Changeset 44076
- Timestamp:
- 12/13/2018 02:04:05 AM (6 years ago)
- Location:
- branches/3.7
- Files:
-
- 5 edited
branches/3.7
- Property svn:mergeinfo changed
/branches/5.0 merged: 44047
- Property svn:mergeinfo changed
-
branches/3.7/src
- Property svn:mergeinfo changed
/branches/5.0/src merged: 44047
- Property svn:mergeinfo changed
-
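--- a/branches/3.7/src/wp-admin/includes/ajax-actions.php
+++ b/branches/3.7/src/wp-admin/includes/ajax-actions.php
@@ -1660,5 +1660,9 @@
 }
 
-$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
+
+if ( is_wp_error( $post_data ) ) {
+wp_die( $post_data->get_error_message() );
+}
 
 // If the context is custom header or background, make sure the uploaded file is an image.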
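Review bot: The new assignment on line 1662 nests `_wp_translate_postdata()` inside `_wp_get_allowed_postdata()` inside a ternary on one line, and the `is_wp_error()` check that follows only works because the allow-list helper passes a `WP_Error` through unchanged; a reader has to know that contract to see that the error path is reachable. Checking the translation result before filtering, as separate statements, keeps the key-stripping visibly the last step on the untrusted request data and removes the dependence on the pass-through. The enclosing handler starts and ends outside the hunk, so whether `wp_die()` with a plain message is the error convention of this AJAX action cannot be confirmed from here.
```php
$post_data = array();
if ( ! empty( $_REQUEST['post_data'] ) ) {
	$post_data = _wp_translate_postdata( false, (array) $_REQUEST['post_data'] );
	if ( is_wp_error( $post_data ) ) {
		wp_die( $post_data->get_error_message() );
	}
	// Strip keys a request must never set directly (meta_input, file, guid).
	$post_data = _wp_get_allowed_postdata( $post_data );
}
// … unchanged: image-type check for custom header/background context …
```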
branches/3.7/src/wp-admin/includes/post.php
r37823 r44076 166 166 167 167 /** 168 * Returns only allowed post data fields 169 * 170 * @since 4.9.9 171 * 172 * @param array $post_data Array of post data. Defaults to the contents of $_POST. 173 * @return object|bool WP_Error on failure, true on success. 174 */ 175 function _wp_get_allowed_postdata( $post_data = null ) { 176 if ( empty( $post_data ) ) { 177 $post_data = $_POST; 178 } 179 180 // Pass through errors 181 if ( is_wp_error( $post_data ) ) { 182 return $post_data; 183 } 184 185 return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) ); 186 } 187 188 /** 168 189 * Update an existing post with values provided in $_POST. 169 190 * … … 231 252 if ( is_wp_error($post_data) ) 232 253 wp_die( $post_data->get_error_message() ); 254 $translated = _wp_get_allowed_postdata( $post_data ); 233 255 234 256 if ( ( empty( $post_data['action'] ) || 'autosave' != $post_data['action'] ) && 'auto-draft' == $post_data['post_status'] ) { … … 297 319 $attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array(); 298 320 /** This filter is documented in wp-admin/includes/media.php */ 299 $ post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );321 $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data ); 300 322 } 301 323 … … 304 326 update_post_meta( $post_ID, '_edit_last', get_current_user_id() ); 305 327 306 $success = wp_update_post( $ post_data);328 $success = wp_update_post( $translated ); 307 329 // If the save failed, see if we can sanity check the main fields and try again 308 330 if ( ! 
$success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) { … … 310 332 311 333 foreach( $fields as $field ) { 312 if ( isset( $ post_data[ $field ] ) ) {313 $ post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );334 if ( isset( $translated[ $field ] ) ) { 335 $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] ); 314 336 } 315 337 } 316 338 317 wp_update_post( $ post_data);339 wp_update_post( $translated ); 318 340 } 319 341 … … 473 495 } 474 496 497 $post_data['post_ID'] = $post_ID; 475 498 $post_data['post_type'] = $post->post_type; 476 499 $post_data['post_mime_type'] = $post->post_mime_type; 477 $post_data['guid'] = $post->guid;478 500 479 501 foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) { … … 483 505 } 484 506 485 $post_data['ID'] = $post_ID;486 $post_data['post_ID'] = $post_ID;487 488 507 $post_data = _wp_translate_postdata( true, $post_data ); 489 508 if ( is_wp_error( $post_data ) ) { … … 491 510 continue; 492 511 } 512 $post_data = _wp_get_allowed_postdata( $post_data ); 493 513 494 514 $updated[] = wp_update_post( $post_data ); … … 501 521 } 502 522 503 if ( isset( $ post_data['post_format'] ) )504 set_post_format( $post_ID, $ post_data['post_format'] );523 if ( isset( $shared_post_data['post_format'] ) ) 524 set_post_format( $post_ID, $shared_post_data['post_format'] ); 505 525 } 506 526 … … 654 674 if ( is_wp_error($translated) ) 655 675 return $translated; 676 $translated = _wp_get_allowed_postdata( $translated ); 656 677 657 678 // Create the post. 
658 $post_ID = wp_insert_post( $ _POST);679 $post_ID = wp_insert_post( $translated ); 659 680 if ( is_wp_error( $post_ID ) ) 660 681 return $post_ID; … … 1407 1428 if ( is_wp_error( $translated ) ) 1408 1429 return $translated; 1430 $translated = _wp_get_allowed_postdata( $translated ); 1409 1431 1410 1432 $post_author = get_current_user_id(); … … 1412 1434 // Store one autosave per author. If there is already an autosave, overwrite it. 1413 1435 if ( $old_autosave = wp_get_post_autosave( $post_id, $post_author ) ) { 1414 $new_autosave = _wp_post_revision_fields( $ _POST, true );1436 $new_autosave = _wp_post_revision_fields( $translated, true ); 1415 1437 $new_autosave['ID'] = $old_autosave->ID; 1416 1438 $new_autosave['post_author'] = $post_author; … … 1435 1457 1436 1458 // _wp_put_post_revision() expects unescaped. 1437 $post_data = wp_unslash( $ _POST);1459 $post_data = wp_unslash( $translated ); 1438 1460 1439 1461 // Otherwise create the new autosave as a special post revision -
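Review bot: The docblock added for `_wp_get_allowed_postdata()` (new lines 168-174) states `@return object|bool WP_Error on failure, true on success.`, but the body returns the `array_diff_key()` result or the `WP_Error` it was handed and never returns `true`; it should read `@return array|WP_Error Post data with the meta_input, file and guid keys removed, or the WP_Error passed through.` The `empty( $post_data )` guard on line 176 also means a caller that passes an empty array gets the whole of `$_POST` back (filtered) instead of an empty array, which is surprising for a helper whose documented default is meant for the no-argument case; `if ( null === $post_data )` would match the docblock and the `= null` default. The later hunks in this file call the same helper on translated data, and each of those enclosing functions starts and ends outside its hunk.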
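--- a/branches/3.7/src/wp-admin/post.php
+++ b/branches/3.7/src/wp-admin/post.php
@@ -216,5 +216,5 @@
 // Update the thumbnail filename
 $newmeta = wp_get_attachment_metadata( $post_id, true );
-$newmeta['thumb'] = $_POST['thumb'];
+$newmeta['thumb'] = wp_basename( $_POST['thumb'] );
 
 wp_update_attachment_metadata( $post_id, $newmeta );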
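Review bot: Line 218 now stores `wp_basename( $_POST['thumb'] )`, but nothing in the hunk says why a directory component must be dropped from this value, so a later edit could reintroduce the raw assignment without noticing; a one-line comment would anchor the intent: `// Only a bare filename is allowed here: the stored thumb is later resolved relative to the attachment's upload directory.` The value is still unvalidated beyond that, and whether this request path is limited to users who may edit the attachment, or whether the filename is checked against the attachment's own files before use, is not visible in this hunk and would be worth confirming. The enclosing action handler starts and ends outside the hunk.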