Upstream
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Use wp_slash() in places where we improperly used the DB API instead. see #21767. 

git-svn-id: http://core.svn.wordpress.org/trunk@24713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Nacin 2013-07-16 14:19:03 +00:00
parent dffd2b1bd9
commit 8d65dc2469
4 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
wp-admin/includes/ajax-actions.php
View File

@ -739,9 +739,9 @@ function wp_ajax_replyto_comment( $action ) {
$user = wp_get_current_user();
if ( $user->exists() ) {
$user_ID = $user->ID;
$comment_author = $wpdb->escape($user->display_name);
$comment_author_email = $wpdb->escape($user->user_email);
$comment_author_url = $wpdb->escape($user->user_url);
$comment_author = wp_slash( $user->display_name );
$comment_author_email = wp_slash( $user->user_email );
$comment_author_url = wp_slash( $user->user_url );
$comment_content = trim($_POST['content']);
if ( current_user_can( 'unfiltered_html' ) ) {
if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {

2
wp-admin/includes/post.php
View File

@ -646,7 +646,7 @@ function add_meta( $post_ID ) {
if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
return false;
$metakey = esc_sql( $metakey );
$metakey = wp_slash( $metakey );
return add_post_meta( $post_ID, $metakey, $metavalue );
}

6
wp-comments-post.php
View File

@ -57,9 +57,9 @@ $user = wp_get_current_user();
if ( $user->exists() ) {
if ( empty( $user->display_name ) )
$user->display_name=$user->user_login;
$comment_author = $wpdb->escape($user->display_name);
$comment_author_email = $wpdb->escape($user->user_email);
$comment_author_url = $wpdb->escape($user->user_url);
$comment_author = wp_slash( $user->display_name );
$comment_author_email = wp_slash( $user->user_email );
$comment_author_url = wp_slash( $user->user_url );
if ( current_user_can('unfiltered_html') ) {
if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
kses_remove_filters(); // start with a clean slate

2
wp-includes/comment.php
View File

@ -1492,7 +1492,7 @@ function wp_update_comment($commentarr) {
$comment = get_comment($commentarr['comment_ID'], ARRAY_A);
// Escape data pulled from DB.
$comment = esc_sql($comment);
$comment = wp_slash($comment);
$old_status = $comment['comment_approved'];