

Files:
3 edited

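--- a/branches/2.0/wp-admin/link-import.php
+++ b/branches/2.0/wp-admin/link-import.php
@@ -75,8 +75,7 @@
      <h2><?php _e('Importing...') ?></h2>
 <?php
-                $cat_id = $_POST['cat_id'];
-                if (($cat_id == '') || ($cat_id == 0)) {
-                    $cat_id  = 1;
-                }
+                $cat_id = abs( (int) $_POST['cat_id'] );
+                if ( $cat_id < 1 )
+                    $cat_id  = 1;
 
                 $opml_url = $_POST['opml_url'];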
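Review bot: The added `abs( (int) $_POST['cat_id'] )` reads the field without an existence check, so a POST that omits `cat_id` raises an undefined-index notice before the `< 1` guard falls back to 1; `$cat_id = isset( $_POST['cat_id'] ) ? abs( (int) $_POST['cat_id'] ) : 1;` gives the same result without the notice. The fallback to category 1 also presumes that category exists, which nothing in the hunk establishes. The enclosing `<?php` block continues past the hunk, and the adjacent context line still takes `$opml_url` straight from `$_POST`; that is outside this commit's change but deserves the same kind of validation before the value is used.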
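--- a/branches/2.0/wp-admin/options.php
+++ b/branches/2.0/wp-admin/options.php
@@ -152,8 +152,9 @@
 foreach ( (array) $options as $option) :
     $disabled = '';
+    $option->option_name = attribute_escape($option->option_name);
     if ( is_serialized($option->option_value) ) {
         if ( is_serialized_string($option->option_value) ) {
             // this is a serialized string, so we should display it
-            $value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
+            $value = maybe_unserialize($option->option_value);
             $options_to_update[] = $option->option_name;
             $class = 'all-options';
@@ -164,5 +165,5 @@
         }
     } else {
-        $value = wp_specialchars($option->option_value, 'single');
+        $value = $option->option_value;
         $options_to_update[] = $option->option_name;
         $class = 'all-options';
@@ -173,7 +174,7 @@
 <td>";
 
-    if (stristr($value, "\n")) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
-    else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
-    
+    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+    else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
+
     echo "</td>
     <td>$option->option_description</td>
@@ -183,5 +184,5 @@
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>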
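Review bot: `$option->option_description` in the `<td>` right after the rewritten echo lines is still emitted unescaped, while the same hunk now escapes `$value` at output; `<td>" . wp_specialchars($option->option_description) . "</td>` would make that cell consistent, assuming descriptions can ever come from an untrusted source, which the hunk does not show. The added `$option->option_name = attribute_escape(...)` overwrites the name in place, so everything later in the loop body, including the `page_options` round-trip that dropped its own `attribute_escape`, now sees the escaped form; a comment such as `// escaped once here; reused below as attribute value and in page_options` would record that this is deliberate. The foreach body begins and continues outside the visible hunks.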
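--- a/branches/2.0/wp-includes/functions.php
+++ b/branches/2.0/wp-includes/functions.php
@@ -300,4 +300,5 @@
 /* Options functions */
 
+// expects $setting to already be SQL-escaped
 function get_settings($setting) {
     global $wpdb;
@@ -377,12 +378,15 @@
 }
 
+// expects $option_name to NOT be SQL-escaped
 function update_option($option_name, $newvalue) {
     global $wpdb;
 
+    $safe_option_name = $wpdb->escape($option_name);
+
     if ( is_string($newvalue) )
         $newvalue = trim($newvalue);
 
     // If the new and old values are the same, no need to update.
-    $oldvalue = get_option($option_name);
+    $oldvalue = get_option($safe_option_name);
     if ( $newvalue == $oldvalue ) {
         return false;
@@ -417,9 +421,12 @@
 
 // thx Alex Stapleton, http://alex.vort-x.net/blog/
+// expects $name to NOT be SQL-escaped
 function add_option($name, $value = '', $description = '', $autoload = 'yes') {
     global $wpdb;
 
+    $safe_name = $wpdb->escape($name);
+
     // Make sure the option doesn't already exist
-    if ( false !== get_option($name) )
+    if ( false !== get_option($safe_name) )
         return;
 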
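Review bot: `$safe_option_name` and `$safe_name` are introduced for the `get_option()` lookups in `update_option` and `add_option`, but both function bodies continue past the hunks, so it is not visible whether the later INSERT/UPDATE statements also use the escaped copies; every SQL use of the name must take the `$safe_*` variable, while non-SQL uses (hooks, cache keys) should keep the raw argument. The contract is only recorded in `//` comments and differs between `get_settings` (pre-escaped) and `update_option`/`add_option` (raw); a one-line docblock such as `@param string $option_name Raw, un-escaped option name` on each function would make the difference harder to miss. A pre-escaped-argument contract on `get_settings` also means any caller that passes a raw name becomes an injection hazard, which argues for moving the escape into the callee in a follow-up.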