Changeset 4229

Timestamp:

09/25/2006 02:09:08 AM (19 years ago)

Author:

ryan

Message:

Make those chars feel special.

Location:

branches/2.0

Files:

• wp-admin/admin-db.php (modified) (1 diff)
• wp-admin/admin-functions.php (modified) (4 diffs)
• wp-admin/edit-form-advanced.php (modified) (1 diff)
• wp-admin/options-misc.php (modified) (1 diff)
• wp-admin/options-permalink.php (modified) (2 diffs)
• wp-admin/options.php (modified) (2 diffs)
• wp-admin/profile.php (modified) (1 diff)
• wp-admin/user-edit.php (modified) (1 diff)
• wp-includes/default-filters.php (modified) (2 diffs)
• wp-includes/functions.php (modified) (1 diff)

branches/2.0/wp-admin/admin-db.php

@@ -267 +267 @@
 
     $update = false;
+
     if ( !empty($link_id) )
         $update = true;
 
+    if( trim( $link_name ) == '' )
+        return 0;
+    $link_name = apply_filters('pre_link_name', $link_name);
+
+    if( trim( $link_url ) == '' )
+        return 0;
+    $link_url = apply_filters('pre_link_url', $link_url);
+
     if ( empty($link_rating) )
         $link_rating = 0;   
+    else
+        $link_rating = (int) $link_rating;
+
+    if ( empty($link_image) )
+        $link_image = '';
+    $link_image = apply_filters('pre_link_image', $link_image);
 
     if ( empty($link_target) )
         $link_target = '';  
+    $link_target = apply_filters('pre_link_target', $link_target);
 
     if ( empty($link_visible) )
         $link_visible = 'Y';
-        
+    $link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
+
     if ( empty($link_owner) )
         $link_owner = $current_user->id;
+    else
+        $link_owner = (int) $link_owner;
 
     if ( empty($link_notes) )
         $link_notes = '';
+    $link_notes = apply_filters('pre_link_notes', $link_notes);
+
+    if ( empty($link_description) )
+        $link_description = '';
+    $link_description = apply_filters('pre_link_description', $link_description);
+
+    if ( empty($link_rss) )
+        $link_rss = '';
+    $link_rss = apply_filters('pre_link_rss', $link_rss);
+
+    if ( empty($link_rel) )
+        $link_rel = '';
+    $link_rel = apply_filters('pre_link_rel', $link_rel);
+
+    // Make sure we set a valid category
+    if (0 == count($link_category) || !is_array($link_category)) {
+        $link_category = array(get_option('default_link_category'));
+    }
 
     if ( $update ) {

branches/2.0/wp-admin/admin-functions.php

@@ -266 +266 @@
     $post->post_title = apply_filters('title_edit_pre', $post->post_title);
 
+    $post->post_password = format_to_edit($post->post_password); 
+
     if ($post->post_status == 'static')
         $post->page_template = get_post_meta($id, '_wp_page_template', true);
@@ -332 +334 @@
 
     return $category;
+}
+
+function get_user_to_edit($user_id) {
+    $user = new WP_User($user_id);
+    $user->user_login = wp_specialchars($user->user_login, 1);
+    $user->user_email = wp_specialchars($user->user_email, 1);
+    $user->user_url = wp_specialchars($user->user_url, 1);
+    $user->first_name = wp_specialchars($user->first_name, 1);
+    $user->last_name = wp_specialchars($user->last_name, 1);
+    $user->display_name = wp_specialchars($user->display_name, 1);
+    $user->nickname = wp_specialchars($user->nickname, 1);
+    $user->aim = wp_specialchars($user->aim, 1);
+    $user->yim = wp_specialchars($user->yim, 1);
+    $user->jabber = wp_specialchars($user->jabber, 1);
+    $user->description = wp_specialchars($user->description);
+
+    return $user;
 }
 
@@ -448 +467 @@
 function get_link_to_edit($link_id) {
     $link = get_link($link_id);
-    
+
     $link->link_url = wp_specialchars($link->link_url, 1);
     $link->link_name = wp_specialchars($link->link_name, 1);
-    $link->link_description = wp_specialchars($link->link_description);
+    $link->link_image = wp_specialchars($link->link_image, 1);
+    $link->link_description = wp_specialchars($link->link_description, 1);
     $link->link_notes = wp_specialchars($link->link_notes);
-    $link->link_rss = wp_specialchars($link->link_rss);
-    
+    $link->link_rss = wp_specialchars($link->link_rss, 1);
+    $link->link_rel = wp_specialchars($link->link_rel, 1);
+    $link->post_category = $link->link_category;
+
     return $link;
 }
@@ -877 +899 @@
 
     foreach ($keys as $key) {
+        $key = wp_specialchars($key, 1);
         echo "\n\t<option value='$key'>$key</option>";
     }

branches/2.0/wp-admin/edit-form-advanced.php

@@ -40 +40 @@
     $already_pinged = explode("\n", trim($post->pinged));
     foreach ($already_pinged as $pinged_url) {
-        $pings .= "\n\t<li>$pinged_url</li>";
+        $pings .= "\n\t<li>" . wp_specialchars($pinged_url) . "</li>";
     }
     $pings .= '</ul>';

branches/2.0/wp-admin/options-misc.php

@@ -18 +18 @@
 <tr valign="top">
 <th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo str_replace(ABSPATH, '', get_settings('upload_path')); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_settings('upload_path')), 1); ?>" size="40" />
 <br />
 <?php _e('Default is <code>wp-content/uploads</code>'); ?>

branches/2.0/wp-admin/options-permalink.php

@@ -149 +149 @@
 <br />
 </p>
-<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo $permalink_structure; ?>" size="50" /></p>
+<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
 
