Changeset 23563

Timestamp:

03/01/2013 05:00:25 PM (10 years ago)

Author:

ryan

Message:

Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().

see #21767

Location:

trunk/wp-admin

Files:

• admin.php (modified) (2 diffs)
• edit-comments.php (modified) (3 diffs)
• edit-form-advanced.php (modified) (1 diff)
• edit-form-comment.php (modified) (1 diff)
• edit-tags.php (modified) (2 diffs)
• edit.php (modified) (1 diff)
• includes/ajax-actions.php (modified) (11 diffs)
• includes/bookmark.php (modified) (3 diffs)
• includes/class-wp-comments-list-table.php (modified) (1 diff)
• includes/class-wp-ms-sites-list-table.php (modified) (1 diff)
• includes/class-wp-ms-themes-list-table.php (modified) (1 diff)
• includes/class-wp-ms-users-list-table.php (modified) (2 diffs)
• includes/class-wp-plugin-install-list-table.php (modified) (2 diffs)
• includes/class-wp-plugins-list-table.php (modified) (2 diffs)
• includes/class-wp-terms-list-table.php (modified) (2 diffs)
• includes/class-wp-theme-install-list-table.php (modified) (2 diffs)
• includes/class-wp-themes-list-table.php (modified) (2 diffs)
• includes/class-wp-upgrader.php (modified) (1 diff)
• includes/class-wp-users-list-table.php (modified) (1 diff)
• includes/dashboard.php (modified) (1 diff)
• includes/deprecated.php (modified) (2 diffs)
• includes/file.php (modified) (3 diffs)
• includes/image-edit.php (modified) (2 diffs)
• includes/media.php (modified) (4 diffs)
• includes/misc.php (modified) (1 diff)
• includes/plugin-install.php (modified) (5 diffs)
• includes/post.php (modified) (7 diffs)
• includes/taxonomy.php (modified) (1 diff)

trunk/wp-admin/admin.php

@@ -44 +44 @@
 } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
     if ( !is_multisite() ) {
-        wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI']))));
+        wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
         exit;
     } elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
@@ -83 +83 @@
 
 if ( isset($_GET['page']) ) {
-    $plugin_page = stripslashes($_GET['page']);
+    $plugin_page = wp_unslash( $_GET['page'] );
     $plugin_page = plugin_basename($plugin_page);
 }

trunk/wp-admin/edit-comments.php

@@ -21 +21 @@
 
     if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
-        $comment_status = $wpdb->escape( $_REQUEST['comment_status'] );
-        $delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] );
-        $comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" );
+        $comment_status = $_REQUEST['comment_status'];
+        $delete_time = $_REQUEST['pagegen_timestamp'];
+        $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
         $doaction = 'delete';
     } elseif ( isset( $_REQUEST['delete_comments'] ) ) {
@@ -96 +96 @@
     exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
      exit;
 }
@@ -154 +154 @@
 
 if ( isset($_REQUEST['s']) && $_REQUEST['s'] )
-    printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
+    printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
 </h2>
 

trunk/wp-admin/edit-form-advanced.php

@@ -315 +315 @@
 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" />
 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" />
-<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" />
 <?php if ( ! empty( $active_post_lock ) ) { ?>
 <input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" />

trunk/wp-admin/edit-form-comment.php

@@ -133 +133 @@
 <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
 <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" />
 <?php wp_original_referer_field(true, 'previous'); ?>
 <input type="hidden" name="noredir" value="1" />

trunk/wp-admin/edit-tags.php

@@ -165 +165 @@
 default:
 if ( ! empty($_REQUEST['_wp_http_referer']) ) {
-    $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );
+    $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) );
 
     if ( ! empty( $_REQUEST['paged'] ) )
@@ -266 +266 @@
 <h2><?php echo esc_html( $title );
 if ( !empty($_REQUEST['s']) )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
 </h2>
 

trunk/wp-admin/edit.php

@@ -139 +139 @@
     exit();
 } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
-     wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );
+     wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );
      exit;
 }

trunk/wp-admin/includes/ajax-actions.php

@@ -60 +60 @@
     }
 
-    $s = stripslashes( $_GET['q'] );
+    $s = wp_unslash( $_GET['q'] );
 
