Introduce sanitise_css_classname() and use it to give categories, tags, users etc meaningful classnames where possible. Falls back to the id if not. Fixes #8446.

git-svn-id: http://svn.automattic.com/wordpress/trunk@11433 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-19 19:42:36 +02:00 · 2009-05-22 17:44:26 +00:00 · 2009-05-22 17:44:26 +00:00 · 108f7c1063
commit 108f7c1063
parent aaa2d89183
3 changed files with 31 additions and 8 deletions
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@ -294,7 +294,7 @@ function get_comment_class( $class = '', $comment_id = null, $post_id = null ) {
 	if ( $comment->user_id > 0 && $user = get_userdata($comment->user_id) ) {
 		// For all registered users, 'byuser'
 		$classes[] = 'byuser';
-		$classes[] = 'comment-author-' . $comment->user_id;
+		$classes[] = 'comment-author-' . sanitise_css_classname($user->user_nicename, $comment->user_id);
 		// For comment authors who are the author of the post
 		if ( $post = get_post($post_id) ) {
 			if ( $comment->user_id === $post->post_author )
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -718,6 +718,29 @@ function sanitize_sql_orderby( $orderby ){
 	return $orderby;
 }

+/**
+ * Santises a css classname to ensure it only contains valid characters
+ * 
+ * Strips the classname down to A-Z,a-z,0-9,'-' if this results in an empty
+ * string then it will return the alternative value supplied.
+ *  
+ * @param string $classname The classname to be sanitised
+ * @param string $alternative The value to return if the sanitisation end's up as an empty string.
+ * @return string The sanitised value
+ */
+function sanitise_css_classname($classname, $alternative){
+	//Strip out any % encoded octets
+	$sanitised = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname);
+	
+	//Limit to A-Z,a-z,0-9,'-'
+	$sanitised = preg_replace('/[^A-Za-z0-9-]/', '', $sanitised);
+	
+	if ('' == $sanitised)
+		$sanitised = $alternative;
+	
+	return apply_filters('sanitise_css_classname',$sanitised, $classname, $alternative);	
+}
+
 /**
 * Converts a number of characters from a string.
 *
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@ -324,16 +324,16 @@ function get_post_class( $class = '', $post_id = null ) {

 	// Categories
 	foreach ( (array) get_the_category($post->ID) as $cat ) {
-		if ( empty($cat->cat_ID ) )
+		if ( empty($cat->slug ) )
 			continue;
-		$classes[] = 'category-' . $cat->cat_ID;
+		$classes[] = 'category-' . sanitise_css_classname($cat->slug, $cat->cat_ID);
 	}

 	// Tags
 	foreach ( (array) get_the_tags($post->ID) as $tag ) {
-		if ( empty($tag->term_id ) )
+		if ( empty($tag->slug ) )
 			continue;
-		$classes[] = 'tag-' . $tag->term_id;
+		$classes[] = 'tag-' . sanitise_css_classname($tag->slug, $tag->term_id);
 	}

 	if ( !empty($class) ) {
@ -407,15 +407,15 @@ function get_body_class( $class = '' ) {
 		if ( is_author() ) {
 			$author = $wp_query->get_queried_object();
 			$classes[] = 'author';
-			$classes[] = 'author-' . $author->user_id;
+			$classes[] = 'author-' . sanitise_css_classname($author->user_nicename , $author->user_id);
 		} elseif ( is_category() ) {
 			$cat = $wp_query->get_queried_object();
 			$classes[] = 'category';
-			$classes[] = 'category-' . $cat->cat_ID;
+			$classes[] = 'category-' . sanitise_css_classname($cat->slug, $cat->cat_ID);
 		} elseif ( is_tag() ) {
 			$tags = $wp_query->get_queried_object();
 			$classes[] = 'tag';
-			$classes[] = 'tag-' . $tags->term_id;
+			$classes[] = 'tag-' . sanitise_css_classname($tags->slug, $tags->term_id);
 		}
 	} elseif ( is_page() ) {
 		$classes[] = 'page';