['comment_author_'.COOKIEHASH] ); 637 $comment_author = apply_filters('pre_comment_author_name', $comment_author); 638 638 $comment_author = esc_attr($comment_author); 639 639 $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author; … … 641 641 642 642 if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) { 643 $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);644 $comment_author_email = stripslashes($comment_author_email);643 $comment_author_email = wp_unslash( $_COOKIE['comment_author_email_'.COOKIEHASH] ); 644 $comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email); 645 645 $comment_author_email = esc_attr($comment_author_email); 646 646 $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email; … … 648 648 649 649 if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) { 650 $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);651 $comment_author_url = stripslashes($comment_author_url);650 $comment_author_url = wp_unslash( $_COOKIE['comment_author_url_'.COOKIEHASH] ); 651 $comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url); 652 652 $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url; 653 653 } … … 671 671 672 672 // Simple duplicate check 673 // expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content) 674 $dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' 
"; 673 $dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", $comment_post_ID, $comment_parent, $comment_author ); 675 674 if ( $comment_author_email ) 676 $dupe .= "OR comment_author_email = '$comment_author_email' ";677 $dupe .= ") AND comment_content = '$comment_content' LIMIT 1";675 $dupe .= $wpdb->prepare( "OR comment_author_email = %s ", $comment_author_email ); 676 $dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", $comment_content ); 678 677 if ( $wpdb->get_var($dupe) ) { 679 678 do_action( 'comment_duplicate_trigger', $commentdata ); … … 1263 1262 function wp_insert_comment($commentdata) { 1264 1263 global $wpdb; 1265 extract( stripslashes_deep($commentdata), EXTR_SKIP);1264 extract($commentdata, EXTR_SKIP); 1266 1265 1267 1266 if ( ! isset($comment_author_IP) ) … … 1492 1491 $comment = get_comment($commentarr['comment_ID'], ARRAY_A); 1493 1492 1494 // Escape data pulled from DB.1495 $comment = esc_sql($comment);1496 1497 1493 $old_status = $comment['comment_approved']; 1498 1494 … … 1503 1499 1504 1500 // Now extract the merged array. 1505 extract( stripslashes_deep($commentarr), EXTR_SKIP);1501 extract($commentarr, EXTR_SKIP); 1506 1502 1507 1503 $comment_content = apply_filters('comment_save_pre', $comment_content);
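Review bot: The slashing contract of wp_insert_comment and wp_update_comment has silently moved to the caller: `extract($commentdata, EXTR_SKIP)` and `extract($commentarr, EXTR_SKIP)` now read the array as given, where the old code ran it through stripslashes_deep first, and neither function's docblock (outside these hunks) says that the array is presumably expected unslashed now. A one-line `@param` note such as `@param array $commentdata Comment data; values are expected unslashed, the function applies no stripslashes.` on each would keep existing callers from double- or under-slashing. In the duplicate check in the earlier hunk, `comment_parent = %s` sits next to `comment_post_ID = %d`; if comment_parent is an integer column as its sibling is, `%d` would be the consistent placeholder and would also reject non-numeric values rather than quoting them. The enclosing functions of all three hunks start and end outside the shown lines.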