WordPress.org

Make WordPress Core


Ignore:
Timestamp:
03/01/2013 04:28:40 PM (9 years ago)
Author:
ryan
Message:

Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/includes/post.php

    r23449 r23554  
    150150function edit_post( $post_data = null ) {
    151151
    152     if ( empty( $post_data ) )
    153         $post_data = wp_unslash( $_POST );
     152    if ( empty($post_data) )
     153        $post_data = &$_POST;
    154154
    155155    // Clear out any data in internal vars.
     
    237237        if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) {
    238238            $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true );
    239             if ( $image_alt != $post_data['_wp_attachment_image_alt'] ) {
    240                 $image_alt = wp_strip_all_tags( $post_data['_wp_attachment_image_alt'], true );
    241                 wp_update_post_meta( $post_ID, '_wp_attachment_image_alt', $image_alt );
     239            if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) {
     240                $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true );
     241                // update_meta expects slashed
     242                update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) );
    242243            }
    243244        }
     
    249250    add_meta( $post_ID );
    250251
    251     wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
     252    update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
    252253
    253254    wp_update_post( $post_data );
     
    430431    $post_title = '';
    431432    if ( !empty( $_REQUEST['post_title'] ) )
    432         $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] ));
     433        $post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
    433434
    434435    $post_content = '';
    435436    if ( !empty( $_REQUEST['content'] ) )
    436         $post_content = esc_html( wp_unslash( $_REQUEST['content'] ));
     437        $post_content = esc_html( stripslashes( $_REQUEST['content'] ));
    437438
    438439    $post_excerpt = '';
    439440    if ( !empty( $_REQUEST['excerpt'] ) )
    440         $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] ));
     441        $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
    441442
    442443    if ( $create_in_db ) {
     
    487488    global $wpdb;
    488489
    489     $post_title = sanitize_post_field( 'post_title', $title, 0, 'db' );
    490     $post_content = sanitize_post_field( 'post_content', $content, 0, 'db' );
    491     $post_date = sanitize_post_field( 'post_date', $date, 0, 'db' );
     490    $post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
     491    $post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
     492    $post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
    492493
    493494    $query = "SELECT ID FROM $wpdb->posts WHERE 1=1";
     
    567568
    568569    // Create the post.
    569     $post_ID = wp_insert_post( wp_unslash( $_POST ) );
     570    $post_ID = wp_insert_post( $_POST );
    570571    if ( is_wp_error( $post_ID ) )
    571572        return $post_ID;
     
    576577    add_meta( $post_ID );
    577578
    578     wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
     579    add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
    579580
    580581    // Now that we have an ID we can fix any attachment anchor hrefs
     
    620621    $post_ID = (int) $post_ID;
    621622
    622     $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : '';
    623     $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : '';
    624     $metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : '';
     623    $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
     624    $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
     625    $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
    625626    if ( is_string( $metavalue ) )
    626627        $metavalue = trim( $metavalue );
     
    639640            return false;
    640641
    641         return wp_add_post_meta( $post_ID, $metakey, $metavalue );
     642        $metakey = esc_sql( $metakey );
     643
     644        return add_post_meta( $post_ID, $metakey, $metavalue );
    642645    }
    643646
     
    712715 *
    713716 * @param unknown_type $meta_id
    714  * @param unknown_type $meta_key
    715  * @param unknown_type $meta_value
     717 * @param unknown_type $meta_key Expect Slashed
     718 * @param unknown_type $meta_value Expect Slashed
    716719 * @return unknown
    717720 */
    718721function update_meta( $meta_id, $meta_key, $meta_value ) {
     722    $meta_key = stripslashes( $meta_key );
     723    $meta_value = stripslashes_deep( $meta_value );
     724
    719725    return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key );
    720726}
     
    770776    if ( $replace ) {
    771777        $post['post_content'] = $content;
     778        // Escape data pulled from DB.
     779        $post = add_magic_quotes($post);
    772780
    773781        return wp_update_post($post);
     
    11801188    $lock = "$now:$user_id";
    11811189
    1182     wp_update_post_meta( $post->ID, '_edit_lock', $lock );
     1190    update_post_meta( $post->ID, '_edit_lock', $lock );
    11831191    return array( $now, $user_id );
    11841192}
     
    12311239    // Only store one autosave. If there is already an autosave, overwrite it.
    12321240    if ( $old_autosave = wp_get_post_autosave( $post_id ) ) {
    1233         $new_autosave = _wp_post_revision_fields( wp_unslash( $_POST ), true );
     1241        $new_autosave = _wp_post_revision_fields( $_POST, true );
    12341242        $new_autosave['ID'] = $old_autosave->ID;
    12351243        $new_autosave['post_author'] = get_current_user_id();
     
    12381246
    12391247    // _wp_put_post_revision() expects unescaped.
    1240     $_POST = wp_unslash( $_POST );
     1248    $_POST = stripslashes_deep($_POST);
    12411249
    12421250    // Otherwise create the new autosave as a special post revision
Note: See TracChangeset for help on using the changeset viewer.