Changeset 23554 for trunk/wp-includes/comment.php
- Timestamp:
- 03/01/2013 04:28:40 PM (12 years ago)
- File:
-
- 1 edited
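--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -634,6 +634,6 @@
 function sanitize_comment_cookies() {
 if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
-$comment_author = wp_unslash( $_COOKIE['comment_author_'.COOKIEHASH]);
-$comment_author = apply_filters('pre_comment_author_name',$comment_author);
+$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
+$comment_author = stripslashes($comment_author);
 $comment_author = esc_attr($comment_author);
 $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
@@ -641,6 +641,6 @@
 
 if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
-$comment_author_email = wp_unslash( $_COOKIE['comment_author_email_'.COOKIEHASH]);
-$comment_author_email = apply_filters('pre_comment_author_email',$comment_author_email);
+$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
+$comment_author_email = stripslashes($comment_author_email);
 $comment_author_email = esc_attr($comment_author_email);
 $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
@@ -648,6 +648,6 @@
 
 if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
-$comment_author_url = wp_unslash( $_COOKIE['comment_author_url_'.COOKIEHASH]);
-$comment_author_url = apply_filters('pre_comment_author_url',$comment_author_url);
+$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
+$comment_author_url = stripslashes($comment_author_url);
 $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
 }
@@ -671,8 +671,9 @@
 
 // Simple duplicate check
-$dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", $comment_post_ID, $comment_parent, $comment_author );
+// expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
+$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
 if ( $comment_author_email )
-$dupe .= $wpdb->prepare( "OR comment_author_email = %s ", $comment_author_email );
-$dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", $comment_content );
+$dupe .= "OR comment_author_email = '$comment_author_email' ";
+$dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
 if ( $wpdb->get_var($dupe) ) {
 do_action( 'comment_duplicate_trigger', $commentdata );
@@ -1262,5 +1263,5 @@
 function wp_insert_comment($commentdata) {
 global $wpdb;
-extract( $commentdata, EXTR_SKIP);
+extract(stripslashes_deep($commentdata), EXTR_SKIP);
 
 if ( ! isset($comment_author_IP) )
@@ -1491,4 +1492,7 @@
 $comment = get_comment($commentarr['comment_ID'], ARRAY_A);
 
+// Escape data pulled from DB.
+$comment = esc_sql($comment);
+
 $old_status = $comment['comment_approved'];
 
@@ -1499,5 +1503,5 @@
 
 // Now extract the merged array.
-extract( $commentarr, EXTR_SKIP);
+extract(stripslashes_deep($commentarr), EXTR_SKIP);
 
 $comment_content = apply_filters('comment_save_pre', $comment_content);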
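Review bot: In the duplicate-check hunk the new side interpolates `$comment_parent` straight into the query as `comment_parent = '$comment_parent'`, yet the `// expected_slashed (...)` comment on new line 673 lists only `$comment_post_ID`, `$comment_author`, `$comment_author_email` and `$comment_content`, so nothing records that this value has been escaped; the removed side bound it through `$wpdb->prepare()` as `%s`. If the value is numeric (the removed `%s` placeholder does not confirm this from the page), casting makes the contract explicit regardless of the slashing convention: `AND comment_parent = '" . (int) $comment_parent . "'`; otherwise add `$comment_parent` to the expected_slashed list so the caller's escaping obligation is documented. The function enclosing the duplicate check starts outside the hunk, so where `$comment_parent` is assigned cannot be checked from this page.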