 <h3><?php _e('Optional'); ?></h3>
@@ -158 +158 @@
 <?php endif; ?>
     <p> 
-  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo $category_base; ?>" size="30" /> 
+  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" /> 
      </p> 
     <p class="submit"> 

branches/2.0/wp-admin/options.php

@@ -25 +25 @@
     die ( __('Cheatin’ uh?') );
 
+function sanitize_option($option, $value) {
+
+    switch ($option) {
+        case 'admin_email':
+            $value = sanitize_email($value);
+            break;
+
+        case 'default_post_edit_rows':
+        case 'mailserver_port':
+        case 'comment_max_links':
+            $value = abs((int) $value);
+            break;
+
+        case 'posts_per_page':
+        case 'posts_per_rss':
+            $value = (int) $value;
+            if ( empty($value) ) $value = 1;
+            if ( $value < -1 ) $value = abs($value);
+            break;
+
+        case 'default_ping_status':
+        case 'default_comment_status':
+            // Options that if not there have 0 value but need to be something like "closed"
+            if ( $value == '0' || $value == '')
+                $value = 'closed';
+            break;
+
+        case 'blogdescription':
+        case 'blogname':
+            if (current_user_can('unfiltered_html') == false)
+                $value = wp_filter_post_kses( $value );
+            break;
+
+        case 'blog_charset':
+            $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
+            break;
+
+        case 'date_format':
+        case 'time_format':
+        case 'mailserver_url':
+        case 'mailserver_login':
+        case 'mailserver_pass':
+        case 'ping_sites':
+        case 'upload_path':
+            $value = strip_tags($value);
+            $value = wp_filter_kses($value);
+            break;
+
+        case 'gmt_offset':
+            $value = preg_replace('/[^0-9:.-]/', '', $value);
+            break;
+
+        case 'siteurl':
+        case 'home':
+            $value = clean_url($value);
+            break;
+    }
+
+    return $value;  
+}
+
 switch($action) {
 
@@ -44 +105 @@
     $old_home = get_settings('home');
 
-    // HACK
-    // Options that if not there have 0 value but need to be something like "closed"
-    $nonbools = array('default_ping_status', 'default_comment_status');
     if ($options) {
         foreach ($options as $option) {
             $option = trim($option);
             $value = trim(stripslashes($_POST[$option]));
-                if( in_array($option, $nonbools) && ( $value == '0' || $value == '') )
-                $value = 'closed';
-            
-            if( $option == 'blogdescription' || $option == 'blogname' )
-                if (current_user_can('unfiltered_html') == false)
-                    $value = wp_filter_post_kses( $value );
+            $value = sanitize_option($option, $value);
             
             if (update_option($option, $value) ) {

branches/2.0/wp-admin/profile.php

@@ -6 +6 @@
 $parent_file = 'profile.php';
 include_once('admin-header.php');
-$profileuser = new WP_User($user_ID);
+$profileuser = get_user_to_edit($user_ID);
 
 $bookmarklet_height= 440;

branches/2.0/wp-admin/user-edit.php

@@ -50 +50 @@
 include ('admin-header.php');
 
-$profileuser = new WP_User($user_id);
+$profileuser = get_user_to_edit($user_id);
 
 if (!current_user_can('edit_users')) $errors['head'] = __('You do not have permission to edit this user.');

branches/2.0/wp-includes/default-filters.php

@@ -58 +58 @@
 add_filter('pre_category_description', 'wp_filter_kses');
 
+//Links
+add_filter('pre_link_name', 'strip_tags');
+add_filter('pre_link_name', 'trim');
+add_filter('pre_link_name', 'wp_filter_kses');
+add_filter('pre_link_name', 'wp_specialchars', 30);
+add_filter('pre_link_description', 'wp_filter_kses');
+add_filter('pre_link_notes', 'wp_filter_kses');
+add_filter('pre_link_url', 'strip_tags');
+add_filter('pre_link_url', 'trim');
+add_filter('pre_link_url', 'clean_url');
+add_filter('pre_link_image', 'strip_tags');
+add_filter('pre_link_image', 'trim');
+add_filter('pre_link_image', 'clean_url');
+add_filter('pre_link_rss', 'strip_tags');
+add_filter('pre_link_rss', 'trim');
+add_filter('pre_link_rss', 'clean_url');
+add_filter('pre_link_target', 'strip_tags');
+add_filter('pre_link_target', 'trim');
+add_filter('pre_link_target', 'wp_filter_kses');
+add_filter('pre_link_target', 'wp_specialchars', 30);
+add_filter('pre_link_rel', 'strip_tags');
+add_filter('pre_link_rel', 'trim');
+add_filter('pre_link_rel', 'wp_filter_kses');
+add_filter('pre_link_rel', 'wp_specialchars', 30);
+
 // Users
 add_filter('pre_user_display_name', 'strip_tags');
@@ -116 +141 @@
 add_filter('the_author', 'ent2ncr', 8);
 
+<<<<<<< .working
+=======
+// Misc filters
+add_filter('option_ping_sites', 'privacy_ping_filter');
+add_filter('option_blog_charset', 'wp_specialchars');
+
+>>>>>>> .merge-right.r4112
 // Actions
 add_action('publish_post', 'generic_ping');

branches/2.0/wp-includes/functions.php

@@ -322 +322 @@
 
 function form_option($option) {
-    echo htmlspecialchars( get_option($option), ENT_QUOTES );
+    echo wp_specialchars( get_option($option), 1 );
 }