

Timestamp:
03/01/2013 04:28:40 PM (12 years ago)
Author:
ryan
Message:

Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767

File:
1 edited

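--- a/trunk/wp-admin/includes/user.php
+++ b/trunk/wp-admin/includes/user.php
@@ -35,23 +35,20 @@
         $user->ID = (int) $user_id;
         $userdata = get_userdata( $user_id );
-        $user->user_login = $userdata->user_login;
+        $user->user_login = $wpdb->escape( $userdata->user_login );
     } else {
         $update = false;
     }
 
-    // get clean data before we get started.
-    $post_data = wp_unslash( $_POST );
-
-    if ( !$update && isset( $post_data['user_login'] ) )
-        $user->user_login = sanitize_user($post_data['user_login'], true);
+    if ( !$update && isset( $_POST['user_login'] ) )
+        $user->user_login = sanitize_user($_POST['user_login'], true);
 
     $pass1 = $pass2 = '';
-    if ( isset( $post_data['pass1'] ))
-        $pass1 = $post_data['pass1'];
-    if ( isset( $post_data['pass2'] ))
-        $pass2 = $post_data['pass2'];
-
-    if ( isset( $post_data['role'] ) && current_user_can( 'edit_users' ) ) {
-        $new_role = sanitize_text_field( $post_data['role'] );
+    if ( isset( $_POST['pass1'] ))
+        $pass1 = $_POST['pass1'];
+    if ( isset( $_POST['pass2'] ))
+        $pass2 = $_POST['pass2'];
+
+    if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
+        $new_role = sanitize_text_field( $_POST['role'] );
         $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
         // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
@@ -66,42 +63,42 @@
     }
 
-    if ( isset( $post_data['email'] ))
-        $user->user_email = sanitize_text_field( $post_data['email'] );
-    if ( isset( $post_data['url'] ) ) {
-        if ( empty ( $post_data['url'] ) || $post_data['url'] == 'http://' ) {
+    if ( isset( $_POST['email'] ))
+        $user->user_email = sanitize_text_field( $_POST['email'] );
+    if ( isset( $_POST['url'] ) ) {
+        if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
             $user->user_url = '';
         } else {
-            $user->user_url = esc_url_raw( $post_data['url'] );
+            $user->user_url = esc_url_raw( $_POST['url'] );
             $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) );
             $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
         }
     }
-    if ( isset( $post_data['first_name'] ) )
-        $user->first_name = sanitize_text_field( $post_data['first_name'] );
-    if ( isset( $post_data['last_name'] ) )
-        $user->last_name = sanitize_text_field( $post_data['last_name'] );
-    if ( isset( $post_data['nickname'] ) )
-        $user->nickname = sanitize_text_field( $post_data['nickname'] );
-    if ( isset( $post_data['display_name'] ) )
-        $user->display_name = sanitize_text_field( $post_data['display_name'] );
-
-    if ( isset( $post_data['description'] ) )
-        $user->description = trim( $post_data['description'] );
+    if ( isset( $_POST['first_name'] ) )
+        $user->first_name = sanitize_text_field( $_POST['first_name'] );
+    if ( isset( $_POST['last_name'] ) )
+        $user->last_name = sanitize_text_field( $_POST['last_name'] );
+    if ( isset( $_POST['nickname'] ) )
+        $user->nickname = sanitize_text_field( $_POST['nickname'] );
+    if ( isset( $_POST['display_name'] ) )
+        $user->display_name = sanitize_text_field( $_POST['display_name'] );
+
+    if ( isset( $_POST['description'] ) )
+        $user->description = trim( $_POST['description'] );
 
     foreach ( _wp_get_user_contactmethods( $user ) as $method => $name ) {
-        if ( isset( $post_data[$method] ))
-            $user->$method = sanitize_text_field( $post_data[$method] );
+        if ( isset( $_POST[$method] ))
+            $user->$method = sanitize_text_field( $_POST[$method] );
     }
 
     if ( $update ) {
-        $user->rich_editing = isset( $post_data['rich_editing'] ) && 'false' == $post_data['rich_editing'] ? 'false' : 'true';
-        $user->admin_color = isset( $post_data['admin_color'] ) ? sanitize_text_field( $post_data['admin_color'] ) : 'fresh';
-        $user->show_admin_bar_front = isset( $post_data['admin_bar_front'] ) ? 'true' : 'false';
-    }
-
-    $user->comment_shortcuts = isset( $post_data['comment_shortcuts'] ) && 'true' == $post_data['comment_shortcuts'] ? 'true' : '';
+        $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
+        $user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh';
+        $user->show_admin_bar_front = isset( $_POST['admin_bar_front'] ) ? 'true' : 'false';
+    }
+
+    $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
 
     $user->use_ssl = 0;
-    if ( !empty($post_data['use_ssl']) )
+    if ( !empty($_POST['use_ssl']) )
         $user->use_ssl = 1;
 
@@ -128,5 +125,5 @@
 
     /* Check for "\" in password */
-    if ( false !== strpos( $pass1, "\\" ) )
+    if ( false !== strpos( stripslashes($pass1), "\\" ) )
         $errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
 
@@ -138,5 +135,5 @@
         $user->user_pass = $pass1;
 
-    if ( !$update && isset( $post_data['user_login'] ) && !validate_username( $post_data['user_login'] ) )
+    if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )
         $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
 
@@ -163,5 +160,5 @@
     } else {
         $user_id = wp_insert_user( $user );
-        wp_new_user_notification( $user_id, isset($post_data['send_password']) ? $pass1 : '' );
+        wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' );
     }
     return $user_id;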
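Review bot: The backslash check in the third hunk, `if ( false !== strpos( stripslashes($pass1), "\\" ) )`, inspects the unslashed password while `$user->user_pass = $pass1;` in the next hunk stores `$pass1` with whatever slashes `$_POST` carries, and nothing in the section records that the slashed form is the one wp_insert_user() expects, so a later reader is likely to "fix" one side or the other. A one-line comment above the check would pin the contract, e.g. `// $pass1 is the raw (slashed) $_POST value: test the unslashed string here, but hand the slashed value on unchanged.` The `$wpdb->escape( $userdata->user_login )` line in the first hunk presumably serves the same purpose of putting the stored login on the same footing as the slashed `$_POST['user_login']`, and would benefit from the same comment. As a point of style, `$_POST['url'] == 'http://'` and `'false' == $_POST['rich_editing']` in the second hunk use loose comparison where `===` reads more safely against form input. The enclosing function begins before the first hunk, so the declarations of `$user`, `$update` and `$errors` are outside this section.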