Changeset 23554 for trunk/wp-admin/includes/post.php

Timestamp:

03/01/2013 04:28:40 PM (12 years ago)

Author:

ryan

Message:

Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767

File:

• trunk/wp-admin/includes/post.php (modified) (14 diffs)

trunk/wp-admin/includes/post.php

@@ -150 +150 @@
 function edit_post( $post_data = null ) {
 
-    if ( empty( $post_data ) )
-        $post_data = wp_unslash( $_POST );
+    if ( empty($post_data) )
+        $post_data = &$_POST;
 
     // Clear out any data in internal vars.
@@ -237 +237 @@
         if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) {
             $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true );
-            if ( $image_alt != $post_data['_wp_attachment_image_alt'] ) {
-                $image_alt = wp_strip_all_tags( $post_data['_wp_attachment_image_alt'], true );
-                wp_update_post_meta( $post_ID, '_wp_attachment_image_alt', $image_alt );
+            if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) {
+                $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true );
+                // update_meta expects slashed
+                update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) );
             }
         }
@@ -249 +250 @@
     add_meta( $post_ID );
 
-    wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
+    update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
 
     wp_update_post( $post_data );
@@ -430 +431 @@
     $post_title = '';
     if ( !empty( $_REQUEST['post_title'] ) )
-        $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] ));
+        $post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
 
     $post_content = '';
     if ( !empty( $_REQUEST['content'] ) )
-        $post_content = esc_html( wp_unslash( $_REQUEST['content'] ));
+        $post_content = esc_html( stripslashes( $_REQUEST['content'] ));
 
     $post_excerpt = '';
     if ( !empty( $_REQUEST['excerpt'] ) )
-        $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] ));
+        $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
 
     if ( $create_in_db ) {
@@ -487 +488 @@
     global $wpdb;
 
-    $post_title = sanitize_post_field( 'post_title', $title, 0, 'db' );
-    $post_content = sanitize_post_field( 'post_content', $content, 0, 'db' );
-    $post_date = sanitize_post_field( 'post_date', $date, 0, 'db' );
+    $post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
+    $post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
+    $post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
 
     $query = "SELECT ID FROM $wpdb->posts WHERE 1=1";
@@ -567 +568 @@
 
     // Create the post.
-    $post_ID = wp_insert_post( wp_unslash( $_POST ) );
+    $post_ID = wp_insert_post( $_POST );
     if ( is_wp_error( $post_ID ) )
         return $post_ID;
@@ -576 +577 @@
     add_meta( $post_ID );
 
-    wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
+    add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID );
 
     // Now that we have an ID we can fix any attachment anchor hrefs
@@ -620 +621 @@
     $post_ID = (int) $post_ID;
 
-    $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : '';
-    $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : '';
-    $metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : '';
+    $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
+    $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
+    $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
     if ( is_string( $metavalue ) )
         $metavalue = trim( $metavalue );
@@ -639 +640 @@
             return false;
 
-        return wp_add_post_meta( $post_ID, $metakey, $metavalue );
+        $metakey = esc_sql( $metakey );
+
+        return add_post_meta( $post_ID, $metakey, $metavalue );
     }
 
@@ -712 +715 @@
  *
  * @param unknown_type $meta_id
- * @param unknown_type $meta_key
- * @param unknown_type $meta_value
+ * @param unknown_type $meta_key Expect Slashed
+ * @param unknown_type $meta_value Expect Slashed
  * @return unknown
  */
 function update_meta( $meta_id, $meta_key, $meta_value ) {
+    $meta_key = stripslashes( $meta_key );
+    $meta_value = stripslashes_deep( $meta_value );
+
     return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key );
 }
@@ -770 +776 @@
     if ( $replace ) {
         $post['post_content'] = $content;
+        // Escape data pulled from DB.
+        $post = add_magic_quotes($post);
 
         return wp_update_post($post);
@@ -1180 +1188 @@
     $lock = "$now:$user_id";
 
-    wp_update_post_meta( $post->ID, '_edit_lock', $lock );
+    update_post_meta( $post->ID, '_edit_lock', $lock );
     return array( $now, $user_id );
 }
@@ -1231 +1239 @@
     // Only store one autosave. If there is already an autosave, overwrite it.
     if ( $old_autosave = wp_get_post_autosave( $post_id ) ) {
-        $new_autosave = _wp_post_revision_fields( wp_unslash( $_POST ), true );
+        $new_autosave = _wp_post_revision_fields( $_POST, true );
         $new_autosave['ID'] = $old_autosave->ID;
         $new_autosave['post_author'] = get_current_user_id();
@@ -1238 +1246 @@
 
     // _wp_put_post_revision() expects unescaped.
-    $_POST = wp_unslash( $_POST );
+    $_POST = stripslashes_deep($_POST);
 
     // Otherwise create the new autosave as a special post revision