     $comma = _x( ',', 'tag delimiter' );
@@ -573 +573 @@
         else if ( is_array( $cat_id ) )
             $cat_id = $cat_id['term_id'];
-        $cat_name = esc_html(stripslashes($cat_name));
+        $cat_name = esc_html(wp_unslash($cat_name));
         $x->add( array(
             'what' => 'link-category',
@@ -958 +958 @@
     } else { // Update?
         $mid = (int) key( $_POST['meta'] );
-        $key = stripslashes( $_POST['meta'][$mid]['key'] );
-        $value = stripslashes( $_POST['meta'][$mid]['value'] );
+        $key = wp_unslash( $_POST['meta'][$mid]['key'] );
+        $value = wp_unslash( $_POST['meta'][$mid]['value'] );
         if ( '' == trim($key) )
             wp_die( __( 'Please provide a custom field name.' ) );
@@ -1228 +1228 @@
 
     if ( isset( $_POST['search'] ) )
-        $args['s'] = stripslashes( $_POST['search'] );
+        $args['s'] = wp_unslash( $_POST['search'] );
     $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
 
@@ -1329 +1329 @@
 
     $post = get_post( $post_ID, ARRAY_A );
-    $post = add_magic_quotes($post); //since it is from db
+    $post = wp_slash($post); //since it is from db
 
     $data['content'] = $post['post_content'];
@@ -1426 +1426 @@
     unset( $post_types['attachment'] );
 
-    $s = stripslashes( $_POST['ps'] );
+    $s = wp_unslash( $_POST['ps'] );
     $searchand = $search = '';
     $args = array(
@@ -1891 +1891 @@
     if ( isset( $changes['alt'] ) ) {
         $alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
-        $new_alt = stripslashes( $changes['alt'] );
+        $new_alt = wp_unslash( $changes['alt'] );
         if ( $alt != $new_alt ) {
             $new_alt = wp_strip_all_tags( $new_alt, true );
@@ -1991 +1991 @@
     check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-    $attachment = stripslashes_deep( $_POST['attachment'] );
+    $attachment = wp_unslash( $_POST['attachment'] );
 
     $id = intval( $attachment['id'] );
@@ -2046 +2046 @@
     check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-    if ( ! $src = stripslashes( $_POST['src'] ) )
+    if ( ! $src = wp_unslash( $_POST['src'] ) )
         wp_send_json_error();
 
@@ -2055 +2055 @@
         wp_send_json_error();
 
-    if ( ! $title = trim( stripslashes( $_POST['title'] ) ) )
+    if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
         $title = wp_basename( $src );
 
@@ -2115 +2115 @@
 
     if ( ! empty($_POST['data']) ) {
-        $data = stripslashes_deep( (array) $_POST['data'] );
+        $data = wp_unslash( (array) $_POST['data'] );
         $response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id );
     }

trunk/wp-admin/includes/bookmark.php

@@ -56 +56 @@
     $link = new stdClass;
     if ( isset( $_GET['linkurl'] ) )
-        $link->link_url = esc_url( $_GET['linkurl'] );
+        $link->link_url = esc_url( wp_unslash( $_GET['linkurl'] ) );
     else
         $link->link_url = '';
 
     if ( isset( $_GET['name'] ) )
-        $link->link_name = esc_attr( $_GET['name'] );
+        $link->link_name = esc_attr( wp_unslash( $_GET['name'] ) );
     else
         $link->link_name = '';
@@ -138 +138 @@
     $linkdata = sanitize_bookmark( $linkdata, 'db' );
 
-    extract( stripslashes_deep( $linkdata ), EXTR_SKIP );
+    extract( wp_unslash( $linkdata ), EXTR_SKIP );
 
     $update = false;
@@ -252 +252 @@
 
     // Escape data pulled from DB.
-    $link = add_magic_quotes( $link );
+    $link = wp_slash( $link );
 
     // Passed link category list overwrites existing category list if not empty.

