- Timestamp:
- 12/18/2018 09:31:14 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 4 edited
trunk
- Property svn:mergeinfo changed
/branches/5.0 merged: 44047
- Property svn:mergeinfo changed
-
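--- a/trunk/src/wp-admin/includes/ajax-actions.php
+++ b/trunk/src/wp-admin/includes/ajax-actions.php
@@ -2263,5 +2263,9 @@
 }
 
-$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
+$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
+
+if ( is_wp_error( $post_data ) ) {
+wp_die( $post_data->get_error_message() );
+}
 
 // If the context is custom header or background, make sure the uploaded file is an image.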
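Review bot: The `! empty()` guard on the new 2265 line protects only the raw `$_REQUEST['post_data']`, not the value that reaches `_wp_get_allowed_postdata()`, and that helper (see its definition in the post.php hunk of this same changeset) substitutes the whole `$_POST` whenever it is handed an empty array. So if `_wp_translate_postdata()` ever yields an empty array for a non-empty request value — which cannot be confirmed from this hunk — the handler would silently widen `$post_data` to all of `$_POST` minus three keys instead of leaving it empty. Keeping the filtering explicit avoids depending on that fallback: `$post_data = _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ); if ( ! is_wp_error( $post_data ) && ! empty( $post_data ) ) { $post_data = _wp_get_allowed_postdata( $post_data ); }` while retaining the `is_wp_error()` check that follows. The enclosing handler starts and ends outside the hunk.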
trunk/src/wp-admin/includes/post.php
r44280 r44295 197 197 198 198 /** 199 * Returns only allowed post data fields 200 * 201 * @since 4.9.9 202 * 203 * @param array $post_data Array of post data. Defaults to the contents of $_POST. 204 * @return object|bool WP_Error on failure, true on success. 205 */ 206 function _wp_get_allowed_postdata( $post_data = null ) { 207 if ( empty( $post_data ) ) { 208 $post_data = $_POST; 209 } 210 211 // Pass through errors 212 if ( is_wp_error( $post_data ) ) { 213 return $post_data; 214 } 215 216 return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) ); 217 } 218 219 /** 199 220 * Update an existing post with values provided in $_POST. 200 221 * … … 274 295 wp_die( $post_data->get_error_message() ); 275 296 } 297 $translated = _wp_get_allowed_postdata( $post_data ); 276 298 277 299 // Post Formats … … 363 385 364 386 /** This filter is documented in wp-admin/includes/media.php */ 365 $ post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );387 $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data ); 366 388 } 367 389 … … 372 394 373 395 if ( $tax_object && isset( $tax_object->meta_box_sanitize_cb ) ) { 374 $ post_data['tax_input'][ $taxonomy ] = call_user_func_array( $tax_object->meta_box_sanitize_cb, array( $taxonomy, $terms ) );396 $translated['tax_input'][ $taxonomy ] = call_user_func_array( $tax_object->meta_box_sanitize_cb, array( $taxonomy, $terms ) ); 375 397 } 376 398 } … … 381 403 update_post_meta( $post_ID, '_edit_last', get_current_user_id() ); 382 404 383 $success = wp_update_post( $ post_data);405 $success = wp_update_post( $translated ); 384 406 // If the save failed, see if we can sanity check the main fields and try again 385 407 if ( ! 
$success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) { … … 387 409 388 410 foreach ( $fields as $field ) { 389 if ( isset( $ post_data[ $field ] ) ) {390 $ post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );391 } 392 } 393 394 wp_update_post( $ post_data);411 if ( isset( $translated[ $field ] ) ) { 412 $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] ); 413 } 414 } 415 416 wp_update_post( $translated ); 395 417 } 396 418 … … 570 592 } 571 593 594 $post_data['post_ID'] = $post_ID; 572 595 $post_data['post_type'] = $post->post_type; 573 596 $post_data['post_mime_type'] = $post->post_mime_type; 574 $post_data['guid'] = $post->guid;575 597 576 598 foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) { … … 579 601 } 580 602 } 581 582 $post_data['ID'] = $post_ID;583 $post_data['post_ID'] = $post_ID;584 603 585 604 $post_data = _wp_translate_postdata( true, $post_data ); … … 588 607 continue; 589 608 } 590 591 if ( isset( $post_data['post_format'] ) ) { 592 set_post_format( $post_ID, $post_data['post_format'] ); 609 $post_data = _wp_get_allowed_postdata( $post_data ); 610 611 if ( isset( $shared_post_data['post_format'] ) ) { 612 set_post_format( $post_ID, $shared_post_data['post_format'] ); 593 613 unset( $post_data['tax_input']['post_format'] ); 594 614 } … … 807 827 return $translated; 808 828 } 829 $translated = _wp_get_allowed_postdata( $translated ); 809 830 810 831 // Create the post. 811 $post_ID = wp_insert_post( $ _POST);832 $post_ID = wp_insert_post( $translated ); 812 833 if ( is_wp_error( $post_ID ) ) { 813 834 return $post_ID; … … 1769 1790 return $post_data; 1770 1791 } 1792 $post_data = _wp_get_allowed_postdata( $post_data ); 1771 1793 1772 1794 $post_author = get_current_user_id(); -
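Review bot: The docblock of the new `_wp_get_allowed_postdata()` says `@return object|bool WP_Error on failure, true on success`, but the function returns the result of `array_diff_key()` or the passed-through `WP_Error`; it should read `@return array|WP_Error Post data with the disallowed keys removed, or the WP_Error that was passed in.` The name also oversells what the function does: it is a denylist of exactly three keys (`meta_input`, `file`, `guid`), not an allowlist, so a comment above the `array_diff_key()` call such as `// Strip only the keys that must never be settable from request data; everything else still depends on the caller's capability checks.` would stop future callers from treating its output as fully trusted. Separately, the `if ( empty( $post_data ) )` fallback means a caller that deliberately passes an empty array gets the entire `$_POST` back; `if ( null === $post_data )` would honour the documented default without that surprise, since every call site in this changeset passes an explicit value. The remaining hunks in this section sit inside functions whose bodies start and end outside the visible excerpt.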
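--- a/trunk/src/wp-admin/post.php
+++ b/trunk/src/wp-admin/post.php
@@ -201,5 +201,5 @@
 // Update the thumbnail filename
 $newmeta = wp_get_attachment_metadata( $post_id, true );
-$newmeta['thumb'] = $_POST['thumb'];
+$newmeta['thumb'] = wp_basename( $_POST['thumb'] );
 
 wp_update_attachment_metadata( $post_id, $newmeta );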
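Review bot: `wp_basename()` on line 203 only strips directory components, so `$_POST['thumb']` still flows unvalidated into the attachment metadata: an empty string, `..`, or a filename that does not belong to this attachment is stored as-is, and nothing in the hunk checks that `thumb` was submitted before it is read. Unless the enclosing branch already guards `isset( $_POST['thumb'] )` (not visible here), a tighter line would be `$newmeta['thumb'] = sanitize_file_name( wp_basename( wp_unslash( $_POST['thumb'] ) ) );`, and ideally the value should be checked against the filenames already present in `$newmeta['sizes']` so only a known thumbnail of this attachment is accepted. Whether a later consumer of `thumb` re-validates the stored value cannot be determined from this hunk, and the enclosing block starts and ends outside it.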