Changeset 23567

Timestamp:

03/01/2013 05:14:09 PM (12 years ago)

Author:

ryan

Message:

Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().

Location:

trunk/wp-admin

Files:

• edit-comments.php (modified) (1 diff)
• includes/template.php (modified) (1 diff)
• includes/theme-install.php (modified) (2 diffs)
• includes/upgrade.php (modified) (3 diffs)
• includes/user.php (modified) (1 diff)
• install.php (modified) (2 diffs)
• link-manager.php (modified) (2 diffs)
• network.php (modified) (1 diff)
• network/site-info.php (modified) (1 diff)
• network/site-new.php (modified) (1 diff)
• network/site-settings.php (modified) (1 diff)
• network/sites.php (modified) (1 diff)
• options-head.php (modified) (1 diff)
• options.php (modified) (3 diffs)
• plugin-editor.php (modified) (3 diffs)
• press-this.php (modified) (1 diff)
• setup-config.php (modified) (1 diff)
• theme-editor.php (modified) (2 diffs)
• upgrade.php (modified) (2 diffs)
• upload.php (modified) (1 diff)

trunk/wp-admin/edit-comments.php

@@ -21 +21 @@
 
     if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
-        $comment_status = $_REQUEST['comment_status'];
-        $delete_time = $_REQUEST['pagegen_timestamp'];
+        $comment_status = wp_unslash( $_REQUEST['comment_status'] );
+        $delete_time = wp_unslash ( $_REQUEST['pagegen_timestamp'] );
         $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
         $doaction = 'delete';

trunk/wp-admin/includes/template.php

@@ -1334 +1334 @@
  */
 function _admin_search_query() {
-    echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
+    echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
 }
 

trunk/wp-admin/includes/theme-install.php

@@ -51 +51 @@
  */
 function install_theme_search_form( $type_selector = true ) {
-    $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-    $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
+    $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+    $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
     if ( ! $type_selector )
         echo '<p class="install-help">' . __( 'Search for themes by keyword.' ) . '</p>';
@@ -180 +180 @@
     global $tab, $themes_allowedtags, $wp_list_table;
 
-    $theme = themes_api( 'theme_information', array( 'slug' => stripslashes( $_REQUEST['theme'] ) ) );
+    $theme = themes_api( 'theme_information', array( 'slug' => wp_unslash( $_REQUEST['theme'] ) ) );
 
     if ( is_wp_error( $theme ) )

trunk/wp-admin/includes/upgrade.php

@@ -133 +133 @@
 
         if ( empty($first_post) )
-            $first_post = stripslashes( __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' ) );
+            $first_post = __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' );
 
         $first_post = str_replace( "SITE_URL", esc_url( network_home_url() ), $first_post );
@@ -637 +637 @@
     foreach ( $users as $user ) :
         if ( !empty( $user->user_firstname ) )
-            update_user_meta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) );
+            update_user_meta( $user->ID, 'first_name', wp_slash($user->user_firstname) );
         if ( !empty( $user->user_lastname ) )
-            update_user_meta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) );
+            update_user_meta( $user->ID, 'last_name', wp_slash($user->user_lastname) );
         if ( !empty( $user->user_nickname ) )
-            update_user_meta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) );
+            update_user_meta( $user->ID, 'nickname', wp_slash($user->user_nickname) );
         if ( !empty( $user->user_level ) )
             update_user_meta( $user->ID, $wpdb->prefix . 'user_level', $user->user_level );
         if ( !empty( $user->user_icq ) )
-            update_user_meta( $user->ID, 'icq', $wpdb->escape($user->user_icq) );
+            update_user_meta( $user->ID, 'icq', wp_slash($user->user_icq) );
         if ( !empty( $user->user_aim ) )
-            update_user_meta( $user->ID, 'aim', $wpdb->escape($user->user_aim) );
+            update_user_meta( $user->ID, 'aim', wp_slash($user->user_aim) );
         if ( !empty( $user->user_msn ) )
-            update_user_meta( $user->ID, 'msn', $wpdb->escape($user->user_msn) );
+            update_user_meta( $user->ID, 'msn', wp_slash($user->user_msn) );
         if ( !empty( $user->user_yim ) )
-            update_user_meta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );
+            update_user_meta( $user->ID, 'yim', wp_slash($user->user_icq) );
         if ( !empty( $user->user_description ) )
-            update_user_meta( $user->ID, 'description', $wpdb->escape($user->user_description) );
+            update_user_meta( $user->ID, 'description', wp_slash($user->user_description) );
 