trunk/wp-admin/includes/class-wp-comments-list-table.php

@@ -171 +171 @@
             // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
             if ( !empty( $_REQUEST['s'] ) )
-                $link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link );
+                $link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link );
             */
             $status_links[$status] = "<a href='$link'$class>" . sprintf(

trunk/wp-admin/includes/class-wp-ms-sites-list-table.php

@@ -30 +30 @@
         $pagenum = $this->get_pagenum();
 
-        $s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : '';
+        $s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : '';
         $wild = '';
         if ( false !== strpos($s, '*') ) {

trunk/wp-admin/includes/class-wp-ms-themes-list-table.php

@@ -127 +127 @@
         static $term;
         if ( is_null( $term ) )
-            $term = stripslashes( $_REQUEST['s'] );
+            $term = wp_unslash( $_REQUEST['s'] );
 
         foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) {

trunk/wp-admin/includes/class-wp-ms-users-list-table.php

@@ -174 +174 @@
                     case 'username':
                         $avatar = get_avatar( $user->user_email, 32 );
-                        $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
+                        $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
 
                         echo "<td $attributes>"; ?>
-                            <?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo stripslashes( $user->user_login ); ?></a><?php
+                            <?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo $user->user_login; ?></a><?php
                             if ( in_array( $user->user_login, $super_admins ) )
                                 echo ' - ' . __( 'Super Admin' );
@@ -187 +187 @@
 
                                 if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) {
-                                    $actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
+                                    $actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
                                 }
 

trunk/wp-admin/includes/class-wp-plugin-install-list-table.php

@@ -49 +49 @@
         switch ( $tab ) {
             case 'search':
-                $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-                $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
+                $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+                $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
 
                 switch ( $type ) {
@@ -74 +74 @@
 
             case 'favorites':
-                $user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
                 update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
                 if ( $user )

trunk/wp-admin/includes/class-wp-plugins-list-table.php

@@ -23 +23 @@
 
         if ( isset($_REQUEST['s']) )
-            $_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) );
+            $_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) );
 
         $page = $this->get_pagenum();
@@ -141 +141 @@
         static $term;
         if ( is_null( $term ) )
-            $term = stripslashes( $_REQUEST['s'] );
+            $term = wp_unslash( $_REQUEST['s'] );
 
         foreach ( $plugin as $value )

trunk/wp-admin/includes/class-wp-terms-list-table.php

@@ -53 +53 @@
         }
 
-        $search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : '';
+        $search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';
 
         $args = array(
@@ -62 +62 @@
 
         if ( !empty( $_REQUEST['orderby'] ) )
-            $args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) );
+            $args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
 
         if ( !empty( $_REQUEST['order'] ) )
-            $args['order'] = trim( stripslashes( $_REQUEST['order'] ) );
+            $args['order'] = trim( wp_unslash( $_REQUEST['order'] ) );
 
         $this->callback_args = $args;

trunk/wp-admin/includes/class-wp-theme-install-list-table.php

@@ -25 +25 @@
         $search_string = '';
         if ( ! empty( $_REQUEST['s'] ) ){
-            $search_string = strtolower( stripslashes( $_REQUEST['s'] ) );
+            $search_string = strtolower( wp_unslash( $_REQUEST['s'] ) );
             $search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) );
         }
@@ -60 +60 @@
         switch ( $tab ) {
             case 'search':
-                $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
+                $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
                 switch ( $type ) {
                     case 'tag':

trunk/wp-admin/includes/class-wp-themes-list-table.php

@@ -29 +29 @@
 
         if ( ! empty( $_REQUEST['s'] ) )
-            $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) );
+            $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) );
 
         if ( ! empty( $_REQUEST['features'] ) )
@@ -236 +236 @@
      */
      function _js_vars( $extra_args = array() ) {
-        $search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
+        $search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
 
         $args = array(

trunk/wp-admin/includes/class-wp-upgrader.php

@@ -1428 +1428 @@
         $install_actions = array();
 
-        $from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins';
+        $from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
 
         if ( 'import' == $from )

trunk/wp-admin/includes/class-wp-users-list-table.php

@@ -242 +242 @@
         if ( current_user_can( 'list_users' ) ) {
             // Set up the user editing link
-            $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
+            $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
 
