

Timestamp:
03/01/2013 04:28:40 PM (11 years ago)
Author:
ryan
Message:

Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767

File:
1 edited

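--- a/trunk/wp-admin/includes/ajax-actions.php
+++ b/trunk/wp-admin/includes/ajax-actions.php
@@ -60,5 +60,5 @@
     }
 
-    $s = wp_unslash( $_GET['q'] );
+    $s = stripslashes( $_GET['q'] );
 
     $comma = _x( ',', 'tag delimiter' );
@@ -280,19 +280,17 @@
 
 function _wp_ajax_add_hierarchical_term() {
-    $post_data = wp_unslash( $_POST );
-
-    $action = $post_data['action'];
+    $action = $_POST['action'];
     $taxonomy = get_taxonomy(substr($action, 4));
     check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy->name );
     if ( !current_user_can( $taxonomy->cap->edit_terms ) )
         wp_die( -1 );
-    $names = explode(',', $post_data['new'.$taxonomy->name]);
-    $parent = isset($post_data['new'.$taxonomy->name.'_parent']) ? (int) $post_data['new'.$taxonomy->name.'_parent'] : 0;
+    $names = explode(',', $_POST['new'.$taxonomy->name]);
+    $parent = isset($_POST['new'.$taxonomy->name.'_parent']) ? (int) $_POST['new'.$taxonomy->name.'_parent'] : 0;
     if ( 0 > $parent )
         $parent = 0;
     if ( $taxonomy->name == 'category' )
-        $post_category = isset( $post_data['post_category'] ) ? (array) $post_data['post_category'] : array();
+        $post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array();
     else
-        $post_category = ( isset( $post_data['tax_input'] ) && isset( $post_data['tax_input'][$taxonomy->name] ) ) ? (array) $post_data['tax_input'][$taxonomy->name] : array();
+        $post_category = ( isset($_POST['tax_input']) && isset($_POST['tax_input'][$taxonomy->name]) ) ? (array) $_POST['tax_input'][$taxonomy->name] : array();
     $checked_categories = array_map( 'absint', (array) $post_category );
     $popular_ids = wp_popular_terms_checklist($taxonomy->name, 0, 10, false);
@@ -562,5 +560,5 @@
     if ( !current_user_can( 'manage_categories' ) )
         wp_die( -1 );
-    $names = explode( ',', wp_unslash( $_POST['newcat'] ) );
+    $names = explode(',', $_POST['newcat']);
     $x = new WP_Ajax_Response();
     foreach ( $names as $cat_name ) {
@@ -575,5 +573,5 @@
         else if ( is_array( $cat_id ) )
             $cat_id = $cat_id['term_id'];
-        $cat_name = esc_html( wp_unslash( $cat_name ) );
+        $cat_name = esc_html(stripslashes($cat_name));
         $x->add( array(
             'what' => 'link-category',
@@ -589,9 +587,7 @@
     global $wp_list_table;
 
-    $post_data = wp_unslash( $_POST );
-
     check_ajax_referer( 'add-tag', '_wpnonce_add-tag' );
-    $post_type = !empty($post_data['post_type']) ? $post_data['post_type'] : 'post';
-    $taxonomy = !empty($post_data['taxonomy']) ? $post_data['taxonomy'] : 'post_tag';
+    $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post';
+    $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
     $tax = get_taxonomy($taxonomy);
 
@@ -601,5 +597,5 @@
     $x = new WP_Ajax_Response();
 
-    $tag = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
+    $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST );
 
     if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) {
@@ -615,5 +611,5 @@
     }
 
-    $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $post_data['screen'] ) );
+    $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $_POST['screen'] ) );
 
     $level = 0;
@@ -733,8 +729,8 @@
     if ( $user->exists() ) {
         $user_ID = $user->ID;
-        $comment_author       = $user->display_name;
-        $comment_author_email = $user->user_email;
-        $comment_author_url   = $user->user_url;
-        $comment_content      = trim( wp_unslash( $_POST['content'] ) );
+        $comment_author       = $wpdb->escape($user->display_name);
+        $comment_author_email = $wpdb->escape($user->user_email);
+        $comment_author_url   = $wpdb->escape($user->user_url);
+        $comment_content      = trim($_POST['content']);
         if ( current_user_can( 'unfiltered_html' ) ) {
             if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
@@ -962,6 +958,6 @@
     } else { // Update?
         $mid = (int) key( $_POST['meta'] );
-        $key = wp_unslash( $_POST['meta'][$mid]['key'] );
-        $value = wp_unslash( $_POST['meta'][$mid]['value'] );
+        $key = stripslashes( $_POST['meta'][$mid]['key'] );
+        $value = stripslashes( $_POST['meta'][$mid]['value'] );
         if ( '' == trim($key) )
             wp_die( __( 'Please provide a custom field name.' ) );
@@ -1232,5 +1228,5 @@
 
     if ( isset( $_POST['search'] ) )
-        $args['s'] = wp_unslash( $_POST['search'] );
+        $args['s'] = stripslashes( $_POST['search'] );
     $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
 
@@ -1333,4 +1329,5 @@
 
     $post = get_post( $post_ID, ARRAY_A );
+    $post = add_magic_quotes($post); //since it is from db
 
     $data['content'] = $post['post_content'];
@@ -1381,7 +1378,5 @@
     check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' );
 
-    $post_data = wp_unslash( $_POST );
-
-    $taxonomy = sanitize_key( $post_data['taxonomy'] );
+    $taxonomy = sanitize_key( $_POST['taxonomy'] );
     $tax = get_taxonomy( $taxonomy );
     if ( ! $tax )
@@ -1393,11 +1388,11 @@
     $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) );
 
-    if ( ! isset($post_data['tax_ID']) || ! ( $id = (int) $post_data['tax_ID'] ) )
+    if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
         wp_die( -1 );
 
     $tag = get_term( $id, $taxonomy );
-    $post_data['description'] = $tag->description;
-
-    $updated = wp_update_term($id, $taxonomy, $post_data );
+    $_POST['description'] = $tag->description;
+
+    $updated = wp_update_term($id, $taxonomy, $_POST);
     if ( $updated && !is_wp_error($updated) ) {
         $tag = get_term( $updated['term_id'], $taxonomy );
@@ -1431,5 +1426,5 @@
     unset( $post_types['attachment'] );
 
-    $s = wp_unslash( $_POST['ps'] );
+    $s = stripslashes( $_POST['ps'] );
     $searchand = $search = '';
     $args = array(
@@ -1602,5 +1597,5 @@
     }
 
-    $post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( $_REQUEST['post_data'] ) : array();
+    $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
 
     // If the context is custom header or background, make sure the uploaded file is an image.
@@ -1636,8 +1631,8 @@
     if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) {
         if ( 'custom-background' === $post_data['context'] )
-            wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
+            update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
 
         if ( 'custom-header' === $post_data['context'] )
-            wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
+            update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
     }
 
@@ -1784,5 +1779,5 @@
 
     $new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1];
-    wp_update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
+    update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
     wp_die( 1 );
 }
@@ -1879,5 +1874,5 @@
         wp_send_json_error();
 
-    $changes = wp_unslash( $_REQUEST['changes'] );
+    $changes = $_REQUEST['changes'];
     $post    = get_post( $id, ARRAY_A );
 
@@ -1896,8 +1891,8 @@
     if ( isset( $changes['alt'] ) ) {
         $alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
-        $new_alt = $changes['alt'];
+        $new_alt = stripslashes( $changes['alt'] );
         if ( $alt != $new_alt ) {
             $new_alt = wp_strip_all_tags( $new_alt, true );
-            wp_update_post_meta( $id, '_wp_attachment_image_alt', $new_alt );
+            update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) );
         }
     }
@@ -1921,5 +1916,5 @@
     if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) )
         wp_send_json_error();
-    $attachment_data = wp_unslash( $_REQUEST['attachments'][ $id ] );
+    $attachment_data = $_REQUEST['attachments'][ $id ];
 
     check_ajax_referer( 'update-post_' . $id, 'nonce' );
@@ -1965,5 +1960,5 @@
     check_ajax_referer( 'update-post_' . $post_id, 'nonce' );
 
-    $attachments = wp_unslash( $_REQUEST['attachments'] );
+    $attachments = $_REQUEST['attachments'];
 
     if ( ! current_user_can( 'edit_post', $post_id ) )
@@ -1996,5 +1991,5 @@
     check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-    $attachment = wp_unslash( $_POST['attachment'] );
+    $attachment = stripslashes_deep( $_POST['attachment'] );
 
     $id = intval( $attachment['id'] );
@@ -2051,5 +2046,5 @@
     check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-    if ( ! $src = wp_unslash( $_POST['src'] ) )
+    if ( ! $src = stripslashes( $_POST['src'] ) )
         wp_send_json_error();
 
@@ -2060,5 +2055,5 @@
         wp_send_json_error();
 
-    if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
+    if ( ! $title = trim( stripslashes( $_POST['title'] ) ) )
         $title = wp_basename( $src );
 
@@ -2089,5 +2084,5 @@
 
     if ( ! empty($_POST['data']) ) {
-        $data = wp_unslash( (array) $_POST['data'] );
+        $data = (array) $_POST['data'];
         // todo: how much to sanitize and preset and what to leave to be accessed from $data or $_POST..?
         $user = wp_get_current_user();
@@ -2120,5 +2115,5 @@
 
     if ( ! empty($_POST['data']) ) {
-        $data = wp_unslash( (array) $_POST['data'] );
+        $data = stripslashes_deep( (array) $_POST['data'] );
         $response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id );
     }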
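Review bot: In the taxinlineeditnonce hunk the restored lines `$_POST['description'] = $tag->description;` and `$updated = wp_update_term($id, $taxonomy, $_POST);` mix an unslashed database value into the slashed `$_POST` array, so a description containing a backslash will presumably lose it if wp_update_term unslashes its arguments — confirm against taxonomy.php. The file's own convention for database data handed to slash-expecting code is visible in the `get_post( $post_ID, ARRAY_A )` hunk (`$post = add_magic_quotes($post); //since it is from db`), so the consistent form is `$args = $_POST; $args['description'] = add_magic_quotes( $tag->description ); $updated = wp_update_term( $id, $taxonomy, $args );`, which also stops the handler from mutating the superglobal. The enclosing function starts and ends outside this hunk. The two heartbeat hunks at the end disagree in the same way: the privileged handler keeps `$data = (array) $_POST['data'];` slashed while the nopriv handler applies `stripslashes_deep()`, so filter callbacks receive differently slashed data depending on login state; the existing todo comment there should at least record which form `heartbeat_received` consumers are expected to handle.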