         if ( isset( $user->user_idmode ) ):
@@ -855 +855 @@
             $cat_id = (int) $category->cat_id;
             $term_id = 0;
-            $name = $wpdb->escape($category->cat_name);
+            $name = wp_slash($category->cat_name);
             $slug = sanitize_title($name);
             $term_group = 0;

trunk/wp-admin/includes/user.php

@@ -35 +35 @@
         $user->ID = (int) $user_id;
         $userdata = get_userdata( $user_id );
-        $user->user_login = $wpdb->escape( $userdata->user_login );
+        $user->user_login = wp_slash( $userdata->user_login );
     } else {
         $update = false;

trunk/wp-admin/install.php

@@ -85 +85 @@
         $blog_public = isset( $_POST['blog_public'] );
 
-    $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-    $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-    $admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
-    $admin_email  = isset( $_POST['admin_email']  ) ? trim( stripslashes( $_POST['admin_email'] ) ) : '';
+    $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+    $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
+    $admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
+    $admin_email  = isset( $_POST['admin_email']  ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : '';
 
     if ( ! is_null( $error ) ) {
@@ -190 +190 @@
         display_header();
         // Fill in the data we gathered
-        $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-        $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-        $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
-        $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
-        $admin_email  = isset( $_POST['admin_email']  ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
+        $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+        $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
+        $admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : '';
+        $admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : '';
+        $admin_email  = isset( $_POST['admin_email']  ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : '';
         $public       = isset( $_POST['blog_public']  ) ? (int) $_POST['blog_public'] : 0;
         // check e-mail address

trunk/wp-admin/link-manager.php

@@ -32 +32 @@
     }
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
      exit;
 }
@@ -73 +73 @@
 <h2><?php echo esc_html( $title ); ?> <a href="link-add.php" class="add-new-h2"><?php echo esc_html_x('Add New', 'link'); ?></a> <?php
 if ( !empty($_REQUEST['s']) )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
 </h2>
 

trunk/wp-admin/network.php

@@ -521 +521 @@
     $subdomain_install = allow_subdomain_install() ? !empty( $_POST['subdomain_install'] ) : false;
     if ( ! network_domain_check() ) {
-        $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), stripslashes( $_POST['sitename'] ), $base, $subdomain_install );
+        $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), wp_unslash( $_POST['sitename'] ), $base, $subdomain_install );
         if ( is_wp_error( $result ) ) {
             if ( 1 == count( $result->get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() )

trunk/wp-admin/network/site-info.php

@@ -63 +63 @@
 
     // update blogs table
-    $blog_data = stripslashes_deep( $_POST['blog'] );
+    $blog_data = wp_unslash( $_POST['blog'] );
     $existing_details = get_blog_details( $id, false );
     $blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' );

trunk/wp-admin/network/site-new.php

@@ -89 +89 @@
 
 Address: %2$s
-Name: %3$s' ), $current_user->user_login , get_site_url( $id ), stripslashes( $title ) );
+Name: %3$s' ), $current_user->user_login , get_site_url( $id ), wp_unslash( $title ) );
         wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site->site_name ), $content_mail, 'From: "Site Admin" <' . get_site_option( 'admin_email' ) . '>' );
         wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) );

trunk/wp-admin/network/site-settings.php

@@ -54 +54 @@
     $skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form.
     foreach ( (array) $_POST['option'] as $key => $val ) {
+        $key = wp_unslash( $key );
+        $val = wp_unslash( $val );
         if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) )
             continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options
         if ( $c == $count )
-            update_option( $key, stripslashes( $val ) );
+            update_option( $key, $val );
         else
-            update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet
+            update_option( $key, $val, false ); // no need to refresh blog details yet
         $c++;
     }

