Make WordPress Core


Timestamp:
02/08/2015 01:58:51 AM (10 years ago)
Author:
boonebgorges
Message:

Late escaping in get_terms() and WP_Tax_Query.

Props vortfu, dd32.

File:
1 edited

  • trunk/src/wp-includes/taxonomy.php

    r31365 r31367  
    12331233                     * context is 'db'.
    12341234                     */
    1235                     $term = "'" . sanitize_term_field( $query['field'], $term, 0, $query['taxonomy'], 'db' ) . "'";
     1235                    $term = "'" . esc_sql( sanitize_term_field( $query['field'], $term, 0, $query['taxonomy'], 'db' ) ) . "'";
    12361236                }
    12371237
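Review bot: The docblock that ends at 1234 still describes the value as sanitized with context 'db', which readers may take to mean it is already safe for SQL; now that the added line at 1235 wraps the result in esc_sql(), that comment should say the 'db' sanitization is filterable and does not guarantee SQL escaping, so the explicit esc_sql() is what makes the quoted literal safe. Applying esc_sql() outside sanitize_term_field() is the right order (escape last, so a sanitize_term_* filter cannot strip it), but building the literal by hand as `"'" . esc_sql( ... ) . "'"` is less idiomatic than `$wpdb->prepare( '%s', ... )`, which quotes and escapes in one step.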
     
    18431843        if ( is_array( $args['name'] ) ) {
    18441844            $name = array_map( 'sanitize_text_field', $args['name'] );
    1845             $where .= " AND t.name IN ('" . implode( "', '", $name ) . "')";
     1845            $where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $name ) ) . "')";
    18461846        } else {
    18471847            $name = sanitize_text_field( $args['name'] );
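Review bot: esc_sql() already accepts an array and escapes each element, so the added line at 1845 could read `implode( "', '", esc_sql( $name ) )` instead of wrapping it in array_map( 'esc_sql', $name ); either form is correct, but the simpler one matches how esc_sql() is used elsewhere. The else branch starting at 1846 is cut off here, so the single-string `$name` from sanitize_text_field() at 1847 should be checked to receive the same esc_sql() before it is interpolated into `$where`, since sanitize_text_field() strips tags and whitespace but does not escape quotes for SQL.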