
Changeset 3577


Timestamp:
02/28/2006 09:49:06 AM (17 years ago)
Author:
ryan
Message:

More comment cookie sanitation.

Location:
trunk
Files:
5 edited

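--- a/trunk/wp-comments-post.php
+++ b/trunk/wp-comments-post.php
@@ -55,5 +55,5 @@
     setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
     setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->$comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
 endif;
 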
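Review bot: The expiry `time() + 30000000` is repeated on all three setcookie() lines; compute it once, `$expire = time() + 30000000;`, and pass `$expire` to each call so the three cookies cannot drift apart when the lifetime is tuned. Of the three values only the URL is passed through clean_url() here, while the name and email cookies are written straight from `$comment`, so the read side must still treat all three as untrusted input; it appears to, since the comment-functions.php change in this same changeset filters and escapes them when they are read back. The `if` that this `endif;` closes starts before the hunk.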
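--- a/trunk/wp-includes/comment-functions.php
+++ b/trunk/wp-includes/comment-functions.php
@@ -8,7 +8,23 @@
     if ( is_single() || is_page() || $withcomments ) :
         $req = get_settings('require_name_email');
-        $comment_author = isset($_COOKIE['comment_author_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_'.COOKIEHASH])) : '';
-        $comment_author_email = isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_email_'.COOKIEHASH])) : '';
-        $comment_author_url = isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_url_'.COOKIEHASH])) : '';
+        $comment_author = '';
+        if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
+            $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
+            $comment_author = stripslashes($comment_author);
+            $comment_author = wp_specialchars($comment_author, true);
+        }
+        $comment_author_email = '';
+        if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
+            $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
+            $comment_author_email = stripslashes($comment_author_email);
+            $comment_author_email = wp_specialchars($comment_author_email, true);       
+        }
+        $comment_author_url = '';
+        if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
+            $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
+            $comment_author_url = stripslashes($comment_author_url);
+            $comment_author_url = wp_specialchars($comment_author_url, true);       
+        }
+
     if ( empty($comment_author) ) {
         $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");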
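Review bot: The three cookie blocks are the same four statements with only the cookie suffix and filter name varying, so a small file-level helper would keep the filter → stripslashes → wp_specialchars order in exactly one place; the three assignments then collapse to `$comment_author = wp_get_comment_cookie('comment_author_', 'pre_comment_author_name');` and its two siblings. That order deserves a comment because it is not obvious: the `pre_comment_*` filters receive the raw, slash-escaped cookie (consistent with the pre-save path that wp_rel_nofollow now assumes in this changeset), and only afterwards does stripslashes() plus wp_specialchars(..., true) prepare the value for attribute output, e.g. `// filter first (pre_comment_* hooks expect slashed, pre-save input), then unslash and escape for the form field`. The unconditional stripslashes() presumably relies on magic_quotes_gpc or an equivalent addslashes pass having run over $_COOKIE; if that is not guaranteed, legitimate backslashes in the stored value are lost. The enclosing function starts before the hunk.
```php
// Read one comment cookie: run its pre_comment_* filter on the slashed value,
// then unslash and escape it for output in the comment form fields.
function wp_get_comment_cookie($prefix, $filter) {
    if ( ! isset($_COOKIE[$prefix . COOKIEHASH]) )
        return '';
    $value = apply_filters($filter, $_COOKIE[$prefix . COOKIEHASH]);
    $value = stripslashes($value);
    return wp_specialchars($value, true);
}

// … unchanged: template function up to $req = get_settings(...) …
        $comment_author = wp_get_comment_cookie('comment_author_', 'pre_comment_author_name');
        $comment_author_email = wp_get_comment_cookie('comment_author_email_', 'pre_comment_author_email');
        $comment_author_url = wp_get_comment_cookie('comment_author_url_', 'pre_comment_author_url');
```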
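--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -25,8 +25,6 @@
 add_filter('pre_comment_author_url', 'clean_url');
 
-add_filter('pre_comment_content', 'stripslashes', 1);
 add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
 add_filter('pre_comment_content', 'balanceTags', 30);
-add_filter('pre_comment_content', 'addslashes', 50);
 
 add_filter('pre_comment_author_name', 'wp_filter_kses');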
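Review bot: With the stripslashes (priority 1) / addslashes (priority 50) pair removed, every remaining pre_comment_content filter now receives slash-escaped text; wp_rel_nofollow was taught to unslash and re-escape in this changeset, but balanceTags at priority 30 was not, so its tag matching now sees `\"` inside attribute values and should be checked (or given the same unslash/re-escape treatment) before this lands. Also note that kses.php in this changeset stops registering wp_filter_nohtml_kses on the pre_comment_author_* hooks, so the only HTML filter left on the author name in this hunk is wp_filter_kses, which presumably applies the kses tag allowlist rather than stripping all tags, and no filter at all on the email is visible here. If stripping was intentional, re-add `add_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');` alongside this line; otherwise a comment recording that the display path relies on wp_specialchars() on read would keep the next maintainer from re-adding it by accident.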
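--- a/trunk/wp-includes/functions-formatting.php
+++ b/trunk/wp-includes/functions-formatting.php
@@ -580,5 +580,9 @@
 
 function wp_rel_nofollow( $text ) {
+    global $wpdb;
+    // This is a pre save filter, so text is already escaped.
+    $text = stripslashes($text);
     $text = preg_replace('|<a (.+?)>|i', '<a $1 rel="nofollow">', $text);
+    $text = $wpdb->escape($text);
     return $text;
 }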
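Review bot: `$wpdb->escape()` is a SQL-escaping helper being used to undo a stripslashes(); the two are not exact inverses (a driver-level escape may also escape bytes that addslashes() never touched), and it couples a text-formatting function to the database object through `global $wpdb`. If the intent is only to put back the slashes the pre-save path expects, `$text = addslashes($text);` does that without the coupling; if the intent really is SQL escaping, the code that builds the INSERT should do it, not a content filter. Either way the new contract deserves a docblock rather than a one-line aside, e.g. `// Expects slash-escaped (pre-save) input and returns it slash-escaped again; not safe to call on plain display text.`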
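--- a/trunk/wp-includes/kses.php
+++ b/trunk/wp-includes/kses.php
@@ -532,12 +532,4 @@
     // Post filtering
     add_filter('content_save_pre', 'wp_filter_post_kses');
-
-    // Strip all html.
-    add_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
-    add_filter('pre_user_id', 'wp_filter_nohtml_kses');
 }
 
@@ -549,12 +541,4 @@
     // Post filtering
     remove_filter('content_save_pre', 'wp_filter_post_kses');
-
-    // Strip all html.
-    remove_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
-    remove_filter('pre_user_id', 'wp_filter_nohtml_kses');
 }
 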