Make WordPress Core


Timestamp:
03/30/2016 05:17:00 PM
Author:
nbachiyski
Message:

Taxonomies: make sure taxonomy functions work correctly with taxonomy names with special characters

The codex says that taxonomy names "should only contain lowercase letters and the underscore character", but that's not enforced. It's too late to enforce it, since some plugins haven't been following it and the official phpdoc doesn't mention this restriction.

Merge of [37133] to the 4.4 branch.

File:
1 edited

  • branches/4.4/src/wp-includes/taxonomy.php

    r36358 r37134  
    677677    $term_ids = array_map('intval', $term_ids );
    678678
    679     $taxonomies = "'" . implode( "', '", $taxonomies ) . "'";
     679    $taxonomies = "'" . implode( "', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
    680680    $term_ids = "'" . implode( "', '", $term_ids ) . "'";
    681681
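Review bot: the new line 679 escapes each taxonomy name with esc_sql(), but that call only backslash-escapes quotes, backslashes and a few control characters; it does not add quotes and it does not touch `%`. The line is therefore only safe while the literal single quotes from `"'" . implode( "', '", ... ) . "'"` stay around every element and the resulting `$taxonomies` string is interpolated directly, never handed to `$wpdb->prepare()` as part of a query template, where a `%` in a taxonomy name would be read as a format directive. The adjacent `$term_ids` line needs no change because the values were cast with intval on line 677. The quote-escape-join idiom is repeated verbatim at lines 1233 and 2362 in this changeset; consider a single helper so the three sites cannot drift apart.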
     
    876876    }
    877877
    878     $term = $wpdb->get_row( $wpdb->prepare( "SELECT t.*, tt.* FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy AS tt ON t.term_id = tt.term_id WHERE $_field = %s $tax_clause LIMIT 1", $value ) );
     878    $term = $wpdb->get_row( $wpdb->prepare( "SELECT t.*, tt.* FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy AS tt ON t.term_id = tt.term_id WHERE $_field = %s", $value ) . " $tax_clause LIMIT 1" );
    879879    if ( ! $term )
    880880        return false;
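Review bot: moving `$tax_clause` out of the `$wpdb->prepare()` call on line 878 removes it from prepare()'s placeholder handling, and the hunk does not show how `$tax_clause` is built. This is only safe if every taxonomy name interpolated into it was passed through esc_sql() before line 876, the way the other hunks in this changeset do it; please confirm that in the code above. The line also deserves a comment stating why the clause is concatenated after prepare() rather than inside it (prepare() runs the template through vsprintf, so a `%` in a taxonomy name would be treated as a format directive, which is the special-character breakage this changeset addresses); otherwise a later reader will see a clause appended outside prepare() and move it back in. `$_field` is still interpolated unescaped inside the template as well, so keep it restricted to the fixed set of column names it is selected from.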
     
    12311231    }
    12321232
    1233     $where = "tt.taxonomy IN ('" . implode("', '", $taxonomies) . "')";
     1233    $where = "tt.taxonomy IN ('" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "')";
    12341234
    12351235    $exclude = $args['exclude'];
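Review bot: as with line 679, the escaping on line 1233 relies on the surrounding single quotes and on `$where` being interpolated directly rather than passed through `$wpdb->prepare()` later, since esc_sql() leaves `%` untouched; a short comment saying that esc_sql() is used here instead of a prepared placeholder because taxonomy names may contain `%` would save the next maintainer from "fixing" it. Note also that an empty `$taxonomies` array still yields `tt.taxonomy IN ('')` (pre-existing behaviour, not introduced by this change), which is harmless but worth a guard if the callers can pass an empty list.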
     
    23602360    $taxonomy_array = $taxonomies;
    23612361    $object_id_array = $object_ids;
    2362     $taxonomies = "'" . implode("', '", $taxonomies) . "'";
     2362    $taxonomies = "'" . implode("', '", array_map( 'esc_sql', $taxonomies ) ) . "'";
    23632363    $object_ids = implode(', ', $object_ids);
    23642364
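Review bot: line 2362 now escapes the taxonomy names, but the adjacent `$object_ids = implode(', ', $object_ids);` on line 2363 shows no per-element cast in the visible context, unlike `$term_ids = array_map('intval', $term_ids );` at line 677 in the first hunk, and those ids are joined without quotes. Confirm that `$object_ids` is cast to integers before this point, or apply `array_map( 'intval', $object_ids )` here as well. Saving the raw array into `$taxonomy_array` on line 2360 before `$taxonomies` is overwritten with the escaped, quoted string is the right move; make sure any later code that needs the names as data reads `$taxonomy_array` and not the SQL fragment.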