
Changeset 5906


Timestamp:
08/20/2007 10:50:04 PM (17 years ago)
Author:
ryan
Message:

bookmark sanitizer funcs and default filter cleanup. see #4546

Location:
trunk
Files:
6 edited

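--- a/trunk/wp-admin/includes/bookmark.php
+++ b/trunk/wp-admin/includes/bookmark.php
@@ -61,20 +61,14 @@
 
 function get_link_to_edit( $link_id ) {
-    $link = get_link( $link_id );
-
-    $link->link_url         = clean_url($link->link_url);
-    $link->link_name        = attribute_escape($link->link_name);
-    $link->link_image       = attribute_escape($link->link_image);
-    $link->link_description = attribute_escape($link->link_description);
-    $link->link_rss         = clean_url($link->link_rss);
-    $link->link_rel         = attribute_escape($link->link_rel);
-    $link->link_notes       =  wp_specialchars($link->link_notes);
-    $link->post_category    = $link->link_category;
-
-    return $link;
+    return get_link( $link_id, OBJECT, 'edit' );
 }
 
 function wp_insert_link($linkdata) {
     global $wpdb, $current_user;
+
+    $defaults = array('link_id' => 0, 'link_name' => '', 'link_url' => '', 'link_rating' => 0 );
+
+    $linkdata = wp_parse_args($linkdata, $defaults);
+    $linkdata = sanitize_bookmark($linkdata, 'db');
 
     extract($linkdata, EXTR_SKIP);
@@ -85,51 +79,36 @@
         $update = true;
 
-    $link_id = (int) $link_id;
+    if ( trim( $link_name ) == '' )
+        return 0;
 
-    if( trim( $link_name ) == '' )
+    if ( trim( $link_url ) == '' )
         return 0;
-    $link_name = apply_filters('pre_link_name', $link_name);
-
-    if( trim( $link_url ) == '' )
-        return 0;
-    $link_url = apply_filters('pre_link_url', $link_url);
 
     if ( empty($link_rating) )
         $link_rating = 0;
-    else
-        $link_rating = (int) $link_rating;
 
     if ( empty($link_image) )
         $link_image = '';
-    $link_image = apply_filters('pre_link_image', $link_image);
 
     if ( empty($link_target) )
         $link_target = '';
-    $link_target = apply_filters('pre_link_target', $link_target);
 
     if ( empty($link_visible) )
         $link_visible = 'Y';
-    $link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
 
     if ( empty($link_owner) )
         $link_owner = $current_user->id;
-    else
-        $link_owner = (int) $link_owner;
 
     if ( empty($link_notes) )
         $link_notes = '';
-    $link_notes = apply_filters('pre_link_notes', $link_notes);
 
     if ( empty($link_description) )
         $link_description = '';
-    $link_description = apply_filters('pre_link_description', $link_description);
 
     if ( empty($link_rss) )
         $link_rss = '';
-    $link_rss = apply_filters('pre_link_rss', $link_rss);
 
     if ( empty($link_rel) )
         $link_rel = '';
-    $link_rel = apply_filters('pre_link_rel', $link_rel);
 
     // Make sure we set a valid category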
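Review bot: The `else $link_owner = (int) $link_owner;` branch removed here (old lines 116-117) has no replacement: `sanitize_bookmark($linkdata, 'db')` casts only link_id and link_rating in this changeset's `sanitize_bookmark_field()`, and no `pre_link_owner` filter is registered, so a caller-supplied owner reaches the insert query (outside the hunk) uncoerced. I would restore `else $link_owner = (int) $link_owner;` after the `$current_user->id` assignment, or add `'link_owner'` to the sanitizer's int list. Separately, `$defaults` seeds only four keys while `sanitize_bookmark()` reads every bookmark field of the array, so a minimal `wp_insert_link(array('link_name' => ..., 'link_url' => ...))` call raises undefined-index notices for the rest; seeding the full field list with `''`/`0` in `$defaults` avoids that. `wp_insert_link()` continues past the end of the hunk.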
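--- a/trunk/wp-admin/link-manager.php
+++ b/trunk/wp-admin/link-manager.php
@@ -81,5 +81,5 @@
 $select_cat .= '<option value="all"'  . (($cat_id == 'all') ? " selected='selected'" : '') . '>' . __('All') . "</option>\n";
 foreach ((array) $categories as $cat)
-    $select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . wp_specialchars(apply_filters('link_category', $cat->name)) . "</option>\n";
+    $select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . sanitize_term_field('name', $cat->name, $cat->term_id, 'link_category', 'display') . "</option>\n";
 $select_cat .= "</select>\n";
 
@@ -132,7 +132,6 @@
 <?php
     foreach ($links as $link) {
-        $link->link_name = attribute_escape(apply_filters('link_title', $link->link_name));
-        $link->link_description = wp_specialchars(apply_filters('link_description', $link->link_description));
-        $link->link_url = clean_url($link->link_url);
+        $link = sanitize_bookmark($link);
+        $link->link_name = attribute_escape($link->link_name);
         $link->link_category = wp_get_link_cats($link->link_id);
         $short_url = str_replace('http://', '', $link->link_url);
@@ -160,6 +159,6 @@
                     $cat_names = array();
                     foreach ($link->link_category as $category) {
-                        $cat = get_term($category, 'link_category');
-                        $cat_name = wp_specialchars(apply_filters('link_category', $cat->name));
+                        $cat = get_term($category, 'link_category', OBJECT, 'display');
+                        $cat_name = $cat->name;
                         if ( $cat_id != $category )
                             $cat_name = "<a href='link-manager.php?cat_id=$category'>$cat_name</a>";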
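Review bot: The explicit `clean_url($link->link_url)` on old line 136 is dropped in favour of `sanitize_bookmark($link)`, but in 'display' context that only runs whatever `link_url` filters are registered, and this changeset registers URL filters solely on the `pre_*` hooks and `comment_url`, so `$link->link_url` (and `$short_url` derived from it on the next line, presumably echoed further down, outside the hunk) is now whatever is stored in the database. That is fine only if every row was saved through `pre_link_url`; rows from imports or older versions were not. I would keep `$link->link_url = clean_url($link->link_url);` after the sanitize_bookmark() call, or register `add_filter('link_url', 'clean_url');` in default-filters.php. The surrounding foreach and table markup continue outside the hunk.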
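--- a/trunk/wp-includes/bookmark.php
+++ b/trunk/wp-includes/bookmark.php
@@ -1,5 +1,5 @@
 <?php
 
-function get_bookmark($bookmark_id, $output = OBJECT) {
+function get_bookmark($bookmark_id, $output = OBJECT, $filter = 'raw') {
     global $wpdb;
 
@@ -8,4 +8,6 @@
     $link->link_category = wp_get_link_cats($bookmark_id);
 
+    $link = sanitize_bookmark($link, $filter);
+  
     if ( $output == OBJECT ) {
         return $link;
@@ -17,4 +19,20 @@
         return $link;
     }
+}
+
+function get_bookmark_field( $field, $bookmark, $context = 'display' ) {
+    $bookmark = (int) $bookmark;
+    $bookmark = get_bookmark( $bookmark );
+
+    if ( is_wp_error($bookmark) )
+        return $bookmark;
+
+    if ( !is_object($bookmark) )
+        return '';
+
+    if ( !isset($bookmark->$field) )
+        return '';
+
+    return sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context);
 }
 
@@ -143,4 +161,65 @@
 }
 
+function sanitize_bookmark($bookmark, $context = 'display') {
+    $fields = array('link_id', 'link_url', 'link_name', 'link_image', 'link_target', 'link_category',
+        'link_description', 'link_visible', 'link_owner', 'link_rating', 'link_updated',
+        'link_rel', 'link_notes', 'link_rss', );
+
+    $do_object = false;
+    if ( is_object($bookmark) )
+        $do_object = true;
+
+    foreach ( $fields as $field ) {
+        if ( $do_object )
+            $bookmark->$field = sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context);
+        else
+            $bookmark[$field] = sanitize_bookmark_field($field, $bookmark[$field], $bookmark['link_id'], $context);
+    }
+
+    return $bookmark;
+}
+
+function sanitize_bookmark_field($field, $value, $bookmark_id, $context) {
+    $int_fields = array('link_id', 'link_rating');
+    if ( in_array($field, $int_fields) )
+        $value = (int) $value;
+
+    $yesno = array('link_visible');
+    if ( in_array($field, $yesno) )
+        $value = preg_replace('/[^YNyn]/', '', $value);
+
+    if ( 'link_target' == $field ) {
+        $targets = array('_top', '_blank');
+        if ( ! in_array($value, $targets) )
+            $value = '';
+    }
+
+    if ( 'raw' == $context )
+        return $value;
+
+    if ( 'edit' == $context ) {
+        $format_to_edit = array('link_notes');
+        $value = apply_filters("edit_$field", $value, $bookmark_id);
+
+        if ( in_array($field, $format_to_edit) ) {
+            $value = format_to_edit($value);
+        } else {
+            $value = attribute_escape($value);
+        }
+    } else if ( 'db' == $context ) {
+        $value = apply_filters("pre_$field", $value);
+    } else {
+        // Use display filters by default.
+        $value = apply_filters($field, $value, $bookmark_id, $context);
+    }
+
+    if ( 'attribute' == $context )
+        $value = attribute_escape($value);
+    else if ( 'js' == $context )
+        $value = js_escape($value);
+
+    return $value;
+}
+
 function delete_get_bookmark_cache() {
     wp_cache_delete( 'get_bookmarks', 'bookmark' );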
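Review bot: `sanitize_bookmark()` runs `link_category` through the same string path as every other field, yet `get_bookmark()` fills it from `wp_get_link_cats()` (new line 8) and link-manager.php iterates it as a list of term IDs; in 'edit' context that array reaches `attribute_escape()`, and in 'display' context it fires the `link_category` filter that link-manager.php previously applied to a category *name*, so existing callbacks on that hook will now receive an array. I would short-circuit the non-scalar field with `if ( 'link_category' == $field ) return $value;` at the top of `sanitize_bookmark_field()`. Also `$int_fields` omits `link_owner` even though wp_insert_link() in this same changeset drops its own `(int)` cast of that value; `$int_fields = array('link_id', 'link_rating', 'link_owner');` would restore the coercion for every caller. Finally the default branch applies only registered `$field` display filters, and this changeset registers none for link_url, link_image, link_rss or link_rel, so in 'display' context those come back unescaped — worth a comment such as `// 'display' applies display filters only; it is not an output-escaping context, use 'attribute'/'js' or escape at the call site.`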
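--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -1,135 +1,65 @@
 <?php
 
-// Some default filters
-add_filter('bloginfo','wp_specialchars');
-add_filter('term_description', 'wptexturize');
-add_filter('category_description', 'wptexturize');
-add_filter('list_cats', 'wptexturize');
-add_filter('comment_author', 'wptexturize');
-add_filter('comment_text', 'wptexturize');
-add_filter('single_post_title', 'wptexturize');
-add_filter('the_title', 'wptexturize');
-add_filter('the_content', 'wptexturize');
-add_filter('the_excerpt', 'wptexturize');
-add_filter('bloginfo', 'wptexturize');
-add_filter('pre_kses', 'wp_pre_kses_less_than');
+// Strip, trim, kses, special chars for string saves
+$filters = array('pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target',
+    'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name',
+    'pre_user_nickname');
+foreach ( $filters as $filter ) {
+    add_filter($filter, 'strip_tags');
+    add_filter($filter, 'trim');
+    add_filter($filter, 'wp_filter_kses');
+    add_filter($filter, 'wp_specialchars', 30);
+}
 
-// Comments, trackbacks, pingbacks
-add_filter('pre_comment_author_name', 'strip_tags');
-add_filter('pre_comment_author_name', 'trim');
-add_filter('pre_comment_author_name', 'wp_specialchars', 30);
+// Kses only for textarea saves
+$filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description');
+foreach ( $filters as $filter ) {
+    add_filter($filter, 'wp_filter_kses');
+}
 
-add_filter('pre_comment_author_email', 'trim');
-add_filter('pre_comment_author_email', 'sanitize_email');
+// Email
+$filters = array('pre_comment_author_email', 'pre_user_email');
+foreach ( $filters as $filter ) {
+    add_filter($filter, 'trim');
+    add_filter($filter, 'sanitize_email');
+    add_filter($filter, 'wp_filter_kses');
+}
 
-add_filter('pre_comment_author_url', 'strip_tags');
-add_filter('pre_comment_author_url', 'trim');
-add_filter('pre_comment_author_url', 'clean_url');
-
-add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
-add_filter('pre_comment_content', 'balanceTags', 30);
-
-add_filter('pre_comment_author_name', 'wp_filter_kses');
-add_filter('pre_comment_author_email', 'wp_filter_kses');
-add_filter('pre_comment_author_url', 'wp_filter_kses');
-
-add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
-
-// Default filters for these functions
-add_filter('comment_author', 'wptexturize');
-add_filter('comment_author', 'convert_chars');
-add_filter('comment_author', 'wp_specialchars');
-
-add_filter('comment_email', 'antispambot');
-
-add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
-
-add_filter('comment_url', 'clean_url');
-
-add_filter('comment_text', 'convert_chars');
-add_filter('comment_text', 'make_clickable', 9);
-add_filter('comment_text', 'force_balance_tags', 25);
-add_filter('comment_text', 'wpautop', 30);
-add_filter('comment_text', 'convert_smilies', 20);
-
-add_filter('comment_excerpt', 'convert_chars');
-
-// Terms
-add_filter('pre_term_name', 'strip_tags');
-add_filter('pre_term_name', 'trim');
-add_filter('pre_term_name', 'wp_filter_kses');
-add_filter('pre_term_name', 'wp_specialchars', 30);
-add_filter('pre_term_description', 'wp_filter_kses');
-
-// Categories
-add_filter('pre_category_name', 'strip_tags');
-add_filter('pre_category_name', 'trim');
-add_filter('pre_category_name', 'wp_filter_kses');
-add_filter('pre_category_name', 'wp_specialchars', 30);
-add_filter('pre_category_description', 'wp_filter_kses');
-
-//Links
-add_filter('pre_link_name', 'strip_tags');
-add_filter('pre_link_name', 'trim');
-add_filter('pre_link_name', 'wp_filter_kses');
-add_filter('pre_link_name', 'wp_specialchars', 30);
-add_filter('pre_link_description', 'wp_filter_kses');
-add_filter('pre_link_notes', 'wp_filter_kses');
-add_filter('pre_link_url', 'strip_tags');
-add_filter('pre_link_url', 'trim');
-add_filter('pre_link_url', 'clean_url');
-add_filter('pre_link_image', 'strip_tags');
-add_filter('pre_link_image', 'trim');
-add_filter('pre_link_image', 'clean_url');
-add_filter('pre_link_rss', 'strip_tags');
-add_filter('pre_link_rss', 'trim');
-add_filter('pre_link_rss', 'clean_url');
-add_filter('pre_link_target', 'strip_tags');
-add_filter('pre_link_target', 'trim');
-add_filter('pre_link_target', 'wp_filter_kses');
-add_filter('pre_link_target', 'wp_specialchars', 30);
-add_filter('pre_link_rel', 'strip_tags');
-add_filter('pre_link_rel', 'trim');
-add_filter('pre_link_rel', 'wp_filter_kses');
-add_filter('pre_link_rel', 'wp_specialchars', 30);
-
-// Users
-add_filter('pre_user_display_name', 'strip_tags');
-add_filter('pre_user_display_name', 'trim');
-add_filter('pre_user_display_name', 'wp_filter_kses');
-add_filter('pre_user_display_name', 'wp_specialchars', 30);
-add_filter('pre_user_first_name', 'strip_tags');
-add_filter('pre_user_first_name', 'trim');
-add_filter('pre_user_first_name', 'wp_filter_kses');
-add_filter('pre_user_first_name', 'wp_specialchars', 30);
-add_filter('pre_user_last_name', 'strip_tags');
-add_filter('pre_user_last_name', 'trim');
-add_filter('pre_user_last_name', 'wp_filter_kses');
-add_filter('pre_user_last_name', 'wp_specialchars', 30);
-add_filter('pre_user_nickname', 'strip_tags');
-add_filter('pre_user_nickname', 'trim');
-add_filter('pre_user_nickname', 'wp_filter_kses');
-add_filter('pre_user_nickname', 'wp_specialchars', 30);
-add_filter('pre_user_description', 'trim');
-add_filter('pre_user_description', 'wp_filter_kses');
-add_filter('pre_user_url', 'strip_tags');
-add_filter('pre_user_url', 'trim');
-add_filter('pre_user_url', 'clean_url');
-add_filter('pre_user_email', 'trim');
-add_filter('pre_user_email', 'sanitize_email');
+// URL
+$filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
+    'pre_link_rss', 'comment_url');
+foreach ( $filters as $filter ) {
+    add_filter($filter, 'strip_tags');
+    add_filter($filter, 'trim');
+    add_filter($filter, 'clean_url');
+    add_filter($filter, 'wp_filter_kses');
+}
 
 // Places to balance tags on input
-add_filter('content_save_pre', 'balanceTags', 50);
-add_filter('excerpt_save_pre', 'balanceTags', 50);
-add_filter('comment_save_pre', 'balanceTags', 50);
+$filters = array('content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content');
+foreach ( $filters as $filter ) {
+    add_filter( $filter, 'balanceTags', 50);
+}
 
-// Misc. title, content, and excerpt filters
+// Format strings for display.
+$filters = array('comment_author', 'term_name', 'term_description', 'link_name', 'link_description',
+    'link_notes', 'bloginfo');
+foreach ( $filters as $filter ) {
+    add_filter($filter, 'wptexturize');
+    add_filter($filter, 'convert_chars');
+    add_filter($filter, 'wp_specialchars');
+}
+
+// Display filters
+add_filter('the_title', 'wptexturize');
 add_filter('the_title', 'convert_chars');
 add_filter('the_title', 'trim');
 
+add_filter('the_content', 'wptexturize');
 add_filter('the_content', 'convert_smilies');
 add_filter('the_content', 'convert_chars');
 add_filter('the_content', 'wpautop');
 
+add_filter('the_excerpt', 'wptexturize');
 add_filter('the_excerpt', 'convert_smilies');
 add_filter('the_excerpt', 'convert_chars');
@@ -137,5 +67,15 @@
 add_filter('get_the_excerpt', 'wp_trim_excerpt');
 
-add_filter('sanitize_title', 'sanitize_title_with_dashes');
+add_filter('comment_text', 'wptexturize');
+add_filter('comment_text', 'convert_chars');
+add_filter('comment_text', 'make_clickable', 9);
+add_filter('comment_text', 'force_balance_tags', 25);
+add_filter('comment_text', 'convert_smilies', 20);
+add_filter('comment_text', 'wpautop', 30);
+
+add_filter('comment_excerpt', 'convert_chars');
+
+add_filter('list_cats', 'wptexturize');
+add_filter('single_post_title', 'wptexturize');
 
 // RSS filters
@@ -147,6 +87,6 @@
 add_filter('the_excerpt_rss', 'ent2ncr', 8);
 add_filter('comment_author_rss', 'ent2ncr', 8);
+add_filter('comment_text_rss', 'ent2ncr', 8);
 add_filter('comment_text_rss', 'wp_specialchars');
-add_filter('comment_text_rss', 'ent2ncr', 8);
 add_filter('bloginfo_rss', 'ent2ncr', 8);
 add_filter('the_author', 'ent2ncr', 8);
@@ -159,9 +99,9 @@
 add_filter('mce_plugins', '_mce_load_rtl_plugin');
 add_filter('mce_buttons', '_mce_add_direction_buttons');
-
-// Redirect Old Slugs
-add_action('template_redirect', 'wp_old_slug_redirect');
-add_action('edit_post', 'wp_check_for_changed_slugs');
-add_action('edit_form_advanced', 'wp_remember_old_slug');
+add_filter('pre_kses', 'wp_pre_kses_less_than');
+add_filter('sanitize_title', 'sanitize_title_with_dashes');
+add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
+add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
+add_filter('comment_email', 'antispambot');
 
 // Actions
@@ -190,4 +130,9 @@
 add_action('save_post', '_save_post_hook', 5, 2);
 add_action('transition_post_status', '_transition_post_status', 5, 3);
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+// Redirect Old Slugs
+add_action('template_redirect', 'wp_old_slug_redirect');
+add_action('edit_post', 'wp_check_for_changed_slugs');
+add_action('edit_form_advanced', 'wp_remember_old_slug');
 
 ?>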
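Review bot: The rewrite silently drops save-time hooks: `pre_category_name` and `pre_category_description` (old lines 65-69) lose strip_tags/trim/kses entirely, and `pre_user_description` loses its `trim` (old line 113; the new textarea group adds only wp_filter_kses). If any caller outside this changeset still applies the `pre_category_*` hooks, that input is now stored unfiltered, so either keep those two names in the string and textarea arrays or confirm no caller remains. The new display group also covers no URL-bearing bookmark field while link-manager.php in this changeset now relies on `sanitize_bookmark()` display filters instead of calling clean_url() itself; extending the URL array to `'pre_link_rss', 'comment_url', 'link_url', 'link_image', 'link_rss');` keeps those values cleaned on output. The `bloginfo` ordering change (wp_specialchars now runs after wptexturize/convert_chars rather than before them, old line 4 versus new lines 45-50) looks intentional but deserves a one-line comment.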
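--- a/trunk/wp-includes/post.php
+++ b/trunk/wp-includes/post.php
@@ -478,5 +478,8 @@
     } else {
         // Use display filters by default.
-        $value = apply_filters("post_$field", $value, $post_id, $context);
+        if ( $prefixed )
+            $value = apply_filters($field, $value, $post_id, $context);
+        else
+            $value = apply_filters("post_$field", $value, $post_id, $context);
     }
 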
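Review bot: For a field that is already prefixed, the display hook fired here changes from `"post_$field"` (the only name that fired before, e.g. `post_post_title`) to the bare `$field`, so any plugin callback attached to the doubled name is silently unhooked; since these hooks are where output filtering happens, it deserves a `// BC: prefixed fields used to fire "post_$field"` comment and a mention in the commit message. `$prefixed` is computed outside the hunk, so its meaning is inferred from the name and should be confirmed; the enclosing function starts and ends outside the hunk.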
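--- a/trunk/wp-includes/taxonomy.php
+++ b/trunk/wp-includes/taxonomy.php
@@ -230,5 +230,5 @@
  *      might be inaccurate or wrong.
  */
-function &get_term(&$term, $taxonomy, $output = OBJECT) {
+function &get_term(&$term, $taxonomy, $output = OBJECT, $filter = 'raw') {
     global $wpdb;
 
@@ -252,4 +252,5 @@
     $_term = apply_filters('get_term', $_term, $taxonomy);
     $_term = apply_filters("get_$taxonomy", $_term, $taxonomy);
+    $_term = sanitize_term($_term, $taxonomy, $filter);
 
     if ( $output == OBJECT ) {
@@ -560,5 +561,5 @@
 
 function sanitize_term($term, $taxonomy, $context = 'display') {
-    $fields = array('term_id', 'name', 'description', 'slug', 'count', 'term_group');
+    $fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group');
 
     $do_object = false;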
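Review bot: `get_term()` gains a `$filter` argument but the docblock ending at the top of the hunk is not updated; I would add `@param string $filter Optional. Sanitization context passed to sanitize_term(); default 'raw'.` and note there that the `get_term` / `get_$taxonomy` filters now run before `sanitize_term()`, so callbacks on those hooks see unsanitized values and their output is then sanitized. Adding `'parent'` to sanitize_term()'s field list means every term it receives must now carry that key; a caller passing a partial term array would hit an undefined index — inferred, as the loop body is outside the hunk. Both get_term() and sanitize_term() continue past the end of the hunk.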