Make WordPress Core


Ignore:
Timestamp:
05/05/2015 11:13:51 AM (6 years ago)
Author:
boonebgorges
Message:

Improve sanitization of 'name' param in get_terms().

Values of 'name' that contain a db-encoded character on insert - like an
ampersand, which is HTML-encoded in the database - will only match if they go
through the same sanitize_term_field() routine.

Fixes #32248.

File:
1 edited

  • trunk/src/wp-includes/taxonomy.php

    r32351 r32353  
    18581858
    18591859    if ( ! empty( $args['name'] ) ) {
    1860         if ( is_array( $args['name'] ) ) {
    1861             $name = array_map( 'sanitize_text_field', $args['name'] );
    1862             $where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $name ) ) . "')";
    1863         } else {
    1864             $name = sanitize_text_field( $args['name'] );
    1865             $where .= $wpdb->prepare( " AND t.name = %s", $name );
    1866         }
     1860        $names = (array) $args['name'];
     1861        foreach ( $names as &$_name ) {
     1862            $_name = sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' );
     1863        }
     1864
     1865        $where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $names ) ) . "')";
    18671866    }
    18681867
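Review bot: the `foreach ( $names as &$_name )` loop leaves `$_name` bound by reference to the last element of `$names` after the loop ends, so any later assignment to `$_name` in the surrounding function would silently overwrite that last sanitized value before it is interpolated into the `IN (...)` clause; add `unset( $_name );` immediately after the closing brace of the loop. Two further points on the same hunk: the scalar path previously went through `$wpdb->prepare( " AND t.name = %s", $name )`, and the unified path now relies on `esc_sql()` plus hand-written quotes for every case, which is correct as long as each element is a string, but `prepare()` with a generated placeholder list would keep the quoting out of the SQL string. Also, `sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' )` sanitizes every name using only the first taxonomy in `$taxonomies`; when several taxonomies are queried and one of them filters `pre_term_name` differently, names belonging to the other taxonomies are sanitized with the wrong taxonomy's filters, which is worth a comment or a note in the docblock.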