Grouped backports to the 3.9 branch.

- Query: Improve sanitization within `WP_Tax_Query`. - Upgrade/Install: Avoid using `unserialize()` unnecessarily. - Formatting: Correctly encode ASCII characters in post slugs. Merges [52454,52456-52457] to the 3.9 branch. Props vortfu, dd32, ehtis, zieladam, whyisjake, xknown, peterwilsoncc, desrosj, iandunn. Built from https://develop.svn.wordpress.org/branches/3.9@52484 git-svn-id: http://core.svn.wordpress.org/branches/3.9@52076 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-11-10 21:00:59 +01:00 · 2022-01-06 18:26:33 +00:00 · 2022-01-06 18:26:33 +00:00 · 42d50b9cc7
commit 42d50b9cc7
parent 175a54e643
4 changed files with 18 additions and 8 deletions
--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@ -1057,8 +1057,8 @@ function upgrade_280() {
 		$start = 0;
 		while( $rows = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options ORDER BY option_id LIMIT $start, 20" ) ) {
 			foreach( $rows as $row ) {
-				$value = $row->option_value;
-				if ( !@unserialize( $value ) )
+				$value = maybe_unserialize( $row->option_value );
+				if ( $value === $row->option_value )
 					$value = stripslashes( $value );
 				if ( $value !== $row->option_value ) {
 					update_option( $row->option_name, $value );
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -735,12 +735,14 @@ function wp_check_invalid_utf8( $string, $strip = false ) {
 * Encode the Unicode values to be used in the URI.
 *
 * @since 1.5.0
+ * @since 5.8.3 Added the `encode_ascii_characters` parameter.
 *
 * @param string $utf8_string
 * @param int $length Max length of the string
+ * @param bool   $encode_ascii_characters Whether to encode ascii characters such as < " '
 * @return string String with Unicode encoded for URI.
 */
-function utf8_uri_encode( $utf8_string, $length = 0 ) {
+function utf8_uri_encode( $utf8_string, $length = 0, $encode_ascii_characters = false ) {
 	$unicode = '';
 	$values = array();
 	$num_octets = 1;
@ -752,10 +754,14 @@ function utf8_uri_encode( $utf8_string, $length = 0 ) {
 		$value = ord( $utf8_string[ $i ] );

 		if ( $value < 128 ) {
-			if ( $length && ( $unicode_length >= $length ) )
+			$char                = chr( $value );
+			$encoded_char        = $encode_ascii_characters ? rawurlencode( $char ) : $char;
+			$encoded_char_length = strlen( $encoded_char );
+			if ( $length && ( $unicode_length + $encoded_char_length ) > $length ) {
 				break;
-			$unicode .= chr($value);
-			$unicode_length++;
+			}
+			$unicode        .= $encoded_char;
+			$unicode_length += $encoded_char_length;
 		} else {
 			if ( count( $values ) == 0 ) $num_octets = ( $value < 224 ) ? 2 : 3;

--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@ -3524,7 +3524,7 @@ function _truncate_post_slug( $slug, $length = 200 ) {
 		if ( $decoded_slug === $slug )
 			$slug = substr( $slug, 0, $length );
 		else
-			$slug = utf8_uri_encode( $decoded_slug, $length );
+			$slug = utf8_uri_encode( $decoded_slug, $length, true );
 	}

 	return rtrim( $slug, '-' );
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@ -818,7 +818,11 @@ class WP_Tax_Query {
 			return;
 		}

-		$query['terms'] = array_unique( (array) $query['terms'] );
+		if ( 'slug' === $query['field'] || 'name' === $query['field'] ) {
+			$query['terms'] = array_unique( (array) $query['terms'] );
+		} else {
+			$query['terms'] = wp_parse_id_list( $query['terms'] );
+		}

 		if ( is_taxonomy_hierarchical( $query['taxonomy'] ) && $query['include_children'] ) {
 			$this->transform_query( $query, 'term_id' );