
Changeset 4112


Ignore:
Timestamp:
08/24/2006 10:33:16 PM (18 years ago)
Author:
ryan
Message:

Make those chars feel special.

Location:
trunk
Files:
13 edited

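--- a/trunk/wp-admin/admin-db.php
+++ b/trunk/wp-admin/admin-db.php
@@ -294,21 +294,53 @@
 
     $update = false;
+
     if ( !empty($link_id) )
         $update = true;
 
+    if( trim( $link_name ) == '' )
+        return 0;
+    $link_name = apply_filters('pre_link_name', $link_name);
+
+    if( trim( $link_url ) == '' )
+        return 0;
+    $link_url = apply_filters('pre_link_url', $link_url);
+
     if ( empty($link_rating) )
         $link_rating = 0;
+    else
+        $link_rating = (int) $link_rating;
+
+    if ( empty($link_image) )
+        $link_image = '';
+    $link_image = apply_filters('pre_link_image', $link_image);
 
     if ( empty($link_target) )
         $link_target = '';
+    $link_target = apply_filters('pre_link_target', $link_target);
 
     if ( empty($link_visible) )
         $link_visible = 'Y';
+    $link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
 
     if ( empty($link_owner) )
         $link_owner = $current_user->id;
+    else
+        $link_owner = (int) $link_owner;
 
     if ( empty($link_notes) )
         $link_notes = '';
+    $link_notes = apply_filters('pre_link_notes', $link_notes);
+
+    if ( empty($link_description) )
+        $link_description = '';
+    $link_description = apply_filters('pre_link_description', $link_description);
+
+    if ( empty($link_rss) )
+        $link_rss = '';
+    $link_rss = apply_filters('pre_link_rss', $link_rss);
+
+    if ( empty($link_rel) )
+        $link_rel = '';
+    $link_rel = apply_filters('pre_link_rel', $link_rel);
 
     // Make sure we set a valid category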
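Review bot: `$link_visibile` on new line 323 is misspelled, so the result of `preg_replace('/[^YNyn]/', '', $link_visible)` goes to a dead variable and `$link_visible` continues to the insert exactly as it arrived; the line should read `$link_visible = preg_replace('/[^YNyn]/', '', $link_visible);`. Every other field in this hunk gets a cast or a `pre_link_*` filter, so this is the one input that is still stored unvalidated. The enclosing function begins before this hunk and its insert/update statement lies after it, so I cannot confirm whether a later step re-checks the value.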
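--- a/trunk/wp-admin/admin-functions.php
+++ b/trunk/wp-admin/admin-functions.php
@@ -302,4 +302,6 @@
     $post->post_title = apply_filters('title_edit_pre', $post->post_title);
 
+    $post->post_password = format_to_edit($post->post_password);
+
     if ($post->post_type == 'page')
         $post->page_template = get_post_meta($id, '_wp_page_template', true);
@@ -381,4 +383,21 @@
 }
 
+
+function get_user_to_edit($user_id) {
+    $user = new WP_User($user_id);
+    $user->user_login = wp_specialchars($user->user_login, 1);
+    $user->user_email = wp_specialchars($user->user_email, 1);
+    $user->user_url = wp_specialchars($user->user_url, 1);
+    $user->first_name = wp_specialchars($user->first_name, 1);
+    $user->last_name = wp_specialchars($user->last_name, 1);
+    $user->display_name = wp_specialchars($user->display_name, 1);
+    $user->nickname = wp_specialchars($user->nickname, 1);
+    $user->aim = wp_specialchars($user->aim, 1);
+    $user->yim = wp_specialchars($user->yim, 1);
+    $user->jabber = wp_specialchars($user->jabber, 1);
+    $user->description = wp_specialchars($user->description);
+
+    return $user;
+}
 
 // Creates a new user from the "Users" form using $_POST information.
@@ -510,7 +529,9 @@
     $link->link_url = wp_specialchars($link->link_url, 1);
     $link->link_name = wp_specialchars($link->link_name, 1);
-    $link->link_description = wp_specialchars($link->link_description);
+    $link->link_image = wp_specialchars($link->link_image, 1);
+    $link->link_description = wp_specialchars($link->link_description, 1);
     $link->link_notes = wp_specialchars($link->link_notes);
-    $link->link_rss = wp_specialchars($link->link_rss);
+    $link->link_rss = wp_specialchars($link->link_rss, 1);
+    $link->link_rel = wp_specialchars($link->link_rel, 1);
     $link->post_category = $link->link_category;
 
@@ -960,5 +981,5 @@
         if ('_' == $entry['meta_key'] { 0 })
             $style .= ' hidden';
-        $key_js = addslashes(wp_specialchars( $entry['meta_key'], 'double' ));
+        $key_js = js_escape($entry['meta_key']);
         $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
         $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
@@ -1012,4 +1033,5 @@
 
     foreach ($keys as $key) {
+        $key = wp_specialchars($key, 1);
         echo "\n\t<option value='$key'>$key</option>";
     }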
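Review bot: `get_user_to_edit()` (new lines 386–401) returns a `WP_User` whose string fields have been entity-encoded with `wp_specialchars()`, but nothing at the definition says so, and a caller that hands the object back to a save routine would persist the encoded text; add a header comment such as `// Returns a WP_User whose string fields are HTML-escaped for display in edit forms; do not write the result back to the database.` Within the same function `description` (new line 398) is escaped without the quote argument while every sibling passes `1`, and `link_notes` at new line 533 has the same asymmetry; if that is because those two fields are rendered inside a textarea rather than an attribute, a short comment on each would stop the next reader from "fixing" it. This function is self-contained, so the note applies only to its documentation.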
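--- a/trunk/wp-admin/edit-form-advanced.php
+++ b/trunk/wp-admin/edit-form-advanced.php
@@ -40,5 +40,5 @@
     $already_pinged = explode("\n", trim($post->pinged));
     foreach ($already_pinged as $pinged_url) {
-        $pings .= "\n\t<li>$pinged_url</li>";
+        $pings .= "\n\t<li>" . wp_specialchars($pinged_url) . "</li>";
     }
     $pings .= '</ul>';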
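Review bot: If `$post->pinged` can be empty, `explode("\n", trim($post->pinged))` at line 40 still yields one empty string, so the loop at new line 42 emits an empty `<li></li>`; a guard such as `if ( '' == $pinged_url ) continue;` before the append avoids that. The escaping added here is the right call for element content, since `$pinged_url` is stored text rather than something generated by this page. The surrounding block continues before and after this hunk, so I cannot see whether an emptiness check already exists above line 40.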
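--- a/trunk/wp-admin/options-misc.php
+++ b/trunk/wp-admin/options-misc.php
@@ -18,5 +18,5 @@
 <tr valign="top">
 <th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo str_replace(ABSPATH, '', get_settings('upload_path')); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_settings('upload_path')), 1); ?>" size="40" />
 <br />
 <?php _e('Default is <code>wp-content/uploads</code>'); ?>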
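--- a/trunk/wp-admin/options-permalink.php
+++ b/trunk/wp-admin/options-permalink.php
@@ -149,5 +149,5 @@
 <br />
 </p>
-<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo $permalink_structure; ?>" size="50" /></p>
+<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
 
 <h3><?php _e('Optional'); ?></h3>
@@ -158,5 +158,5 @@
 <?php endif; ?>
     <p>
-  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo $category_base; ?>" size="30" />
+  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" />
      </p>
     <p class="submit">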
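--- a/trunk/wp-admin/options.php
+++ b/trunk/wp-admin/options.php
@@ -10,4 +10,65 @@
 if ( !current_user_can('manage_options') )
     wp_die(__('Cheatin&#8217; uh?'));
+
+function sanitize_option($option, $value) {
+
+    switch ($option) {
+        case 'admin_email':
+            $value = sanitize_email($value);
+            break;
+
+        case 'default_post_edit_rows':
+        case 'mailserver_port':
+        case 'comment_max_links':
+            $value = abs((int) $value);
+            break;
+
+        case 'posts_per_page':
+        case 'posts_per_rss':
+            $value = (int) $value;
+            if ( empty($value) ) $value = 1;
+            if ( $value < -1 ) $value = abs($value);
+            break;
+
+        case 'default_ping_status':
+        case 'default_comment_status':
+            // Options that if not there have 0 value but need to be something like "closed"
+            if ( $value == '0' || $value == '')
+                $value = 'closed';
+            break;
+
+        case 'blogdescription':
+        case 'blogname':
+            if (current_user_can('unfiltered_html') == false)
+                $value = wp_filter_post_kses( $value );
+            break;
+
+        case 'blog_charset':
+            $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
+            break;
+
+        case 'date_format':
+        case 'time_format':
+        case 'mailserver_url':
+        case 'mailserver_login':
+        case 'mailserver_pass':
+        case 'ping_sites':
+        case 'upload_path':
+            $value = strip_tags($value);
+            $value = wp_filter_kses($value);
+            break;
+
+        case 'gmt_offset':
+            $value = preg_replace('/[^0-9:.-]/', '', $value);
+            break;
+
+        case 'siteurl':
+        case 'home':
+            $value = clean_url($value);
+            break;
+    }
+
+    return $value; 
+}
 
 switch($action) {
@@ -30,17 +91,9 @@
     $old_home = get_settings('home');
 
-    // HACK
-    // Options that if not there have 0 value but need to be something like "closed"
-    $nonbools = array('default_ping_status', 'default_comment_status');
     if ($options) {
         foreach ($options as $option) {
             $option = trim($option);
             $value = trim(stripslashes($_POST[$option]));
-                if( in_array($option, $nonbools) && ( $value == '0' || $value == '') )
-                $value = 'closed';
-
-            if( $option == 'blogdescription' || $option == 'blogname' )
-                if (current_user_can('unfiltered_html') == false)
-                    $value = wp_filter_post_kses( $value );
+            $value = sanitize_option($option, $value);
 
             if (update_option($option, $value) ) {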
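Review bot: `sanitize_option()` (new lines 13–72) returns `$value` untouched for any option name that has no `case`, and the caller at new line 96 still reads `$_POST[$option]` for whatever names `$options` holds, so the function is a list of per-option transformations rather than a list of permitted options; a `default:` branch or a comment such as `// Options without a case are stored as submitted; which option names are accepted is decided by the caller` would make that explicit. The `mailserver_pass` case (new lines 54–58) runs the mail password through `strip_tags()` and `wp_filter_kses()`, which may silently alter a password containing `<` or `&`; if that is intended it deserves a comment, otherwise the password wants its own case. `$value == '0' || $value == ''` at new line 36 depends on loose comparison; `'0' === $value || '' === $value` says the same thing without the surprise. The `switch($action)` body that calls this function continues past the end of the second hunk.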
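--- a/trunk/wp-admin/profile.php
+++ b/trunk/wp-admin/profile.php
@@ -9,5 +9,5 @@
     $parent_file = 'profile.php';
 include_once('admin-header.php');
-$profileuser = new WP_User($user_ID);
+$profileuser = get_user_to_edit($user_ID);
 
 $bookmarklet_height= 440;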
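--- a/trunk/wp-admin/user-edit.php
+++ b/trunk/wp-admin/user-edit.php
@@ -41,5 +41,5 @@
 include ('admin-header.php');
 
-$profileuser = new WP_User($user_id);
+$profileuser = get_user_to_edit($user_id);
 
 if ( !current_user_can('edit_user', $user_id) )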
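Review bot: `get_user_to_edit($user_id)` at new line 43 loads and escapes the target user's record before the `current_user_can('edit_user', $user_id)` check at line 45 has run, so the lookup happens for callers who are then refused; the ordering predates this changeset (the old `new WP_User` sat in the same place), but moving the assignment below the capability check keeps the database read behind the authorization gate. The failure branch of that check is outside the hunk, so whether anything is rendered with `$profileuser` before refusal cannot be confirmed from here.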
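--- a/trunk/wp-admin/users.php
+++ b/trunk/wp-admin/users.php
@@ -98,5 +98,5 @@
 
     function get_results() {
-        return $this->results;
+        return (array) $this->results;
     }
 
@@ -336,5 +336,5 @@
 
     <?php if ( $wp_user_search->is_search() ) : ?>
-        <h2><?php printf(__('Users Matching "%s" by Role'), $wp_user_search->search_term); ?></h2>
+        <h2><?php printf(__('Users Matching "%s" by Role'), wp_specialchars($wp_user_search->search_term)); ?></h2>
     <?php else : ?>
         <h2><?php _e('User List by Role'); ?></h2>
@@ -342,5 +342,5 @@
 
     <form action="" method="get" name="search" id="search">
-        <p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term); ?>" /> <input type="submit" value="<?php _e('Search for users &raquo;'); ?>" /></p>
+        <p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term, 1); ?>" /> <input type="submit" value="<?php _e('Search for users &raquo;'); ?>" /></p>
     </form>
 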
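Review bot: The `(array)` cast at new line 100 turns `null` into an empty array, but a scalar `false` becomes `[false]`, so if `$this->results` can hold a failed-query result the cast does not give callers the empty list it appears to promise; `return is_array($this->results) ? $this->results : array();` covers both cases. Where `results` is assigned is outside this hunk, so whether `false` can actually reach it depends on the query helper used there. A one-line comment on the method, `// Always returns an array so callers can foreach without checking`, would also record the intent of the cast.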
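--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -55,4 +55,29 @@
 add_filter('pre_category_name', 'wp_specialchars', 30);
 add_filter('pre_category_description', 'wp_filter_kses');
+
+//Links
+add_filter('pre_link_name', 'strip_tags');
+add_filter('pre_link_name', 'trim');
+add_filter('pre_link_name', 'wp_filter_kses');
+add_filter('pre_link_name', 'wp_specialchars', 30);
+add_filter('pre_link_description', 'wp_filter_kses');
+add_filter('pre_link_notes', 'wp_filter_kses');
+add_filter('pre_link_url', 'strip_tags');
+add_filter('pre_link_url', 'trim');
+add_filter('pre_link_url', 'clean_url');
+add_filter('pre_link_image', 'strip_tags');
+add_filter('pre_link_image', 'trim');
+add_filter('pre_link_image', 'clean_url');
+add_filter('pre_link_rss', 'strip_tags');
+add_filter('pre_link_rss', 'trim');
+add_filter('pre_link_rss', 'clean_url');
+add_filter('pre_link_target', 'strip_tags');
+add_filter('pre_link_target', 'trim');
+add_filter('pre_link_target', 'wp_filter_kses');
+add_filter('pre_link_target', 'wp_specialchars', 30);
+add_filter('pre_link_rel', 'strip_tags');
+add_filter('pre_link_rel', 'trim');
+add_filter('pre_link_rel', 'wp_filter_kses');
+add_filter('pre_link_rel', 'wp_specialchars', 30);
 
 // Users
@@ -116,4 +141,5 @@
 // Misc filters
 add_filter('option_ping_sites', 'privacy_ping_filter');
+add_filter('option_blog_charset', 'wp_specialchars');
 
 // Actions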
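Review bot: The `pre_link_name`, `pre_link_target` and `pre_link_rel` chains (new lines 59–62 and 74–81) end with `wp_specialchars` at priority 30, so those three fields are stored already entity-encoded, while `pre_link_description` and `pre_link_notes` (new lines 63–64) receive only `wp_filter_kses` and are escaped at output time in admin-functions.php instead; nothing in the block records that split, and a reader will reasonably ask why two link fields are treated differently from the rest. A comment above the block such as `// name/target/rel are escaped on save; description/notes keep kses-filtered HTML and are escaped on output` would make it deliberate. Any code that emits a stored link name into a non-HTML context (a feed or export) will have to decode it, which is worth noting in the same place. The `option_blog_charset` filter at new line 143 looks like a read-time backstop for values stored before the `blog_charset` regex in sanitize_option() existed; if so, say that in a trailing comment so it is not removed as redundant.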
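--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -200,5 +200,5 @@
 
 function form_option($option) {
-    echo htmlspecialchars( get_option($option), ENT_QUOTES );
+    echo wp_specialchars( get_option($option), 1 );
 }
 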
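--- a/trunk/wp-includes/link-template.php
+++ b/trunk/wp-includes/link-template.php
@@ -477,15 +477,17 @@
    
     if (isset($max_num_pages)) return $max_num_pages;
-   
+    $posts_per = (int) get_option('posts_per_page');
+    if ( empty($posts_per) ) $posts_per = 1;
+
     if ( 'posts' == get_query_var('what_to_show') ) {
         preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches);
         $fromwhere = $matches[1];
         $numposts = $wpdb->get_var("SELECT COUNT(DISTINCT ID) FROM $fromwhere");
-        $max_num_pages = ceil($numposts / get_option('posts_per_page'));
+        $max_num_pages = ceil($numposts / $posts_per);
     } else {
         preg_match('#FROM\s(.*)\sORDER BY#siU', $wp_query->request, $matches);
         $fromwhere = preg_replace('/( AND )?post_date >= (\'|\")(.*?)(\'|\")( AND post_date <= (\'\")(.*?)(\'\"))?/siU', '', $matches[1]);
         $num_days = $wpdb->query("SELECT DISTINCT post_date FROM $fromwhere GROUP BY year(post_date), month(post_date), dayofmonth(post_date)");
-        $max_num_pages = ceil($num_days / get_option('posts_per_page'));
+        $max_num_pages = ceil($num_days / $posts_per);
     }
 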
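Review bot: The guard at new lines 479–480 only catches a zero divisor; a `posts_per_page` of `-1` is left intact by the normalization this same changeset adds to query.php and to sanitize_option(), and here it makes both `ceil()` calls return a negative page count. If `-1` means "no paging limit", as the other two sites suggest, the right answer is a single page, e.g. `if ( $posts_per < 1 ) { $max_num_pages = 1; return $max_num_pages; }` in place of the `empty()` check, with a comment stating that `-1` is the unlimited sentinel. The enclosing function starts before this hunk and its `return` is after it, so I cannot see whether a later line clamps the result.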
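--- a/trunk/wp-includes/query.php
+++ b/trunk/wp-includes/query.php
@@ -552,4 +552,9 @@
             $q['what_to_show'] = 'posts';
         }
+        $q['posts_per_page'] = (int) $q['posts_per_page'];
+        if ( $q['posts_per_page'] < -1 )
+            $q['posts_per_page'] = abs($q['posts_per_page']);
+        else if ( $q['posts_per_page'] == 0 )
+            $q['posts_per_page'] = 1;
 
         if ( $this->is_home && (empty($this->query) || $q['preview'] == 'true') && ( 'page' == get_option('show_on_front') ) && get_option('page_on_front') ) {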
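Review bot: The normalization at new lines 554–558 duplicates the `posts_per_page` case that this changeset adds to sanitize_option() in options.php (zero becomes 1, anything below -1 becomes its absolute value), and neither copy says why `-1` is the one negative value that is kept; a comment such as `// -1 means no paging limit; other negatives are treated as their absolute value` on both sites would keep the two from drifting apart, and a shared helper would be better still. Because this copy runs on query variables rather than the stored option, it is the one that protects the per-page division in link-template.php from request input, which is worth stating too. The enclosing method continues outside the hunk.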