bookmark sanitizer funcs and default filter cleanup. see #4546

git-svn-id: http://svn.automattic.com/wordpress/trunk@5906 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2007-08-20 22:50:04 +00:00
parent 7bacf89b7e
commit ba0f401390
6 changed files with 170 additions and 164 deletions


@ -60,23 +60,17 @@ function wp_get_link_cats($link_id = 0) {
} }
function get_link_to_edit( $link_id ) { function get_link_to_edit( $link_id ) {
$link = get_link( $link_id ); return get_link( $link_id, OBJECT, 'edit' );
$link->link_url = clean_url($link->link_url);
$link->link_name = attribute_escape($link->link_name);
$link->link_image = attribute_escape($link->link_image);
$link->link_description = attribute_escape($link->link_description);
$link->link_rss = clean_url($link->link_rss);
$link->link_rel = attribute_escape($link->link_rel);
$link->link_notes = wp_specialchars($link->link_notes);
$link->post_category = $link->link_category;
return $link;
} }
function wp_insert_link($linkdata) { function wp_insert_link($linkdata) {
global $wpdb, $current_user; global $wpdb, $current_user;
$defaults = array('link_id' => 0, 'link_name' => '', 'link_url' => '', 'link_rating' => 0 );
$linkdata = wp_parse_args($linkdata, $defaults);
$linkdata = sanitize_bookmark($linkdata, 'db');
extract($linkdata, EXTR_SKIP); extract($linkdata, EXTR_SKIP);
$update = false; $update = false;
@ -84,53 +78,38 @@ function wp_insert_link($linkdata) {
if ( !empty($link_id) ) if ( !empty($link_id) )
$update = true; $update = true;
$link_id = (int) $link_id; if ( trim( $link_name ) == '' )
if( trim( $link_name ) == '' )
return 0; return 0;
$link_name = apply_filters('pre_link_name', $link_name);
if( trim( $link_url ) == '' ) if ( trim( $link_url ) == '' )
return 0; return 0;
$link_url = apply_filters('pre_link_url', $link_url);
if ( empty($link_rating) ) if ( empty($link_rating) )
$link_rating = 0; $link_rating = 0;
else
$link_rating = (int) $link_rating;
if ( empty($link_image) ) if ( empty($link_image) )
$link_image = ''; $link_image = '';
$link_image = apply_filters('pre_link_image', $link_image);
if ( empty($link_target) ) if ( empty($link_target) )
$link_target = ''; $link_target = '';
$link_target = apply_filters('pre_link_target', $link_target);
if ( empty($link_visible) ) if ( empty($link_visible) )
$link_visible = 'Y'; $link_visible = 'Y';
$link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
if ( empty($link_owner) ) if ( empty($link_owner) )
$link_owner = $current_user->id; $link_owner = $current_user->id;
else
$link_owner = (int) $link_owner;
if ( empty($link_notes) ) if ( empty($link_notes) )
$link_notes = ''; $link_notes = '';
$link_notes = apply_filters('pre_link_notes', $link_notes);
if ( empty($link_description) ) if ( empty($link_description) )
$link_description = ''; $link_description = '';
$link_description = apply_filters('pre_link_description', $link_description);
if ( empty($link_rss) ) if ( empty($link_rss) )
$link_rss = ''; $link_rss = '';
$link_rss = apply_filters('pre_link_rss', $link_rss);
if ( empty($link_rel) ) if ( empty($link_rel) )
$link_rel = ''; $link_rel = '';
$link_rel = apply_filters('pre_link_rel', $link_rel);
// Make sure we set a valid category // Make sure we set a valid category
if (0 == count($link_category) || !is_array($link_category)) { if (0 == count($link_category) || !is_array($link_category)) {
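Review bot: `sanitize_bookmark($linkdata, 'db')` reads all fourteen bookmark fields out of the array, but `$defaults` only seeds link_id, link_name, link_url and link_rating, so a caller that omits link_image, link_target, link_owner or the rest hits undefined-index notices inside sanitize_bookmark before the `empty()` fallbacks below ever run; seed every field the sanitizer touches in `$defaults` (link_image, link_target, link_visible, link_owner, link_notes, link_description, link_rss, link_rel and link_category) or have it skip unset keys. The hunk also deletes the explicit `$link_owner = (int) $link_owner;`, and since sanitize_bookmark_field's integer list covers only link_id and link_rating, the owner is no longer cast anywhere on this path; keep `$link_owner = (int) $link_owner;` in the else branch until the sanitizer does it. wp_insert_link continues past the hunk, presumably to the INSERT/UPDATE that consumes these values.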


@ -80,7 +80,7 @@ $categories = get_terms('link_category', "hide_empty=1");
$select_cat = "<select name=\"cat_id\">\n"; $select_cat = "<select name=\"cat_id\">\n";
$select_cat .= '<option value="all"' . (($cat_id == 'all') ? " selected='selected'" : '') . '>' . __('All') . "</option>\n"; $select_cat .= '<option value="all"' . (($cat_id == 'all') ? " selected='selected'" : '') . '>' . __('All') . "</option>\n";
foreach ((array) $categories as $cat) foreach ((array) $categories as $cat)
$select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . wp_specialchars(apply_filters('link_category', $cat->name)) . "</option>\n"; $select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . sanitize_term_field('name', $cat->name, $cat->term_id, 'link_category', 'display') . "</option>\n";
$select_cat .= "</select>\n"; $select_cat .= "</select>\n";
$select_order = "<select name=\"order_by\">\n"; $select_order = "<select name=\"order_by\">\n";
@ -131,9 +131,8 @@ if ( $links ) {
<tbody id="the-list"> <tbody id="the-list">
<?php <?php
foreach ($links as $link) { foreach ($links as $link) {
$link->link_name = attribute_escape(apply_filters('link_title', $link->link_name)); $link = sanitize_bookmark($link);
$link->link_description = wp_specialchars(apply_filters('link_description', $link->link_description)); $link->link_name = attribute_escape($link->link_name);
$link->link_url = clean_url($link->link_url);
$link->link_category = wp_get_link_cats($link->link_id); $link->link_category = wp_get_link_cats($link->link_id);
$short_url = str_replace('http://', '', $link->link_url); $short_url = str_replace('http://', '', $link->link_url);
$short_url = str_replace('www.', '', $short_url); $short_url = str_replace('www.', '', $short_url);
@ -159,8 +158,8 @@ if ( $links ) {
?><td><?php ?><td><?php
$cat_names = array(); $cat_names = array();
foreach ($link->link_category as $category) { foreach ($link->link_category as $category) {
$cat = get_term($category, 'link_category'); $cat = get_term($category, 'link_category', OBJECT, 'display');
$cat_name = wp_specialchars(apply_filters('link_category', $cat->name)); $cat_name = $cat->name;
if ( $cat_id != $category ) if ( $cat_id != $category )
$cat_name = "<a href='link-manager.php?cat_id=$category'>$cat_name</a>"; $cat_name = "<a href='link-manager.php?cat_id=$category'>$cat_name</a>";
$cat_names[] = $cat_name; $cat_names[] = $cat_name;
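Review bot: The rewritten loop body drops `$link->link_url = clean_url($link->link_url);` in favour of `sanitize_bookmark($link)`, whose default display context only runs `apply_filters('link_url', ...)`, and the default-filters change in this same commit registers clean_url on `pre_link_url`/`pre_link_image`/`pre_link_rss` only — so unless something else hooks `link_url`, the manager page now emits link_url (and link_rss/link_image) exactly as stored, with only the save-time filter standing between a `javascript:` URL in the table and the browser. Rows written before this commit or via import/direct DB paths never passed the new pre_ filters, so keep `$link->link_url = clean_url($link->link_url);` right after the sanitize call until a display-side URL filter exists. The `foreach ($links as $link)` body continues past the hunk, where the URL is presumably rendered.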


@ -1,12 +1,14 @@
<?php <?php
function get_bookmark($bookmark_id, $output = OBJECT) { function get_bookmark($bookmark_id, $output = OBJECT, $filter = 'raw') {
global $wpdb; global $wpdb;
$bookmark_id = (int) $bookmark_id; $bookmark_id = (int) $bookmark_id;
$link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id'"); $link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id'");
$link->link_category = wp_get_link_cats($bookmark_id); $link->link_category = wp_get_link_cats($bookmark_id);
$link = sanitize_bookmark($link, $filter);
if ( $output == OBJECT ) { if ( $output == OBJECT ) {
return $link; return $link;
} elseif ( $output == ARRAY_A ) { } elseif ( $output == ARRAY_A ) {
@ -18,6 +20,22 @@ function get_bookmark($bookmark_id, $output = OBJECT) {
} }
} }
function get_bookmark_field( $field, $bookmark, $context = 'display' ) {
$bookmark = (int) $bookmark;
$bookmark = get_bookmark( $bookmark );
if ( is_wp_error($bookmark) )
return $bookmark;
if ( !is_object($bookmark) )
return '';
if ( !isset($bookmark->$field) )
return '';
return sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context);
}
// Deprecate // Deprecate
function get_link($bookmark_id, $output = OBJECT) { function get_link($bookmark_id, $output = OBJECT) {
return get_bookmark($bookmark_id, $output); return get_bookmark($bookmark_id, $output);
@ -142,6 +160,67 @@ function get_bookmarks($args = '') {
return apply_filters('get_bookmarks', $results, $r); return apply_filters('get_bookmarks', $results, $r);
} }
function sanitize_bookmark($bookmark, $context = 'display') {
$fields = array('link_id', 'link_url', 'link_name', 'link_image', 'link_target', 'link_category',
'link_description', 'link_visible', 'link_owner', 'link_rating', 'link_updated',
'link_rel', 'link_notes', 'link_rss', );
$do_object = false;
if ( is_object($bookmark) )
$do_object = true;
foreach ( $fields as $field ) {
if ( $do_object )
$bookmark->$field = sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context);
else
$bookmark[$field] = sanitize_bookmark_field($field, $bookmark[$field], $bookmark['link_id'], $context);
}
return $bookmark;
}
function sanitize_bookmark_field($field, $value, $bookmark_id, $context) {
$int_fields = array('link_id', 'link_rating');
if ( in_array($field, $int_fields) )
$value = (int) $value;
$yesno = array('link_visible');
if ( in_array($field, $yesno) )
$value = preg_replace('/[^YNyn]/', '', $value);
if ( 'link_target' == $field ) {
$targets = array('_top', '_blank');
if ( ! in_array($value, $targets) )
$value = '';
}
if ( 'raw' == $context )
return $value;
if ( 'edit' == $context ) {
$format_to_edit = array('link_notes');
$value = apply_filters("edit_$field", $value, $bookmark_id);
if ( in_array($field, $format_to_edit) ) {
$value = format_to_edit($value);
} else {
$value = attribute_escape($value);
}
} else if ( 'db' == $context ) {
$value = apply_filters("pre_$field", $value);
} else {
// Use display filters by default.
$value = apply_filters($field, $value, $bookmark_id, $context);
}
if ( 'attribute' == $context )
$value = attribute_escape($value);
else if ( 'js' == $context )
$value = js_escape($value);
return $value;
}
function delete_get_bookmark_cache() { function delete_get_bookmark_cache() {
wp_cache_delete( 'get_bookmarks', 'bookmark' ); wp_cache_delete( 'get_bookmarks', 'bookmark' );
} }
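Review bot: `sanitize_bookmark_field` casts only link_id and link_rating to int, so link_owner — which wp_insert_link used to cast itself and now routes through `sanitize_bookmark($linkdata, 'db')` — reaches the owner column as whatever string the caller supplied; `$int_fields = array('link_id', 'link_rating', 'link_owner');` restores the old guarantee. get_bookmark also sanitizes before checking the row exists: for an unknown id `$wpdb->get_row` returns null, the `->link_category` assignment auto-vivifies an object, and sanitize_bookmark then fills the remaining fields with empty values, so get_bookmark_field's `!is_object` guard can never fire (and its `is_wp_error` check is unreachable since nothing here returns a WP_Error); an early `if ( empty($link) ) return $link;` after the query keeps a miss visible. The link_visible pattern `[^YNyn]` removes stray characters but still lets empty or multi-character values such as `YN` through, so a strict whitelist (`in_array($value, array('Y','N','y','n'))` falling back to `'Y'`) would be tighter for the 'db' context.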


@ -1,142 +1,82 @@
<?php <?php
// Some default filters // Strip, trim, kses, special chars for string saves
add_filter('bloginfo','wp_specialchars'); $filters = array('pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target',
add_filter('term_description', 'wptexturize'); 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name',
add_filter('category_description', 'wptexturize'); 'pre_user_nickname');
add_filter('list_cats', 'wptexturize'); foreach ( $filters as $filter ) {
add_filter('comment_author', 'wptexturize'); add_filter($filter, 'strip_tags');
add_filter('comment_text', 'wptexturize'); add_filter($filter, 'trim');
add_filter('single_post_title', 'wptexturize'); add_filter($filter, 'wp_filter_kses');
add_filter('the_title', 'wptexturize'); add_filter($filter, 'wp_specialchars', 30);
add_filter('the_content', 'wptexturize'); }
add_filter('the_excerpt', 'wptexturize');
add_filter('bloginfo', 'wptexturize');
add_filter('pre_kses', 'wp_pre_kses_less_than');
// Comments, trackbacks, pingbacks // Kses only for textarea saves
add_filter('pre_comment_author_name', 'strip_tags'); $filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description');
add_filter('pre_comment_author_name', 'trim'); foreach ( $filters as $filter ) {
add_filter('pre_comment_author_name', 'wp_specialchars', 30); add_filter($filter, 'wp_filter_kses');
}
add_filter('pre_comment_author_email', 'trim'); // Email
add_filter('pre_comment_author_email', 'sanitize_email'); $filters = array('pre_comment_author_email', 'pre_user_email');
foreach ( $filters as $filter ) {
add_filter($filter, 'trim');
add_filter($filter, 'sanitize_email');
add_filter($filter, 'wp_filter_kses');
}
add_filter('pre_comment_author_url', 'strip_tags'); // URL
add_filter('pre_comment_author_url', 'trim'); $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
add_filter('pre_comment_author_url', 'clean_url'); 'pre_link_rss', 'comment_url');
foreach ( $filters as $filter ) {
add_filter('pre_comment_content', 'wp_rel_nofollow', 15); add_filter($filter, 'strip_tags');
add_filter('pre_comment_content', 'balanceTags', 30); add_filter($filter, 'trim');
add_filter($filter, 'clean_url');
add_filter('pre_comment_author_name', 'wp_filter_kses'); add_filter($filter, 'wp_filter_kses');
add_filter('pre_comment_author_email', 'wp_filter_kses'); }
add_filter('pre_comment_author_url', 'wp_filter_kses');
add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
// Default filters for these functions
add_filter('comment_author', 'wptexturize');
add_filter('comment_author', 'convert_chars');
add_filter('comment_author', 'wp_specialchars');
add_filter('comment_email', 'antispambot');
add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
add_filter('comment_url', 'clean_url');
add_filter('comment_text', 'convert_chars');
add_filter('comment_text', 'make_clickable', 9);
add_filter('comment_text', 'force_balance_tags', 25);
add_filter('comment_text', 'wpautop', 30);
add_filter('comment_text', 'convert_smilies', 20);
add_filter('comment_excerpt', 'convert_chars');
// Terms
add_filter('pre_term_name', 'strip_tags');
add_filter('pre_term_name', 'trim');
add_filter('pre_term_name', 'wp_filter_kses');
add_filter('pre_term_name', 'wp_specialchars', 30);
add_filter('pre_term_description', 'wp_filter_kses');
// Categories
add_filter('pre_category_name', 'strip_tags');
add_filter('pre_category_name', 'trim');
add_filter('pre_category_name', 'wp_filter_kses');
add_filter('pre_category_name', 'wp_specialchars', 30);
add_filter('pre_category_description', 'wp_filter_kses');
//Links
add_filter('pre_link_name', 'strip_tags');
add_filter('pre_link_name', 'trim');
add_filter('pre_link_name', 'wp_filter_kses');
add_filter('pre_link_name', 'wp_specialchars', 30);
add_filter('pre_link_description', 'wp_filter_kses');
add_filter('pre_link_notes', 'wp_filter_kses');
add_filter('pre_link_url', 'strip_tags');
add_filter('pre_link_url', 'trim');
add_filter('pre_link_url', 'clean_url');
add_filter('pre_link_image', 'strip_tags');
add_filter('pre_link_image', 'trim');
add_filter('pre_link_image', 'clean_url');
add_filter('pre_link_rss', 'strip_tags');
add_filter('pre_link_rss', 'trim');
add_filter('pre_link_rss', 'clean_url');
add_filter('pre_link_target', 'strip_tags');
add_filter('pre_link_target', 'trim');
add_filter('pre_link_target', 'wp_filter_kses');
add_filter('pre_link_target', 'wp_specialchars', 30);
add_filter('pre_link_rel', 'strip_tags');
add_filter('pre_link_rel', 'trim');
add_filter('pre_link_rel', 'wp_filter_kses');
add_filter('pre_link_rel', 'wp_specialchars', 30);
// Users
add_filter('pre_user_display_name', 'strip_tags');
add_filter('pre_user_display_name', 'trim');
add_filter('pre_user_display_name', 'wp_filter_kses');
add_filter('pre_user_display_name', 'wp_specialchars', 30);
add_filter('pre_user_first_name', 'strip_tags');
add_filter('pre_user_first_name', 'trim');
add_filter('pre_user_first_name', 'wp_filter_kses');
add_filter('pre_user_first_name', 'wp_specialchars', 30);
add_filter('pre_user_last_name', 'strip_tags');
add_filter('pre_user_last_name', 'trim');
add_filter('pre_user_last_name', 'wp_filter_kses');
add_filter('pre_user_last_name', 'wp_specialchars', 30);
add_filter('pre_user_nickname', 'strip_tags');
add_filter('pre_user_nickname', 'trim');
add_filter('pre_user_nickname', 'wp_filter_kses');
add_filter('pre_user_nickname', 'wp_specialchars', 30);
add_filter('pre_user_description', 'trim');
add_filter('pre_user_description', 'wp_filter_kses');
add_filter('pre_user_url', 'strip_tags');
add_filter('pre_user_url', 'trim');
add_filter('pre_user_url', 'clean_url');
add_filter('pre_user_email', 'trim');
add_filter('pre_user_email', 'sanitize_email');
// Places to balance tags on input // Places to balance tags on input
add_filter('content_save_pre', 'balanceTags', 50); $filters = array('content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content');
add_filter('excerpt_save_pre', 'balanceTags', 50); foreach ( $filters as $filter ) {
add_filter('comment_save_pre', 'balanceTags', 50); add_filter( $filter, 'balanceTags', 50);
}
// Misc. title, content, and excerpt filters // Format strings for display.
$filters = array('comment_author', 'term_name', 'term_description', 'link_name', 'link_description',
'link_notes', 'bloginfo');
foreach ( $filters as $filter ) {
add_filter($filter, 'wptexturize');
add_filter($filter, 'convert_chars');
add_filter($filter, 'wp_specialchars');
}
// Display filters
add_filter('the_title', 'wptexturize');
add_filter('the_title', 'convert_chars'); add_filter('the_title', 'convert_chars');
add_filter('the_title', 'trim'); add_filter('the_title', 'trim');
add_filter('the_content', 'wptexturize');
add_filter('the_content', 'convert_smilies'); add_filter('the_content', 'convert_smilies');
add_filter('the_content', 'convert_chars'); add_filter('the_content', 'convert_chars');
add_filter('the_content', 'wpautop'); add_filter('the_content', 'wpautop');
add_filter('the_excerpt', 'wptexturize');
add_filter('the_excerpt', 'convert_smilies'); add_filter('the_excerpt', 'convert_smilies');
add_filter('the_excerpt', 'convert_chars'); add_filter('the_excerpt', 'convert_chars');
add_filter('the_excerpt', 'wpautop'); add_filter('the_excerpt', 'wpautop');
add_filter('get_the_excerpt', 'wp_trim_excerpt'); add_filter('get_the_excerpt', 'wp_trim_excerpt');
add_filter('sanitize_title', 'sanitize_title_with_dashes'); add_filter('comment_text', 'wptexturize');
add_filter('comment_text', 'convert_chars');
add_filter('comment_text', 'make_clickable', 9);
add_filter('comment_text', 'force_balance_tags', 25);
add_filter('comment_text', 'convert_smilies', 20);
add_filter('comment_text', 'wpautop', 30);
add_filter('comment_excerpt', 'convert_chars');
add_filter('list_cats', 'wptexturize');
add_filter('single_post_title', 'wptexturize');
// RSS filters // RSS filters
add_filter('the_title_rss', 'strip_tags'); add_filter('the_title_rss', 'strip_tags');
@ -146,8 +86,8 @@ add_filter('the_content_rss', 'ent2ncr', 8);
add_filter('the_excerpt_rss', 'convert_chars'); add_filter('the_excerpt_rss', 'convert_chars');
add_filter('the_excerpt_rss', 'ent2ncr', 8); add_filter('the_excerpt_rss', 'ent2ncr', 8);
add_filter('comment_author_rss', 'ent2ncr', 8); add_filter('comment_author_rss', 'ent2ncr', 8);
add_filter('comment_text_rss', 'wp_specialchars');
add_filter('comment_text_rss', 'ent2ncr', 8); add_filter('comment_text_rss', 'ent2ncr', 8);
add_filter('comment_text_rss', 'wp_specialchars');
add_filter('bloginfo_rss', 'ent2ncr', 8); add_filter('bloginfo_rss', 'ent2ncr', 8);
add_filter('the_author', 'ent2ncr', 8); add_filter('the_author', 'ent2ncr', 8);
@ -158,11 +98,11 @@ add_filter('option_home', '_config_wp_home');
add_filter('option_siteurl', '_config_wp_siteurl'); add_filter('option_siteurl', '_config_wp_siteurl');
add_filter('mce_plugins', '_mce_load_rtl_plugin'); add_filter('mce_plugins', '_mce_load_rtl_plugin');
add_filter('mce_buttons', '_mce_add_direction_buttons'); add_filter('mce_buttons', '_mce_add_direction_buttons');
add_filter('pre_kses', 'wp_pre_kses_less_than');
// Redirect Old Slugs add_filter('sanitize_title', 'sanitize_title_with_dashes');
add_action('template_redirect', 'wp_old_slug_redirect'); add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
add_action('edit_post', 'wp_check_for_changed_slugs'); add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
add_action('edit_form_advanced', 'wp_remember_old_slug'); add_filter('comment_email', 'antispambot');
// Actions // Actions
add_action('wp_head', 'rsd_link'); add_action('wp_head', 'rsd_link');
@ -189,5 +129,10 @@ add_action('future_post', '_future_post_hook', 5, 2);
add_action('future_page', '_future_post_hook', 5, 2); add_action('future_page', '_future_post_hook', 5, 2);
add_action('save_post', '_save_post_hook', 5, 2); add_action('save_post', '_save_post_hook', 5, 2);
add_action('transition_post_status', '_transition_post_status', 5, 3); add_action('transition_post_status', '_transition_post_status', 5, 3);
add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
// Redirect Old Slugs
add_action('template_redirect', 'wp_old_slug_redirect');
add_action('edit_post', 'wp_check_for_changed_slugs');
add_action('edit_form_advanced', 'wp_remember_old_slug');
?> ?>
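Review bot: The new "Format strings for display" group covers link_name, link_description and link_notes, but nothing is registered on the display-context filters `link_url`, `link_image` and `link_rss`, so `sanitize_bookmark($link)` in its default 'display' context returns those URL fields untouched and clean_url now runs only at save time through the pre_ hooks. A display-side group, `foreach ( array('link_url', 'link_image', 'link_rss') as $filter ) add_filter($filter, 'clean_url');`, would close that gap for rows stored before this commit or written by paths that bypass the pre_ filters. Separately, `pre_user_description` had `trim` plus kses in the old list but only kses in the new textarea group, which looks like an unintended drop.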


@ -477,6 +477,9 @@ function sanitize_post_field($field, $value, $post_id, $context) {
} }
} else { } else {
// Use display filters by default. // Use display filters by default.
if ( $prefixed )
$value = apply_filters($field, $value, $post_id, $context);
else
$value = apply_filters("post_$field", $value, $post_id, $context); $value = apply_filters("post_$field", $value, $post_id, $context);
} }


@ -229,7 +229,7 @@ function get_objects_in_term( $terms, $taxonomies, $args = array() ) {
* This won't appear but just a note to say that this is all conjecture and parts or whole * This won't appear but just a note to say that this is all conjecture and parts or whole
* might be inaccurate or wrong. * might be inaccurate or wrong.
*/ */
function &get_term(&$term, $taxonomy, $output = OBJECT) { function &get_term(&$term, $taxonomy, $output = OBJECT, $filter = 'raw') {
global $wpdb; global $wpdb;
if ( empty($term) ) if ( empty($term) )
@ -251,6 +251,7 @@ function &get_term(&$term, $taxonomy, $output = OBJECT) {
$_term = apply_filters('get_term', $_term, $taxonomy); $_term = apply_filters('get_term', $_term, $taxonomy);
$_term = apply_filters("get_$taxonomy", $_term, $taxonomy); $_term = apply_filters("get_$taxonomy", $_term, $taxonomy);
$_term = sanitize_term($_term, $taxonomy, $filter);
if ( $output == OBJECT ) { if ( $output == OBJECT ) {
return $_term; return $_term;
@ -559,7 +560,7 @@ function is_term($term, $taxonomy = '') {
} }
function sanitize_term($term, $taxonomy, $context = 'display') { function sanitize_term($term, $taxonomy, $context = 'display') {
$fields = array('term_id', 'name', 'description', 'slug', 'count', 'term_group'); $fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group');
$do_object = false; $do_object = false;
if ( is_object($term) ) if ( is_object($term) )