The gallery
shortcode used to accept a SQL chunk for the value of the orderby
attribute. The reason? get_posts()
used to be called in the shortcode handler with a query-string blob of arguments passed to it. To mitigate breakage, sanitize_sql_orderby()
was created in [7592].
`sanitize_sql_orderby()` expects a comma to be present when multiple `orderby` values were passed. The correct syntax for multiple fields is space-delimited. Since [29027], comma-separated values would never be parsed correctly when passed to `WP_Query->parse_orderby()`. `sanitize_sql_orderby()` is used nowhere else in core, save for the `playlist` shortcode - I only added it there because I was mimicking the `gallery` logic. The function call can be removed from both shortcode handlers. See #6476. Fixes #23873. Built from https://develop.svn.wordpress.org/trunk@30068 git-svn-id: http://core.svn.wordpress.org/trunk@30068 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
e4289bb37e
commit
5d17d2bd28
@ -938,14 +938,6 @@ function gallery_shortcode( $attr ) {
|
||||
return $output;
|
||||
}
|
||||
|
||||
// We're trusting author input, so let's at least make sure it looks like a valid orderby statement
|
||||
if ( isset( $attr['orderby'] ) ) {
|
||||
$attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
|
||||
if ( ! $attr['orderby'] ) {
|
||||
unset( $attr['orderby'] );
|
||||
}
|
||||
}
|
||||
|
||||
$html5 = current_theme_supports( 'html5', 'gallery' );
|
||||
$atts = shortcode_atts( array(
|
||||
'order' => 'ASC',
|
||||
@ -1056,7 +1048,7 @@ function gallery_shortcode( $attr ) {
|
||||
|
||||
$i = 0;
|
||||
foreach ( $attachments as $id => $attachment ) {
|
||||
|
||||
|
||||
$attr = ( trim( $attachment->post_excerpt ) ) ? array( 'aria-describedby' => "$selector-$id" ) : '';
|
||||
if ( ! empty( $atts['link'] ) && 'file' === $atts['link'] ) {
|
||||
$image_output = wp_get_attachment_link( $id, $atts['size'], false, false, $attr );
|
||||
@ -1220,16 +1212,6 @@ function wp_playlist_shortcode( $attr ) {
|
||||
return $output;
|
||||
}
|
||||
|
||||
/*
|
||||
* We're trusting author input, so let's at least make sure it looks
|
||||
* like a valid orderby statement.
|
||||
*/
|
||||
if ( isset( $attr['orderby'] ) ) {
|
||||
$attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
|
||||
if ( ! $attr['orderby'] )
|
||||
unset( $attr['orderby'] );
|
||||
}
|
||||
|
||||
$atts = shortcode_atts( array(
|
||||
'type' => 'audio',
|
||||
'order' => 'ASC',
|
||||
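Review bot: Once the `sanitize_sql_orderby()` block is dropped from `gallery_shortcode()` (and the matching block in `wp_playlist_shortcode()`), nothing visible in these hunks says where the author-supplied `orderby` attribute is validated; the page has lost its +/- markers, so I am reading that block as the removed side from the 14-to-6 and 16-to-6 hunk counts and the description. The description implies `WP_Query->parse_orderby()` is now the only filter, but that code is not shown here, so it is worth confirming that unrecognised values are discarded there rather than reaching the ORDER BY clause. I would add a short comment above `$atts = shortcode_atts( array(` in both handlers, for example `// 'orderby' is not sanitized here; WP_Query::parse_orderby() is relied on to reject unknown values.`, and a regression test that passes a malformed `orderby` to each shortcode and asserts the query falls back to its default ordering. Both function bodies continue outside the hunks, so any later use of `$atts['orderby']` could not be checked from this page.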
|
@ -4,7 +4,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.1-alpha-30067';
|
||||
$wp_version = '4.1-alpha-30068';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|