Changeset 5915

Timestamp:

08/22/2007 06:00:48 PM (18 years ago)

Author:

ryan

Message:

Sanitize a few options

Location:

branches/2.2

Files:

• wp-admin/options.php (modified) (1 diff)
• wp-includes/formatting.php (modified) (1 diff)

branches/2.2/wp-admin/options.php

@@ -10 +10 @@
 if ( !current_user_can('manage_options') )
     wp_die(__('Cheatin’ uh?'));
-
-function sanitize_option($option, $value) { // Remember to call stripslashes!
-
-    switch ($option) {
-        case 'admin_email':
-            $value = stripslashes($value);
-            $value = sanitize_email($value);
-            break;
-
-        case 'default_post_edit_rows':
-        case 'mailserver_port':
-        case 'comment_max_links':
-            $value = stripslashes($value);
-            $value = abs((int) $value);
-            break;
-
-        case 'posts_per_page':
-        case 'posts_per_rss':
-            $value = stripslashes($value);
-            $value = (int) $value;
-            if ( empty($value) ) $value = 1;
-            if ( $value < -1 ) $value = abs($value);
-            break;
-
-        case 'default_ping_status':
-        case 'default_comment_status':
-            $value = stripslashes($value);
-            // Options that if not there have 0 value but need to be something like "closed"
-            if ( $value == '0' || $value == '')
-                $value = 'closed';
-            break;
-
-        case 'blogdescription':
-        case 'blogname':
-            if (current_user_can('unfiltered_html') == false)
-                $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
-            $value = stripslashes($value);
-            break;
-
-        case 'blog_charset':
-            $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
-            break;
-
-        case 'date_format':
-        case 'time_format':
-        case 'mailserver_url':
-        case 'mailserver_login':
-        case 'mailserver_pass':
-        case 'ping_sites':
-        case 'upload_path':
-            $value = strip_tags($value);
-            $value = wp_filter_kses($value); // calls stripslashes then addslashes
-            $value = stripslashes($value);
-            break;
-
-        case 'gmt_offset':
-            $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
-            break;
-
-        case 'siteurl':
-        case 'home':
-            $value = stripslashes($value);
-            $value = clean_url($value);
-            break;
-        default :
-            $value = stripslashes($value);
-            break;
-    }
-
-    return $value;
-}
 
 switch($action) {

branches/2.2/wp-includes/formatting.php

@@ -1119 +1119 @@
 }
 
+function sanitize_option($option, $value) { // Remember to call stripslashes!
+
+    switch ($option) {
+        case 'admin_email':
+            $value = sanitize_email($value);
+            break;
+
+        case 'default_post_edit_rows':
+        case 'mailserver_port':
+        case 'comment_max_links':
+        case 'page_on_front':
+        case 'rss_excerpt_length':
+        case 'default_category':
+        case 'default_email_category':
+        case 'default_link_category':
+            $value = abs((int) $value);
+            break;
+
+        case 'posts_per_page':
+        case 'posts_per_rss':
+            $value = (int) $value;
+            if ( empty($value) ) $value = 1;
+            if ( $value < -1 ) $value = abs($value);
+            break;
+
+        case 'default_ping_status':
+        case 'default_comment_status':
+            // Options that if not there have 0 value but need to be something like "closed"
+            if ( $value == '0' || $value == '')
+                $value = 'closed';
+            break;
+
+        case 'blogdescription':
+        case 'blogname':
+            $value = addslashes($value);
+            $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
+            $value = stripslashes($value);
+            $value = wp_specialchars( $value );
+            break;
+
+        case 'blog_charset':
+            $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
+            break;
+
+        case 'date_format':
+        case 'time_format':
+        case 'mailserver_url':
+        case 'mailserver_login':
+        case 'mailserver_pass':
+        case 'ping_sites':
+        case 'upload_path':
+            $value = strip_tags($value);
+            $value = addslashes($value);
+            $value = wp_filter_kses($value); // calls stripslashes then addslashes
+            $value = stripslashes($value);
+            break;
+
+        case 'gmt_offset':
+            $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
+            break;
+
+        case 'siteurl':
+        case 'home':
+            $value = stripslashes($value);
+            $value = clean_url($value);
+            break;
+        default :
+            break;
+    }
+
+    return $value;
+}
+
 function wp_parse_str( $string, &$array ) {
     parse_str( $string, $array );