             // Set up the hover actions for this user

trunk/wp-admin/includes/dashboard.php

@@ -1094 +1094 @@
 
     if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) {
-        $_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] );
+        $_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] );
         $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] );
         // title is optional. If black, fill it if possible

trunk/wp-admin/includes/deprecated.php

@@ -473 +473 @@
         _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
 
-        $this->search_term = stripslashes( $search_term );
+        $this->search_term = wp_unslash( $search_term );
         $this->raw_page = ( '' == $page ) ? false : (int) $page;
         $this->page = (int) ( '' == $page ) ? 1 : $page;
@@ -552 +552 @@
      */
     function prepare_vars_for_template_usage() {
-        $this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone
+        $this->search_term = wp_unslash($this->search_term); // done with DB, from now on we want slashes gone
     }
 

trunk/wp-admin/includes/file.php

@@ -902 +902 @@
 
     // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
-    $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']);
-    $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']);
-    $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : '');
+    $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
+    $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
+    $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
 
     // Check to see if we are setting the public/private keys for ssh
-    $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : '');
-    $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : '');
+    $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
+    $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
 
     //sanitize the hostname, Some people might pass in odd-data:
@@ -926 +926 @@
         $credentials['connection_type'] = 'ftps';
     else if ( !empty($_POST['connection_type']) )
-        $credentials['connection_type'] = stripslashes($_POST['connection_type']);
+        $credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
     else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP
         $credentials['connection_type'] = 'ftp';
@@ -1051 +1051 @@
 foreach ( (array) $extra_fields as $field ) {
     if ( isset( $_POST[ $field ] ) )
-        echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( stripslashes( $_POST[ $field ] ) ) . '" />';
+        echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />';
 }
 submit_button( __( 'Proceed' ), 'button', 'upgrade' );

trunk/wp-admin/includes/image-edit.php

@@ -455 +455 @@
         return false;
 
-    $changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null;
+    $changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash($_REQUEST['history']) ) : null;
     if ( $changes )
         $img = image_edit_apply_changes( $img, $changes );
@@ -588 +588 @@
         }
     } elseif ( !empty($_REQUEST['history']) ) {
-        $changes = json_decode( stripslashes($_REQUEST['history']) );
+        $changes = json_decode( wp_unslash($_REQUEST['history']) );
         if ( $changes )
             $img = image_edit_apply_changes($img, $changes);

trunk/wp-admin/includes/media.php

@@ -469 +469 @@
         if ( isset($attachment['image_alt']) ) {
             $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);
-            if ( $image_alt != stripslashes($attachment['image_alt']) ) {
-                $image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true );
+            if ( $image_alt != wp_unslash($attachment['image_alt']) ) {
+                $image_alt = wp_strip_all_tags( wp_unslash($attachment['image_alt']), true );
                 // update_meta expects slashed
                 update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) );
@@ -502 +502 @@
 
     if ( isset($send_id) ) {
-        $attachment = stripslashes_deep( $_POST['attachments'][$send_id] );
+        $attachment = wp_unslash( $_POST['attachments'][$send_id] );
 
         $html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : '';
@@ -547 +547 @@
 
         if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) {
-            $title = esc_html( stripslashes( $_POST['title'] ) );
+            $title = esc_html( wp_unslash( $_POST['title'] ) );
             if ( empty( $title ) )
                 $title = esc_html( basename( $src ) );
@@ -562 +562 @@
         } else {
             $align = '';
-            $alt = esc_attr( stripslashes( $_POST['alt'] ) );
+            $alt = esc_attr( wp_unslash( $_POST['alt'] ) );
             if ( isset($_POST['align']) ) {
-                $align = esc_attr( stripslashes( $_POST['align'] ) );
+                $align = esc_attr( wp_unslash( $_POST['align'] ) );
                 $class = " class='align$align'";
             }

trunk/wp-admin/includes/misc.php

@@ -221 +221 @@
  */
 function url_shorten( $url ) {
-    $short_url = str_replace( 'http://', '', stripslashes( $url ));
+    $short_url = str_replace( 'http://', '', wp_unslash( $url ));
     $short_url = str_replace( 'www.', '', $short_url );
     $short_url = untrailingslashit( $short_url );

trunk/wp-admin/includes/plugin-install.php

@@ -117 +117 @@
  */
 function install_search_form( $type_selector = true ) {
-    $type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term';
-    $term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : '';
+    $type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+    $term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : '';
 
