Make sure sanitize_option() is always called when updating options.
git-svn-id: http://svn.automattic.com/wordpress/trunk@5541 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan
parent
677b609ee2
commit
92e7d3c3bc
|
|
@ -10,77 +10,6 @@ wp_reset_vars(array('action'));
|
|||
if ( !current_user_can('manage_options') )
|
||||
wp_die(__('Cheatin’ uh?'));
|
||||
|
||||
function sanitize_option($option, $value) { // Remember to call stripslashes!
|
||||
|
||||
switch ($option) {
|
||||
case 'admin_email':
|
||||
$value = stripslashes($value);
|
||||
$value = sanitize_email($value);
|
||||
break;
|
||||
|
||||
case 'default_post_edit_rows':
|
||||
case 'mailserver_port':
|
||||
case 'comment_max_links':
|
||||
$value = stripslashes($value);
|
||||
$value = abs((int) $value);
|
||||
break;
|
||||
|
||||
case 'posts_per_page':
|
||||
case 'posts_per_rss':
|
||||
$value = stripslashes($value);
|
||||
$value = (int) $value;
|
||||
if ( empty($value) ) $value = 1;
|
||||
if ( $value < -1 ) $value = abs($value);
|
||||
break;
|
||||
|
||||
case 'default_ping_status':
|
||||
case 'default_comment_status':
|
||||
$value = stripslashes($value);
|
||||
// Options that if not there have 0 value but need to be something like "closed"
|
||||
if ( $value == '0' || $value == '')
|
||||
$value = 'closed';
|
||||
break;
|
||||
|
||||
case 'blogdescription':
|
||||
case 'blogname':
|
||||
if (current_user_can('unfiltered_html') == false)
|
||||
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
|
||||
$value = stripslashes($value);
|
||||
break;
|
||||
|
||||
case 'blog_charset':
|
||||
$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
|
||||
break;
|
||||
|
||||
case 'date_format':
|
||||
case 'time_format':
|
||||
case 'mailserver_url':
|
||||
case 'mailserver_login':
|
||||
case 'mailserver_pass':
|
||||
case 'ping_sites':
|
||||
case 'upload_path':
|
||||
$value = strip_tags($value);
|
||||
$value = wp_filter_kses($value); // calls stripslashes then addslashes
|
||||
$value = stripslashes($value);
|
||||
break;
|
||||
|
||||
case 'gmt_offset':
|
||||
$value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
|
||||
break;
|
||||
|
||||
case 'siteurl':
|
||||
case 'home':
|
||||
$value = stripslashes($value);
|
||||
$value = clean_url($value);
|
||||
break;
|
||||
default :
|
||||
$value = stripslashes($value);
|
||||
break;
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
|
||||
switch($action) {
|
||||
|
||||
case 'update':
|
||||
|
|
@ -101,7 +30,7 @@ case 'update':
|
|||
foreach ($options as $option) {
|
||||
$option = trim($option);
|
||||
$value = trim($_POST[$option]);
|
||||
$value = sanitize_option($option, $value); // This does stripslashes on those that need it
|
||||
$value = stripslashes($value);
|
||||
update_option($option, $value);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1118,4 +1118,72 @@ function wp_make_link_relative( $link ) {
|
|||
return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link );
|
||||
}
|
||||
|
||||
function sanitize_option($option, $value) { // Remember to call stripslashes!
|
||||
|
||||
switch ($option) {
|
||||
case 'admin_email':
|
||||
$value = sanitize_email($value);
|
||||
break;
|
||||
|
||||
case 'default_post_edit_rows':
|
||||
case 'mailserver_port':
|
||||
case 'comment_max_links':
|
||||
$value = abs((int) $value);
|
||||
break;
|
||||
|
||||
case 'posts_per_page':
|
||||
case 'posts_per_rss':
|
||||
$value = (int) $value;
|
||||
if ( empty($value) ) $value = 1;
|
||||
if ( $value < -1 ) $value = abs($value);
|
||||
break;
|
||||
|
||||
case 'default_ping_status':
|
||||
case 'default_comment_status':
|
||||
// Options that if not there have 0 value but need to be something like "closed"
|
||||
if ( $value == '0' || $value == '')
|
||||
$value = 'closed';
|
||||
break;
|
||||
|
||||
case 'blogdescription':
|
||||
case 'blogname':
|
||||
$value = addslashes($value);
|
||||
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
|
||||
$value = stripslashes($value);
|
||||
$value = wp_specialchars( $value );
|
||||
break;
|
||||
|
||||
case 'blog_charset':
|
||||
$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
|
||||
break;
|
||||
|
||||
case 'date_format':
|
||||
case 'time_format':
|
||||
case 'mailserver_url':
|
||||
case 'mailserver_login':
|
||||
case 'mailserver_pass':
|
||||
case 'ping_sites':
|
||||
case 'upload_path':
|
||||
$value = strip_tags($value);
|
||||
$value = addslashes($value);
|
||||
$value = wp_filter_kses($value); // calls stripslashes then addslashes
|
||||
$value = stripslashes($value);
|
||||
break;
|
||||
|
||||
case 'gmt_offset':
|
||||
$value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
|
||||
break;
|
||||
|
||||
case 'siteurl':
|
||||
case 'home':
|
||||
$value = stripslashes($value);
|
||||
$value = clean_url($value);
|
||||
break;
|
||||
default :
|
||||
break;
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -315,6 +315,8 @@ function update_option($option_name, $newvalue) {
|
|||
|
||||
wp_protect_special_option($option_name);
|
||||
|
||||
$newvalue = sanitize_option($option_name, $newvalue);
|
||||
|
||||
if ( is_string($newvalue) )
|
||||
$newvalue = trim($newvalue);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue