Index: wp-login.php =================================================================== --- wp-login.php (revision 23389) +++ wp-login.php (working copy) @@ -396,7 +396,7 @@ } // 10 days - setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH ); + setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH ); wp_safe_redirect( wp_get_referer() ); exit(); @@ -431,7 +431,7 @@ do_action('lost_password'); login_header(__('Lost Password'), '
', $errors); - $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : ''; + $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : ''; ?> Index: wp-comments-post.php =================================================================== --- wp-comments-post.php (revision 23389) +++ wp-comments-post.php (working copy) @@ -17,8 +17,10 @@ nocache_headers(); -$comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0; +$post_data = wp_unslash( $_POST ); +$comment_post_ID = isset($post_data['comment_post_ID']) ? (int) $post_data['comment_post_ID'] : 0; + $post = get_post($comment_post_ID); if ( empty($post->comment_status) ) { @@ -47,10 +49,10 @@ do_action('pre_comment_on_post', $comment_post_ID); } -$comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null; -$comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null; -$comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null; -$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null; +$comment_author = ( isset( $post_data['author'] ) ) ? trim( strip_tags( $post_data['author'] ) ) : null; +$comment_author_email = ( isset( $post_data['email'] ) ) ? trim( $post_data['email'] ) : null; +$comment_author_url = ( isset( $post_data['url'] ) ) ? trim( $post_data['url'] ) : null; +$comment_content = ( isset( $post_data['comment'] ) ) ? trim( $post_data['comment'] ) : null; // If the user is logged in $user = wp_get_current_user(); 
@@ -61,7 +63,7 @@ $comment_author_email = $wpdb->escape($user->user_email); $comment_author_url = $wpdb->escape($user->user_url); if ( current_user_can('unfiltered_html') ) { - if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { + if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $post_data['_wp_unfiltered_html_comment'] ) { kses_remove_filters(); // start with a clean slate kses_init_filters(); // set up the filters } @@ -83,7 +85,7 @@ if ( '' == $comment_content ) wp_die( __('ERROR: please type a comment.') ); -$comment_parent = isset($_POST['comment_parent']) ? absint($_POST['comment_parent']) : 0; +$comment_parent = isset($post_data['comment_parent']) ? absint($post_data['comment_parent']) : 0; $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID'); @@ -92,7 +94,7 @@ $comment = get_comment($comment_id); do_action('set_comment_cookies', $comment, $user); -$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id; +$location = empty($post_data['redirect_to']) ? get_comment_link($comment_id) : $post_data['redirect_to'] . '#comment-' . $comment_id; $location = apply_filters('comment_post_redirect', $location, $comment); wp_safe_redirect( $location ); Index: wp-includes/default-filters.php =================================================================== --- wp-includes/default-filters.php (revision 23389) +++ wp-includes/default-filters.php (working copy) 
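Review bot: The context lines `$comment_author_email = $wpdb->escape($user->user_email);` and `$comment_author_url = $wpdb->escape($user->user_url);` in this hunk still slash the logged-in author's fields, while the anonymous path now reads the unslashed `$post_data` and `wp_insert_comment()` (comment.php hunk further down in this patch) no longer runs `stripslashes_deep()` on its input. The ajax counterpart in this same patch replaces the equivalent three lines with plain `$user->display_name` / `$user->user_email` / `$user->user_url`, so wp-comments-post.php looks like the one caller left behind and would store backslash-escaped author data for logged-in commenters. Change them to `$comment_author_email = $user->user_email;` and `$comment_author_url = $user->user_url;`, and do the same for the `display_name` assignment that presumably sits just above this hunk.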
@@ -14,8 +14,8 @@ // Strip, trim, kses, special chars for string saves foreach ( array( 'pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target', 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name', 'pre_user_nickname' ) as $filter ) { - add_filter( $filter, 'sanitize_text_field' ); - add_filter( $filter, 'wp_filter_kses' ); + add_filter( $filter, 'sanitize_text_field' ); + add_filter( $filter, 'wp_kses_data' ); add_filter( $filter, '_wp_specialchars', 30 ); } @@ -31,22 +31,21 @@ // Kses only for textarea saves foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) { - add_filter( $filter, 'wp_filter_kses' ); + add_filter( $filter, 'wp_kses_data' ); } // Kses only for textarea admin displays if ( is_admin() ) { - foreach ( array( 'term_description', 'link_description', 'link_notes', 'user_description' ) as $filter ) { + foreach ( array( 'term_description', 'link_description', 'link_notes', 'user_description', 'comment_text' ) as $filter ) { add_filter( $filter, 'wp_kses_data' ); } - add_filter( 'comment_text', 'wp_kses_post' ); } // Email saves foreach ( array( 'pre_comment_author_email', 'pre_user_email' ) as $filter ) { add_filter( $filter, 'trim' ); add_filter( $filter, 'sanitize_email' ); - add_filter( $filter, 'wp_filter_kses' ); + add_filter( $filter, 'wp_kses_data' ); } // Email admin display Index: wp-includes/taxonomy.php =================================================================== --- wp-includes/taxonomy.php (revision 23389) +++ wp-includes/taxonomy.php (working copy) @@ -2061,10 +2061,6 @@ $args = sanitize_term($args, $taxonomy, 'db'); extract($args, EXTR_SKIP); - // expected_slashed ($name) - $name = stripslashes($name); - $description = stripslashes($description); - if ( empty($slug) ) $slug = sanitize_title($name); 
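Review bot: In the `@@ -31` hunk, adding `'comment_text'` to the `wp_kses_data` loop while dropping `add_filter( 'comment_text', 'wp_kses_post' );` changes which tags survive in the admin comment display, because the two helpers apply different allowed-tag sets (the 'post' set versus the default one); that is a behaviour change rather than a slashing fix. If narrowing the admin display is intended, a one-line comment in the loop such as `// comment_text deliberately uses the default (non-post) tag set here` would stop it being reverted as a mistake; otherwise keep the separate `add_filter( 'comment_text', 'wp_kses_post' );` line.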
@@ -2360,9 +2356,6 @@ if ( is_wp_error( $term ) ) return $term; - // Escape data pulled from DB. - $term = add_magic_quotes($term); - // Merge old and new args with new args overwriting old ones. $args = array_merge($term, $args); @@ -2371,10 +2364,6 @@ $args = sanitize_term($args, $taxonomy, 'db'); extract($args, EXTR_SKIP); - // expected_slashed ($name) - $name = stripslashes($name); - $description = stripslashes($description); - if ( '' == trim($name) ) return new WP_Error('empty_term_name', __('A name is required for this term')); Index: wp-includes/post.php =================================================================== --- wp-includes/post.php (revision 23389) +++ wp-includes/post.php (working copy) 
@@ -1742,17 +1742,41 @@
 * @link http://codex.wordpress.org/Function_Reference/add_post_meta
 *
 * @param int $post_id Post ID.
- * @param string $meta_key Metadata name.
- * @param mixed $meta_value Metadata value.
+ * @param string $meta_key Metadata name (expected slashed).
+ * @param mixed $meta_value Metadata value (expected slashed).
 * @param bool $unique Optional, default is false. Whether the same key should not be added.
 * @return bool False for failure. True for success.
 */
-function add_post_meta($post_id, $meta_key, $meta_value, $unique = false) {
+function add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) {
+ _deprecated_function( __FUNCTION__, '3.5', 'wp_add_post_meta() (expects unslashed data)' );
+
+ // expected slashed
+ $meta_key = stripslashes( $meta_key );
+ $meta_value = stripslashes_deep( $meta_value );
+
+ return wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique );
+}
+
+/**
+ * Add meta data field to a post.
+ *
+ * Post meta data is called "Custom Fields" on the Administration Screen.
+ *
+ * @since 3.6.0
+ * @link http://codex.wordpress.org/Function_Reference/wp_add_post_meta
+ *
+ * @param int $post_id Post ID.
+ * @param string $meta_key Metadata name (clean, slashes already stripped).
+ * @param mixed $meta_value Metadata value (clean, slashes already stripped).
+ * @param bool $unique Optional, default is false. Whether the same key should not be added.
+ * @return bool False for failure. True for success.
+ */
+function wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) {
 // make sure meta is added to the post, not a revision
- if ( $the_post = wp_is_post_revision($post_id) )
+ if ( $the_post = wp_is_post_revision( $post_id ) )
 $post_id = $the_post;
- return add_metadata('post', $post_id, $meta_key, $meta_value, $unique);
+ return add_metadata( 'post', $post_id, $meta_key, $meta_value, $unique );
 }
 /**
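Review bot: The new `_deprecated_function( __FUNCTION__, '3.5', ... )` call names version 3.5 while the replacement `wp_add_post_meta()` is documented `@since 3.6.0`, so the notice points users at a function that does not exist in the version it cites; the `update_post_meta()` hunk beginning on the next physical line has the same mismatch. The visible part of the retained `add_post_meta()` docblock also gains no `@deprecated` tag, so static tools and readers cannot tell it is now a compatibility wrapper. Suggest `_deprecated_function( __FUNCTION__, '3.6', 'wp_add_post_meta()' );` plus `@deprecated 3.6.0 Use wp_add_post_meta(), which expects unslashed data.` in its docblock, and the parallel change for `update_post_meta()`.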
@@ -1809,17 +1833,45 @@ * @link http://codex.wordpress.org/Function_Reference/update_post_meta * * @param int $post_id Post ID. - * @param string $meta_key Metadata key. - * @param mixed $meta_value Metadata value. + * @param string $meta_key Metadata key (expected slashed). + * @param mixed $meta_value Metadata value (expected slashed). * @param mixed $prev_value Optional. Previous value to check before removing. * @return bool False on failure, true if success. */ -function update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '') { +function update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) { + _deprecated_function( __FUNCTION__, '3.5', 'wp_update_post_meta() (expects unslashed data)' ); + + // expected slashed + $meta_key = stripslashes( $meta_key ); + $meta_value = stripslashes_deep( $meta_value ); + + return wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value ); +} + +/** + * Update post meta field based on post ID. + * + * Use the $prev_value parameter to differentiate between meta fields with the + * same key and post ID. + * + * If the meta field for the post does not exist, it will be added. + * + * @since 3.6.0 + * @uses $wpdb + * @link http://codex.wordpress.org/Function_Reference/wp_update_post_meta + * + * @param int $post_id Post ID. + * @param string $meta_key Metadata key (clean, slashes already stripped). + * @param mixed $meta_value Metadata value (clean, slashes already stripped). + * @param mixed $prev_value Optional. Previous value to check before removing. + * @return bool False on failure, true if success. 
+ */ +function wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) { // make sure meta is added to the post, not a revision - if ( $the_post = wp_is_post_revision($post_id) ) + if ( $the_post = wp_is_post_revision( $post_id ) ) $post_id = $the_post; - return update_metadata('post', $post_id, $meta_key, $meta_value, $prev_value); + return update_metadata( 'post', $post_id, $meta_key, $meta_value, $prev_value ); } /** @@ -2406,8 +2458,8 @@ do_action('wp_trash_post', $post_id); - add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']); - add_post_meta($post_id,'_wp_trash_meta_time', time()); + wp_add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']); + wp_add_post_meta($post_id,'_wp_trash_meta_time', time()); $post['post_status'] = 'trash'; wp_insert_post($post); @@ -2483,7 +2535,7 @@ $statuses = array(); foreach ( $comments as $comment ) $statuses[$comment->comment_ID] = $comment->comment_approved; - add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses); + wp_add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses); // Set status for all comments to post-trashed $result = $wpdb->update($wpdb->comments, array('comment_approved' => 'post-trashed'), array('comment_post_ID' => $post_id)); @@ -2859,10 +2911,8 @@ $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent); - // expected_slashed (everything!) $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) ); $data = apply_filters('wp_insert_post_data', $data, $postarr); - $data = stripslashes_deep( $data ); $where = array( 'ID' => $post_ID ); if ( $update ) { 
@@ -2875,7 +2925,7 @@ } } else { if ( isset($post_mime_type) ) - $data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update + $data['post_mime_type'] = $post_mime_type; // This isn't in the update // If there is a suggested ID, use it if not already present if ( !empty($import_id) ) { $import_id = (int) $import_id; @@ -2936,7 +2986,7 @@ else return 0; } - update_post_meta($post_ID, '_wp_page_template', $page_template); + wp_update_post_meta($post_ID, '_wp_page_template', $page_template); } wp_transition_post_status($data['post_status'], $previous_status, $post); @@ -2969,15 +3019,11 @@ if ( is_object($postarr) ) { // non-escaped post was passed $postarr = get_object_vars($postarr); - $postarr = add_magic_quotes($postarr); } // First, get all of the original fields $post = get_post($postarr['ID'], ARRAY_A); - // Escape data pulled from DB. - $post = add_magic_quotes($post); - // Passed post category list overwrites existing category list if not empty. if ( isset($postarr['post_category']) && is_array($postarr['post_category']) && 0 != count($postarr['post_category']) ) @@ -3962,7 +4008,6 @@ else $post_name = sanitize_title($post_name); - // expected_slashed ($post_name) $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent); if ( empty($post_date) ) @@ -4005,9 +4050,7 @@ if ( ! isset($pinged) ) $pinged = ''; - // expected_slashed (everything!) $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) ); - $data = stripslashes_deep( $data ); if ( $update ) { $wpdb->update( $wpdb->posts, $data, array( 'ID' => $post_ID ) ); 
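Review bot: In the `@@ -2969` hunk the context comment `// non-escaped post was passed` on the `is_object($postarr)` branch is now misleading: with the `add_magic_quotes($postarr)` line removed, array input is no longer slashed either, so the object/array distinction no longer says anything about slashing. Suggest `// object input: convert to an array; both forms are now expected unslashed`. The enclosing function begins before this hunk.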
@@ -4052,7 +4095,7 @@ clean_post_cache( $post_ID ); if ( ! empty( $context ) ) - add_post_meta( $post_ID, '_wp_attachment_context', $context, true ); + wp_add_post_meta( $post_ID, '_wp_attachment_context', $context, true ); if ( $update) { do_action('edit_attachment', $post_ID); @@ -4439,7 +4482,7 @@ // if we haven't added this old slug before, add it now if ( !empty( $post_before->post_name ) && !in_array($post_before->post_name, $old_slugs) ) - add_post_meta($post_id, '_wp_old_slug', $post_before->post_name); + wp_add_post_meta($post_id, '_wp_old_slug', $post_before->post_name); // if the new slug was used previously, delete it from the list if ( in_array($post->post_name, $old_slugs) ) @@ -4861,8 +4904,8 @@ return; if ( get_option('default_pingback_flag') ) - add_post_meta( $post_id, '_pingme', '1' ); - add_post_meta( $post_id, '_encloseme', '1' ); + wp_add_post_meta( $post_id, '_pingme', '1' ); + wp_add_post_meta( $post_id, '_encloseme', '1' ); wp_schedule_single_event(time(), 'do_pings'); } @@ -5088,7 +5131,6 @@ return new WP_Error( 'post_type', __( 'Cannot create a revision of a revision' ) ); $post = _wp_post_revision_fields( $post, $autosave ); - $post = add_magic_quotes($post); //since data is from db $revision_id = wp_insert_post( $post ); if ( is_wp_error($revision_id) ) @@ -5167,8 +5209,6 @@ $update['ID'] = $revision['post_parent']; - $update = add_magic_quotes( $update ); //since data is from db - $post_id = wp_update_post( $update ); if ( is_wp_error( $post_id ) ) return $post_id; 
@@ -5390,7 +5430,7 @@ $thumbnail_id = absint( $thumbnail_id ); if ( $post && $thumbnail_id && get_post( $thumbnail_id ) ) { if ( $thumbnail_html = wp_get_attachment_image( $thumbnail_id, 'thumbnail' ) ) - return update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id ); + return wp_update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id ); else return delete_post_meta( $post->ID, '_thumbnail_id' ); } Index: wp-includes/comment.php =================================================================== --- wp-includes/comment.php (revision 23389) +++ wp-includes/comment.php (working copy) 
@@ -633,22 +633,22 @@
 */
 function sanitize_comment_cookies() {
 if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
- $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
- $comment_author = stripslashes($comment_author);
+ $comment_author = stripslashes($_COOKIE['comment_author_'.COOKIEHASH]);
+ $comment_author = apply_filters('pre_comment_author_name', $comment_author);
 $comment_author = esc_attr($comment_author);
 $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
 }
 if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
- $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
- $comment_author_email = stripslashes($comment_author_email);
+ $comment_author_email = stripslashes($_COOKIE['comment_author_email_'.COOKIEHASH]);
+ $comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email);
 $comment_author_email = esc_attr($comment_author_email);
 $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
 }
 if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
- $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
- $comment_author_url = stripslashes($comment_author_url);
+ $comment_author_url = stripslashes($_COOKIE['comment_author_url_'.COOKIEHASH]);
+ $comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url);
 $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
 }
 }
@@ -670,11 +670,10 @@
 extract($commentdata, EXTR_SKIP);
 // Simple duplicate check
- // expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
- $dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
+ $dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", $comment_post_ID, $comment_parent, $comment_author );
 if ( $comment_author_email )
- $dupe .= "OR comment_author_email = '$comment_author_email' ";
- $dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
+ $dupe .= $wpdb->prepare( "OR comment_author_email = %s ", $comment_author_email );
+ $dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", $comment_content );
 if ( $wpdb->get_var($dupe) ) {
 do_action( 'comment_duplicate_trigger', $commentdata );
 if ( defined('DOING_AJAX') )
@@ -1262,7 +1261,7 @@
 */
 function wp_insert_comment($commentdata) {
 global $wpdb;
- extract(stripslashes_deep($commentdata), EXTR_SKIP);
+ extract($commentdata, EXTR_SKIP);
 if ( ! isset($comment_author_IP) ) $comment_author_IP = '';
@@ -1507,7 +1506,7 @@
 $commentarr = wp_filter_comment( $commentarr );
 // Now extract the merged array.
- extract(stripslashes_deep($commentarr), EXTR_SKIP);
+ extract($commentarr, EXTR_SKIP);
 $comment_content = apply_filters('comment_save_pre', $comment_content);
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php (revision 23389)
+++ wp-includes/functions.php (working copy)
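Review bot: In the rewritten duplicate check, `comment_parent = %s` binds a numeric column as a string while `comment_post_ID = %d` in the same statement binds as an integer; `$comment_parent` is produced with `absint()` in the wp-comments-post.php hunk of this same patch, so `%d` is the consistent placeholder and avoids a string compare against an integer column. The one-line change is `... AND comment_parent = %d AND ...` in the first `$wpdb->prepare()` call. The enclosing function begins before this hunk.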
@@ -468,7 +468,7 @@ } if ( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) { - add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" ); + wp_add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" ); } } } Index: wp-includes/user.php =================================================================== --- wp-includes/user.php (revision 23389) +++ wp-includes/user.php (working copy) @@ -1390,7 +1390,6 @@ } $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' ); - $data = stripslashes_deep( $data ); if ( $update ) { $wpdb->update( $wpdb->users, $data, compact( 'ID' ) ); @@ -1462,9 +1461,6 @@ $user[ $key ] = get_user_meta( $ID, $key, true ); } - // Escape data pulled from DB. - $user = add_magic_quotes( $user ); - // If password is changing, hash it now. if ( ! empty($userdata['user_pass']) ) { $plaintext_pass = $userdata['user_pass']; Index: wp-includes/class-wp-xmlrpc-server.php =================================================================== --- wp-includes/class-wp-xmlrpc-server.php (revision 23389) +++ wp-includes/class-wp-xmlrpc-server.php (working copy) 
@@ -276,21 +276,21 @@
 $post_id = (int) $post_id;
 foreach ( (array) $fields as $meta ) {
+ $meta['key'] = stripslashes( $meta['key'] );
+ $meta['value'] = stripslashes_deep( $meta['value'] );
 if ( isset($meta['id']) ) {
 $meta['id'] = (int) $meta['id'];
 $pmeta = get_metadata_by_mid( 'post', $meta['id'] );
 if ( isset($meta['key']) ) {
- $meta['key'] = stripslashes( $meta['key'] );
 if ( $meta['key'] != $pmeta->meta_key ) continue;
- $meta['value'] = stripslashes_deep( $meta['value'] );
 if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) ) update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
 } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
 delete_metadata_by_mid( 'post', $meta['id'] );
 }
 } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
- add_post_meta( $post_id, $meta['key'], $meta['value'] );
+ wp_add_post_meta( $post_id, $meta['key'], $meta['value'] );
 }
 }
 }
@@ -4316,7 +4316,7 @@
 }
 }
 if (!$found)
- add_post_meta( $post_ID, 'enclosure', $encstring );
+ wp_add_post_meta( $post_ID, 'enclosure', $encstring );
 }
 }
@@ -5274,7 +5274,6 @@
 // retain old cats
 $cats = wp_get_post_categories($post_ID);
 $postdata['post_category'] = $cats;
- $this->escape($postdata);
 $result = wp_update_post($postdata);
Index: wp-includes/formatting.php
===================================================================
--- wp-includes/formatting.php (revision 23389)
+++ wp-includes/formatting.php (working copy)
@@ -1716,10 +1716,7 @@
 * @return string Converted content.
 */
 function wp_rel_nofollow( $text ) {
- // This is a pre save filter, so text is already escaped.
- $text = stripslashes($text);
 $text = preg_replace_callback('||i', 'wp_rel_nofollow_callback', $text);
- $text = esc_sql($text);
 return $text;
 }
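Review bot: Moving `$meta['key'] = stripslashes( $meta['key'] );` and `$meta['value'] = stripslashes_deep( $meta['value'] );` to the top of the loop makes them run for entries that carry only an `id` (the delete branch), where neither index exists, so every such entry now raises undefined-index notices where the old placement inside `isset($meta['key'])` did not. The unchanged `elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) )` line also unslashes the key a second time, so a key containing a literal backslash is capability-checked under a different name than the one handed to `wp_add_post_meta()`. Guard the two new lines with `isset()` and drop the inner `stripslashes()` so the checked key and the stored key are the same string. The enclosing method begins before this hunk.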
@@ -3342,3 +3339,37 @@
 $urls_to_ping = implode( "\n", $urls_to_ping );
 return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
 }
+
+/**
+ * Slash a string or array of strings.
+ *
+ * This should be used only for GPC data.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to slash.
+ * @return string|array Slashed $value
+ */
+function wp_slash( $value ) {
+ if ( is_array( $value ) ) {
+ array_map( 'wp_slash', $value);
+ } else {
+ $value = addslashes( $value );
+ }
+
+ return $value;
+}
+
+/**
+ * Remove slashes a string or array of strings.
+ *
+ * This should be used for GPC data before passing it along to core API.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to unslash.
+ * @return string|array Unslashed $value
+ */
+function wp_unslash( $value ) {
+ return stripslashes_deep( $value );
+}
Index: wp-includes/kses.php
===================================================================
--- wp-includes/kses.php (revision 23389)
+++ wp-includes/kses.php (working copy)
@@ -1326,18 +1326,18 @@
 */
 function kses_init_filters() {
 // Normal filtering
- add_filter('title_save_pre', 'wp_filter_kses');
+ add_filter('title_save_pre', 'wp_kses_data');
 // Comment filtering
 if ( current_user_can( 'unfiltered_html' ) )
- add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+ add_filter( 'pre_comment_content', 'wp_kses_post' );
 else
- add_filter( 'pre_comment_content', 'wp_filter_kses' );
+ add_filter( 'pre_comment_content', 'wp_kses_data' );
 // Post filtering
- add_filter('content_save_pre', 'wp_filter_post_kses');
- add_filter('excerpt_save_pre', 'wp_filter_post_kses');
- add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
+ add_filter('content_save_pre', 'wp_kses_post');
+ add_filter('excerpt_save_pre', 'wp_kses_post');
+ add_filter('content_filtered_save_pre', 'wp_kses_post');
 }
 /**
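Review bot: In the new `wp_slash()`, `array_map( 'wp_slash', $value);` discards its return value, so an array argument is returned exactly as it came in — unslashed — while the docblock promises a slashed `$value`. Any caller relying on this helper to re-slash array data before handing it to code that still expects slashed input silently gets no slashing at all, which defeats the purpose of introducing the pair. The fix is `$value = array_map( 'wp_slash', $value );`.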
@@ -1354,16 +1354,16 @@
 */
 function kses_remove_filters() {
 // Normal filtering
- remove_filter('title_save_pre', 'wp_filter_kses');
+ remove_filter('title_save_pre', 'wp_kses_data');
 // Comment filtering
- remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
- remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+ remove_filter( 'pre_comment_content', 'wp_kses_post' );
+ remove_filter( 'pre_comment_content', 'wp_kses_data' );
 // Post filtering
- remove_filter('content_save_pre', 'wp_filter_post_kses');
- remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
- remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
+ remove_filter('content_save_pre', 'wp_kses_post');
+ remove_filter('excerpt_save_pre', 'wp_kses_post');
+ remove_filter('content_filtered_save_pre', 'wp_kses_post');
 }
 /**
Index: wp-includes/meta.php
===================================================================
--- wp-includes/meta.php (revision 23389)
+++ wp-includes/meta.php (working copy)
@@ -42,9 +42,6 @@
 $column = esc_sql($meta_type . '_id');
- // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
- $meta_value = stripslashes_deep($meta_value);
 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -113,10 +110,7 @@
 $column = esc_sql($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
- // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
 $passed_value = $meta_value;
- $meta_value = stripslashes_deep($meta_value);
 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
Index: wp-includes/nav-menu.php
===================================================================
--- wp-includes/nav-menu.php (revision 23389)
+++ wp-includes/nav-menu.php (working copy)
@@ -369,20 +369,20 @@ $menu_item_db_id = (int) $menu_item_db_id; - update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) ); - update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) ); - update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) ); - update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) ); - update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) ); $args['menu-item-classes'] = array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-classes'] ) ); $args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) ); - update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); - update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] ); - update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) ); if ( 0 == $menu_id ) - update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) 
time() ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() ); elseif ( get_post_meta( $menu_item_db_id, '_menu_item_orphaned' ) ) delete_post_meta( $menu_item_db_id, '_menu_item_orphaned' ); Index: wp-mail.php =================================================================== --- wp-mail.php (revision 23389) +++ wp-mail.php (working copy) @@ -202,7 +202,6 @@ $post_category = array(get_option('default_email_category')); $post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status'); - $post_data = add_magic_quotes($post_data); $post_ID = wp_insert_post($post_data); if ( is_wp_error( $post_ID ) ) Index: wp-trackback.php =================================================================== --- wp-trackback.php (revision 23389) +++ wp-trackback.php (working copy) @@ -45,9 +45,9 @@ $charset = isset($_POST['charset']) ? $_POST['charset'] : ''; // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding() -$title = isset($_POST['title']) ? stripslashes($_POST['title']) : ''; -$excerpt = isset($_POST['excerpt']) ? stripslashes($_POST['excerpt']) : ''; -$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name']) : ''; +$title = isset($_POST['title']) ? wp_unslash( $_POST['title'] ) : ''; +$excerpt = isset($_POST['excerpt']) ? wp_unslash( $_POST['excerpt'] ) : ''; +$blog_name = isset($_POST['blog_name']) ? wp_unslash( $_POST['blog_name'] ) : ''; if ($charset) $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) ); 
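Review bot: In the wp-trackback.php `@@ -45` hunk the context comment `// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()` no longer describes the code: the `@@ -64` hunk on the next physical line removes the `$wpdb->escape()` calls it refers to, so nothing is escaped afterwards. Replace it with something like `// Unslash these three before mb_convert_encoding() runs; downstream core APIs now expect unslashed data` so the next reader does not go looking for an escaping step that is gone.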
@@ -64,11 +64,6 @@ $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset); } -// Now that mb_convert_encoding() has been given a swing, we need to escape these three -$title = $wpdb->escape($title); -$excerpt = $wpdb->escape($excerpt); -$blog_name = $wpdb->escape($blog_name); - if ( is_single() || is_page() ) $tb_id = $posts[0]->ID; Index: wp-admin/edit-comments.php =================================================================== --- wp-admin/edit-comments.php (revision 23389) +++ wp-admin/edit-comments.php (working copy) @@ -95,7 +95,7 @@ wp_safe_redirect( $redirect_to ); exit; } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { - wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } 
@@ -153,7 +153,7 @@ echo __('Comments'); if ( isset($_REQUEST['s']) && $_REQUEST['s'] ) - printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '' ); ?> + printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '' ); ?> name ); if ( !current_user_can( $taxonomy->cap->edit_terms ) ) wp_die( -1 ); - $names = explode(',', $_POST['new'.$taxonomy->name]); - $parent = isset($_POST['new'.$taxonomy->name.'_parent']) ? (int) $_POST['new'.$taxonomy->name.'_parent'] : 0; + $names = explode(',', $post_data['new'.$taxonomy->name]); + $parent = isset($post_data['new'.$taxonomy->name.'_parent']) ? (int) $post_data['new'.$taxonomy->name.'_parent'] : 0; if ( 0 > $parent ) $parent = 0; if ( $taxonomy->name == 'category' ) - $post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array(); + $post_category = isset( $post_data['post_category'] ) ? (array) $post_data['post_category'] : array(); else - $post_category = ( isset($_POST['tax_input']) && isset($_POST['tax_input'][$taxonomy->name]) ) ? (array) $_POST['tax_input'][$taxonomy->name] : array(); + $post_category = ( isset( $post_data['tax_input'] ) && isset( $post_data['tax_input'][$taxonomy->name] ) ) ? (array) $post_data['tax_input'][$taxonomy->name] : array(); $checked_categories = array_map( 'absint', (array) $post_category ); $popular_ids = wp_popular_terms_checklist($taxonomy->name, 0, 10, false); @@ -559,7 +561,7 @@ check_ajax_referer( $action ); if ( !current_user_can( 'manage_categories' ) ) wp_die( -1 ); - $names = explode(',', $_POST['newcat']); + $names = explode( ',', wp_unslash( $_POST['newcat'] ) ); $x = new WP_Ajax_Response(); foreach ( $names as $cat_name ) { $cat_name = trim($cat_name); 
@@ -572,7 +574,7 @@ continue; else if ( is_array( $cat_id ) ) $cat_id = $cat_id['term_id']; - $cat_name = esc_html(stripslashes($cat_name)); + $cat_name = esc_html( wp_unslash( $cat_name ) ); $x->add( array( 'what' => 'link-category', 'id' => $cat_id, @@ -586,9 +588,11 @@ function wp_ajax_add_tag() { global $wp_list_table; + $post_data = wp_unslash( $_POST ); + check_ajax_referer( 'add-tag', '_wpnonce_add-tag' ); - $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post'; - $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; + $post_type = !empty($post_data['post_type']) ? $post_data['post_type'] : 'post'; + $taxonomy = !empty($post_data['taxonomy']) ? $post_data['taxonomy'] : 'post_tag'; $tax = get_taxonomy($taxonomy); if ( !current_user_can( $tax->cap->edit_terms ) ) @@ -596,7 +600,7 @@ $x = new WP_Ajax_Response(); - $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST ); + $tag = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data ); if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) { $message = __('An error has occurred. Please reload the page and try again.'); @@ -610,7 +614,7 @@ $x->send(); } - $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $_POST['screen'] ) ); + $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $post_data['screen'] ) ); $level = 0; if ( is_taxonomy_hierarchical($taxonomy) ) { 
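Review bot: `$cat_name` is unslashed twice on the changed line: the `@@ -559` hunk of this file builds `$names` from `wp_unslash( $_POST['newcat'] )`, and `$cat_name` comes from iterating `$names`, so `esc_html( wp_unslash( $cat_name ) )` strips a further level of backslashes. A category whose name contains a literal backslash is then reported back to the client differently from how it was stored. If both hunks belong to the same loop (the lines between them are not shown), the line should simply be `$cat_name = esc_html( $cat_name );`.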
@@ -728,10 +732,10 @@ $user = wp_get_current_user(); if ( $user->exists() ) { $user_ID = $user->ID; - $comment_author = $wpdb->escape($user->display_name); - $comment_author_email = $wpdb->escape($user->user_email); - $comment_author_url = $wpdb->escape($user->user_url); - $comment_content = trim($_POST['content']); + $comment_author = $user->display_name; + $comment_author_email = $user->user_email; + $comment_author_url = $user->user_url; + $comment_content = trim( wp_unslash( $_POST['content'] ) ); if ( current_user_can( 'unfiltered_html' ) ) { if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) { kses_remove_filters(); // start with a clean slate @@ -957,8 +961,8 @@ ) ); } else { // Update? $mid = (int) key( $_POST['meta'] ); - $key = stripslashes( $_POST['meta'][$mid]['key'] ); - $value = stripslashes( $_POST['meta'][$mid]['value'] ); + $key = wp_unslash( $_POST['meta'][$mid]['key'] ); + $value = wp_unslash( $_POST['meta'][$mid]['value'] ); if ( '' == trim($key) ) wp_die( __( 'Please provide a custom field name.' ) ); if ( '' == trim($value) ) @@ -1227,7 +1231,7 @@ $args = array(); if ( isset( $_POST['search'] ) ) - $args['s'] = stripslashes( $_POST['search'] ); + $args['s'] = wp_unslash( $_POST['search'] ); $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1; require(ABSPATH . WPINC . '/class-wp-editor.php'); @@ -1328,7 +1332,6 @@ $data = &$_POST; $post = get_post( $post_ID, ARRAY_A ); - $post = add_magic_quotes($post); //since it is from db $data['content'] = $post['post_content']; $data['excerpt'] = $post['post_excerpt']; @@ -1376,8 +1379,10 @@ global $wp_list_table; check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' ); + + $post_data = wp_unslash( $_POST ); - $taxonomy = sanitize_key( $_POST['taxonomy'] ); + $taxonomy = sanitize_key( $post_data['taxonomy'] ); $tax = get_taxonomy( $taxonomy ); if ( ! $tax ) wp_die( 0 ); 
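Review bot: The context line `if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] )` compares the nonce with loose `!=` and reads the index without `isset`; since both operands are strings, PHP compares them numerically whenever both look numeric, so a nonce of the form `0e…` followed by digits is equal to a posted `"0"`. That lets the unfiltered-HTML nonce be satisfied without knowing it for the small fraction of nonces that have that shape, for a user who already holds `unfiltered_html`. A strict comparison with a string cast closes it: `if ( ! isset( $_POST['_wp_unfiltered_html_comment'] ) || wp_create_nonce( 'unfiltered-html-comment' ) !== (string) $_POST['_wp_unfiltered_html_comment'] )`. The function continues below the hunk.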
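Review bot: After the `@@ -1328` hunk `$data` is still a reference to the slashed `$_POST`, while `$data['content']` and `$data['excerpt']` are now copied from the database unslashed, so the array handed on is in a mixed state. Whatever consumes `$data` below the hunk can be right for only one half; the post.php hunk in this patch shows `edit_post()` unslashing `$_POST` only when it is called without an argument, so if `$data` is passed to it the request-derived fields keep their slashes. Building it as `$data = wp_unslash( $_POST );` instead of taking a reference puts every element in the same form.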
@@ -1387,13 +1392,13 @@ $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) ); - if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) ) + if ( ! isset($post_data['tax_ID']) || ! ( $id = (int) $post_data['tax_ID'] ) ) wp_die( -1 ); $tag = get_term( $id, $taxonomy ); - $_POST['description'] = $tag->description; + $post_data['description'] = $tag->description; - $updated = wp_update_term($id, $taxonomy, $_POST); + $updated = wp_update_term($id, $taxonomy, $post_data ); if ( $updated && !is_wp_error($updated) ) { $tag = get_term( $updated['term_id'], $taxonomy ); if ( !$tag || is_wp_error( $tag ) ) { @@ -1425,7 +1430,7 @@ $post_types = get_post_types( array( 'public' => true ), 'objects' ); unset( $post_types['attachment'] ); - $s = stripslashes( $_POST['ps'] ); + $s = wp_unslash( $_POST['ps'] ); $searchand = $search = ''; $args = array( 'post_type' => array_keys( $post_types ), @@ -1596,7 +1601,7 @@ $post_id = null; } - $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array(); + $post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( $_REQUEST['post_data'] ) : array(); // If the context is custom header or background, make sure the uploaded file is an image. if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) { 
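Review bot: On the changed line `$post_data['description'] = $tag->description;` runs before anything checks that `get_term()` returned a term; for an unknown `tax_ID` it returns null (or a WP_Error), so this reads a property of a non-object and then calls `wp_update_term()` with an id that does not exist. Inserting `if ( ! $tag || is_wp_error( $tag ) ) wp_die( -1 );` between the `get_term()` call and this line fails early with the same response the other guards in this function use. The function starts in the previous hunk.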
@@ -1630,10 +1635,10 @@ if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) { if ( 'custom-background' === $post_data['context'] ) - update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] ); + wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] ); if ( 'custom-header' === $post_data['context'] ) - update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] ); + wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] ); } if ( ! $attachment = wp_prepare_attachment_for_js( $attachment_id ) ) @@ -1778,7 +1783,7 @@ wp_die( 0 ); $new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1]; - update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) ); + wp_update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) ); wp_die( 1 ); } @@ -1873,7 +1878,7 @@ if ( ! current_user_can( 'edit_post', $id ) ) wp_send_json_error(); - $changes = $_REQUEST['changes']; + $changes = wp_unslash( $_REQUEST['changes'] ); $post = get_post( $id, ARRAY_A ); if ( 'attachment' != $post['post_type'] ) @@ -1890,10 +1895,10 @@ if ( isset( $changes['alt'] ) ) { $alt = get_post_meta( $id, '_wp_attachment_image_alt', true ); - $new_alt = stripslashes( $changes['alt'] ); + $new_alt = $changes['alt']; if ( $alt != $new_alt ) { $new_alt = wp_strip_all_tags( $new_alt, true ); - update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) ); + wp_update_post_meta( $id, '_wp_attachment_image_alt', $new_alt ); } } @@ -1915,7 +1920,7 @@ if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) ) wp_send_json_error(); - $attachment_data = $_REQUEST['attachments'][ $id ]; + $attachment_data = wp_unslash( $_REQUEST['attachments'][ $id ] ); check_ajax_referer( 'update-post_' . $id, 'nonce' ); 
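Review bot: The changed line in the `@@ -1778` hunk passes a fourth argument, the previously observed lock value, to `wp_update_post_meta()`, and the lock refresh is only correct if that compare-and-set semantics survives the rename; the wrapper's definition is not part of this patch. If `wp_update_post_meta()` does not accept and forward `$prev_value`, two editors racing on the same post will both believe they hold the lock. Please confirm the signature, and add `// compare-and-set: only replace the lock this request observed` above the call so the purpose of the fourth argument is not lost.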
@@ -1959,7 +1964,7 @@ check_ajax_referer( 'update-post_' . $post_id, 'nonce' ); - $attachments = $_REQUEST['attachments']; + $attachments = wp_unslash( $_REQUEST['attachments'] ); if ( ! current_user_can( 'edit_post', $post_id ) ) wp_send_json_error(); @@ -1990,7 +1995,7 @@ function wp_ajax_send_attachment_to_editor() { check_ajax_referer( 'media-send-to-editor', 'nonce' ); - $attachment = stripslashes_deep( $_POST['attachment'] ); + $attachment = wp_unslash( $_POST['attachment'] ); $id = intval( $attachment['id'] ); @@ -2045,7 +2050,7 @@ function wp_ajax_send_link_to_editor() { check_ajax_referer( 'media-send-to-editor', 'nonce' ); - if ( ! $src = stripslashes( $_POST['src'] ) ) + if ( ! $src = wp_unslash( $_POST['src'] ) ) wp_send_json_error(); if ( ! strpos( $src, '://' ) ) @@ -2054,7 +2059,7 @@ if ( ! $src = esc_url_raw( $src ) ) wp_send_json_error(); - if ( ! $title = trim( stripslashes( $_POST['title'] ) ) ) + if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) ) $title = wp_basename( $src ); $html = ''; @@ -2083,7 +2088,7 @@ $screen_id = 'site'; if ( ! empty($_POST['data']) ) { - $data = (array) $_POST['data']; + $data = wp_unslash( (array) $_POST['data'] ); // todo: how much to sanitize and preset and what to leave to be accessed from $data or $_POST..? $user = wp_get_current_user(); $data['user_id'] = $user->exists() ? $user->ID : 0; Index: wp-admin/includes/post.php =================================================================== --- wp-admin/includes/post.php (revision 23389) +++ wp-admin/includes/post.php (working copy) @@ -149,8 +149,9 @@ */ function edit_post( $post_data = null ) { - if ( empty($post_data) ) - $post_data = &$_POST; + if ( empty($post_data) ) { + $post_data = stripslashes_deep( $_POST ); + } // Clear out any data in internal vars. unset( $post_data['filter'] ); 
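Review bot: The meaning of `edit_post()`'s `$post_data` parameter changes on the added lines of the post.php hunk without the docblock saying so: previously the default and any caller-supplied array were both slashed, now the default is an unslashed copy of `$_POST` while a caller-supplied array is used as-is, so a caller still passing slashed data (a reference to `$_POST`, say) will get slashes written into the post. The docblock is above the hunk; it should state `@param array $post_data Optional. Unslashed post data; defaults to an unslashed copy of $_POST.`. The rest of the patch uses `wp_unslash()`; `stripslashes_deep()` here behaves the same but the inconsistency invites a future mismatch. The function body continues below the hunk.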
@@ -241,7 +242,7 @@ add_meta( $post_ID ); - update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); + wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); wp_update_post( $post_data ); @@ -559,7 +560,7 @@ } // Create the post. - $post_ID = wp_insert_post( $_POST ); + $post_ID = wp_insert_post( stripslashes_deep( $_POST ) ); if ( is_wp_error( $post_ID ) ) return $post_ID; @@ -568,7 +569,7 @@ add_meta( $post_ID ); - add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); + wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); // Now that we have an ID we can fix any attachment anchor hrefs _fix_attachment_links( $post_ID ); @@ -612,9 +613,9 @@ global $wpdb; $post_ID = (int) $post_ID; - $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; - $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; - $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : ''; + $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : ''; + $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : ''; + $metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : ''; if ( is_string( $metavalue ) ) $metavalue = trim( $metavalue ); @@ -633,7 +634,7 @@ $metakey = esc_sql( $metakey ); - return add_post_meta( $post_ID, $metakey, $metavalue ); + return wp_add_post_meta( $post_ID, $metakey, $metavalue ); } return false; 
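Review bot: The changed `$metavalue` line in the `@@ -612` hunk calls `trim()` on `$_POST['metavalue']` before the `is_string()` guard that the next two context lines still perform, so an array value, which that guard exists for, now reaches `trim()` and is turned into null with a warning. Keep only the unslash and let the existing guard do the trimming: `$metavalue = isset($_POST['metavalue']) ? wp_unslash( $_POST['metavalue'] ) : '';`. Whether the two key fields can also be arrays is not visible here.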
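Review bot: `$metakey = esc_sql( $metakey );` on the context line just above the changed call in the `@@ -633` hunk is a slashing step left over from when `add_post_meta()` expected slashed input; if `wp_add_post_meta()` is the unslashed-input variant this patch introduces, a meta key containing a quote or backslash is now stored with an extra backslash. Either drop the `esc_sql()` line or confirm that the new function still expects slashed keys. The function starts in the previous hunk.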
@@ -706,14 +707,11 @@ * @since 1.2.0 * * @param unknown_type $meta_id - * @param unknown_type $meta_key Expect Slashed - * @param unknown_type $meta_value Expect Slashed + * @param unknown_type $meta_key + * @param unknown_type $meta_value * @return unknown */ function update_meta( $meta_id, $meta_key, $meta_value ) { - $meta_key = stripslashes( $meta_key ); - $meta_value = stripslashes_deep( $meta_value ); - return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key ); } @@ -767,8 +765,6 @@ if ( $replace ) { $post['post_content'] = $content; - // Escape data pulled from DB. - $post = add_magic_quotes($post); return wp_update_post($post); } @@ -1179,7 +1175,7 @@ $now = time(); $lock = "$now:$user_id"; - update_post_meta( $post->ID, '_edit_lock', $lock ); + wp_update_post_meta( $post->ID, '_edit_lock', $lock ); return array( $now, $user_id ); } Index: wp-admin/includes/misc.php =================================================================== --- wp-admin/includes/misc.php (revision 23389) +++ wp-admin/includes/misc.php (working copy) @@ -323,8 +323,8 @@ if ( !$user = wp_get_current_user() ) return; - $option = $_POST['wp_screen_options']['option']; - $value = $_POST['wp_screen_options']['value']; + $option = stripslashes( $_POST['wp_screen_options']['option'] ); + $value = stripslashes_deep( $_POST['wp_screen_options']['value'] ); if ( $option != sanitize_key( $option ) ) return; Index: wp-admin/includes/comment.php =================================================================== --- wp-admin/includes/comment.php (revision 23389) +++ wp-admin/includes/comment.php (working copy) @@ -19,9 +19,6 @@ function comment_exists($comment_author, $comment_date) { global $wpdb; - $comment_author = stripslashes($comment_author); - $comment_date = stripslashes($comment_date); - return $wpdb->get_var( $wpdb->prepare("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_author = %s AND comment_date = %s", $comment_author, $comment_date) ); } 
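Review bot: Removing the two `stripslashes()` calls in the comment.php hunk flips `comment_exists()` from accepting slashed arguments to requiring unslashed ones, and nothing in the hunk records that. A caller that still passes request data straight through (importers commonly do) will now compare a backslash-bearing author name against the database and fail to detect the duplicate. Add `@param string $comment_author Unslashed author name.` and `@param string $comment_date Unslashed comment date.` to the docblock above, and audit the callers in the same patch.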
@@ -33,38 +30,40 @@
 */
 function edit_comment() {
- if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
+ $post_data = stripslashes_deep( $_POST );
+
+ if ( ! current_user_can( 'edit_comment', (int) $post_data['comment_ID'] ) )
 wp_die ( __( 'You are not allowed to edit comments on this post.' ) );
- $_POST['comment_author'] = $_POST['newcomment_author'];
- $_POST['comment_author_email'] = $_POST['newcomment_author_email'];
- $_POST['comment_author_url'] = $_POST['newcomment_author_url'];
- $_POST['comment_approved'] = $_POST['comment_status'];
- $_POST['comment_content'] = $_POST['content'];
- $_POST['comment_ID'] = (int) $_POST['comment_ID'];
+ $post_data['comment_author'] = $post_data['newcomment_author'];
+ $post_data['comment_author_email'] = $post_data['newcomment_author_email'];
+ $post_data['comment_author_url'] = $post_data['newcomment_author_url'];
+ $post_data['comment_approved'] = $post_data['comment_status'];
+ $post_data['comment_content'] = $post_data['content'];
+ $post_data['comment_ID'] = (int) $post_data['comment_ID'];
 foreach ( array ('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit ) {
- if ( !empty( $_POST['hidden_' . $timeunit] ) && $_POST['hidden_' . $timeunit] != $_POST[$timeunit] ) {
+ if ( !empty( $post_data['hidden_' . $timeunit] ) && $post_data['hidden_' . $timeunit] != $post_data[$timeunit] ) {
 $_POST['edit_date'] = '1';
 break;
 }
 }
- if ( !empty ( $_POST['edit_date'] ) ) {
- $aa = $_POST['aa'];
- $mm = $_POST['mm'];
- $jj = $_POST['jj'];
- $hh = $_POST['hh'];
- $mn = $_POST['mn'];
- $ss = $_POST['ss'];
+ if ( !empty ( $post_data['edit_date'] ) ) {
+ $aa = $post_data['aa'];
+ $mm = $post_data['mm'];
+ $jj = $post_data['jj'];
+ $hh = $post_data['hh'];
+ $mn = $post_data['mn'];
+ $ss = $post_data['ss'];
 $jj = ($jj > 31 ) ? 31 : $jj;
 $hh = ($hh > 23 ) ? $hh -24 : $hh;
 $mn = ($mn > 59 ) ? $mn -60 : $mn;
 $ss = ($ss > 59 ) ?
$ss -60 : $ss;
- $_POST['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss";
+ $post_data['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss";
 }
- wp_update_comment( $_POST );
+ wp_update_comment( $post_data );
 }
 /**
Index: wp-admin/includes/image-edit.php
===================================================================
--- wp-admin/includes/image-edit.php (revision 23389)
+++ wp-admin/includes/image-edit.php (working copy)
@@ -533,7 +533,7 @@
 }
 }
- if ( !wp_update_attachment_metadata($post_id, $meta) || !update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) {
+ if ( !wp_update_attachment_metadata($post_id, $meta) || !wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) {
 $msg->error = __('Cannot save image metadata.');
 return $msg;
 }
@@ -699,7 +699,7 @@
 if ( $success ) {
 wp_update_attachment_metadata( $post_id, $meta );
- update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes);
+ wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes);
 if ( $target == 'thumbnail' || $target == 'all' || $target == 'full' ) {
 // Check if it's an image edit from attachment edit screen
Index: wp-admin/includes/user.php
===================================================================
--- wp-admin/includes/user.php (revision 23389)
+++ wp-admin/includes/user.php (working copy)
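Review bot: The date-change detection in `edit_comment()` is broken by this hunk: inside the `foreach`, the unchanged context line `$_POST['edit_date'] = '1';` still sets the flag on `$_POST`, but the test just below it was changed to `if ( !empty ( $post_data['edit_date'] ) )`, and `$post_data` is a copy taken at the top of the function. A changed year, month, day, hour or minute therefore no longer rebuilds `comment_date` unless the form also posted `edit_date` explicitly. The line should read `$post_data['edit_date'] = '1';`. The hunk begins on the previous line.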
@@ -38,18 +38,21 @@
 } else {
 $update = false;
 }
+
+ // get clean data before we get started.
+ $post_data = stripslashes_deep( $_POST );
- if ( !$update && isset( $_POST['user_login'] ) )
- $user->user_login = sanitize_user($_POST['user_login'], true);
+ if ( !$update && isset( $post_data['user_login'] ) )
+ $user->user_login = sanitize_user($post_data['user_login'], true);
 $pass1 = $pass2 = '';
- if ( isset( $_POST['pass1'] ))
- $pass1 = $_POST['pass1'];
- if ( isset( $_POST['pass2'] ))
- $pass2 = $_POST['pass2'];
+ if ( isset( $post_data['pass1'] ))
+ $pass1 = $post_data['pass1'];
+ if ( isset( $post_data['pass2'] ))
+ $pass2 = $post_data['pass2'];
- if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
- $new_role = sanitize_text_field( $_POST['role'] );
+ if ( isset( $post_data['role'] ) && current_user_can( 'edit_users' ) ) {
+ $new_role = sanitize_text_field( $post_data['role'] );
 $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
 // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
 // Multisite super admins can freely edit their blog roles -- they possess all caps.
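Review bot: `$pass1` and `$pass2` now come from `stripslashes_deep( $_POST )` instead of raw `$_POST`, so for a password containing a quote or backslash the bytes handed to the user setter change with this patch; whether that is a fix or a regression depends on what `wp_insert_user()`, `wp_update_user()` and the login path do with slashes, none of which is visible here. Please confirm that authentication unslashes the submitted password identically, otherwise accounts whose passwords were set before this change and contain such characters can no longer log in. A comment above the `$pass1` assignment recording the intended form, such as `// passwords are handed on unslashed; the login path must see the same bytes`, would keep the next reader from re-introducing the mismatch. The function's head is above the hunk.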
@@ -62,44 +65,44 @@ wp_die(__('You can’t give users that role.')); } - if ( isset( $_POST['email'] )) - $user->user_email = sanitize_text_field( $_POST['email'] ); - if ( isset( $_POST['url'] ) ) { - if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { + if ( isset( $post_data['email'] )) + $user->user_email = sanitize_text_field( $post_data['email'] ); + if ( isset( $post_data['url'] ) ) { + if ( empty ( $post_data['url'] ) || $post_data['url'] == 'http://' ) { $user->user_url = ''; } else { - $user->user_url = esc_url_raw( $_POST['url'] ); + $user->user_url = esc_url_raw( $post_data['url'] ); $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) ); $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url; } } - if ( isset( $_POST['first_name'] ) ) - $user->first_name = sanitize_text_field( $_POST['first_name'] ); - if ( isset( $_POST['last_name'] ) ) - $user->last_name = sanitize_text_field( $_POST['last_name'] ); - if ( isset( $_POST['nickname'] ) ) - $user->nickname = sanitize_text_field( $_POST['nickname'] ); - if ( isset( $_POST['display_name'] ) ) - $user->display_name = sanitize_text_field( $_POST['display_name'] ); + if ( isset( $post_data['first_name'] ) ) + $user->first_name = sanitize_text_field( $post_data['first_name'] ); + if ( isset( $post_data['last_name'] ) ) + $user->last_name = sanitize_text_field( $post_data['last_name'] ); + if ( isset( $post_data['nickname'] ) ) + $user->nickname = sanitize_text_field( $post_data['nickname'] ); + if ( isset( $post_data['display_name'] ) ) + $user->display_name = sanitize_text_field( $post_data['display_name'] ); - if ( isset( $_POST['description'] ) ) - $user->description = trim( $_POST['description'] ); + if ( isset( $post_data['description'] ) ) + $user->description = trim( $post_data['description'] ); foreach ( _wp_get_user_contactmethods( $user ) as $method => $name ) { - if ( isset( $_POST[$method] )) - 
$user->$method = sanitize_text_field( $_POST[$method] ); + if ( isset( $post_data[$method] )) + $user->$method = sanitize_text_field( $post_data[$method] ); } if ( $update ) { - $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true'; - $user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh'; - $user->show_admin_bar_front = isset( $_POST['admin_bar_front'] ) ? 'true' : 'false'; + $user->rich_editing = isset( $post_data['rich_editing'] ) && 'false' == $post_data['rich_editing'] ? 'false' : 'true'; + $user->admin_color = isset( $post_data['admin_color'] ) ? sanitize_text_field( $post_data['admin_color'] ) : 'fresh'; + $user->show_admin_bar_front = isset( $post_data['admin_bar_front'] ) ? 'true' : 'false'; } - $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : ''; + $user->comment_shortcuts = isset( $post_data['comment_shortcuts'] ) && 'true' == $post_data['comment_shortcuts'] ? 'true' : ''; $user->use_ssl = 0; - if ( !empty($_POST['use_ssl']) ) + if ( !empty($post_data['use_ssl']) ) $user->use_ssl = 1; $errors = new WP_Error(); @@ -134,7 +137,7 @@ if ( !empty( $pass1 ) ) $user->user_pass = $pass1; - if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) ) + if ( !$update && isset( $post_data['user_login'] ) && !validate_username( $post_data['user_login'] ) ) $errors->add( 'user_login', __( 'ERROR: This username is invalid because it uses illegal characters. Please enter a valid username.' )); if ( !$update && username_exists( $user->user_login ) ) 
@@ -159,7 +162,7 @@ $user_id = wp_update_user( $user ); } else { $user_id = wp_insert_user( $user ); - wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' ); + wp_new_user_notification( $user_id, isset($post_data['send_password']) ? $pass1 : '' ); } return $user_id; } Index: wp-admin/includes/media.php =================================================================== --- wp-admin/includes/media.php (revision 23389) +++ wp-admin/includes/media.php (working copy) @@ -444,6 +444,8 @@ } if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) { + $attachment = stripslashes_deep( $attachment ); + $post = $_post = get_post($attachment_id, ARRAY_A); $post_type_object = get_post_type_object( $post[ 'post_type' ] ); @@ -468,10 +470,9 @@ if ( isset($attachment['image_alt']) ) { $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true); - if ( $image_alt != stripslashes($attachment['image_alt']) ) { - $image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true ); - // update_meta expects slashed - update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) ); + if ( $image_alt != $attachment['image_alt'] ) { + $image_alt = wp_strip_all_tags( $attachment['image_alt'], true ); + wp_update_post_meta( $attachment_id, '_wp_attachment_image_alt', $image_alt ); } } Index: wp-admin/edit-tags.php =================================================================== --- wp-admin/edit-tags.php (revision 23389) +++ wp-admin/edit-tags.php (working copy) @@ -47,7 +47,9 @@ if ( !current_user_can( $tax->cap->edit_terms ) ) wp_die( __( 'Cheatin’ uh?' ) ); - $ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST ); + $post_data = wp_unslash( $_POST ); + + $ret = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data ); $location = 'edit-tags.php?taxonomy=' . $taxonomy; if ( 'post' != $post_type ) $location .= '&post_type=' . $post_type; 
@@ -132,7 +134,10 @@ break; case 'editedtag': - $tag_ID = (int) $_POST['tag_ID']; + + $post_data = wp_unslash( $_POST ); + + $tag_ID = (int) $post_data['tag_ID']; check_admin_referer( 'update-tag_' . $tag_ID ); if ( !current_user_can( $tax->cap->edit_terms ) ) @@ -142,7 +147,7 @@ if ( ! $tag ) wp_die( __( 'You attempted to edit an item that doesn’t exist. Perhaps it was deleted?' ) ); - $ret = wp_update_term( $tag_ID, $taxonomy, $_POST ); + $ret = wp_update_term( $tag_ID, $taxonomy, $post_data ); $location = 'edit-tags.php?taxonomy=' . $taxonomy; if ( 'post' != $post_type ) @@ -164,7 +169,7 @@ default: if ( ! empty($_REQUEST['_wp_http_referer']) ) { - $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ); + $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ); if ( ! empty( $_REQUEST['paged'] ) ) $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] ); @@ -264,8 +269,8 @@
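Review bot: On the context line right after the changed one in the `@@ -164` hunk, `$location = add_query_arg( 'paged', (int) $_REQUEST['paged'] );` discards the `$location` just computed: with no third argument `add_query_arg()` operates on the current request URI, so the `_wp_http_referer`/`_wpnonce` stripping on the changed line never reaches the redirect whenever `paged` is set. It should be `$location = add_query_arg( 'paged', (int) $_REQUEST['paged'], $location );`. The `default:` branch continues below the hunk.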