
Changeset 23594


Timestamp:
03/03/2013 09:11:40 PM (12 years ago)
Author:
ryan
Message:

Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().

see #21767

Location:
trunk
Files:
8 edited

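--- a/trunk/wp-includes/post-template.php
+++ b/trunk/wp-includes/post-template.php
@@ -584,5 +584,5 @@
     }
 
-    $hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
+    $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
 
     return ! $wp_hasher->CheckPassword( $post->post_password, $hash );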
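Review bot: The unslashed cookie value at 586 is handed to CheckPassword() on 588 with nothing saying what the cookie holds, so the plaintext `$post->post_password` as the first argument looks backwards to a reader. The wp-login.php hunk in this same changeset sets the cookie to a phpass hash of the submitted password, so a comment here would close the loop: `// The cookie holds a phpass hash of the password the visitor submitted (set in wp-login.php); verify it against the stored plaintext post password.` The enclosing function starts before this hunk, so whether the cookie's presence is checked before this read cannot be seen here.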
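--- a/trunk/wp-includes/post.php
+++ b/trunk/wp-includes/post.php
@@ -361,5 +361,5 @@
     }
 
-    // Strip leading and trailing whitespace
+    // ` leading and trailing whitespace
     $main = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $main);
     $extended = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $extended);
@@ -2798,5 +2798,5 @@
     $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) );
     $data = apply_filters('wp_insert_post_data', $data, $postarr);
-    $data = stripslashes_deep( $data );
+    $data = wp_unslash( $data );
     $where = array( 'ID' => $post_ID );
 
@@ -2811,5 +2811,5 @@
     } else {
         if ( isset($post_mime_type) )
-            $data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update
+            $data['post_mime_type'] = wp_unslash( $post_mime_type ); // This isn't in the update
         // If there is a suggested ID, use it if not already present
         if ( !empty($import_id) ) {
@@ -2905,5 +2905,5 @@
         // non-escaped post was passed
         $postarr = get_object_vars($postarr);
-        $postarr = add_magic_quotes($postarr);
+        $postarr = wp_slash($postarr);
     }
 
@@ -2912,5 +2912,5 @@
 
     // Escape data pulled from DB.
-    $post = add_magic_quotes($post);
+    $post = wp_slash($post);
 
     // Passed post category list overwrites existing category list if not empty.
@@ -3258,5 +3258,5 @@
     $new = apply_filters('add_ping', $new);
     // expected_slashed ($new)
-    $new = stripslashes($new);
+    $new = wp_unslash($new);
     return $wpdb->update( $wpdb->posts, array( 'pinged' => $new ), array( 'ID' => $post_id ) );
 }
@@ -3351,5 +3351,5 @@
         foreach( (array) $trackback_urls as $tb_url) {
             $tb_url = trim($tb_url);
-            trackback($tb_url, stripslashes($post_title), $excerpt, $post_id);
+            trackback($tb_url, wp_unslash($post_title), $excerpt, $post_id);
         }
     }
@@ -3695,6 +3695,6 @@
 
         // meta_key and meta_value might be slashed
-        $meta_key = stripslashes($meta_key);
-        $meta_value = stripslashes($meta_value);
+        $meta_key = wp_unslash($meta_key);
+        $meta_value = wp_unslash($meta_value);
         if ( ! empty( $meta_key ) )
             $where .= $wpdb->prepare(" AND $wpdb->postmeta.meta_key = %s", $meta_key);
@@ -3966,5 +3966,5 @@
     // expected_slashed (everything!)
     $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) );
-    $data = stripslashes_deep( $data );
+    $data = wp_unslash( $data );
 
     if ( $update ) {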
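Review bot: The new side of the comment at 363 in the first hunk reads `` // ` leading and trailing whitespace ``, i.e. the word "Strip" has become a stray backtick while the code on 364-365 is untouched; unless this is a rendering artifact of the page, it looks like collateral damage from the stripslashes search-and-replace rather than an intended edit and should be restored to `// Strip leading and trailing whitespace`. The remaining hunks are mechanical and read correctly, though comments such as `// Escape data pulled from DB.` at 2913 now sit above wp_slash(), which adds slashes rather than SQL-escaping; `// Slash data pulled from DB to match the expected_slashed convention.` would describe the new code. Every hunk here is a fragment of a function whose signature is outside it.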
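--- a/trunk/wp-includes/revision.php
+++ b/trunk/wp-includes/revision.php
@@ -242,5 +242,5 @@
 
     $post = _wp_post_revision_fields( $post, $autosave );
-    $post = add_magic_quotes($post); //since data is from db
+    $post = wp_slash($post); //since data is from db
 
     $revision_id = wp_insert_post( $post );
@@ -321,5 +321,5 @@
     $update['ID'] = $revision['post_parent'];
 
-    $update = add_magic_quotes( $update ); //since data is from db
+    $update = wp_slash( $update ); //since data is from db
 
     $post_id = wp_update_post( $update );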
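Review bot: The comment `//since data is from db` at 244 and 323 says where the value comes from but not why that calls for wp_slash(), so the call reads as arbitrary to anyone unfamiliar with the expected_slashed convention that post.php's hunks refer to. A fuller comment would be `// Data read from the DB is unslashed; wp_insert_post() expects slashed input.` at 244, with the wp_update_post() equivalent at 323. Both hunks sit inside functions whose bodies begin before the hunk.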
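--- a/trunk/wp-includes/taxonomy.php
+++ b/trunk/wp-includes/taxonomy.php
@@ -960,5 +960,5 @@
     } else if ( 'name' == $field ) {
         // Assume already escaped
-        $value = stripslashes($value);
+        $value = wp_unslash($value);
         $field = 't.name';
     } else {
@@ -1500,5 +1500,5 @@
     }
 
-    $term = trim( stripslashes( $term ) );
+    $term = trim( wp_unslash( $term ) );
 
     if ( '' === $slug = sanitize_title($term) )
@@ -2063,6 +2063,6 @@
 
     // expected_slashed ($name)
-    $name = stripslashes($name);
-    $description = stripslashes($description);
+    $name = wp_unslash($name);
+    $description = wp_unslash($description);
 
     if ( empty($slug) )
@@ -2446,5 +2446,5 @@
 
     // Escape data pulled from DB.
-    $term = add_magic_quotes($term);
+    $term = wp_slash($term);
 
     // Merge old and new args with new args overwriting old ones.
@@ -2457,6 +2457,6 @@
 
     // expected_slashed ($name)
-    $name = stripslashes($name);
-    $description = stripslashes($description);
+    $name = wp_unslash($name);
+    $description = wp_unslash($description);
 
     if ( '' == trim($name) )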
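Review bot: The comment `// Assume already escaped` at 961 is now misleading: the line under it unslashes the value, and wp_unslash() reverses addslashes-style slashing, not SQL escaping, which is presumably still done by $wpdb when the value is used. `// Assume already slashed (expected_slashed); unslash before use` describes what the code does, and the same wording issue applies to `// Escape data pulled from DB.` at 2447, where wp_slash() adds slashes rather than escaping. Each hunk is a fragment of a function that starts outside it.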
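--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -1391,5 +1391,5 @@
 
     $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' );
-    $data = stripslashes_deep( $data );
+    $data = wp_unslash( $data );
 
     if ( $update ) {
@@ -1505,6 +1505,6 @@
  */
 function wp_create_user($username, $password, $email = '') {
-    $user_login = esc_sql( $username );
-    $user_email = esc_sql( $email    );
+    $user_login = wp_slash( $username );
+    $user_email = wp_slash( $email    );
     $user_pass = $password;
 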
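Review bot: In wp_create_user() at 1507-1509 the login and email are now passed through wp_slash() while `$user_pass = $password` is handed on raw, and the first hunk (which looks like the wp_insert_user() side, though its signature is outside the hunk) runs wp_unslash() at 1393 over a $data array that includes `user_pass`. If the value unslashed there is the caller-supplied password rather than an already-hashed one, a password containing a backslash would be altered before hashing; whether hashing happens first is not visible in this hunk. Either way the asymmetry deserves a comment at 1509, e.g. `// user_pass is deliberately not slashed: confirm wp_insert_user() hashes it before any unslashing.` The rest of wp_create_user() continues past the hunk.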
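--- a/trunk/wp-login.php
+++ b/trunk/wp-login.php
@@ -400,5 +400,5 @@
 
     // 10 days
-    setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
+    setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
 
     wp_safe_redirect( wp_get_referer() );
@@ -435,5 +435,5 @@
     login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
 
-    $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';
+    $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
 
 ?>
@@ -551,9 +551,9 @@
     <p>
         <label for="user_login"><?php _e('Username') ?><br />
-        <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" /></label>
+        <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
     </p>
     <p>
         <label for="user_email"><?php _e('E-mail') ?><br />
-        <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" /></label>
+        <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(wp_unslash($user_email)); ?>" size="25" /></label>
     </p>
 <?php do_action('register_form'); ?>
@@ -671,5 +671,5 @@
 
     if ( isset($_POST['log']) )
-        $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : '';
+        $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
     $rememberme = ! empty( $_POST['rememberme'] );
 ?>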
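--- a/trunk/wp-mail.php
+++ b/trunk/wp-mail.php
@@ -203,5 +203,5 @@
 
     $post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status');
-    $post_data = add_magic_quotes($post_data);
+    $post_data = wp_slash($post_data);
 
     $post_ID = wp_insert_post($post_data);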
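--- a/trunk/wp-trackback.php
+++ b/trunk/wp-trackback.php
@@ -46,7 +46,7 @@
 
 // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
-$title     = isset($_POST['title'])     ? stripslashes($_POST['title'])      : '';
-$excerpt   = isset($_POST['excerpt'])   ? stripslashes($_POST['excerpt'])    : '';
-$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name'])  : '';
+$title     = isset($_POST['title'])     ? wp_unslash($_POST['title'])      : '';
+$excerpt   = isset($_POST['excerpt'])   ? wp_unslash($_POST['excerpt'])    : '';
+$blog_name = isset($_POST['blog_name']) ? wp_unslash($_POST['blog_name'])  : '';
 
 if ($charset)
@@ -66,7 +66,7 @@
 
 // Now that mb_convert_encoding() has been given a swing, we need to escape these three
-$title     = $wpdb->escape($title);
-$excerpt   = $wpdb->escape($excerpt);
-$blog_name = $wpdb->escape($blog_name);
+$title     = wp_slash($title);
+$excerpt   = wp_slash($excerpt);
+$blog_name = wp_slash($blog_name);
 
 if ( is_single() || is_page() )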
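Review bot: Both comments in this file still describe the old helpers: `// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()` at 47 and `// ... we need to escape these three` at 67, but the new code at 68-70 calls wp_slash(), which adds slashes for the expected_slashed convention rather than SQL-escaping as $wpdb->escape() did. Suggested wording: `// Unslash these three so mb_convert_encoding() works on the raw bytes; they are re-slashed below` at 47 and `// Re-slash the converted values: the functions that consume them expect slashed input` at 67. Whether anything between 52 and 66 relied on the values being SQL-escaped is not visible in these hunks.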