Changeset 23591


Timestamp:
03/03/2013 04:30:38 PM (6 years ago)
Author:
ryan
Message:

Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().

see #WP21767

Location:
trunk
Files:
11 edited

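--- a/trunk/wp-admin/user-new.php
+++ b/trunk/wp-admin/user-new.php
@@ -117,5 +117,5 @@
             $add_user_errors = $user_details[ 'errors' ];
         } else {
-            $new_user_login = apply_filters('pre_user_login', sanitize_user(stripslashes($_REQUEST['user_login']), true));
+            $new_user_login = apply_filters('pre_user_login', sanitize_user(wp_unslash($_REQUEST['user_login']), true));
             if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
                 add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
@@ -310,5 +310,5 @@
     if( isset( $_POST['createuser'] ) ) {
         if ( ! isset($$var) )
-            $$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : '';
+            $$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : '';
     } else {
         $$var = false;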
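Review bot: `sanitize_user(wp_unslash($_REQUEST['user_login']), true)` in the first hunk widens the accepted input type: if wp_unslash() recurses into arrays the way the stripslashes_deep() it also replaces does, an array-valued `user_login` request parameter now reaches sanitize_user() as an array, whereas stripslashes() reduced it to null with a warning. The same widening applies to `$$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : ''` in the second hunk, where the result lands in a variable variable, and to the `$_REQUEST['wp_http_referer']` and `$_POST['customized']` call sites in users.php and class-wp-customize-manager.php. A guard such as `is_string( $_REQUEST['user_login'] ) ? wp_unslash( $_REQUEST['user_login'] ) : ''` keeps the string functions downstream on the contract they had. Both enclosing blocks start and end outside the hunks.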
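--- a/trunk/wp-admin/users.php
+++ b/trunk/wp-admin/users.php
@@ -65,7 +65,7 @@
 
 if ( empty($_REQUEST) ) {
-    $referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
+    $referer = '<input type="hidden" name="wp_http_referer" value="'. esc_attr( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . '" />';
 } elseif ( isset($_REQUEST['wp_http_referer']) ) {
-    $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer']));
+    $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash( $_REQUEST['wp_http_referer'] ) );
     $referer = '<input type="hidden" name="wp_http_referer" value="' . esc_attr($redirect) . '" />';
 } else {
@@ -358,5 +358,5 @@
 
     if ( !empty($_GET['_wp_http_referer']) ) {
-        wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI'])));
+        wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
         exit;
     }
@@ -382,5 +382,5 @@
             if ( isset( $_GET['id'] ) && ( $user_id = $_GET['id'] ) && current_user_can( 'edit_user', $user_id ) ) {
                 $messages[] = '<div id="message" class="updated"><p>' . sprintf( __( 'New user created. <a href="%s">Edit user</a>' ),
-                    esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ),
+                    esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ),
                         self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '</p></div>';
             } else {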
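--- a/trunk/wp-includes/class-wp-customize-manager.php
+++ b/trunk/wp-includes/class-wp-customize-manager.php
@@ -311,5 +311,5 @@
         if ( ! isset( $this->_post_values ) ) {
             if ( isset( $_POST['customized'] ) )
-                $this->_post_values = json_decode( stripslashes( $_POST['customized'] ), true );
+                $this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true );
             else
                 $this->_post_values = false;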
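Review bot: The decoded value on the changed line is stored without checking that json_decode() produced an array, so malformed input leaves `$this->_post_values` as null, which fails the `! isset()` test on line 311 and makes the decode run again on every call instead of settling to the false the else branch uses. The same happens if `$_POST['customized']` arrives as an array rather than a string. Guarding both, e.g. `$decoded = is_string( $_POST['customized'] ) ? json_decode( wp_unslash( $_POST['customized'] ), true ) : null;` followed by `$this->_post_values = is_array( $decoded ) ? $decoded : false;`, keeps the cache stable and keeps later readers of `_post_values` from seeing null. The enclosing method starts and ends outside the hunk.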
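--- a/trunk/wp-includes/class-wp-customize-setting.php
+++ b/trunk/wp-includes/class-wp-customize-setting.php
@@ -145,5 +145,5 @@
      */
     public function sanitize( $value ) {
-        $value = stripslashes_deep( $value );
+        $value = wp_unslash( $value );
         return apply_filters( "customize_sanitize_{$this->id}", $value, $this );
     }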
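Review bot: The method's docblock closes at line 145 but its text is outside the hunk, and nothing on the page records that `$value` is expected slashed, which is what the `wp_unslash( $value )` call makes explicit. I would document the contract the body shows: `@param mixed $value The value to sanitize, expected slashed as received from the request.` and `@return mixed The unslashed value after the customize_sanitize_{$this->id} filter has run.` It is also worth one sentence that the method itself does nothing beyond unslashing; all actual sanitizing is delegated to whatever callbacks are attached to that filter, so a setting with no callback passes the raw value through.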
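--- a/trunk/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/wp-includes/class-wp-xmlrpc-server.php
@@ -281,8 +281,8 @@
                 $pmeta = get_metadata_by_mid( 'post', $meta['id'] );
                 if ( isset($meta['key']) ) {
-                    $meta['key'] = stripslashes( $meta['key'] );
+                    $meta['key'] = wp_unslash( $meta['key'] );
                     if ( $meta['key'] != $pmeta->meta_key )
                         continue;
-                    $meta['value'] = stripslashes_deep( $meta['value'] );
+                    $meta['value'] = wp_unslash( $meta['value'] );
                     if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
                         update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
@@ -290,5 +290,5 @@
                     delete_metadata_by_mid( 'post', $meta['id'] );
                 }
-            } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
+            } elseif ( current_user_can( 'add_post_meta', $post_id, wp_unslash( $meta['key'] ) ) ) {
                 add_post_meta( $post_id, $meta['key'], $meta['value'] );
             }
@@ -3747,7 +3747,7 @@
         $categories = implode(',', wp_get_post_categories($post_ID));
 
-        $content  = '<title>'.stripslashes($post_data['post_title']).'</title>';
+        $content  = '<title>'.wp_unslash($post_data['post_title']).'</title>';
         $content .= '<category>'.$categories.'</category>';
-        $content .= stripslashes($post_data['post_content']);
+        $content .= wp_unslash($post_data['post_content']);
 
         $struct = array(
@@ -3801,7 +3801,7 @@
             $categories = implode(',', wp_get_post_categories($entry['ID']));
 
-            $content  = '<title>'.stripslashes($entry['post_title']).'</title>';
+            $content  = '<title>'.wp_unslash($entry['post_title']).'</title>';
             $content .= '<category>'.$categories.'</category>';
-            $content .= stripslashes($entry['post_content']);
+            $content .= wp_unslash($entry['post_content']);
 
             $struct[] = array(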
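Review bot: `if ( $meta['key'] != $pmeta->meta_key )` in the first hunk compares the request-supplied key with the stored one loosely, so the `continue` is skipped for textually different but numerically equal keys, and the `edit_post_meta` capability check two lines later then runs against the submitted key rather than the stored one. `if ( (string) $meta['key'] !== $pmeta->meta_key )` restricts the update path to the exact stored key. In the second hunk the capability check uses `wp_unslash( $meta['key'] )` while `add_post_meta()` receives the slashed key; that matches the expected_slashed convention visible in meta.php but reads as an inconsistency, so a comment such as `// add_post_meta() expects slashed input; only the capability check needs the raw key` would make it deliberate. The enclosing methods start and end outside the hunks.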
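--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -635,5 +635,5 @@
     if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
         $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
-        $comment_author = stripslashes($comment_author);
+        $comment_author = wp_unslash($comment_author);
         $comment_author = esc_attr($comment_author);
         $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
@@ -642,5 +642,5 @@
     if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
         $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
-        $comment_author_email = stripslashes($comment_author_email);
+        $comment_author_email = wp_unslash($comment_author_email);
         $comment_author_email = esc_attr($comment_author_email);
         $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
@@ -649,5 +649,5 @@
     if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
         $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
-        $comment_author_url = stripslashes($comment_author_url);
+        $comment_author_url = wp_unslash($comment_author_url);
         $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
     }
@@ -1263,5 +1263,5 @@
 function wp_insert_comment($commentdata) {
     global $wpdb;
-    extract(stripslashes_deep($commentdata), EXTR_SKIP);
+    extract(wp_unslash($commentdata), EXTR_SKIP);
 
     if ( ! isset($comment_author_IP) )
@@ -1503,5 +1503,5 @@
 
     // Now extract the merged array.
-    extract(stripslashes_deep($commentarr), EXTR_SKIP);
+    extract(wp_unslash($commentarr), EXTR_SKIP);
 
     $comment_content = apply_filters('comment_save_pre', $comment_content);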
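Review bot: `extract(wp_unslash($commentdata), EXTR_SKIP)` in wp_insert_comment turns every key of the caller-supplied array into a local variable, so the set of locals in the function depends on whatever callers and upstream filters put into the array, and EXTR_SKIP only shields the names already defined here, `$commentdata` and `$wpdb`. The `isset($comment_author_IP)` test that follows shows defaults are patched in afterwards, so unslashing once with `$commentdata = wp_unslash( $commentdata );` and then reading the expected keys explicitly, e.g. `$comment_author_IP = isset( $commentdata['comment_author_IP'] ) ? $commentdata['comment_author_IP'] : '';`, would fix the variable set without changing the unslash semantics; the fifth hunk at line 1505 has the same pattern. In the three cookie hunks the `pre_comment_author_*` filters still receive the slashed cookie value and unslashing happens afterwards; if filter callbacks expect unslashed text the two lines may need swapping, which should be confirmed against the filters' documented contract. All enclosing functions continue outside the hunks.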
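--- a/trunk/wp-includes/cron.php
+++ b/trunk/wp-includes/cron.php
@@ -231,5 +231,5 @@
 
         ob_start();
-        wp_redirect( add_query_arg('doing_wp_cron', $doing_wp_cron, stripslashes($_SERVER['REQUEST_URI'])) );
+        wp_redirect( add_query_arg( 'doing_wp_cron', $doing_wp_cron, wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
         echo ' ';
 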
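--- a/trunk/wp-includes/feed.php
+++ b/trunk/wp-includes/feed.php
@@ -489,5 +489,5 @@
 function self_link() {
     $host = @parse_url(home_url());
-    echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . stripslashes( $_SERVER['REQUEST_URI'] ) ) ) );
+    echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
 }
 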
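Review bot: `$host['host']` on the changed line comes from `@parse_url(home_url())`, whose failure is suppressed rather than checked, so a home URL that parse_url() cannot parse or that has no host component produces an undefined-index notice and a link assembled from `http://` plus the request path alone. Dropping the suppression and guarding the index, `$host = parse_url( home_url() );` followed by `if ( empty( $host['host'] ) ) return;` before the echo (or falling back to home_url() itself if an empty link is unacceptable), makes the failure explicit instead of emitting a malformed self link. The whole of self_link() is within the hunk.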
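--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -1424,5 +1424,5 @@
         $gpc = stripslashes($gpc);
 
-    return esc_sql($gpc);
+    return wp_slash($gpc);
 }
 
@@ -1720,5 +1720,5 @@
     $text = stripslashes($text);
     $text = preg_replace_callback('|<a (.+?)>|i', 'wp_rel_nofollow_callback', $text);
-    $text = esc_sql($text);
+    $text = wp_slash($text);
     return $text;
 }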
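Review bot: The first hunk replaces `esc_sql($gpc)` with `wp_slash($gpc)`, a substitution the commit message does not list (it names add_magic_quotes()), and the two are not obviously interchangeable: esc_sql() escapes through the database layer, while wp_slash() presumably adds backslashes the way add_magic_quotes() does; wp_slash() itself is not on this page, so the equivalence for every caller should be confirmed and the message amended to mention esc_sql(). In the second hunk the function still unslashes with `stripslashes($text)` on line 1720 but re-slashes with `wp_slash($text)`; `$text = wp_unslash($text);` keeps the pair symmetric and matches the rest of the changeset. Both enclosing functions start outside the hunks.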
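--- a/trunk/wp-includes/meta.php
+++ b/trunk/wp-includes/meta.php
@@ -44,6 +44,6 @@
 
     // expected_slashed ($meta_key)
-    $meta_key = stripslashes($meta_key);
-    $meta_value = stripslashes_deep($meta_value);
+    $meta_key = wp_unslash($meta_key);
+    $meta_value = wp_unslash($meta_value);
     $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
@@ -115,7 +115,7 @@
 
     // expected_slashed ($meta_key)
-    $meta_key = stripslashes($meta_key);
+    $meta_key = wp_unslash($meta_key);
     $passed_value = $meta_value;
-    $meta_value = stripslashes_deep($meta_value);
+    $meta_value = wp_unslash($meta_value);
     $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
@@ -197,6 +197,6 @@
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
     // expected_slashed ($meta_key)
-    $meta_key = stripslashes($meta_key);
-    $meta_value = stripslashes_deep($meta_value);
+    $meta_key = wp_unslash($meta_key);
+    $meta_value = wp_unslash($meta_value);
 
     $check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );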
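Review bot: The `// expected_slashed ($meta_key)` annotation above each changed pair names only the key, yet every hunk unslashes `$meta_value` as well, so the annotation under-reports the functions' input contract. Updating it to `// expected_slashed ($meta_key, $meta_value)` in all three hunks keeps the marker accurate for anyone searching for parameters that must arrive slashed. All three enclosing functions start and end outside the hunks.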
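--- a/trunk/wp-includes/ms-files.php
+++ b/trunk/wp-includes/ms-files.php
@@ -59,5 +59,5 @@
 
 // Support for Conditional GET
-$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
+$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
 
 if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )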