Make WordPress Core

Changeset 54550


Ignore:
Timestamp:
10/17/2022 05:46:53 PM (18 months ago)
Author:
SergeyBiryukov
Message:

Grouped backports to the 3.9 branch.

  • Posts, Post types: Apply KSES to post-by-email content,
  • General: Validate host on "Are you sure?" screen,
  • Posts, Post types: Remove emails from post-by-email logs,
  • Pings/trackbacks: Apply KSES to all trackbacks,
  • Comments: Apply kses when editing comments,
  • Mail: Reset PHPMailer properties between use,
  • Widgets: Escape RSS error messages for display.

Merges [54521], [54522], [54523], [54525], [54527], [54529], [54541] to the 3.9 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, davidbaumwald, tykoted, matveb, talldanwp.

Location:
branches/3.9
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • branches/3.9

  • branches/3.9/src/wp-includes/comment.php

    r27300 r54550  
    18161816        return 0;
    18171817
     1818    $filter_comment = false;
     1819    if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
     1820        $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
     1821    }
     1822
     1823    if ( $filter_comment ) {
     1824        add_filter( 'pre_comment_content', 'wp_filter_kses' );
     1825    }
     1826
    18181827    // Escape data pulled from DB.
    18191828    $comment = wp_slash($comment);
     
    18251834
    18261835    $commentarr = wp_filter_comment( $commentarr );
     1836
     1837    if ( $filter_comment ) {
     1838        remove_filter( 'pre_comment_content', 'wp_filter_kses' );
     1839    }
    18271840
    18281841    // Now extract the merged array.
  • branches/3.9/src/wp-includes/default-widgets.php

    r33532 r54550  
    10131013    if ( is_wp_error($rss) ) {
    10141014        if ( is_admin() || current_user_can('manage_options') )
    1015             echo '<p>' . sprintf( __('<strong>RSS Error</strong>: %s'), $rss->get_error_message() ) . '</p>';
     1015            echo '<p>' . sprintf( __('<strong>RSS Error</strong>: %s'), esc_html( $rss->get_error_message() ) ) . '</p>';
    10161016        return;
    10171017    }
     
    11251125
    11261126    if ( !empty($error) )
    1127         echo '<p class="widget-error"><strong>' . sprintf( __('RSS Error: %s'), $error) . '</strong></p>';
     1127        echo '<p class="widget-error"><strong>' . sprintf( __('RSS Error: %s'), esc_html( $error ) ) . '</strong></p>';
    11281128
    11291129    if ( $inputs['url'] ) :
  • branches/3.9/src/wp-includes/functions.php

    r46503 r54550  
    23352335    } else {
    23362336        $html = __( 'Are you sure you want to do this?' );
    2337         if ( wp_get_referer() )
    2338             $html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
     2337        if ( wp_get_referer() ) {
     2338            $wp_http_referer = remove_query_arg( 'updated', wp_get_referer() );
     2339            $wp_http_referer = wp_validate_redirect( esc_url_raw( $wp_http_referer ) );
     2340            $html           .= '</p><p>';
     2341            $html           .= sprintf(
     2342                '<a href="%s">%s</a>',
     2343                esc_url( $wp_http_referer ),
     2344                __( 'Please try again.' )
     2345            );
     2346        }
    23392347    }
    23402348
  • branches/3.9/src/wp-includes/pluggable.php

    r47966 r54550  
    331331    $phpmailer->ClearCustomHeaders();
    332332    $phpmailer->ClearReplyTos();
     333    $phpmailer->Body    = '';
     334    $phpmailer->AltBody = '';
    333335
    334336    // From email and name
  • branches/3.9/src/wp-mail.php

    r39781 r54550  
    6060    wp_die( __('There doesn&#8217;t seem to be any new mail.') );
    6161}
     62
     63// Always run as an unauthenticated user.
     64wp_set_current_user( 0 );
    6265
    6366for ( $i = 1; $i <= $count; $i++ ) {
     
    124127                $author = sanitize_email($author);
    125128                if ( is_email($author) ) {
    126                     echo '<p>' . sprintf(__('Author is %s'), $author) . '</p>';
    127129                    $userdata = get_user_by('email', $author);
    128130                    if ( ! empty( $userdata ) ) {
  • branches/3.9/src/wp-trackback.php

    r25616 r54550  
    1313    wp( array( 'tb' => '1' ) );
    1414}
     15
     16// Always run as an unauthenticated user.
     17wp_set_current_user( 0 );
    1518
    1619/**
Note: See TracChangeset for help on using the changeset viewer.