From 0dba5eddcfa2e26c178b1b09a341b566cb44f675 Mon Sep 17 00:00:00 2001
From: westi <westi@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Sat, 20 Jun 2009 17:42:24 +0000
Subject: [PATCH] Introduce _deep_replace() and use it to improve the stripping
 of percent encoded values from urls. Fixes #10226 for trunk.

git-svn-id: http://svn.automattic.com/wordpress/trunk@11615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/theme-editor.php  |  4 ++--
 wp-includes/formatting.php | 33 +++++++++++++++++++++++++++++++--
 wp-includes/pluggable.php  | 13 ++-----------
 3 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php
index db79d786ea..15d418359e 100644
--- a/wp-admin/theme-editor.php
+++ b/wp-admin/theme-editor.php
@@ -65,8 +65,8 @@ case 'update':
 	}
 
 	$location = wp_kses_no_null($location);
-	$strip = array('%0d', '%0a');
-	$location = str_replace($strip, '', $location);
+	$strip = array('%0d', '%0a', '%0D', '%0A');
+	$location = _deep_replace($strip, $location);
 	header("Location: $location");
 	exit();
 
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 26bfc694e0..7c42bbf210 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2042,8 +2042,8 @@ function clean_url( $url, $protocols = null, $context = 'display' ) {
 
 	if ('' == $url) return $url;
 	$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
-	$strip = array('%0d', '%0a');
-	$url = str_replace($strip, '', $url);
+	$strip = array('%0d', '%0a', '%0D', '%0A');
+	$url = _deep_replace($strip, $url);
 	$url = str_replace(';//', '://', $url);
 	/* If the URL doesn't appear to contain a scheme, we
 	 * presume it needs http:// appended (unless a relative
@@ -2067,6 +2067,35 @@ function clean_url( $url, $protocols = null, $context = 'display' ) {
 	return apply_filters('clean_url', $url, $original_url, $context);
 }
 
+/**
+ * Perform a deep string replace operation to ensure the values in $search are no longer present
+ * 
+ * Repeats the replacement operation until it no longer replaces anything so as to remove "nested" values
+ * e.g. $subject = '%0%0%0DDD', $search ='%0D', $result ='' rather than the '%0%0DD' that
+ * str_replace would return
+ * 
+ * @since 2.8.1
+ * @access private
+ * 
+ * @param string|array $search
+ * @param string $subject
+ * @return string The processed string
+ */
+function _deep_replace($search, $subject){
+	$found = true;
+	while($found) {
+		$found = false;
+		foreach( (array) $search as $val ) {
+			while(strpos($subject, $val) !== false) {
+				$found = true;
+				$subject = str_replace($val, '', $subject);
+			}
+		}
+	}
+	
+	return $subject;
+}
+
 /**
  * Escapes data for use in a MySQL query
  *
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 4132cc90ab..128d2dca75 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -880,17 +880,8 @@ function wp_sanitize_redirect($location) {
 	$location = wp_kses_no_null($location);
 
 	// remove %0d and %0a from location
-	$strip = array('%0d', '%0a');
-	$found = true;
-	while($found) {
-		$found = false;
-		foreach( (array) $strip as $val ) {
-			while(strpos($location, $val) !== false) {
-				$found = true;
-				$location = str_replace($val, '', $location);
-			}
-		}
-	}
+	$strip = array('%0d', '%0a', '%0D', '%0A');
+	$location = _deep_replace($strip, $location);
 	return $location;
 }
 endif;