Timestamp:
10/13/2006 12:24:51 AM (15 years ago)
Author:
markjaquith
Message:

Prevent users from entering strings that would be interpreted as serialized arrays/objects when the option is read back out of the database. fixes #2591

File:
1 edited

  • branches/2.0/wp-admin/options.php

    r4335 r4384  
    149149<?php
    150150$options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
    151 foreach ( (array) $options as $option )
    152     $options_to_update[] = $option->option_name;
    153 $options_to_update = implode(',', $options_to_update);
    154 ?>
    155151
    156 <input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" />
    157 
    158 <?php
    159152foreach ( (array) $options as $option) :
    160     $value = wp_specialchars($option->option_value);
     153    $disabled = '';
     154    if ( is_serialized($option->option_value) ) {
     155        if ( is_serialized_string($option->option_value) ) {
     156            // this is a serialized string, so we should display it
     157            $value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
     158            $options_to_update[] = $option->option_name;
     159            $class = 'all-options';
     160        } else {
     161            $value = 'SERIALIZED DATA';
     162            $disabled = ' disabled="disabled"';
     163            $class = 'all-options disabled';
     164        }
     165    } else {
     166        $value = wp_specialchars($option->option_value, 'single');
     167        $options_to_update[] = $option->option_name;
     168        $class = 'all-options';
     169    }
    161170    echo "
    162171<tr>
     
    164173<td>";
    165174
    166     if (stristr($value, "\n")) echo "<textarea class='all-options' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
    167     else echo "<input class='all-options' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "' />";
     175    if (stristr($value, "\n")) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
     176    else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
    168177   
    169178    echo "</td>
     
    173182?>
    174183  </table>
    175 <p class="submit"><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
     184<?php $options_to_update = implode(',', $options_to_update); ?>
     185<p class="submit"><input type="hidden" name="page_options" value="<?php echo wp_specialchars($options_to_update, true); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
    176186  </form>
    177187</div>
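Review bot: The protection added here is render-side only — options whose stored value is a serialized array/object are left out of the `$options_to_update` list and their input gets `disabled="disabled"`, but both the `page_options` hidden field and the `disabled` attribute are under the client's control, so a hand-edited form can still name such an option and post an arbitrary value for it. Unless the `update` handler (not in this diff; the `foreach` body's closing lines are also elided from this view) independently skips option names whose current value `is_serialized()` but not `is_serialized_string()`, and rejects posted values for which `is_serialized()` is true, the bypass the commit message describes remains reachable without this form. I would mirror the check on the handler side, e.g. `if ( is_serialized( $current ) && ! is_serialized_string( $current ) ) continue;` before `update_option()`, and initialise `$options_to_update = array();` before the loop so `implode()` does not operate on an undefined variable when every option is serialized. Separately, the rewritten `<textarea>`/`<input>` lines still interpolate `$option->option_name` unescaped into the `name`/`id` attributes while `$value` is passed through `wp_specialchars(..., 'single')`; option names come from the database rather than the request, so this is low-risk, but `wp_specialchars($option->option_name, 'single')` would make the escaping consistent, and the `<textarea>` branch should carry `$disabled` too so the two branches cannot drift apart.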