trunk/wp-admin/network/sites.php

@@ -80 +80 @@
                     <input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
                     <?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?>
-                    <p><?php echo esc_html( stripslashes( $_GET['msg'] ) ); ?></p>
+                    <p><?php echo esc_html( wp_unslash( $_GET['msg'] ) ); ?></p>
                     <?php submit_button( __('Confirm'), 'button' ); ?>
                 </form>

trunk/wp-admin/options-head.php

@@ -3 +3 @@
  * WordPress Options Header.
  *
- * Resets variables: 'action', 'standalone', and 'option_group_id'. Displays
- * updated message, if updated variable is part of the URL query.
+ * Displays updated message, if updated variable is part of the URL query.
  *
  * @package WordPress

trunk/wp-admin/options.php

@@ -121 +121 @@
         if ( is_multisite() && ! is_super_admin() )
             wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) );
-        $options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) );
+        $options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) );
     } else {
         $options = $whitelist_options[ $option_page ];
@@ -128 +128 @@
     // Handle custom date/time formats
     if ( 'general' == $option_page ) {
-        if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) )
+        if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) )
             $_POST['date_format'] = $_POST['date_format_custom'];
-        if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) )
+        if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) )
             $_POST['time_format'] = $_POST['time_format_custom'];
         // Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
@@ -151 +151 @@
                 if ( ! is_array( $value ) )
                     $value = trim( $value );
-                $value = stripslashes_deep( $value );
+                $value = wp_unslash( $value );
             }
             update_option( $option, $value );

trunk/wp-admin/plugin-editor.php

@@ -29 +29 @@
 
 if ( isset($_REQUEST['file']) )
-    $plugin = stripslashes($_REQUEST['file']);
+    $plugin = wp_unslash($_REQUEST['file']);
 
 if ( empty($plugin) ) {
@@ -40 +40 @@
 if ( empty($file) )
     $file = $plugin_files[0];
-else
-    $file = stripslashes($file);
 
 $file = validate_file_to_edit($file, $plugin_files);
@@ -53 +51 @@
     check_admin_referer('edit-plugin_' . $file);
 
-    $newcontent = stripslashes($_POST['newcontent']);
+    $newcontent = wp_unslash( $_POST['newcontent'] );
     if ( is_writeable($real_file) ) {
         $f = fopen($real_file, 'w+');

trunk/wp-admin/press-this.php

@@ -92 +92 @@
 
 // Set Variables
-$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
+$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
 
 $selection = '';
 if ( !empty($_GET['s']) ) {
-    $selection = str_replace(''', "'", stripslashes($_GET['s']));
+    $selection = str_replace(''', "'", wp_unslash($_GET['s']));
     $selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) );
 }

trunk/wp-admin/setup-config.php

@@ -165 +165 @@
     case 2:
     foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key )
-        $$key = trim( stripslashes( $_POST[ $key ] ) );
+        $$key = trim( wp_unslash( $_POST[ $key ] ) );
 
     $tryagain_link = '</p><p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button button-large">' . __( 'Try again' ) . '</a>';

trunk/wp-admin/theme-editor.php

@@ -69 +69 @@
     $file = $allowed_files['style.css'];
 } else {
-    $relative_file = stripslashes( $file );
+    $relative_file = wp_unslash( $file );
     $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
 }
@@ -79 +79 @@
 case 'update':
     check_admin_referer( 'edit-theme_' . $file . $stylesheet );
-    $newcontent = stripslashes( $_POST['newcontent'] );
+    $newcontent = wp_unslash( $_POST['newcontent'] );
     $location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&theme=' . urlencode( $stylesheet ) . '&scrollto=' . $scrollto;
     if ( is_writeable( $file ) ) {

trunk/wp-admin/upgrade.php

@@ -78 +78 @@
 switch ( $step ) :
     case 0:
-        $goback = stripslashes( wp_get_referer() );
+        $goback = wp_unslash( wp_get_referer() );
         $goback = esc_url_raw( $goback );
         $goback = urlencode( $goback );
@@ -91 +91 @@
         wp_upgrade();
 
-            $backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
+            $backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
             $backto = esc_url( $backto );
             $backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/');

trunk/wp-admin/upload.php

@@ -133 +133 @@
     exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+     wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
      exit;
 }