

Timestamp:
01/05/2007 05:45:46 AM (17 years ago)
Author:
markjaquith
Message:

Delay Trackback data escaping until after mb_convert_encoding(). Props to Stefan Esser.

File:
1 edited

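--- a/trunk/wp-trackback.php
+++ b/trunk/wp-trackback.php
@@ -31,9 +31,11 @@
 }
 
-$tb_url    = $_POST['url'];
-$title     = $_POST['title'];
-$excerpt   = $_POST['excerpt'];
-$blog_name = $_POST['blog_name'];
-$charset   = $_POST['charset'];
+$tb_url  = $_POST['url'];
+$charset = $_POST['charset'];
+
+// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
+$title     = stripslashes($_POST['title']);
+$excerpt   = stripslashes($_POST['excerpt']);
+$blog_name = stripslashes($_POST['blog_name']);
 
 if ($charset)
@@ -47,4 +49,9 @@
     $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
 }
+
+// Now that mb_convert_encoding() has been given a swing, we need to escape these three
+$title     = $wpdb->escape($title);
+$excerpt   = $wpdb->escape($excerpt);
+$blog_name = $wpdb->escape($blog_name);
 
 if ( is_single() || is_page() )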
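Review bot: `$charset` is still taken straight from `$_POST['charset']` (new line 34) and reaches `mb_convert_encoding()` as the source encoding on new line 49, so the sender of the trackback decides how the three fields are decoded before they are escaped. Moving `$wpdb->escape()` after the conversion fixes the ordering, but I would also restrict `$charset` to a short allowlist of encodings the blog expects and reject the request otherwise; new lines 42–48 are not shown, so any normalisation done there is not visible here. `$tb_url` is not passed through `$wpdb->escape()` in the visible lines, so it is worth confirming that it is validated or escaped before it is stored rather than relying on the request data already being slashed. The comment on new line 36 could also give the reason, e.g. `// Escaping must follow the charset conversion: the converted text can contain quote or backslash characters that were not present in the submitted bytes.`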