Delay Trackback data escaping until after mb_convert_encoding(). Props to Stefan Esser.

git-svn-id: http://svn.automattic.com/wordpress/branches/2.0@4677 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-trackback.php

@@ -30,11 +30,13 @@ if ( !$_GET['tb_id'] ) {
 	$tb_id = intval( $tb_id[ count($tb_id) - 1 ] );
 }
 
-$tb_url    = $_POST['url'];
-$title     = $_POST['title'];
-$excerpt   = $_POST['excerpt'];
-$blog_name = $_POST['blog_name'];
-$charset   = $_POST['charset'];
+$tb_url  = $_POST['url'];
+$charset = $_POST['charset'];
+
+// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
+$title     = stripslashes($_POST['title']);
+$excerpt   = stripslashes($_POST['excerpt']);
+$blog_name = stripslashes($_POST['blog_name']);
 
 if ($charset)
 	$charset = strtoupper( trim($charset) );
@@ -42,11 +44,16 @@ else
 	$charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
 
 if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
-	$title     = mb_convert_encoding($title, get_settings('blog_charset'), $charset);
-	$excerpt   = mb_convert_encoding($excerpt, get_settings('blog_charset'), $charset);
-	$blog_name = mb_convert_encoding($blog_name, get_settings('blog_charset'), $charset);
+	$title     = mb_convert_encoding($title, get_option('blog_charset'), $charset);
+	$excerpt   = mb_convert_encoding($excerpt, get_option('blog_charset'), $charset);
+	$blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
 }
 
+// Now that mb_convert_encoding() has been given a swing, we need to escape these three
+$title     = $wpdb->escape($title);
+$excerpt   = $wpdb->escape($excerpt);
+$blog_name = $wpdb->escape($blog_name);
+
 if ( is_single() || is_page() ) 
     $tb_id = $posts[0]->ID;