     ?><form id="search-plugins" method="get" action="">
@@ -161 +161 @@
  */
 function install_plugins_favorites_form() {
-    $user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+    $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
     ?>
     <p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p>
@@ -252 +252 @@
     }
     if ( isset($_GET['from']) )
-        $url .= '&amp;from=' . urlencode(stripslashes($_GET['from']));
+        $url .= '&amp;from=' . urlencode( wp_unslash( $_GET['from'] ) );
 
     return compact('status', 'url', 'version');
@@ -265 +265 @@
     global $tab;
 
-    $api = plugins_api('plugin_information', array('slug' => stripslashes( $_REQUEST['plugin'] ) ));
+    $api = plugins_api('plugin_information', array('slug' => wp_unslash( $_REQUEST['plugin'] ) ));
 
     if ( is_wp_error($api) )
@@ -296 +296 @@
     }
 
-    $section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
+    $section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
     if ( empty($section) || ! isset($api->sections[ $section ]) )
         $section = array_shift( $section_titles = array_keys((array)$api->sections) );

trunk/wp-admin/includes/post.php

@@ -198 +198 @@
 
     if ( isset( $post_data[ '_wp_format_url' ] ) ) {
-        update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( stripslashes( $post_data['_wp_format_url'] ) ) ) );
+        update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( wp_unslash( $post_data['_wp_format_url'] ) ) ) );
     }
 
@@ -237 +237 @@
         if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) {
             $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true );
-            if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) {
-                $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true );
+            if ( $image_alt != wp_unslash( $post_data['_wp_attachment_image_alt'] ) ) {
+                $image_alt = wp_strip_all_tags( wp_unslash( $post_data['_wp_attachment_image_alt'] ), true );
                 // update_meta expects slashed
                 update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) );
@@ -431 +431 @@
     $post_title = '';
     if ( !empty( $_REQUEST['post_title'] ) )
-        $post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
+        $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] ));
 
     $post_content = '';
     if ( !empty( $_REQUEST['content'] ) )
-        $post_content = esc_html( stripslashes( $_REQUEST['content'] ));
+        $post_content = esc_html( wp_unslash( $_REQUEST['content'] ));
 
     $post_excerpt = '';
     if ( !empty( $_REQUEST['excerpt'] ) )
-        $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
+        $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] ));
 
     if ( $create_in_db ) {
@@ -488 +488 @@
     global $wpdb;
 
-    $post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
-    $post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
-    $post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
+    $post_title = wp_unslash( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
+    $post_content = wp_unslash( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
+    $post_date = wp_unslash( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
 
     $query = "SELECT ID FROM $wpdb->posts WHERE 1=1";
@@ -621 +621 @@
     $post_ID = (int) $post_ID;
 
-    $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
-    $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
+    $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : '';
+    $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : '';
     $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
     if ( is_string( $metavalue ) )
@@ -720 +720 @@
  */
 function update_meta( $meta_id, $meta_key, $meta_value ) {
-    $meta_key = stripslashes( $meta_key );
-    $meta_value = stripslashes_deep( $meta_value );
+    $meta_key = wp_unslash( $meta_key );
+    $meta_value = wp_unslash( $meta_value );
 
     return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key );
@@ -1246 +1246 @@
 
     // _wp_put_post_revision() expects unescaped.
-    $_POST = stripslashes_deep($_POST);
+    $_POST = wp_unslash($_POST);
 
     // Otherwise create the new autosave as a special post revision

trunk/wp-admin/includes/taxonomy.php

@@ -159 +159 @@
 
     // Escape data pulled from DB.
-    $category = add_magic_quotes($category);
+    $category = wp_slash($category);
 
     // Merge old and new fields with new fields overwriting old ones.