Timestamp:
03/01/2013 04:28:40 PM (7 years ago)
Author:
ryan
Message:

Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767

File:
1 edited

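--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -634,6 +634,6 @@
 function sanitize_comment_cookies() {
     if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
-        $comment_author = wp_unslash( $_COOKIE['comment_author_'.COOKIEHASH] );
-        $comment_author = apply_filters('pre_comment_author_name', $comment_author);
+        $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
+        $comment_author = stripslashes($comment_author);
         $comment_author = esc_attr($comment_author);
         $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
@@ -641,6 +641,6 @@
 
     if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
-        $comment_author_email = wp_unslash( $_COOKIE['comment_author_email_'.COOKIEHASH] );
-        $comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email);
+        $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
+        $comment_author_email = stripslashes($comment_author_email);
         $comment_author_email = esc_attr($comment_author_email);
         $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
@@ -648,6 +648,6 @@
 
     if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
-        $comment_author_url = wp_unslash( $_COOKIE['comment_author_url_'.COOKIEHASH] );
-        $comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url);
+        $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
+        $comment_author_url = stripslashes($comment_author_url);
         $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
     }
@@ -671,8 +671,9 @@
 
     // Simple duplicate check
-    $dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", $comment_post_ID, $comment_parent, $comment_author );
+    // expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
+    $dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
     if ( $comment_author_email )
-        $dupe .= $wpdb->prepare( "OR comment_author_email = %s ", $comment_author_email );
-    $dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", $comment_content );
+        $dupe .= "OR comment_author_email = '$comment_author_email' ";
+    $dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
     if ( $wpdb->get_var($dupe) ) {
         do_action( 'comment_duplicate_trigger', $commentdata );
@@ -1262,5 +1263,5 @@
 function wp_insert_comment($commentdata) {
     global $wpdb;
-    extract($commentdata, EXTR_SKIP);
+    extract(stripslashes_deep($commentdata), EXTR_SKIP);
 
     if ( ! isset($comment_author_IP) )
@@ -1491,4 +1492,7 @@
     $comment = get_comment($commentarr['comment_ID'], ARRAY_A);
 
+    // Escape data pulled from DB.
+    $comment = esc_sql($comment);
+
     $old_status = $comment['comment_approved'];
 
@@ -1499,5 +1503,5 @@
 
     // Now extract the merged array.
-    extract($commentarr, EXTR_SKIP);
+    extract(stripslashes_deep($commentarr), EXTR_SKIP);
 
     $comment_content = apply_filters('comment_save_pre', $comment_content);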
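Review bot: In the duplicate-check hunk (new lines 673–677) the `// expected_slashed (...)` comment names four variables, but the query on the next line also interpolates `$comment_parent` inside quotes, so the slashing contract for that value is left undocumented; the line should read `// expected_slashed ($comment_post_ID, $comment_parent, $comment_author, $comment_author_email, $comment_content)`. With `$wpdb->prepare()` gone from this block, the query's safety rests entirely on every caller honouring that comment, so the invariant is worth stating in the enclosing function's docblock as well, not only inline — the enclosing function starts and ends outside the hunk. The same caller-side assumption presumably applies to the `stripslashes_deep()` extracts added in `wp_insert_comment` and at new line 1505, which likewise only make sense if `$commentdata` / `$commentarr` arrive slashed; a one-line comment there would make that expectation explicit.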