From 15a06a35ab053cf9e161d9539e31f6fe17f7b5ed Mon Sep 17 00:00:00 2001 From: Ryan Boren Date: Sun, 3 Mar 2013 16:30:38 +0000 Subject: [PATCH] Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes(). see #WP21767 git-svn-id: http://core.svn.wordpress.org/trunk@23591 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/user-new.php | 4 ++-- wp-admin/users.php | 8 ++++---- wp-includes/class-wp-customize-manager.php | 2 +- wp-includes/class-wp-customize-setting.php | 2 +- wp-includes/class-wp-xmlrpc-server.php | 14 +++++++------- wp-includes/comment.php | 10 +++++----- wp-includes/cron.php | 2 +- wp-includes/feed.php | 2 +- wp-includes/formatting.php | 4 ++-- wp-includes/meta.php | 12 ++++++------ wp-includes/ms-files.php | 2 +- 11 files changed, 31 insertions(+), 31 deletions(-) diff --git a/wp-admin/user-new.php b/wp-admin/user-new.php index c834273550..2934cb63de 100644 --- a/wp-admin/user-new.php +++ b/wp-admin/user-new.php @@ -116,7 +116,7 @@ Please click the following link to confirm the invite: if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) { $add_user_errors = $user_details[ 'errors' ]; } else { - $new_user_login = apply_filters('pre_user_login', sanitize_user(stripslashes($_REQUEST['user_login']), true)); + $new_user_login = apply_filters('pre_user_login', sanitize_user(wp_unslash($_REQUEST['user_login']), true)); if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email } @@ -309,7 +309,7 @@ foreach ( array( 'user_login' => 'login', 'first_name' => 'firstname', 'last_nam $var = "new_user_$var"; if( isset( $_POST['createuser'] ) ) { if ( ! isset($$var) ) - $$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : ''; + $$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : ''; } else { $$var = false; } 
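Review bot: On the `$$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : ''` line, `wp_unslash()` recurses into arrays whereas PHP's `stripslashes()` does not accept one (it warns and yields null), so a field submitted as `new_user_email[]=x` now lands in `$new_user_email` as an array instead of an empty value. Whatever consumes these variables after the loop is outside the hunk and presumably expects strings, so I would reject non-strings at this point: `$$var = isset( $_POST[$post_field] ) && is_string( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : '';`. The same applies to `wp_unslash( $_REQUEST['user_login'] )` in the first hunk, where an array would flow straight into `sanitize_user()`. The enclosing `foreach` begins before this hunk.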
diff --git a/wp-admin/users.php b/wp-admin/users.php index d6fef420c8..e807487a57 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php @@ -64,9 +64,9 @@ get_current_screen()->set_help_sidebar( ); if ( empty($_REQUEST) ) { - $referer = ''; + $referer = ''; } elseif ( isset($_REQUEST['wp_http_referer']) ) { - $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer'])); + $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash( $_REQUEST['wp_http_referer'] ) ); $referer = ''; } else { $redirect = 'users.php'; @@ -357,7 +357,7 @@ break; default: if ( !empty($_GET['_wp_http_referer']) ) { - wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']))); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } @@ -381,7 +381,7 @@ default: case 'add': if ( isset( $_GET['id'] ) && ( $user_id = $_GET['id'] ) && current_user_can( 'edit_user', $user_id ) ) { $messages[] = '
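Review bot: `$redirect` is never assigned in the `empty($_REQUEST)` branch of the `if`/`elseif`/`else` shown here (only `$referer` is), so a later use of `$redirect` on an empty request reads an undefined variable; the whitespace-only change to that line is a good moment to add `$redirect = 'users.php';` next to `$referer = '';`. Separately, the `elseif` branch builds the redirect target from the client-supplied `wp_http_referer` parameter, which is only safe if the eventual redirect goes through the host-validating `wp_safe_redirect()`; that call is outside this hunk and worth confirming. The `else` branch continues past the hunk.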
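Review bot: The `wp_redirect( remove_query_arg( ..., wp_unslash( $_SERVER['REQUEST_URI'] ) ) )` line in the `default:` case sends the browser to a path the client itself supplied; web servers pass `REQUEST_URI` through verbatim, so a request line beginning with `//host/...` would yield a protocol-relative `Location:` unless `wp_redirect()`'s sanitizer strips the leading slashes, which is outside this diff and should be confirmed. Since the intent is to reload the same admin page, `wp_safe_redirect()` states that intent and closes the question: `wp_safe_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );`. The surrounding `switch` starts before the hunk.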

' . sprintf( __( 'New user created. Edit user' ), - esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), + esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '

'; } else { $messages[] = '

' . __( 'New user created.' ) . '

'; diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php index 4be338969a..1e41e8fafc 100644 --- a/wp-includes/class-wp-customize-manager.php +++ b/wp-includes/class-wp-customize-manager.php @@ -310,7 +310,7 @@ final class WP_Customize_Manager { public function post_value( $setting ) { if ( ! isset( $this->_post_values ) ) { if ( isset( $_POST['customized'] ) ) - $this->_post_values = json_decode( stripslashes( $_POST['customized'] ), true ); + $this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true ); else $this->_post_values = false; } diff --git a/wp-includes/class-wp-customize-setting.php b/wp-includes/class-wp-customize-setting.php index dd49f79f26..c8542efefa 100644 --- a/wp-includes/class-wp-customize-setting.php +++ b/wp-includes/class-wp-customize-setting.php @@ -144,7 +144,7 @@ class WP_Customize_Setting { * @return mixed Null if an input isn't valid, otherwise the sanitized value. */ public function sanitize( $value ) { - $value = stripslashes_deep( $value ); + $value = wp_unslash( $value ); return apply_filters( "customize_sanitize_{$this->id}", $value, $this ); } diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php index c55fbeebdc..e17a3b58d7 100644 --- a/wp-includes/class-wp-xmlrpc-server.php +++ b/wp-includes/class-wp-xmlrpc-server.php 
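Review bot: `( $user_id = $_GET['id'] )` in the `case 'add':` branch assigns the raw query value, so a non-numeric `id` reaches both `current_user_can( 'edit_user', $user_id )` and the `user-edit.php?user_id=` link; casting at the assignment, `( $user_id = (int) $_GET['id'] )`, keeps the truthiness test and removes the ambiguity. `esc_url()` already covers the link output, and `urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) )` is consistent with the rest of the commit. The `$messages` handling around this branch continues outside the hunk.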
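Review bot: In `post_value()`, the result of `json_decode( wp_unslash( $_POST['customized'] ), true )` is stored unchecked, so malformed JSON (or an array-valued `customized`, which `wp_unslash()` now passes through and `json_decode()` rejects) leaves `$this->_post_values` as `null`; because the guard is `! isset( $this->_post_values )`, that null is indistinguishable from "not yet decoded" and the decode is repeated on every call. Normalize failure to the `false` sentinel the `else` branch already uses, e.g. `if ( ! is_array( $this->_post_values ) ) $this->_post_values = false;` directly after the decode. The remainder of `post_value()` is outside the hunk.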
@@ -280,16 +280,16 @@ class wp_xmlrpc_server extends IXR_Server { $meta['id'] = (int) $meta['id']; $pmeta = get_metadata_by_mid( 'post', $meta['id'] ); if ( isset($meta['key']) ) { - $meta['key'] = stripslashes( $meta['key'] ); + $meta['key'] = wp_unslash( $meta['key'] ); if ( $meta['key'] != $pmeta->meta_key ) continue; - $meta['value'] = stripslashes_deep( $meta['value'] ); + $meta['value'] = wp_unslash( $meta['value'] ); if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) ) update_metadata_by_mid( 'post', $meta['id'], $meta['value'] ); } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) { delete_metadata_by_mid( 'post', $meta['id'] ); } - } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) { + } elseif ( current_user_can( 'add_post_meta', $post_id, wp_unslash( $meta['key'] ) ) ) { add_post_meta( $post_id, $meta['key'], $meta['value'] ); } } @@ -3746,9 +3746,9 @@ class wp_xmlrpc_server extends IXR_Server { $categories = implode(',', wp_get_post_categories($post_ID)); - $content = ''.stripslashes($post_data['post_title']).''; + $content = ''.wp_unslash($post_data['post_title']).''; $content .= ''.$categories.''; - $content .= stripslashes($post_data['post_content']); + $content .= wp_unslash($post_data['post_content']); $struct = array( 'userid' => $post_data['post_author'], @@ -3800,9 +3800,9 @@ class wp_xmlrpc_server extends IXR_Server { $post_date = $this->_convert_date( $entry['post_date'] ); $categories = implode(',', wp_get_post_categories($entry['ID'])); - $content = ''.stripslashes($entry['post_title']).''; + $content = ''.wp_unslash($entry['post_title']).''; $content .= ''.$categories.''; - $content .= stripslashes($entry['post_content']); + $content .= wp_unslash($entry['post_content']); $struct[] = array( 'userid' => $entry['post_author'], diff --git a/wp-includes/comment.php b/wp-includes/comment.php index 7ad081d8a6..e1c3509b47 100644 --- a/wp-includes/comment.php 
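Review bot: `$pmeta = get_metadata_by_mid( 'post', $meta['id'] )` is dereferenced as `$pmeta->meta_key` in both the update and delete branches without checking that a row was found, and the key comparison `$meta['key'] != $pmeta->meta_key` is loose, so numeric-looking keys compare by value (`'1'` passes against a stored `'01'`). I would add `if ( ! $pmeta ) continue;` right after the lookup and change the test to `if ( $meta['key'] !== $pmeta->meta_key ) continue;`, so the capability checks that follow are always made against an existing, exactly-matching key. The enclosing method starts before the hunk; only the class header is visible in the hunk context.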
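Review bot: In the `@@ -3746` hunk, `wp_unslash()` is applied to `$post_data['post_title']` and `$post_data['post_content']`, which appear to come from a fetched post rather than from the request; if those values are stored unslashed, as database reads normally are, this strips every backslash a user legitimately wrote into the post, and the old `stripslashes()` did the same. Where `$post_data` is loaded is above the hunk, so please confirm whether it is slashed at that point; if it is not, the unslash calls should simply be dropped. The same construction is repeated in the `@@ -3800` hunk for `$entry`.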
+++ b/wp-includes/comment.php
@@ -634,21 +634,21 @@ function wp_set_comment_cookies($comment, $user) {
 function sanitize_comment_cookies() {
 if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
 $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
- $comment_author = stripslashes($comment_author);
+ $comment_author = wp_unslash($comment_author);
 $comment_author = esc_attr($comment_author);
 $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
 }
 if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
 $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
- $comment_author_email = stripslashes($comment_author_email);
+ $comment_author_email = wp_unslash($comment_author_email);
 $comment_author_email = esc_attr($comment_author_email);
 $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
 }
 if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
 $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
- $comment_author_url = stripslashes($comment_author_url);
+ $comment_author_url = wp_unslash($comment_author_url);
 $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
 }
 }
@@ -1262,7 +1262,7 @@ function wp_get_current_commenter() {
 */
 function wp_insert_comment($commentdata) {
 global $wpdb;
- extract(stripslashes_deep($commentdata), EXTR_SKIP);
+ extract(wp_unslash($commentdata), EXTR_SKIP);
 if ( ! isset($comment_author_IP) )
 $comment_author_IP = '';
@@ -1502,7 +1502,7 @@ function wp_update_comment($commentarr) {
 $commentarr = wp_filter_comment( $commentarr );
 // Now extract the merged array.
- extract(stripslashes_deep($commentarr), EXTR_SKIP);
+ extract(wp_unslash($commentarr), EXTR_SKIP);
 $comment_content = apply_filters('comment_save_pre', $comment_content);
diff --git a/wp-includes/cron.php
index 4e469a051c..6668dc546e 100644
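Review bot: In `sanitize_comment_cookies()` the name and email cookies are written back through `esc_attr()` but the URL cookie is written back raw after `wp_unslash()`, so anything reading `$_COOKIE['comment_author_url_' . COOKIEHASH]` must still escape it for its context; a comment above that branch, `// Not escaped here: callers must apply esc_url()/esc_attr() at output`, would make the asymmetry deliberate rather than accidental. Note also that the `pre_comment_author_*` filters run before `wp_unslash()` and therefore see slashed values; if the filters registered elsewhere expect unslashed input, the two lines should be swapped, which cannot be decided from this hunk.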
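Review bot: `extract(wp_unslash($commentdata), EXTR_SKIP)` in `wp_insert_comment()` turns every key of the caller-supplied array into a local variable; `EXTR_SKIP` protects `$wpdb` and `$commentdata` themselves, but any other key becomes a local that the rest of the function (outside the hunk) may read, which is why the very next line has to probe `isset($comment_author_IP)`. Pulling the fields out explicitly, e.g. `$data = wp_unslash( $commentdata );` followed by `$comment_author_IP = isset( $data['comment_author_IP'] ) ? $data['comment_author_IP'] : '';`, keeps the set of variables fixed and makes the defaults visible. The `wp_update_comment()` hunk below repeats the same pattern on `$commentarr`.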
--- a/wp-includes/cron.php
+++ b/wp-includes/cron.php
@@ -230,7 +230,7 @@ function spawn_cron( $gmt_time = 0 ) {
 set_transient( 'doing_cron', $doing_wp_cron );
 ob_start();
- wp_redirect( add_query_arg('doing_wp_cron', $doing_wp_cron, stripslashes($_SERVER['REQUEST_URI'])) );
+ wp_redirect( add_query_arg( 'doing_wp_cron', $doing_wp_cron, wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 echo ' ';
 // flush any buffers and send the headers
diff --git a/wp-includes/feed.php
index 678717352e..c0b2440825 100644
--- a/wp-includes/feed.php
+++ b/wp-includes/feed.php
@@ -488,7 +488,7 @@ function prep_atom_text_construct($data) {
 */
 function self_link() {
 $host = @parse_url(home_url());
- echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . stripslashes( $_SERVER['REQUEST_URI'] ) ) ) );
+ echo esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
 }
 /**
diff --git a/wp-includes/formatting.php
index 659b689c8e..93e6e0d1c1 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1423,7 +1423,7 @@ function addslashes_gpc($gpc) {
 if ( get_magic_quotes_gpc() )
 $gpc = stripslashes($gpc);
- return esc_sql($gpc);
+ return wp_slash($gpc);
 }
 /**
@@ -1719,7 +1719,7 @@ function wp_rel_nofollow( $text ) {
 // This is a pre save filter, so text is already escaped.
 $text = stripslashes($text);
 $text = preg_replace_callback('||i', 'wp_rel_nofollow_callback', $text);
- $text = esc_sql($text);
+ $text = wp_slash($text);
 return $text;
 }
diff --git a/wp-includes/meta.php
index 9db1de30cc..5b615d0e5e 100644
--- a/wp-includes/meta.php
+++ b/wp-includes/meta.php
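Review bot: The redirect target in `spawn_cron()`'s alternate path is `wp_unslash( $_SERVER['REQUEST_URI'] )`, a client-controlled path handed to `wp_redirect()` rather than `wp_safe_redirect()`; a request line starting with `//` would produce a protocol-relative `Location:` unless the redirect sanitizer strips it, and that sanitizer is outside this diff. Since the purpose is to re-enter the current request with `doing_wp_cron` appended, `wp_safe_redirect()` expresses exactly that and is a one-token change on the `+` line. The function continues past the hunk.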
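Review bot: `self_link()` rebuilds the URL from `$host['host']` alone, so a `home_url()` carrying a non-default port loses it, and the `@` on `parse_url()` hides the case where parsing fails and `$host['host']` is undefined, leaving `http://` followed directly by the request path. Use the parsed port when present and drop the suppression: `$host = parse_url( home_url() );` then `$port = isset( $host['port'] ) ? ':' . $host['port'] : '';` and concatenate `$host['host'] . $port` in front of the unslashed `REQUEST_URI`. `esc_url()` on the output is right and unchanged.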
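Review bot: `addslashes_gpc()` now returns `wp_slash($gpc)` where it returned `esc_sql($gpc)`, and those are not interchangeable for SQL: `wp_slash()` is, as its name suggests, plain slash-adding, while `esc_sql()` presumably goes through the database driver's charset-aware escaping, so the change is only safe if every caller treats the result as "slashed" transport data that the DB layer escapes again before a query. That is the WordPress convention, but a docblock line such as `@return string Slashed value; NOT SQL-escaped, pass through $wpdb->prepare() before use in a query.` would stop someone reading the old name literally. Two smaller points: the context line `$gpc = stripslashes($gpc);` (and `$text = stripslashes($text);` in the next hunk) still calls `stripslashes()` despite the commit's stated aim, and the commit message says `wp_slash()` replaces `add_magic_quotes()` whereas in both formatting.php hunks it replaces `esc_sql()`.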
@@ -43,8 +43,8 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
 $column = esc_sql($meta_type . '_id');
 // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
- $meta_value = stripslashes_deep($meta_value);
+ $meta_key = wp_unslash($meta_key);
+ $meta_value = wp_unslash($meta_value);
 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -114,9 +114,9 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
+ $meta_key = wp_unslash($meta_key);
 $passed_value = $meta_value;
- $meta_value = stripslashes_deep($meta_value);
+ $meta_value = wp_unslash($meta_value);
 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
@@ -196,8 +196,8 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
 $type_column = esc_sql($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
- $meta_value = stripslashes_deep($meta_value);
+ $meta_key = wp_unslash($meta_key);
+ $meta_value = wp_unslash($meta_value);
 $check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );
 if ( null !== $check )
diff --git a/wp-includes/ms-files.php
index 100ba2c6d1..5f969bf456 100644
--- a/wp-includes/ms-files.php
+++ b/wp-includes/ms-files.php
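Review bot: The comment `// expected_slashed ($meta_key)` in `add_metadata()` is incomplete next to the two lines that follow it, which unslash both `$meta_key` and `$meta_value`; a reader following the comment would slash only the key. Update it to `// expected_slashed ($meta_key, $meta_value)` here and in the `update_metadata()` and `delete_metadata()` hunks below, which carry the same comment and the same pair of unslash calls. In `update_metadata()` the pre-unslash copy `$passed_value = $meta_value;` is kept and presumably consumed after the hunk, so it still carries slashed data; a short note on that line would save the next reader the same question.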
@@ -58,7 +58,7 @@ header( 'ETag: ' . $etag );
 header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' );
 // Support for Conditional GET
-$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
+$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
 if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
 $_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
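Review bot: `$client_etag` is the raw `If-None-Match` header after `wp_unslash()`, and clients normally send that value quoted (sometimes with a `W/` weak prefix), so the comparison against `$etag` that presumably follows this hunk only matches if `$etag` is emitted in exactly the same form; if it is not, normalize before comparing, e.g. `$client_etag = trim( preg_replace( '#^W/#', '', $client_etag ), '"' );`. Unslashing a `$_SERVER` entry is consistent with the rest of the commit and presumably relies on WordPress slashing `$_SERVER` at bootstrap. The comparison itself is outside this hunk.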