From 108f7c10639918129d291ef09dff8e44f53b1c85 Mon Sep 17 00:00:00 2001 From: westi Date: Fri, 22 May 2009 17:44:26 +0000 Subject: [PATCH] Introduce sanitise_css_classname() and use it to give categories, tags, users etc meaningful classnames where possible. Falls back to the id if not. Fixes #8446. git-svn-id: http://svn.automattic.com/wordpress/trunk@11433 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/comment-template.php | 2 +- wp-includes/formatting.php | 23 +++++++++++++++++++++++ wp-includes/post-template.php | 14 +++++++------- 3 files changed, 31 insertions(+), 8 deletions(-) diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php index 92e0cf1888..2e4cdaaf38 100644 --- a/wp-includes/comment-template.php +++ b/wp-includes/comment-template.php @@ -294,7 +294,7 @@ function get_comment_class( $class = '', $comment_id = null, $post_id = null ) { if ( $comment->user_id > 0 && $user = get_userdata($comment->user_id) ) { // For all registered users, 'byuser' $classes[] = 'byuser'; - $classes[] = 'comment-author-' . $comment->user_id; + $classes[] = 'comment-author-' . sanitise_css_classname($user->user_nicename, $comment->user_id); // For comment authors who are the author of the post if ( $post = get_post($post_id) ) { if ( $comment->user_id === $post->post_author ) diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index f69dc4f0c4..409930a071 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -718,6 +718,29 @@ function sanitize_sql_orderby( $orderby ){ return $orderby; } +/** + * Santises a css classname to ensure it only contains valid characters + * + * Strips the classname down to A-Z,a-z,0-9,'-' if this results in an empty + * string then it will return the alternative value supplied. + * + * @param string $classname The classname to be sanitised + * @param string $alternative The value to return if the sanitisation end's up as an empty string. + * @return string The sanitised value + */ +function sanitise_css_classname($classname, $alternative){ + //Strip out any % encoded octets + $sanitised = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname); + + //Limit to A-Z,a-z,0-9,'-' + $sanitised = preg_replace('/[^A-Za-z0-9-]/', '', $sanitised); + + if ('' == $sanitised) + $sanitised = $alternative; + + return apply_filters('sanitise_css_classname',$sanitised, $classname, $alternative); +} + /** * Converts a number of characters from a string. * diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php index 35c374e9e1..4afad533b5 100644 --- a/wp-includes/post-template.php +++ b/wp-includes/post-template.php @@ -324,16 +324,16 @@ function get_post_class( $class = '', $post_id = null ) { // Categories foreach ( (array) get_the_category($post->ID) as $cat ) { - if ( empty($cat->cat_ID ) ) + if ( empty($cat->slug ) ) continue; - $classes[] = 'category-' . $cat->cat_ID; + $classes[] = 'category-' . sanitise_css_classname($cat->slug, $cat->cat_ID); } // Tags foreach ( (array) get_the_tags($post->ID) as $tag ) { - if ( empty($tag->term_id ) ) + if ( empty($tag->slug ) ) continue; - $classes[] = 'tag-' . $tag->term_id; + $classes[] = 'tag-' . sanitise_css_classname($tag->slug, $tag->term_id); } if ( !empty($class) ) { @@ -407,15 +407,15 @@ function get_body_class( $class = '' ) { if ( is_author() ) { $author = $wp_query->get_queried_object(); $classes[] = 'author'; - $classes[] = 'author-' . $author->user_id; + $classes[] = 'author-' . sanitise_css_classname($author->user_nicename , $author->user_id); } elseif ( is_category() ) { $cat = $wp_query->get_queried_object(); $classes[] = 'category'; - $classes[] = 'category-' . $cat->cat_ID; + $classes[] = 'category-' . sanitise_css_classname($cat->slug, $cat->cat_ID); } elseif ( is_tag() ) { $tags = $wp_query->get_queried_object(); $classes[] = 'tag'; - $classes[] = 'tag-' . $tags->term_id; + $classes[] = 'tag-' . sanitise_css_classname($tags->slug, $tags->term_id); } } elseif ( is_page() ) { $classes[] = 'page';