From cc5ed3a485f2130c40daa7cdb56abcf66d878a84 Mon Sep 17 00:00:00 2001 
From: Ryan Boren Date: Thu, 14 Feb 2013 22:51:06 +0000 Subject: [PATCH] Change all core API to expect unslashed rather than slashed arguments. The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now. Introduce wp_update_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet. Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed. Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes is no longer necessary. Introduce wp_unslash() and use it to remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core. Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests. Plugins should use wp_unslash() on data being passed to core API. Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer. Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. 
Filters are no longer passed slashed data. Remove many no longer necessary calls to $wpdb->escape() and esc_sql(). In wp_get_referer() and wp_get_original_referer(), return unslashed data. Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget. Switch several queries over to prepare(). Expect something to break. Props alexkingorg see #21767 git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/admin.php | 4 +- wp-admin/custom-background.php | 4 +- wp-admin/custom-header.php | 2 +- wp-admin/edit-comments.php | 10 +- wp-admin/edit-form-advanced.php | 2 +- wp-admin/edit-form-comment.php | 2 +- wp-admin/edit-tags.php | 17 +- wp-admin/edit.php | 2 +- wp-admin/includes/ajax-actions.php | 81 +++---- wp-admin/includes/bookmark.php | 9 +- .../includes/class-wp-comments-list-table.php | 2 +- .../includes/class-wp-ms-sites-list-table.php | 2 +- .../class-wp-ms-themes-list-table.php | 2 +- .../includes/class-wp-ms-users-list-table.php | 6 +- .../class-wp-plugin-install-list-table.php | 6 +- .../includes/class-wp-plugins-list-table.php | 4 +- .../includes/class-wp-terms-list-table.php | 6 +- .../class-wp-theme-install-list-table.php | 4 +- .../includes/class-wp-themes-list-table.php | 4 +- wp-admin/includes/class-wp-upgrader.php | 2 +- .../includes/class-wp-users-list-table.php | 2 +- wp-admin/includes/comment.php | 39 ++-- wp-admin/includes/dashboard.php | 2 +- wp-admin/includes/deprecated.php | 7 +- wp-admin/includes/file.php | 14 +- wp-admin/includes/image-edit.php | 8 +- wp-admin/includes/media.php | 17 +- wp-admin/includes/misc.php | 10 +- wp-admin/includes/plugin-install.php | 12 +- wp-admin/includes/post.php | 54 ++--- wp-admin/includes/schema.php | 8 +- wp-admin/includes/taxonomy.php | 3 - wp-admin/includes/template.php | 2 +- wp-admin/includes/theme-install.php | 6 +- wp-admin/includes/upgrade.php | 20 +- wp-admin/includes/user.php | 71 +++--- wp-admin/install.php 
| 18 +- wp-admin/link-manager.php | 4 +- wp-admin/media.php | 2 +- wp-admin/nav-menus.php | 10 +- wp-admin/network.php | 2 +- wp-admin/network/settings.php | 12 +- wp-admin/network/site-info.php | 2 +- wp-admin/network/site-new.php | 4 +- wp-admin/network/site-settings.php | 6 +- wp-admin/network/sites.php | 2 +- wp-admin/options.php | 8 +- wp-admin/plugin-editor.php | 6 +- wp-admin/press-this.php | 4 +- wp-admin/setup-config.php | 2 +- wp-admin/theme-editor.php | 4 +- wp-admin/update.php | 6 +- wp-admin/upgrade.php | 4 +- wp-admin/upload.php | 2 +- wp-admin/user-edit.php | 2 +- wp-admin/user-new.php | 8 +- wp-admin/users.php | 8 +- wp-comments-post.php | 26 ++- wp-includes/class-wp-customize-manager.php | 2 +- wp-includes/class-wp-customize-setting.php | 2 +- wp-includes/class-wp-xmlrpc-server.php | 205 +++--------------- wp-includes/class-wp.php | 12 +- wp-includes/comment.php | 26 +-- wp-includes/cron.php | 2 +- wp-includes/default-filters.php | 8 +- wp-includes/default-widgets.php | 8 +- wp-includes/deprecated.php | 2 +- wp-includes/feed.php | 2 +- wp-includes/formatting.php | 53 ++++- wp-includes/functions.php | 16 +- wp-includes/kses.php | 24 +- wp-includes/link-template.php | 2 +- wp-includes/meta.php | 9 - wp-includes/ms-files.php | 2 +- wp-includes/ms-functions.php | 28 +-- wp-includes/nav-menu.php | 18 +- wp-includes/pluggable.php | 6 +- wp-includes/post-template.php | 2 +- wp-includes/post.php | 109 +++++++--- wp-includes/query.php | 5 - wp-includes/taxonomy.php | 15 +- wp-includes/user.php | 8 +- wp-includes/widgets.php | 2 +- wp-login.php | 14 +- wp-mail.php | 1 - wp-trackback.php | 11 +- 86 files changed, 531 insertions(+), 651 deletions(-) diff --git a/wp-admin/admin.php b/wp-admin/admin.php index bd2e5406a6..8df02e5b5c 100644 --- a/wp-admin/admin.php +++ b/wp-admin/admin.php 
@@ -43,7 +43,7 @@ if ( get_option('db_upgraded') ) { do_action('after_db_upgrade'); } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) { if ( !is_multisite() ) { - wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI'])))); + wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ); exit; } elseif ( apply_filters( 'do_mu_upgrade', true ) ) { /** @@ -84,7 +84,7 @@ wp_enqueue_script( 'common' ); $editing = false; if ( isset($_GET['page']) ) { - $plugin_page = stripslashes($_GET['page']); + $plugin_page = wp_unslash( $_GET['page'] ); $plugin_page = plugin_basename($plugin_page); } diff --git a/wp-admin/custom-background.php b/wp-admin/custom-background.php index a924ecaf79..85a684b792 100644 --- a/wp-admin/custom-background.php +++ b/wp-admin/custom-background.php @@ -378,7 +378,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) ) // Add the meta-data wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) ); - update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) ); + wp_update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) ); set_theme_mod('background_image', esc_url_raw($url)); @@ -415,7 +415,7 @@ if ( current_theme_supports( 'custom-background', 'default-color' ) ) if ( in_array( $_POST['size'], $sizes ) ) $size = esc_attr( $_POST['size'] ); - update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) ); + wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) ); $url = wp_get_attachment_image_src( $attachment_id, $size ); $thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' ); set_theme_mod( 'background_image', esc_url_raw( $url[0] ) ); 
diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php index 7629af3d3a..10c81a31eb 100644 --- a/wp-admin/custom-header.php +++ b/wp-admin/custom-header.php @@ -948,7 +948,7 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?> 'width' => $choice['width'], ); - update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() ); + wp_update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() ); set_theme_mod( 'header_image', $choice['url'] ); set_theme_mod( 'header_image_data', $header_image_data ); return; diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index 174cd9af11..f6dd19c0b3 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -20,9 +20,9 @@ if ( $doaction ) { check_admin_referer( 'bulk-comments' ); if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) { - $comment_status = $wpdb->escape( $_REQUEST['comment_status'] ); - $delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] ); - $comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" ); + $comment_status = $_REQUEST['comment_status']; + $delete_time = $_REQUEST['pagegen_timestamp']; + $comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) ); $doaction = 'delete'; } elseif ( isset( $_REQUEST['delete_comments'] ) ) { $comment_ids = $_REQUEST['delete_comments']; 
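Review bot: In the edit-comments.php delete_all hunk (-20) `$comment_status` and `$delete_time` are now read straight from `$_REQUEST`, so under the slashing model this commit introduces they still carry the GPCS slashes when `$wpdb->prepare()` escapes them a second time; a value containing a quote or backslash is then compared with a literal backslash embedded in it. Moving to prepare() closes the interpolation problem, but the inputs should be unslashed like every other request read in this commit: `$comment_status = wp_unslash( $_REQUEST['comment_status'] );` and `$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );`. Because both values are only compared, the practical effect is a wrong row set rather than injection, and `comment_status` could additionally be checked against the set of statuses the page already handles elsewhere before it is used to select rows for deletion.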
@@ -95,7 +95,7 @@ if ( $doaction ) { wp_safe_redirect( $redirect_to ); exit; } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { - wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } @@ -153,7 +153,7 @@ else echo __('Comments'); if ( isset($_REQUEST['s']) && $_REQUEST['s'] ) - printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '' ); ?> + printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '' ); ?> cap->create - + comment_ID) ?>" /> - + diff --git a/wp-admin/edit-tags.php b/wp-admin/edit-tags.php index 7250a66984..8d3a02abd8 100644 --- a/wp-admin/edit-tags.php +++ b/wp-admin/edit-tags.php @@ -47,7 +47,9 @@ case 'add-tag': if ( !current_user_can( $tax->cap->edit_terms ) ) wp_die( __( 'Cheatin’ uh?' ) ); - $ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST ); + $post_data = wp_unslash( $_POST ); + + $ret = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data ); $location = 'edit-tags.php?taxonomy=' . $taxonomy; if ( 'post' != $post_type ) $location .= '&post_type=' . $post_type; @@ -132,7 +134,10 @@ case 'edit': break; case 'editedtag': - $tag_ID = (int) $_POST['tag_ID']; + + $post_data = wp_unslash( $_POST ); + + $tag_ID = (int) $post_data['tag_ID']; check_admin_referer( 'update-tag_' . $tag_ID ); if ( !current_user_can( $tax->cap->edit_terms ) ) @@ -142,7 +147,7 @@ case 'editedtag': if ( ! $tag ) wp_die( __( 'You attempted to edit an item that doesn’t exist. Perhaps it was deleted?' ) ); - $ret = wp_update_term( $tag_ID, $taxonomy, $_POST ); + $ret = wp_update_term( $tag_ID, $taxonomy, $post_data ); $location = 'edit-tags.php?taxonomy=' . $taxonomy; if ( 'post' != $post_type ) 
@@ -164,7 +169,7 @@ break; default: if ( ! empty($_REQUEST['_wp_http_referer']) ) { - $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ); + $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ); if ( ! empty( $_REQUEST['paged'] ) ) $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] ); @@ -264,8 +269,8 @@ $messages[6] = __('Items deleted.');

' . __('Search results for “%s”') . '', esc_html( stripslashes($_REQUEST['s']) ) ); ?> +if ( ! empty($_REQUEST['s']) ) + printf( '' . __('Search results for “%s”') . '', esc_html( wp_unslash( $_REQUEST['s'] ) ) ); ?>

diff --git a/wp-admin/edit.php b/wp-admin/edit.php index 9eae3cf395..d265f1f049 100644 --- a/wp-admin/edit.php +++ b/wp-admin/edit.php @@ -138,7 +138,7 @@ if ( $doaction ) { wp_redirect($sendback); exit(); } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) { - wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) ); + wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php index cd4ba083e5..bd4d5b93c4 100644 --- a/wp-admin/includes/ajax-actions.php +++ b/wp-admin/includes/ajax-actions.php @@ -59,7 +59,7 @@ function wp_ajax_ajax_tag_search() { wp_die( 0 ); } - $s = stripslashes( $_GET['q'] ); + $s = wp_unslash( $_GET['q'] ); $comma = _x( ',', 'tag delimiter' ); if ( ',' !== $comma ) 
@@ -279,19 +279,21 @@ function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) { */ function _wp_ajax_add_hierarchical_term() { - $action = $_POST['action']; + $post_data = wp_unslash( $_POST ); + + $action = $post_data['action']; $taxonomy = get_taxonomy(substr($action, 4)); check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy->name ); if ( !current_user_can( $taxonomy->cap->edit_terms ) ) wp_die( -1 ); - $names = explode(',', $_POST['new'.$taxonomy->name]); - $parent = isset($_POST['new'.$taxonomy->name.'_parent']) ? (int) $_POST['new'.$taxonomy->name.'_parent'] : 0; + $names = explode(',', $post_data['new'.$taxonomy->name]); + $parent = isset($post_data['new'.$taxonomy->name.'_parent']) ? (int) $post_data['new'.$taxonomy->name.'_parent'] : 0; if ( 0 > $parent ) $parent = 0; if ( $taxonomy->name == 'category' ) - $post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array(); + $post_category = isset( $post_data['post_category'] ) ? (array) $post_data['post_category'] : array(); else - $post_category = ( isset($_POST['tax_input']) && isset($_POST['tax_input'][$taxonomy->name]) ) ? (array) $_POST['tax_input'][$taxonomy->name] : array(); + $post_category = ( isset( $post_data['tax_input'] ) && isset( $post_data['tax_input'][$taxonomy->name] ) ) ? (array) $post_data['tax_input'][$taxonomy->name] : array(); $checked_categories = array_map( 'absint', (array) $post_category ); $popular_ids = wp_popular_terms_checklist($taxonomy->name, 0, 10, false); @@ -559,7 +561,7 @@ function wp_ajax_add_link_category( $action ) { check_ajax_referer( $action ); if ( !current_user_can( 'manage_categories' ) ) wp_die( -1 ); - $names = explode(',', $_POST['newcat']); + $names = explode( ',', wp_unslash( $_POST['newcat'] ) ); $x = new WP_Ajax_Response(); foreach ( $names as $cat_name ) { $cat_name = trim($cat_name); 
@@ -572,7 +574,7 @@ function wp_ajax_add_link_category( $action ) { continue; else if ( is_array( $cat_id ) ) $cat_id = $cat_id['term_id']; - $cat_name = esc_html(stripslashes($cat_name)); + $cat_name = esc_html( wp_unslash( $cat_name ) ); $x->add( array( 'what' => 'link-category', 'id' => $cat_id, @@ -586,9 +588,11 @@ function wp_ajax_add_link_category( $action ) { function wp_ajax_add_tag() { global $wp_list_table; + $post_data = wp_unslash( $_POST ); + check_ajax_referer( 'add-tag', '_wpnonce_add-tag' ); - $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post'; - $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; + $post_type = !empty($post_data['post_type']) ? $post_data['post_type'] : 'post'; + $taxonomy = !empty($post_data['taxonomy']) ? $post_data['taxonomy'] : 'post_tag'; $tax = get_taxonomy($taxonomy); if ( !current_user_can( $tax->cap->edit_terms ) ) @@ -596,7 +600,7 @@ function wp_ajax_add_tag() { $x = new WP_Ajax_Response(); - $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST ); + $tag = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data ); if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) { $message = __('An error has occurred. Please reload the page and try again.'); @@ -610,7 +614,7 @@ function wp_ajax_add_tag() { $x->send(); } - $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $_POST['screen'] ) ); + $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => $post_data['screen'] ) ); $level = 0; if ( is_taxonomy_hierarchical($taxonomy) ) { 
@@ -728,10 +732,10 @@ function wp_ajax_replyto_comment( $action ) { $user = wp_get_current_user(); if ( $user->exists() ) { $user_ID = $user->ID; - $comment_author = $wpdb->escape($user->display_name); - $comment_author_email = $wpdb->escape($user->user_email); - $comment_author_url = $wpdb->escape($user->user_url); - $comment_content = trim($_POST['content']); + $comment_author = $user->display_name; + $comment_author_email = $user->user_email; + $comment_author_url = $user->user_url; + $comment_content = trim( wp_unslash( $_POST['content'] ) ); if ( current_user_can( 'unfiltered_html' ) ) { if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) { kses_remove_filters(); // start with a clean slate @@ -957,8 +961,8 @@ function wp_ajax_add_meta() { ) ); } else { // Update? $mid = (int) key( $_POST['meta'] ); - $key = stripslashes( $_POST['meta'][$mid]['key'] ); - $value = stripslashes( $_POST['meta'][$mid]['value'] ); + $key = wp_unslash( $_POST['meta'][$mid]['key'] ); + $value = wp_unslash( $_POST['meta'][$mid]['value'] ); if ( '' == trim($key) ) wp_die( __( 'Please provide a custom field name.' ) ); if ( '' == trim($value) ) @@ -1227,7 +1231,7 @@ function wp_ajax_wp_link_ajax() { $args = array(); if ( isset( $_POST['search'] ) ) - $args['s'] = stripslashes( $_POST['search'] ); + $args['s'] = wp_unslash( $_POST['search'] ); $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1; require(ABSPATH . WPINC . '/class-wp-editor.php'); @@ -1328,7 +1332,6 @@ function wp_ajax_inline_save() { $data = &$_POST; $post = get_post( $post_ID, ARRAY_A ); - $post = add_magic_quotes($post); //since it is from db $data['content'] = $post['post_content']; $data['excerpt'] = $post['post_excerpt']; 
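Review bot: In the wp_ajax_inline_save hunk (-1328) `$data = &$_POST;` keeps `$data` an alias of the still-slashed request array, so once `add_magic_quotes( $post )` is dropped the array holds unslashed database text in `content`/`excerpt` next to slashed user input in every other key. Whatever consumes `$data` after the hunk (the function continues outside it) can only unslash the whole array or none of it, so one half is mishandled either way. If the downstream call now expects unslashed data as the commit description states, the fix is to replace the reference with a copy, `$data = wp_unslash( $_POST );`, before the DB values are merged in; if it still expects slashed data, the removed `add_magic_quotes()` line was load-bearing and should stay until that caller is converted.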
@@ -1376,8 +1379,10 @@ function wp_ajax_inline_save_tax() { global $wp_list_table; check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' ); + + $post_data = wp_unslash( $_POST ); - $taxonomy = sanitize_key( $_POST['taxonomy'] ); + $taxonomy = sanitize_key( $post_data['taxonomy'] ); $tax = get_taxonomy( $taxonomy ); if ( ! $tax ) wp_die( 0 ); @@ -1387,13 +1392,13 @@ function wp_ajax_inline_save_tax() { $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' => 'edit-' . $taxonomy ) ); - if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) ) + if ( ! isset($post_data['tax_ID']) || ! ( $id = (int) $post_data['tax_ID'] ) ) wp_die( -1 ); $tag = get_term( $id, $taxonomy ); - $_POST['description'] = $tag->description; + $post_data['description'] = $tag->description; - $updated = wp_update_term($id, $taxonomy, $_POST); + $updated = wp_update_term($id, $taxonomy, $post_data ); if ( $updated && !is_wp_error($updated) ) { $tag = get_term( $updated['term_id'], $taxonomy ); if ( !$tag || is_wp_error( $tag ) ) { @@ -1425,7 +1430,7 @@ function wp_ajax_find_posts() { $post_types = get_post_types( array( 'public' => true ), 'objects' ); unset( $post_types['attachment'] ); - $s = stripslashes( $_POST['ps'] ); + $s = wp_unslash( $_POST['ps'] ); $searchand = $search = ''; $args = array( 'post_type' => array_keys( $post_types ), @@ -1596,7 +1601,7 @@ function wp_ajax_upload_attachment() { $post_id = null; } - $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array(); + $post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( $_REQUEST['post_data'] ) : array(); // If the context is custom header or background, make sure the uploaded file is an image. if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) { 
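Review bot: In the wp_ajax_upload_attachment hunk (-1596) `$post_data` is assigned from `$_REQUEST['post_data']` with no check that it is an array, and the same pattern appears for `$changes` in hunk -1873, and `$attachment_data` and `$attachments` in hunks -1915 and -1959 further down this file. A scalar value passes through `wp_unslash()` unchanged and reaches the `isset( $post_data['context'] )` checks as a string, which silently evaluates to false rather than being rejected. The heartbeat hunk in the same file casts first, `wp_unslash( (array) $_POST['data'] )`; using the same cast here, `$post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( (array) $_REQUEST['post_data'] ) : array();`, keeps the shape uniform across the handlers (I cannot see whether the downstream calls tolerate a non-array, so treat this as a consistency point).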
@@ -1630,10 +1635,10 @@ function wp_ajax_upload_attachment() { if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) { if ( 'custom-background' === $post_data['context'] ) - update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] ); + wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] ); if ( 'custom-header' === $post_data['context'] ) - update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] ); + wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] ); } if ( ! $attachment = wp_prepare_attachment_for_js( $attachment_id ) ) @@ -1778,7 +1783,7 @@ function wp_ajax_wp_remove_post_lock() { wp_die( 0 ); $new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1]; - update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) ); + wp_update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) ); wp_die( 1 ); } @@ -1873,7 +1878,7 @@ function wp_ajax_save_attachment() { if ( ! current_user_can( 'edit_post', $id ) ) wp_send_json_error(); - $changes = $_REQUEST['changes']; + $changes = wp_unslash( $_REQUEST['changes'] ); $post = get_post( $id, ARRAY_A ); if ( 'attachment' != $post['post_type'] ) @@ -1890,10 +1895,10 @@ function wp_ajax_save_attachment() { if ( isset( $changes['alt'] ) ) { $alt = get_post_meta( $id, '_wp_attachment_image_alt', true ); - $new_alt = stripslashes( $changes['alt'] ); + $new_alt = $changes['alt']; if ( $alt != $new_alt ) { $new_alt = wp_strip_all_tags( $new_alt, true ); - update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) ); + wp_update_post_meta( $id, '_wp_attachment_image_alt', $new_alt ); } } 
@@ -1915,7 +1920,7 @@ function wp_ajax_save_attachment_compat() { if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) ) wp_send_json_error(); - $attachment_data = $_REQUEST['attachments'][ $id ]; + $attachment_data = wp_unslash( $_REQUEST['attachments'][ $id ] ); check_ajax_referer( 'update-post_' . $id, 'nonce' ); @@ -1959,7 +1964,7 @@ function wp_ajax_save_attachment_order() { check_ajax_referer( 'update-post_' . $post_id, 'nonce' ); - $attachments = $_REQUEST['attachments']; + $attachments = wp_unslash( $_REQUEST['attachments'] ); if ( ! current_user_can( 'edit_post', $post_id ) ) wp_send_json_error(); @@ -1990,7 +1995,7 @@ function wp_ajax_save_attachment_order() { function wp_ajax_send_attachment_to_editor() { check_ajax_referer( 'media-send-to-editor', 'nonce' ); - $attachment = stripslashes_deep( $_POST['attachment'] ); + $attachment = wp_unslash( $_POST['attachment'] ); $id = intval( $attachment['id'] ); @@ -2045,7 +2050,7 @@ function wp_ajax_send_attachment_to_editor() { function wp_ajax_send_link_to_editor() { check_ajax_referer( 'media-send-to-editor', 'nonce' ); - if ( ! $src = stripslashes( $_POST['src'] ) ) + if ( ! $src = wp_unslash( $_POST['src'] ) ) wp_send_json_error(); if ( ! strpos( $src, '://' ) ) @@ -2054,7 +2059,7 @@ function wp_ajax_send_link_to_editor() { if ( ! $src = esc_url_raw( $src ) ) wp_send_json_error(); - if ( ! $title = trim( stripslashes( $_POST['title'] ) ) ) + if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) ) $title = wp_basename( $src ); $html = ''; @@ -2083,7 +2088,7 @@ function wp_ajax_heartbeat() { $screen_id = 'site'; if ( ! empty($_POST['data']) ) { - $data = (array) $_POST['data']; + $data = wp_unslash( (array) $_POST['data'] ); // todo: how much to sanitize and preset and what to leave to be accessed from $data or $_POST..? $user = wp_get_current_user(); $data['user_id'] = $user->exists() ? $user->ID : 0; 
diff --git a/wp-admin/includes/bookmark.php b/wp-admin/includes/bookmark.php index 4d240b775c..23809099d0 100644 --- a/wp-admin/includes/bookmark.php +++ b/wp-admin/includes/bookmark.php @@ -39,9 +39,9 @@ function edit_link( $link_id = 0 ) { if ( !empty( $link_id ) ) { $_POST['link_id'] = $link_id; - return wp_update_link( $_POST ); + return wp_update_link( wp_unslash( $_POST ) ); } else { - return wp_insert_link( $_POST ); + return wp_insert_link( wp_unslash( $_POST ) ); } } @@ -137,7 +137,7 @@ function wp_insert_link( $linkdata, $wp_error = false ) { $linkdata = wp_parse_args( $linkdata, $defaults ); $linkdata = sanitize_bookmark( $linkdata, 'db' ); - extract( stripslashes_deep( $linkdata ), EXTR_SKIP ); + extract( $linkdata, EXTR_SKIP ); $update = false; @@ -250,9 +250,6 @@ function wp_update_link( $linkdata ) { $link = get_bookmark( $link_id, ARRAY_A ); - // Escape data pulled from DB. - $link = add_magic_quotes( $link ); - // Passed link category list overwrites existing category list if not empty. if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] ) && 0 != count( $linkdata['link_category'] ) ) diff --git a/wp-admin/includes/class-wp-comments-list-table.php b/wp-admin/includes/class-wp-comments-list-table.php index cf0ab88a82..bd04f09be1 100644 --- a/wp-admin/includes/class-wp-comments-list-table.php +++ b/wp-admin/includes/class-wp-comments-list-table.php @@ -170,7 +170,7 @@ class WP_Comments_List_Table extends WP_List_Table { /* // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark if ( !empty( $_REQUEST['s'] ) ) - $link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link ); + $link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link ); */ $status_links[$status] = "" . sprintf( translate_nooped_plural( $label, $num_comments->$status ), 
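Review bot: In the wp_insert_link hunk (-137) `extract( $linkdata, EXTR_SKIP );` now pulls a caller-supplied array straight into local variables; with `edit_link()` above feeding it `wp_unslash( $_POST )`, every key the request carries becomes a local that the rest of wp_insert_link (outside the hunk) can pick up. `EXTR_SKIP` protects locals that already exist, such as `$wp_error`, but it does not limit which new names appear, so the safety of this line rests entirely on `sanitize_bookmark( $linkdata, 'db' )` whitelisting keys, which I cannot confirm from the hunk. Reading the handful of fields explicitly (`$link_id = isset( $linkdata['link_id'] ) ? (int) $linkdata['link_id'] : 0;` and so on) would make the dependency visible and keep static analysis useful; the accompanying removal of `stripslashes_deep()` is fine on its own.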
diff --git a/wp-admin/includes/class-wp-ms-sites-list-table.php b/wp-admin/includes/class-wp-ms-sites-list-table.php index 371901a638..b9d68a1f35 100644 --- a/wp-admin/includes/class-wp-ms-sites-list-table.php +++ b/wp-admin/includes/class-wp-ms-sites-list-table.php @@ -29,7 +29,7 @@ class WP_MS_Sites_List_Table extends WP_List_Table { $pagenum = $this->get_pagenum(); - $s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : ''; + $s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : ''; $wild = ''; if ( false !== strpos($s, '*') ) { $wild = '%'; diff --git a/wp-admin/includes/class-wp-ms-themes-list-table.php b/wp-admin/includes/class-wp-ms-themes-list-table.php index d4190249bf..df9db5e892 100644 --- a/wp-admin/includes/class-wp-ms-themes-list-table.php +++ b/wp-admin/includes/class-wp-ms-themes-list-table.php @@ -126,7 +126,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table { function _search_callback( $theme ) { static $term; if ( is_null( $term ) ) - $term = stripslashes( $_REQUEST['s'] ); + $term = wp_unslash( $_REQUEST['s'] ); foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) { // Don't mark up; Do translate. diff --git a/wp-admin/includes/class-wp-ms-users-list-table.php b/wp-admin/includes/class-wp-ms-users-list-table.php index 6a4268f6ae..ab1ee3620e 100644 --- a/wp-admin/includes/class-wp-ms-users-list-table.php +++ b/wp-admin/includes/class-wp-ms-users-list-table.php 
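Review bot: In the WP_MS_Sites_List_Table hunk (-29) the search term is written as `wp_unslash( trim( $_REQUEST[ 's' ] ) )`, i.e. trimmed while still slashed, whereas the terms list table in this same commit uses `trim( wp_unslash( $_REQUEST['s'] ) )`. The two orders agree for ordinary input but differ for escape sequences that trim treats as whitespace only after unslashing, and the mixed convention makes the code harder to audit. Suggest `$s = isset( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';` so that unslashing is always the innermost step on request data.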
@@ -173,10 +173,10 @@ class WP_MS_Users_List_Table extends WP_List_Table { case 'username': $avatar = get_avatar( $user->user_email, 32 ); - $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) ); + $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) ); echo ""; ?> - user_login ); ?>user_login; ?>user_login, $super_admins ) ) echo ' - ' . __( 'Super Admin' ); ?> @@ -186,7 +186,7 @@ class WP_MS_Users_List_Table extends WP_List_Table { $actions['edit'] = '' . __( 'Edit' ) . ''; if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) { - $actions['delete'] = '' . __( 'Delete' ) . ''; + $actions['delete'] = '' . __( 'Delete' ) . ''; } $actions = apply_filters( 'ms_user_row_actions', $actions, $user ); diff --git a/wp-admin/includes/class-wp-plugin-install-list-table.php b/wp-admin/includes/class-wp-plugin-install-list-table.php index aa7cffe4c9..76ef2ce2c1 100644 --- a/wp-admin/includes/class-wp-plugin-install-list-table.php +++ b/wp-admin/includes/class-wp-plugin-install-list-table.php @@ -48,8 +48,8 @@ class WP_Plugin_Install_List_Table extends WP_List_Table { switch ( $tab ) { case 'search': - $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; - $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : ''; + $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term'; + $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : ''; switch ( $type ) { case 'tag': 
@@ -73,7 +73,7 @@ class WP_Plugin_Install_List_Table extends WP_List_Table { break; case 'favorites': - $user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); + $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); update_user_meta( get_current_user_id(), 'wporg_favorites', $user ); if ( $user ) $args['user'] = $user; diff --git a/wp-admin/includes/class-wp-plugins-list-table.php b/wp-admin/includes/class-wp-plugins-list-table.php index ec60afdfe6..64086d8d49 100644 --- a/wp-admin/includes/class-wp-plugins-list-table.php +++ b/wp-admin/includes/class-wp-plugins-list-table.php @@ -22,7 +22,7 @@ class WP_Plugins_List_Table extends WP_List_Table { $status = $_REQUEST['plugin_status']; if ( isset($_REQUEST['s']) ) - $_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) ); + $_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) ); $page = $this->get_pagenum(); } @@ -140,7 +140,7 @@ class WP_Plugins_List_Table extends WP_List_Table { function _search_callback( $plugin ) { static $term; if ( is_null( $term ) ) - $term = stripslashes( $_REQUEST['s'] ); + $term = wp_unslash( $_REQUEST['s'] ); foreach ( $plugin as $value ) if ( stripos( $value, $term ) !== false ) diff --git a/wp-admin/includes/class-wp-terms-list-table.php b/wp-admin/includes/class-wp-terms-list-table.php index 85010105cd..de8d8d32c1 100644 --- a/wp-admin/includes/class-wp-terms-list-table.php +++ b/wp-admin/includes/class-wp-terms-list-table.php @@ -52,7 +52,7 @@ class WP_Terms_List_Table extends WP_List_Table { $tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter } - $search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : ''; + $search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : ''; $args = array( 'search' => $search, 
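Review bot: In the favorites hunk (-73) of WP_Plugin_Install_List_Table the unslashed `$_GET['user']` is persisted with `update_user_meta( get_current_user_id(), 'wporg_favorites', $user )` and forwarded as `$args['user']` without any sanitization; the hunk only swaps stripslashes() for wp_unslash(), so this is pre-existing, but it is the line being touched. A stored value is replayed on every later visit to this tab, so a one-off bad request becomes persistent input to the plugins API client. If wordpress.org usernames fit its rules, `$user = isset( $_GET['user'] ) ? sanitize_user( wp_unslash( $_GET['user'] ) ) : get_user_option( 'wporg_favorites' );` bounds the value before it is stored; otherwise at least enforce that it is a string.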
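Review bot: In the WP_Plugins_List_Table hunk (-22) the unslashed search term is written back into `$_SERVER['REQUEST_URI']`, while the other hunks in this commit (admin.php, edit-comments.php, edit.php, the user list tables) read that superglobal through `wp_unslash( $_SERVER['REQUEST_URI'] )`. If the superglobal is slashed at this point, which the hunk does not show but the commit's other reads assume, the two conventions now collide and a later reader unslashes a value that was already unslashed. Prefer not to mutate the superglobal at all and keep the computed URL in a local that `get_pagenum()` can be given; failing that, the assignment should keep the stored form consistent, e.g. `$_SERVER['REQUEST_URI'] = wp_slash( add_query_arg( 's', wp_unslash( $_REQUEST['s'] ) ) );`.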
@@ -61,10 +61,10 @@ class WP_Terms_List_Table extends WP_List_Table { ); if ( !empty( $_REQUEST['orderby'] ) ) - $args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) ); + $args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) ); if ( !empty( $_REQUEST['order'] ) ) - $args['order'] = trim( stripslashes( $_REQUEST['order'] ) ); + $args['order'] = trim( wp_unslash( $_REQUEST['order'] ) ); $this->callback_args = $args; diff --git a/wp-admin/includes/class-wp-theme-install-list-table.php b/wp-admin/includes/class-wp-theme-install-list-table.php index 8aa892929d..5bc80502f6 100644 --- a/wp-admin/includes/class-wp-theme-install-list-table.php +++ b/wp-admin/includes/class-wp-theme-install-list-table.php @@ -24,7 +24,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table { $search_terms = array(); $search_string = ''; if ( ! empty( $_REQUEST['s'] ) ){ - $search_string = strtolower( stripslashes( $_REQUEST['s'] ) ); + $search_string = strtolower( wp_unslash( $_REQUEST['s'] ) ); $search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) ); } @@ -59,7 +59,7 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table { switch ( $tab ) { case 'search': - $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; + $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term'; switch ( $type ) { case 'tag': $args['tag'] = array_map( 'sanitize_key', $search_terms ); diff --git a/wp-admin/includes/class-wp-themes-list-table.php b/wp-admin/includes/class-wp-themes-list-table.php index 420495efe3..684bd8be00 100644 --- a/wp-admin/includes/class-wp-themes-list-table.php +++ b/wp-admin/includes/class-wp-themes-list-table.php 
@@ -28,7 +28,7 @@ class WP_Themes_List_Table extends WP_List_Table { $themes = wp_get_themes( array( 'allowed' => true ) ); if ( ! empty( $_REQUEST['s'] ) ) - $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) ); + $this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) ); if ( ! empty( $_REQUEST['features'] ) ) $this->features = $_REQUEST['features']; @@ -235,7 +235,7 @@ class WP_Themes_List_Table extends WP_List_Table { * @uses _pagination_args['total_pages'] */ function _js_vars( $extra_args = array() ) { - $search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : ''; + $search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : ''; $args = array( 'search' => $search_string, diff --git a/wp-admin/includes/class-wp-upgrader.php b/wp-admin/includes/class-wp-upgrader.php index c9bfec3dc4..a42ab3fdfd 100644 --- a/wp-admin/includes/class-wp-upgrader.php +++ b/wp-admin/includes/class-wp-upgrader.php @@ -1427,7 +1427,7 @@ class Plugin_Installer_Skin extends WP_Upgrader_Skin { $install_actions = array(); - $from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins'; + $from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins'; if ( 'import' == $from ) $install_actions['activate_plugin'] = '' . __('Activate Plugin & Run Importer') . ''; diff --git a/wp-admin/includes/class-wp-users-list-table.php b/wp-admin/includes/class-wp-users-list-table.php index 10802c110c..3071fa97af 100644 --- a/wp-admin/includes/class-wp-users-list-table.php +++ b/wp-admin/includes/class-wp-users-list-table.php 
@@ -241,7 +241,7 @@ class WP_Users_List_Table extends WP_List_Table { // Check if the user for this row is editable if ( current_user_can( 'list_users' ) ) { // Set up the user editing link - $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) ); + $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) ); // Set up the hover actions for this user $actions = array(); diff --git a/wp-admin/includes/comment.php b/wp-admin/includes/comment.php index 2930c050df..72a0b40e3b 100644 --- a/wp-admin/includes/comment.php +++ b/wp-admin/includes/comment.php @@ -19,9 +19,6 @@ function comment_exists($comment_author, $comment_date) { global $wpdb; - $comment_author = stripslashes($comment_author); - $comment_date = stripslashes($comment_date); - return $wpdb->get_var( $wpdb->prepare("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_author = %s AND comment_date = %s", $comment_author, $comment_date) ); } 
@@ -33,38 +30,40 @@ function comment_exists($comment_author, $comment_date) { */ function edit_comment() { - if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) ) + $post_data = wp_unslash( $_POST ); + + if ( ! current_user_can( 'edit_comment', (int) $post_data['comment_ID'] ) ) wp_die ( __( 'You are not allowed to edit comments on this post.' ) ); - $_POST['comment_author'] = $_POST['newcomment_author']; - $_POST['comment_author_email'] = $_POST['newcomment_author_email']; - $_POST['comment_author_url'] = $_POST['newcomment_author_url']; - $_POST['comment_approved'] = $_POST['comment_status']; - $_POST['comment_content'] = $_POST['content']; - $_POST['comment_ID'] = (int) $_POST['comment_ID']; + $post_data['comment_author'] = $post_data['newcomment_author']; + $post_data['comment_author_email'] = $post_data['newcomment_author_email']; + $post_data['comment_author_url'] = $post_data['newcomment_author_url']; + $post_data['comment_approved'] = $post_data['comment_status']; + $post_data['comment_content'] = $post_data['content']; + $post_data['comment_ID'] = (int) $post_data['comment_ID']; foreach ( array ('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit ) { - if ( !empty( $_POST['hidden_' . $timeunit] ) && $_POST['hidden_' . $timeunit] != $_POST[$timeunit] ) { + if ( !empty( $post_data['hidden_' . $timeunit] ) && $post_data['hidden_' . $timeunit] != $post_data[$timeunit] ) { $_POST['edit_date'] = '1'; break; } } - if ( !empty ( $_POST['edit_date'] ) ) { - $aa = $_POST['aa']; - $mm = $_POST['mm']; - $jj = $_POST['jj']; - $hh = $_POST['hh']; - $mn = $_POST['mn']; - $ss = $_POST['ss']; + if ( !empty ( $post_data['edit_date'] ) ) { + $aa = $post_data['aa']; + $mm = $post_data['mm']; + $jj = $post_data['jj']; + $hh = $post_data['hh']; + $mn = $post_data['mn']; + $ss = $post_data['ss']; $jj = ($jj > 31 ) ? 31 : $jj; $hh = ($hh > 23 ) ? $hh -24 : $hh; $mn = ($mn > 59 ) ? $mn -60 : $mn; $ss = ($ss > 59 ) ? 
$ss -60 : $ss; - $_POST['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss"; + $post_data['comment_date'] = "$aa-$mm-$jj $hh:$mn:$ss"; } - wp_update_comment( $_POST ); + wp_update_comment( $post_data ); } /** diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php index ee41d53e7b..5576d510b0 100644 --- a/wp-admin/includes/dashboard.php +++ b/wp-admin/includes/dashboard.php @@ -1093,7 +1093,7 @@ function wp_dashboard_rss_control( $widget_id, $form_inputs = array() ) { $widget_options[$widget_id]['number'] = $number; if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) { - $_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] ); + $_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] ); $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] ); // title is optional. If black, fill it if possible if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) { diff --git a/wp-admin/includes/deprecated.php b/wp-admin/includes/deprecated.php index 5d88b3a1ec..9624031ba9 100644 --- a/wp-admin/includes/deprecated.php +++ b/wp-admin/includes/deprecated.php @@ -472,14 +472,13 @@ class WP_User_Search { function WP_User_Search ($search_term = '', $page = '', $role = '') { _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' ); - $this->search_term = stripslashes( $search_term ); + $this->search_term = $search_term; $this->raw_page = ( '' == $page ) ? false : (int) $page; $this->page = (int) ( '' == $page ) ? 1 : $page; $this->role = $role; $this->prepare_query(); $this->query(); - $this->prepare_vars_for_template_usage(); $this->do_paging(); } 
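Review bot: The date-change detection in edit_comment() is broken by the switch to a local copy: the loop still sets `$_POST['edit_date'] = '1';` (an unchanged context line) while the following check reads `$post_data['edit_date']`, so a changed date is never applied unless the form itself submitted `edit_date`. The assignment should target the copy, `$post_data['edit_date'] = '1';`. The same split between `$post_data` and `$_POST` is worth checking in edit_post() (post.php @@ -149), where `$post_data = &$_POST;` became a copy and the body runs outside its hunk; any later read of `$_POST` there would now see raw slashed data.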
@@ -550,9 +549,7 @@ class WP_User_Search { * @since 2.1.0 * @access public */ - function prepare_vars_for_template_usage() { - $this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone - } + function prepare_vars_for_template_usage() {} /** * {@internal Missing Short Description}} diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php index 05eaf82527..eac8ab53a5 100644 --- a/wp-admin/includes/file.php +++ b/wp-admin/includes/file.php 
@@ -901,13 +901,13 @@ function request_filesystem_credentials($form_post, $type = '', $error = false, $credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => '')); // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option) - $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']); - $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']); - $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : ''); + $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']); + $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']); + $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : ''); // Check to see if we are setting the public/private keys for ssh - $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : ''); - $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : ''); + $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : ''); + $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? 
wp_unslash( $_POST['private_key'] ) : ''); //sanitize the hostname, Some people might pass in odd-data: $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off @@ -925,7 +925,7 @@ function request_filesystem_credentials($form_post, $type = '', $error = false, else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL $credentials['connection_type'] = 'ftps'; else if ( !empty($_POST['connection_type']) ) - $credentials['connection_type'] = stripslashes($_POST['connection_type']); + $credentials['connection_type'] = wp_unslash( $_POST['connection_type'] ); else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP $credentials['connection_type'] = 'ftp'; @@ -1050,7 +1050,7 @@ jQuery(function($){ '; + echo ''; } submit_button( __( 'Proceed' ), 'button', 'upgrade' ); ?> diff --git a/wp-admin/includes/image-edit.php b/wp-admin/includes/image-edit.php index 01bce7bd97..f0ded2f73d 100644 --- a/wp-admin/includes/image-edit.php +++ b/wp-admin/includes/image-edit.php @@ -454,7 +454,7 @@ function stream_preview_image( $post_id ) { if ( is_wp_error( $img ) ) return false; - $changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null; + $changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash( $_REQUEST['history'] ) ) : null; if ( $changes ) $img = image_edit_apply_changes( $img, $changes ); @@ -533,7 +533,7 @@ function wp_restore_image($post_id) { } } - if ( !wp_update_attachment_metadata($post_id, $meta) || !update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) { + if ( !wp_update_attachment_metadata($post_id, $meta) || !wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) { $msg->error = __('Cannot save image metadata.'); return $msg; } 
@@ -587,7 +587,7 @@ function wp_save_image( $post_id ) { return $return; } } elseif ( !empty($_REQUEST['history']) ) { - $changes = json_decode( stripslashes($_REQUEST['history']) ); + $changes = json_decode( wp_unslash( $_REQUEST['history'] ) ); if ( $changes ) $img = image_edit_apply_changes($img, $changes); } else { @@ -699,7 +699,7 @@ function wp_save_image( $post_id ) { if ( $success ) { wp_update_attachment_metadata( $post_id, $meta ); - update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes); + wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes); if ( $target == 'thumbnail' || $target == 'all' || $target == 'full' ) { // Check if it's an image edit from attachment edit screen diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index 814cae9f9e..5e9912be68 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php @@ -444,6 +444,8 @@ function media_upload_form_handler() { } if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id => $attachment ) { + $attachment = wp_unslash( $attachment ); + $post = $_post = get_post($attachment_id, ARRAY_A); $post_type_object = get_post_type_object( $post[ 'post_type' ] ); @@ -468,10 +470,9 @@ function media_upload_form_handler() { if ( isset($attachment['image_alt']) ) { $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true); - if ( $image_alt != stripslashes($attachment['image_alt']) ) { - $image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true ); - // update_meta expects slashed - update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) ); + if ( $image_alt != $attachment['image_alt'] ) { + $image_alt = wp_strip_all_tags( $attachment['image_alt'], true ); + wp_update_post_meta( $attachment_id, '_wp_attachment_image_alt', $image_alt ); } } 
@@ -501,7 +502,7 @@ function media_upload_form_handler() { } if ( isset($send_id) ) { - $attachment = stripslashes_deep( $_POST['attachments'][$send_id] ); + $attachment = wp_unslash( $_POST['attachments'][$send_id] ); $html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : ''; if ( !empty($attachment['url']) ) { @@ -546,7 +547,7 @@ function wp_media_upload_handler() { $src = "http://$src"; if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) { - $title = esc_html( stripslashes( $_POST['title'] ) ); + $title = esc_html( wp_unslash( $_POST['title'] ) ); if ( empty( $title ) ) $title = esc_html( basename( $src ) ); @@ -561,9 +562,9 @@ function wp_media_upload_handler() { $html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title ); } else { $align = ''; - $alt = esc_attr( stripslashes( $_POST['alt'] ) ); + $alt = esc_attr( wp_unslash( $_POST['alt'] ) ); if ( isset($_POST['align']) ) { - $align = esc_attr( stripslashes( $_POST['align'] ) ); + $align = esc_attr( wp_unslash( $_POST['align'] ) ); $class = " class='align$align'"; } if ( !empty($src) ) diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php index f09ef45289..f500ca16e1 100644 --- a/wp-admin/includes/misc.php +++ b/wp-admin/includes/misc.php @@ -220,7 +220,7 @@ add_action( 'update_option_page_on_front', 'update_home_siteurl', 10, 2 ); * @return string */ function url_shorten( $url ) { - $short_url = str_replace( 'http://', '', stripslashes( $url )); + $short_url = str_replace( 'http://', '', $url ); $short_url = str_replace( 'www.', '', $short_url ); $short_url = untrailingslashit( $short_url ); if ( strlen( $short_url ) > 35 ) @@ -248,9 +248,9 @@ function wp_reset_vars( $vars ) { if ( empty( $_GET[$var] ) ) $$var = ''; else - $$var = $_GET[$var]; + $$var = wp_unslash( $_GET[$var] ); } else { - $$var = $_POST[$var]; + $$var = wp_unslash( $_POST[$var] ); } } } 
@@ -323,8 +323,8 @@ function set_screen_options() { if ( !$user = wp_get_current_user() ) return; - $option = $_POST['wp_screen_options']['option']; - $value = $_POST['wp_screen_options']['value']; + $option = wp_unslash( $_POST['wp_screen_options']['option'] ); + $value = wp_unslash( $_POST['wp_screen_options']['value'] ); if ( $option != sanitize_key( $option ) ) return; diff --git a/wp-admin/includes/plugin-install.php b/wp-admin/includes/plugin-install.php index 63a5f711f2..32b4c676cb 100644 --- a/wp-admin/includes/plugin-install.php +++ b/wp-admin/includes/plugin-install.php @@ -116,8 +116,8 @@ add_action('install_plugins_dashboard', 'install_dashboard'); * @since 2.7.0 */ function install_search_form( $type_selector = true ) { - $type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term'; - $term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : ''; + $type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term'; + $term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : ''; ?>
@@ -160,7 +160,7 @@ add_action('install_plugins_upload', 'install_plugins_upload', 10, 1); * */ function install_plugins_favorites_form() { - $user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); + $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' ); ?>

@@ -251,7 +251,7 @@ function install_plugin_install_status($api, $loop = false) { } } if ( isset($_GET['from']) ) - $url .= '&from=' . urlencode(stripslashes($_GET['from'])); + $url .= '&from=' . urlencode( wp_unslash( $_GET['from'] ) ); return compact('status', 'url', 'version'); } @@ -264,7 +264,7 @@ function install_plugin_install_status($api, $loop = false) { function install_plugin_information() { global $tab; - $api = plugins_api('plugin_information', array('slug' => stripslashes( $_REQUEST['plugin'] ) )); + $api = plugins_api('plugin_information', array('slug' => wp_unslash( $_REQUEST['plugin'] ) )); if ( is_wp_error($api) ) wp_die($api); @@ -295,7 +295,7 @@ function install_plugin_information() { $api->$key = wp_kses( $api->$key, $plugins_allowedtags ); } - $section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English. + $section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English. if ( empty($section) || ! isset($api->sections[ $section ]) ) $section = array_shift( $section_titles = array_keys((array)$api->sections) ); diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index e4866ad516..cc43c5522f 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -149,8 +149,8 @@ function _wp_translate_postdata( $update = false, $post_data = null ) { */ function edit_post( $post_data = null ) { - if ( empty($post_data) ) - $post_data = &$_POST; + if ( empty( $post_data ) ) + $post_data = wp_unslash( $_POST ); // Clear out any data in internal vars. unset( $post_data['filter'] ); 
@@ -228,10 +228,9 @@ function edit_post( $post_data = null ) { if ( 'attachment' == $post_data['post_type'] ) { if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) { $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true ); - if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) { - $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true ); - // update_meta expects slashed - update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) ); + if ( $image_alt != $post_data['_wp_attachment_image_alt'] ) { + $image_alt = wp_strip_all_tags( $post_data['_wp_attachment_image_alt'], true ); + wp_update_post_meta( $post_ID, '_wp_attachment_image_alt', $image_alt ); } } @@ -241,7 +240,7 @@ function edit_post( $post_data = null ) { add_meta( $post_ID ); - update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); + wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); wp_update_post( $post_data ); @@ -422,15 +421,15 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false ) $post_title = ''; if ( !empty( $_REQUEST['post_title'] ) ) - $post_title = esc_html( stripslashes( $_REQUEST['post_title'] )); + $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] )); $post_content = ''; if ( !empty( $_REQUEST['content'] ) ) - $post_content = esc_html( stripslashes( $_REQUEST['content'] )); + $post_content = esc_html( wp_unslash( $_REQUEST['content'] )); $post_excerpt = ''; if ( !empty( $_REQUEST['excerpt'] ) ) - $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] )); + $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] )); if ( $create_in_db ) { $post_id = wp_insert_post( array( 'post_title' => __( 'Auto Draft' ), 'post_type' => $post_type, 'post_status' => 'auto-draft' ) ); 
@@ -479,9 +478,9 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false ) function post_exists($title, $content = '', $date = '') { global $wpdb; - $post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) ); - $post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) ); - $post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) ); + $post_title = sanitize_post_field( 'post_title', $title, 0, 'db' ); + $post_content = sanitize_post_field( 'post_content', $content, 0, 'db' ); + $post_date = sanitize_post_field( 'post_date', $date, 0, 'db' ); $query = "SELECT ID FROM $wpdb->posts WHERE 1=1"; $args = array(); @@ -559,7 +558,7 @@ function wp_write_post() { } // Create the post. - $post_ID = wp_insert_post( $_POST ); + $post_ID = wp_insert_post( wp_unslash( $_POST ) ); if ( is_wp_error( $post_ID ) ) return $post_ID; @@ -568,7 +567,7 @@ function wp_write_post() { add_meta( $post_ID ); - add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); + wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']->ID ); // Now that we have an ID we can fix any attachment anchor hrefs _fix_attachment_links( $post_ID ); @@ -612,9 +611,9 @@ function add_meta( $post_ID ) { global $wpdb; $post_ID = (int) $post_ID; - $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : ''; - $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : ''; - $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : ''; + $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : ''; + $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : ''; + $metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : ''; if ( is_string( $metavalue ) ) $metavalue = trim( $metavalue ); 
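Review bot: In add_meta(), `$metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : '';` now calls trim() before the `if ( is_string( $metavalue ) )` guard on the next line, making that guard dead; the guard implies non-string values are expected, and trim() does not accept an array (a warning and null on older PHP, a TypeError on newer PHP). Keep the original shape and only unslash: `$metavalue = isset($_POST['metavalue']) ? wp_unslash( $_POST['metavalue'] ) : '';`, leaving the trimming to the existing is_string branch. add_meta()'s body continues outside the hunk.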
@@ -631,9 +630,7 @@ function add_meta( $post_ID ) { if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) ) return false; - $metakey = esc_sql( $metakey ); - - return add_post_meta( $post_ID, $metakey, $metavalue ); + return wp_add_post_meta( $post_ID, $metakey, $metavalue ); } return false; @@ -706,14 +703,11 @@ function has_meta( $postid ) { * @since 1.2.0 * * @param unknown_type $meta_id - * @param unknown_type $meta_key Expect Slashed - * @param unknown_type $meta_value Expect Slashed + * @param unknown_type $meta_key + * @param unknown_type $meta_value * @return unknown */ function update_meta( $meta_id, $meta_key, $meta_value ) { - $meta_key = stripslashes( $meta_key ); - $meta_value = stripslashes_deep( $meta_value ); - return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key ); } @@ -767,8 +761,6 @@ function _fix_attachment_links( $post_ID ) { if ( $replace ) { $post['post_content'] = $content; - // Escape data pulled from DB. - $post = add_magic_quotes($post); return wp_update_post($post); } @@ -1179,7 +1171,7 @@ function wp_set_post_lock( $post_id ) { $now = time(); $lock = "$now:$user_id"; - update_post_meta( $post->ID, '_edit_lock', $lock ); + wp_update_post_meta( $post->ID, '_edit_lock', $lock ); return array( $now, $user_id ); } 
@@ -1230,14 +1222,14 @@ function wp_create_post_autosave( $post_id ) { // Only store one autosave. If there is already an autosave, overwrite it. if ( $old_autosave = wp_get_post_autosave( $post_id ) ) { - $new_autosave = _wp_post_revision_fields( $_POST, true ); + $new_autosave = _wp_post_revision_fields( wp_unslash( $_POST ), true ); $new_autosave['ID'] = $old_autosave->ID; $new_autosave['post_author'] = get_current_user_id(); return wp_update_post( $new_autosave ); } // _wp_put_post_revision() expects unescaped. - $_POST = stripslashes_deep($_POST); + $_POST = wp_unslash( $_POST ); // Otherwise create the new autosave as a special post revision return _wp_put_post_revision( $_POST, true ); diff --git a/wp-admin/includes/schema.php b/wp-admin/includes/schema.php index 5dfb41b952..1f57cb1492 100644 --- a/wp-admin/includes/schema.php +++ b/wp-admin/includes/schema.php @@ -505,13 +505,11 @@ function populate_options() { else $autoload = 'yes'; - $option = $wpdb->escape($option); if ( is_array($value) ) $value = serialize($value); - $value = $wpdb->escape($value); if ( !empty($insert) ) $insert .= ', '; - $insert .= "('$option', '$value', '$autoload')"; + $insert .= $wpdb->prepare( "(%s, %s, %s)", $option, $value, $autoload ); } if ( !empty($insert) ) @@ -921,13 +919,11 @@ We hope you enjoy your new site. Thanks! $insert = ''; foreach ( $sitemeta as $meta_key => $meta_value ) { - $meta_key = $wpdb->escape( $meta_key ); if ( is_array( $meta_value ) ) $meta_value = serialize( $meta_value ); - $meta_value = $wpdb->escape( $meta_value ); if ( !empty( $insert ) ) $insert .= ', '; - $insert .= "( $network_id, '$meta_key', '$meta_value')"; + $insert .= $wpdb->prepare( "( %d, %s, %s)", $network_id, $meta_key, $meta_value ); } $wpdb->query( "INSERT INTO $wpdb->sitemeta ( site_id, meta_key, meta_value ) VALUES " . $insert ); diff --git a/wp-admin/includes/taxonomy.php b/wp-admin/includes/taxonomy.php index 7423cf9214..f31dadc757 100644 --- a/wp-admin/includes/taxonomy.php 
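Review bot: `$_POST = wp_unslash( $_POST );` in wp_create_post_autosave() rewrites the superglobal in place, so any code running after it that follows this commit's convention and calls wp_unslash() on `$_POST` again would strip a second layer of backslashes from content that legitimately contains them. The unslashed copy is only needed for the revision call, so leave `$_POST` untouched: `return _wp_put_post_revision( wp_unslash( $_POST ), true );`. This also mirrors the autosave-overwrite branch above, which already passes `wp_unslash( $_POST )` to `_wp_post_revision_fields()` without reassigning.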
+++ b/wp-admin/includes/taxonomy.php @@ -157,9 +157,6 @@ function wp_update_category($catarr) { // First, get all of the original fields $category = get_category($cat_ID, ARRAY_A); - // Escape data pulled from DB. - $category = add_magic_quotes($category); - // Merge old and new fields with new fields overwriting old ones. $catarr = array_merge($category, $catarr); diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php index f9382d5000..bee7befa48 100644 --- a/wp-admin/includes/template.php +++ b/wp-admin/includes/template.php @@ -1331,7 +1331,7 @@ function _draft_or_post_title( $post = 0 ) { * */ function _admin_search_query() { - echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : ''; + echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : ''; } /** diff --git a/wp-admin/includes/theme-install.php b/wp-admin/includes/theme-install.php index 5654f05e3c..5d5191b38a 100644 --- a/wp-admin/includes/theme-install.php +++ b/wp-admin/includes/theme-install.php @@ -50,8 +50,8 @@ function install_themes_feature_list() { * @since 2.8.0 */ function install_theme_search_form( $type_selector = true ) { - $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term'; - $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : ''; + $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term'; + $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : ''; if ( ! $type_selector ) echo '

' . __( 'Search for themes by keyword.' ) . '

'; ?> @@ -179,7 +179,7 @@ add_action('install_themes_updated', 'display_themes'); function install_theme_information() { global $tab, $themes_allowedtags, $wp_list_table; - $theme = themes_api( 'theme_information', array( 'slug' => stripslashes( $_REQUEST['theme'] ) ) ); + $theme = themes_api( 'theme_information', array( 'slug' => wp_unslash( $_REQUEST['theme'] ) ) ); if ( is_wp_error( $theme ) ) wp_die( $theme ); diff --git a/wp-admin/includes/upgrade.php b/wp-admin/includes/upgrade.php index 7ba271a38d..64c9db09e9 100644 --- a/wp-admin/includes/upgrade.php +++ b/wp-admin/includes/upgrade.php @@ -132,7 +132,7 @@ function wp_install_defaults($user_id) { $first_post = get_site_option( 'first_post' ); if ( empty($first_post) ) - $first_post = stripslashes( __( 'Welcome to SITE_NAME. This is your first post. Edit or delete it, then start blogging!' ) ); + $first_post = __( 'Welcome to SITE_NAME. This is your first post. Edit or delete it, then start blogging!' ); $first_post = str_replace( "SITE_URL", esc_url( network_home_url() ), $first_post ); $first_post = str_replace( "SITE_NAME", $current_site->site_name, $first_post ); 
@@ -636,23 +636,23 @@ function upgrade_160() { $users = $wpdb->get_results("SELECT * FROM $wpdb->users"); foreach ( $users as $user ) : if ( !empty( $user->user_firstname ) ) - update_user_meta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) ); + update_user_meta( $user->ID, 'first_name', $user->user_firstname ); if ( !empty( $user->user_lastname ) ) - update_user_meta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) ); + update_user_meta( $user->ID, 'last_name', $user->user_lastname ); if ( !empty( $user->user_nickname ) ) - update_user_meta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) ); + update_user_meta( $user->ID, 'nickname', $user->user_nickname ); if ( !empty( $user->user_level ) ) update_user_meta( $user->ID, $wpdb->prefix . 'user_level', $user->user_level ); if ( !empty( $user->user_icq ) ) - update_user_meta( $user->ID, 'icq', $wpdb->escape($user->user_icq) ); + update_user_meta( $user->ID, 'icq', $user->user_icq ); if ( !empty( $user->user_aim ) ) - update_user_meta( $user->ID, 'aim', $wpdb->escape($user->user_aim) ); + update_user_meta( $user->ID, 'aim', $user->user_aim ); if ( !empty( $user->user_msn ) ) - update_user_meta( $user->ID, 'msn', $wpdb->escape($user->user_msn) ); + update_user_meta( $user->ID, 'msn', $user->user_msn ); if ( !empty( $user->user_yim ) ) - update_user_meta( $user->ID, 'yim', $wpdb->escape($user->user_icq) ); + update_user_meta( $user->ID, 'yim', $user->user_icq ); if ( !empty( $user->user_description ) ) - update_user_meta( $user->ID, 'description', $wpdb->escape($user->user_description) ); + update_user_meta( $user->ID, 'description', $user->user_description ); if ( isset( $user->user_idmode ) ): $idmode = $user->user_idmode; @@ -854,7 +854,7 @@ function upgrade_230() { foreach ( $link_cats as $category) { $cat_id = (int) $category->cat_id; $term_id = 0; - $name = $wpdb->escape($category->cat_name); + $name = $category->cat_name; $slug = sanitize_title($name); $term_group = 0; 
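Review bot: `update_user_meta( $user->ID, 'yim', $user->user_icq );` in upgrade_160() stores the ICQ handle under the `yim` key although the guard on the preceding line tests `$user->user_yim`; the commit rewrites this line but keeps the mismatch. It should read `update_user_meta( $user->ID, 'yim', $user->user_yim );`. The enclosing foreach and the function start and end outside the hunk.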
diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php index ea3bdbf6a9..90c18d0c3d 100644 --- a/wp-admin/includes/user.php +++ b/wp-admin/includes/user.php @@ -34,22 +34,25 @@ function edit_user( $user_id = 0 ) { $update = true; $user->ID = (int) $user_id; $userdata = get_userdata( $user_id ); - $user->user_login = $wpdb->escape( $userdata->user_login ); + $user->user_login = $userdata->user_login; } else { $update = false; } - if ( !$update && isset( $_POST['user_login'] ) ) - $user->user_login = sanitize_user($_POST['user_login'], true); + // get clean data before we get started. + $post_data = wp_unslash( $_POST ); + + if ( !$update && isset( $post_data['user_login'] ) ) + $user->user_login = sanitize_user($post_data['user_login'], true); $pass1 = $pass2 = ''; - if ( isset( $_POST['pass1'] )) - $pass1 = $_POST['pass1']; - if ( isset( $_POST['pass2'] )) - $pass2 = $_POST['pass2']; + if ( isset( $post_data['pass1'] )) + $pass1 = $post_data['pass1']; + if ( isset( $post_data['pass2'] )) + $pass2 = $post_data['pass2']; - if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { - $new_role = sanitize_text_field( $_POST['role'] ); + if ( isset( $post_data['role'] ) && current_user_can( 'edit_users' ) ) { + $new_role = sanitize_text_field( $post_data['role'] ); $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false; // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. // Multisite super admins can freely edit their blog roles -- they possess all caps. 
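Review bot: The comment `// get clean data before we get started.` above `$post_data = wp_unslash( $_POST );` in edit_user() overstates what the call does: wp_unslash() only removes the magic-quotes slashes, and every field is still untrusted until the per-field `sanitize_user()`, `sanitize_text_field()` and `esc_url_raw()` calls that follow. Suggest `// Strip the GPCS slashes once; every field below is still untrusted and is sanitized individually.` The body of edit_user() continues past the hunk, so any remaining direct reads of `$_POST` further down would now see slashed data that differs from `$post_data` and are worth a check.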
@@ -62,44 +65,44 @@ function edit_user( $user_id = 0 ) { wp_die(__('You can’t give users that role.')); } - if ( isset( $_POST['email'] )) - $user->user_email = sanitize_text_field( $_POST['email'] ); - if ( isset( $_POST['url'] ) ) { - if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { + if ( isset( $post_data['email'] )) + $user->user_email = sanitize_text_field( $post_data['email'] ); + if ( isset( $post_data['url'] ) ) { + if ( empty ( $post_data['url'] ) || $post_data['url'] == 'http://' ) { $user->user_url = ''; } else { - $user->user_url = esc_url_raw( $_POST['url'] ); + $user->user_url = esc_url_raw( $post_data['url'] ); $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) ); $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url; } } - if ( isset( $_POST['first_name'] ) ) - $user->first_name = sanitize_text_field( $_POST['first_name'] ); - if ( isset( $_POST['last_name'] ) ) - $user->last_name = sanitize_text_field( $_POST['last_name'] ); - if ( isset( $_POST['nickname'] ) ) - $user->nickname = sanitize_text_field( $_POST['nickname'] ); - if ( isset( $_POST['display_name'] ) ) - $user->display_name = sanitize_text_field( $_POST['display_name'] ); + if ( isset( $post_data['first_name'] ) ) + $user->first_name = sanitize_text_field( $post_data['first_name'] ); + if ( isset( $post_data['last_name'] ) ) + $user->last_name = sanitize_text_field( $post_data['last_name'] ); + if ( isset( $post_data['nickname'] ) ) + $user->nickname = sanitize_text_field( $post_data['nickname'] ); + if ( isset( $post_data['display_name'] ) ) + $user->display_name = sanitize_text_field( $post_data['display_name'] ); - if ( isset( $_POST['description'] ) ) - $user->description = trim( $_POST['description'] ); + if ( isset( $post_data['description'] ) ) + $user->description = trim( $post_data['description'] ); foreach ( _wp_get_user_contactmethods( $user ) as $method => $name ) { - 
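Review bot: `$user->description = trim( $post_data['description'] );` is the one field in this hunk that gets no sanitize_*()/esc_*() call, so any filtering has to happen in wp_update_user()'s `pre_user_description` path, which is outside this hunk. Since the commit message moves the kses helpers to unslashed variants (wp_kses_data() instead of wp_filter_kses()), it is worth confirming that filter was converted as well; otherwise the now-unslashed description reaches a helper that still expects slashed input. A one-line comment, `// Filtered by the pre_user_description filter in wp_update_user().`, would document the dependency at the point of assignment.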
if ( isset( $_POST[$method] )) - $user->$method = sanitize_text_field( $_POST[$method] ); + if ( isset( $post_data[$method] )) + $user->$method = sanitize_text_field( $post_data[$method] ); } if ( $update ) { - $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true'; - $user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh'; - $user->show_admin_bar_front = isset( $_POST['admin_bar_front'] ) ? 'true' : 'false'; + $user->rich_editing = isset( $post_data['rich_editing'] ) && 'false' == $post_data['rich_editing'] ? 'false' : 'true'; + $user->admin_color = isset( $post_data['admin_color'] ) ? sanitize_text_field( $post_data['admin_color'] ) : 'fresh'; + $user->show_admin_bar_front = isset( $post_data['admin_bar_front'] ) ? 'true' : 'false'; } - $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : ''; + $user->comment_shortcuts = isset( $post_data['comment_shortcuts'] ) && 'true' == $post_data['comment_shortcuts'] ? 'true' : ''; $user->use_ssl = 0; - if ( !empty($_POST['use_ssl']) ) + if ( !empty($post_data['use_ssl']) ) $user->use_ssl = 1; $errors = new WP_Error(); @@ -124,7 +127,7 @@ function edit_user( $user_id = 0 ) { } /* Check for "\" in password */ - if ( false !== strpos( stripslashes($pass1), "\\" ) ) + if ( false !== strpos( $pass1, "\\" ) ) $errors->add( 'pass', __( 'ERROR: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) ); /* checking the password has been typed twice the same */ 
@@ -134,7 +137,7 @@ function edit_user( $user_id = 0 ) { if ( !empty( $pass1 ) ) $user->user_pass = $pass1; - if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) ) + if ( !$update && isset( $post_data['user_login'] ) && !validate_username( $post_data['user_login'] ) ) $errors->add( 'user_login', __( 'ERROR: This username is invalid because it uses illegal characters. Please enter a valid username.' )); if ( !$update && username_exists( $user->user_login ) ) @@ -159,7 +162,7 @@ function edit_user( $user_id = 0 ) { $user_id = wp_update_user( $user ); } else { $user_id = wp_insert_user( $user ); - wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' ); + wp_new_user_notification( $user_id, isset($post_data['send_password']) ? $pass1 : '' ); } return $user_id; } diff --git a/wp-admin/install.php b/wp-admin/install.php index dd489af0cc..c8ade7323e 100644 --- a/wp-admin/install.php +++ b/wp-admin/install.php @@ -84,10 +84,10 @@ function display_setup_form( $error = null ) { if ( ! empty( $_POST ) ) $blog_public = isset( $_POST['blog_public'] ); - $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : ''; - $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin'; - $admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : ''; - $admin_email = isset( $_POST['admin_email'] ) ? trim( stripslashes( $_POST['admin_email'] ) ) : ''; + $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : ''; + $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin'; + $admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : ''; + $admin_email = isset( $_POST['admin_email'] ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : ''; if ( ! is_null( $error ) ) { ?> 
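Review bot: In display_setup_form() `$admin_password` is read as `trim( wp_unslash( $_POST['admin_password'] ) )`, but the step-2 hunk of the same file (@@ -189,11 +189,11 @@ on the next line) reads it with `wp_unslash()` alone, so a password with leading or trailing whitespace is created from the untrimmed value while the re-displayed form carries the trimmed one. The two reads should agree; since the account is created from the untrimmed value, dropping `trim()` from the display-form line is the smaller change. display_setup_form() continues past this hunk.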
@@ -189,11 +189,11 @@ switch($step) { display_header(); // Fill in the data we gathered - $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : ''; - $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin'; - $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : ''; - $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : ''; - $admin_email = isset( $_POST['admin_email'] ) ?trim( stripslashes( $_POST['admin_email'] ) ) : ''; + $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : ''; + $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin'; + $admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : ''; + $admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : ''; + $admin_email = isset( $_POST['admin_email'] ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : ''; $public = isset( $_POST['blog_public'] ) ? (int) $_POST['blog_public'] : 0; // check e-mail address $error = false; diff --git a/wp-admin/link-manager.php b/wp-admin/link-manager.php index 92194f0392..3154f8e3db 100644 --- a/wp-admin/link-manager.php +++ b/wp-admin/link-manager.php @@ -31,7 +31,7 @@ if ( $doaction && isset( $_REQUEST['linkcheck'] ) ) { exit; } } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { - wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } @@ -72,7 +72,7 @@ if ( ! current_user_can('manage_links') )

' . __('Search results for “%s”') . '', esc_html( stripslashes($_REQUEST['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>

get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() ) network_step2( $result ); diff --git a/wp-admin/network/settings.php b/wp-admin/network/settings.php index b3a0f897f4..e745694031 100644 --- a/wp-admin/network/settings.php +++ b/wp-admin/network/settings.php @@ -61,7 +61,7 @@ if ( $_POST ) { foreach ( $options as $option_name ) { if ( ! isset($_POST[$option_name]) ) continue; - $value = stripslashes_deep( $_POST[$option_name] ); + $value = wp_unslash( $_POST[$option_name] ); update_site_option( $option_name, $value ); } @@ -181,7 +181,7 @@ if ( isset( $_GET['updated'] ) ) { +
@@ -190,7 +190,7 @@ if ( isset( $_GET['updated'] ) ) { +
@@ -199,7 +199,7 @@ if ( isset( $_GET['updated'] ) ) { +
@@ -208,7 +208,7 @@ if ( isset( $_GET['updated'] ) ) { +
@@ -217,7 +217,7 @@ if ( isset( $_GET['updated'] ) ) { +
diff --git a/wp-admin/network/site-info.php b/wp-admin/network/site-info.php index bcc71f9f18..7dd6aeb23a 100644 --- a/wp-admin/network/site-info.php +++ b/wp-admin/network/site-info.php @@ -62,7 +62,7 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] ) { delete_option( 'rewrite_rules' ); // update blogs table - $blog_data = stripslashes_deep( $_POST['blog'] ); + $blog_data = wp_unslash( $_POST['blog'] ); $existing_details = get_blog_details( $id, false ); $blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' ); foreach ( $blog_data_checkboxes as $c ) { diff --git a/wp-admin/network/site-new.php b/wp-admin/network/site-new.php index db2e1f74c0..3712c08c42 100644 --- a/wp-admin/network/site-new.php +++ b/wp-admin/network/site-new.php @@ -38,7 +38,7 @@ if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) { if ( ! is_array( $_POST['blog'] ) ) wp_die( __( 'Can’t create an empty site.' ) ); - $blog = $_POST['blog']; + $blog = wp_unslash( $_POST['blog'] ); $domain = ''; if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) ) $domain = strtolower( $blog['domain'] ); @@ -88,7 +88,7 @@ if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) { $content_mail = sprintf( __( 'New site created by %1$s Address: %2$s -Name: %3$s' ), $current_user->user_login , get_site_url( $id ), stripslashes( $title ) ); +Name: %3$s' ), $current_user->user_login , get_site_url( $id ), $title ); wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site->site_name ), $content_mail, 'From: "Site Admin" <' . get_site_option( 'admin_email' ) . '>' ); wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) ); wp_redirect( add_query_arg( array( 'update' => 'added', 'id' => $id ), 'site-new.php' ) ); diff --git a/wp-admin/network/site-settings.php b/wp-admin/network/site-settings.php index f807fcf2c5..a4ab33b707 100644 
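Review bot: site-info.php assigns `$blog_data = wp_unslash( $_POST['blog'] );` with no shape check, whereas the site-new.php hunk on the same line guards the identical field with `if ( ! is_array( $_POST['blog'] ) ) wp_die( ... )`. wp_unslash() returns a string for a scalar, and the loop over `$blog_data_checkboxes` that follows presumably indexes `$blog_data` by those names, which on a string yields notices rather than a clean failure. A matching `is_array()` guard before the assignment keeps the two handlers consistent; the enclosing `update-site` branch begins before the hunk.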
--- a/wp-admin/network/site-settings.php
+++ b/wp-admin/network/site-settings.php
@@ -53,12 +53,14 @@ if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_ar
 $count = count( $_POST['option'] );
 $skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form.
 foreach ( (array) $_POST['option'] as $key => $val ) {
+ $key = wp_unslash( $key );
+ $val = wp_unslash( $val );
 if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) )
 continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options
 if ( $c == $count )
- update_option( $key, stripslashes( $val ) );
+ update_option( $key, $val );
 else
- update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet
+ update_option( $key, $val, false ); // no need to refresh blog details yet
 $c++;
 }
diff --git a/wp-admin/network/sites.php b/wp-admin/network/sites.php
index 3a102e3100..93341c35e9 100644
--- a/wp-admin/network/sites.php
+++ b/wp-admin/network/sites.php
@@ -79,7 +79,7 @@ if ( isset( $_GET['action'] ) ) {
-
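Review bot: `in_array($key, $skip_options)` on the line directly after the two new wp_unslash() calls is a loose comparison; `in_array( $key, $skip_options, true )` makes the skip list match by string only, so an integer array key (the `$key === 0` test covers only zero) can never satisfy it through PHP's loose `==` rules. The new lines also make this loop the single place where `$val` is touched before `update_option()`, and the visible code applies no per-option sanitization; a comment such as `// $val is stored as posted; option-specific validation is the form's responsibility.` would make that explicit for the next reader. The enclosing `update-site` branch begins before the hunk.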

+

diff --git a/wp-admin/options.php b/wp-admin/options.php index 92ae917bf7..80a07190df 100644 --- a/wp-admin/options.php +++ b/wp-admin/options.php @@ -120,16 +120,16 @@ if ( 'update' == $action ) { if ( 'options' == $option_page ) { if ( is_multisite() && ! is_super_admin() ) wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) ); - $options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) ); + $options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) ); } else { $options = $whitelist_options[ $option_page ]; } // Handle custom date/time formats if ( 'general' == $option_page ) { - if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) ) + if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) ) $_POST['date_format'] = $_POST['date_format_custom']; - if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) ) + if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) ) $_POST['time_format'] = $_POST['time_format_custom']; // Map UTC+- timezones to gmt_offsets and set timezone_string to empty. if ( !empty($_POST['timezone_string']) && preg_match('/^UTC[+-]/', $_POST['timezone_string']) ) { @@ -150,7 +150,7 @@ if ( 'update' == $action ) { $value = $_POST[ $option ]; if ( ! is_array( $value ) ) $value = trim( $value ); - $value = stripslashes_deep( $value ); + $value = wp_unslash( $value ); } update_option( $option, $value ); } diff --git a/wp-admin/plugin-editor.php b/wp-admin/plugin-editor.php index 31e7cd8c09..1bfb12d69b 100644 --- a/wp-admin/plugin-editor.php +++ b/wp-admin/plugin-editor.php 
@@ -28,7 +28,7 @@ if ( empty($plugins) ) wp_die( __('There are no plugins installed on this site.') ); if ( isset($_REQUEST['file']) ) - $plugin = stripslashes($_REQUEST['file']); + $plugin = wp_unslash($_REQUEST['file']); if ( empty($plugin) ) { $plugin = array_keys($plugins); @@ -40,7 +40,7 @@ $plugin_files = get_plugin_files($plugin); if ( empty($file) ) $file = $plugin_files[0]; else - $file = stripslashes($file); + $file = wp_unslash($file); $file = validate_file_to_edit($file, $plugin_files); $real_file = WP_PLUGIN_DIR . '/' . $file; @@ -52,7 +52,7 @@ case 'update': check_admin_referer('edit-plugin_' . $file); - $newcontent = stripslashes($_POST['newcontent']); + $newcontent = wp_unslash( $_POST['newcontent'] ); if ( is_writeable($real_file) ) { $f = fopen($real_file, 'w+'); fwrite($f, $newcontent); diff --git a/wp-admin/press-this.php b/wp-admin/press-this.php index 6542fa31e8..9fa610d2c9 100644 --- a/wp-admin/press-this.php +++ b/wp-admin/press-this.php @@ -91,11 +91,11 @@ if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) { } // Set Variables -$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; +$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; $selection = ''; if ( !empty($_GET['s']) ) { - $selection = str_replace(''', "'", stripslashes($_GET['s'])); + $selection = str_replace(''', "'", wp_unslash($_GET['s'])); $selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) ); } diff --git a/wp-admin/setup-config.php b/wp-admin/setup-config.php index 6097e86062..909ab57a9f 100644 --- a/wp-admin/setup-config.php +++ b/wp-admin/setup-config.php @@ -164,7 +164,7 @@ switch($step) { case 2: foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key ) - $$key = trim( stripslashes( $_POST[ $key ] ) ); + $$key = trim( wp_unslash( $_POST[ $key ] ) ); $tryagain_link = '
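Review bot: In setup-config.php, `$$key = trim( wp_unslash( $_POST[ $key ] ) );` reads each of dbname/uname/pwd/dbhost/prefix without an isset() check, so a form post missing any one of them emits an undefined-index notice before the value is validated. `$$key = isset( $_POST[ $key ] ) ? trim( wp_unslash( $_POST[ $key ] ) ) : '';` keeps every variable defined either way and preserves the fixed whitelist of names. The `case 2:` body continues past the hunk.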

' . __( 'Try again' ) . ''; diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php index 7f814d28eb..c8298d0c3b 100644 --- a/wp-admin/theme-editor.php +++ b/wp-admin/theme-editor.php @@ -68,7 +68,7 @@ if ( empty( $file ) ) { $relative_file = 'style.css'; $file = $allowed_files['style.css']; } else { - $relative_file = stripslashes( $file ); + $relative_file = wp_unslash( $file ); $file = $theme->get_stylesheet_directory() . '/' . $relative_file; } @@ -78,7 +78,7 @@ $scrollto = isset( $_REQUEST['scrollto'] ) ? (int) $_REQUEST['scrollto'] : 0; switch( $action ) { case 'update': check_admin_referer( 'edit-theme_' . $file . $stylesheet ); - $newcontent = stripslashes( $_POST['newcontent'] ); + $newcontent = wp_unslash( $_POST['newcontent'] ); $location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&theme=' . urlencode( $stylesheet ) . '&scrollto=' . $scrollto; if ( is_writeable( $file ) ) { //is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable diff --git a/wp-admin/update.php b/wp-admin/update.php index 687142e218..7383aefa2c 100644 --- a/wp-admin/update.php +++ b/wp-admin/update.php @@ -26,7 +26,7 @@ if ( isset($_GET['action']) ) { check_admin_referer( 'bulk-update-plugins' ); if ( isset( $_GET['plugins'] ) ) - $plugins = explode( ',', stripslashes($_GET['plugins']) ); + $plugins = explode( ',', wp_unslash($_GET['plugins']) ); elseif ( isset( $_POST['checked'] ) ) $plugins = (array) $_POST['checked']; else @@ -109,7 +109,7 @@ if ( isset($_GET['action']) ) { $nonce = 'install-plugin_' . $plugin; $url = 'update.php?action=install-plugin&plugin=' . $plugin; if ( isset($_GET['from']) ) - $url .= '&from=' . urlencode(stripslashes($_GET['from'])); + $url .= '&from=' . urlencode( wp_unslash( $_GET['from'] ) ); $type = 'web'; //Install plugin type, From Web or an Upload. 
@@ -173,7 +173,7 @@ if ( isset($_GET['action']) ) { check_admin_referer( 'bulk-update-themes' ); if ( isset( $_GET['themes'] ) ) - $themes = explode( ',', stripslashes($_GET['themes']) ); + $themes = explode( ',', wp_unslash( $_GET['themes'] ) ); elseif ( isset( $_POST['checked'] ) ) $themes = (array) $_POST['checked']; else diff --git a/wp-admin/upgrade.php b/wp-admin/upgrade.php index 73933db424..b04287735d 100644 --- a/wp-admin/upgrade.php +++ b/wp-admin/upgrade.php @@ -77,7 +77,7 @@ else @@ -90,7 +90,7 @@ switch ( $step ) : case 1: wp_upgrade(); - $backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/'; + $backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/'; $backto = esc_url( $backto ); $backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/'); ?> diff --git a/wp-admin/upload.php b/wp-admin/upload.php index 7d50d5290d..db4c5220f3 100644 --- a/wp-admin/upload.php +++ b/wp-admin/upload.php @@ -132,7 +132,7 @@ if ( $doaction ) { wp_redirect( $location ); exit; } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) { - wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) ); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index a72ac9a441..e8b977deda 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -54,7 +54,7 @@ get_current_screen()->set_help_sidebar( '

' . __('Support Forums') . '

' );
-$wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer));
+$wp_http_referer = remove_query_arg(array('update', 'delete_count'), wp_unslash( $wp_http_referer ) );
 $user_can_edit = current_user_can( 'edit_posts' ) || current_user_can( 'edit_pages' );
diff --git a/wp-admin/user-new.php b/wp-admin/user-new.php
index c834273550..9c480f59dd 100644
--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -112,15 +112,15 @@ Please click the following link to confirm the invite:
 }
 } else {
 // Adding a new user to this blog
- $user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] );
+ $user_details = wpmu_validate_user_signup( wp_unslash( $_REQUEST[ 'user_login' ] ), wp_unslash( $_REQUEST[ 'email' ] ) );
 if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
 $add_user_errors = $user_details[ 'errors' ];
 } else {
- $new_user_login = apply_filters('pre_user_login', sanitize_user(stripslashes($_REQUEST['user_login']), true));
+ $new_user_login = apply_filters('pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) );
 if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
 add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
 }
- wpmu_signup_user( $new_user_login, $_REQUEST[ 'email' ], array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
+ wpmu_signup_user( $new_user_login, wp_unslash( $_REQUEST[ 'email' ] ), array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
 if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
 $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $_REQUEST[ 'email' ] ) );
 wpmu_activate_signup( $key );
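Review bot: In user-new.php the signup is now created from `wp_unslash( $_REQUEST[ 'email' ] )`, but the activation-key lookup two lines later still binds the slashed `$_REQUEST[ 'email' ]` into `$wpdb->prepare( "... user_email = %s", ... )`; for an address containing a quote or backslash the two strings differ and `$key` comes back empty, so the `noconfirmation` path silently fails to activate. Unslash once into a local, `$new_user_email = wp_unslash( $_REQUEST[ 'email' ] );`, and use it in wpmu_validate_user_signup(), wpmu_signup_user() and the prepare() call. `'new_role' => $_REQUEST[ 'role' ]` is likewise still passed slashed and, as far as this hunk shows, unvalidated; presumably the signup or activation code checks it against the registered roles, but that is outside the hunk.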
@@ -309,7 +309,7 @@ foreach ( array( 'user_login' => 'login', 'first_name' => 'firstname', 'last_nam $var = "new_user_$var"; if( isset( $_POST['createuser'] ) ) { if ( ! isset($$var) ) - $$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : ''; + $$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : ''; } else { $$var = false; } diff --git a/wp-admin/users.php b/wp-admin/users.php index d6fef420c8..e807487a57 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php @@ -64,9 +64,9 @@ get_current_screen()->set_help_sidebar( ); if ( empty($_REQUEST) ) { - $referer = ''; + $referer = ''; } elseif ( isset($_REQUEST['wp_http_referer']) ) { - $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer'])); + $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash( $_REQUEST['wp_http_referer'] ) ); $referer = ''; } else { $redirect = 'users.php'; @@ -357,7 +357,7 @@ break; default: if ( !empty($_GET['_wp_http_referer']) ) { - wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']))); + wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ); exit; } @@ -381,7 +381,7 @@ default: case 'add': if ( isset( $_GET['id'] ) && ( $user_id = $_GET['id'] ) && current_user_can( 'edit_user', $user_id ) ) { $messages[] = '

' . sprintf( __( 'New user created. Edit user' ), - esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), + esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '

'; } else { $messages[] = '

' . __( 'New user created.' ) . '

'; diff --git a/wp-comments-post.php b/wp-comments-post.php index 194e00f544..c19aeadbf5 100644 --- a/wp-comments-post.php +++ b/wp-comments-post.php @@ -17,7 +17,9 @@ require( dirname(__FILE__) . '/wp-load.php' ); nocache_headers(); -$comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0; +$post_data = wp_unslash( $_POST ); + +$comment_post_ID = isset($post_data['comment_post_ID']) ? (int) $post_data['comment_post_ID'] : 0; $post = get_post($comment_post_ID); 
@@ -47,21 +49,21 @@ if ( !comments_open($comment_post_ID) ) {
 do_action('pre_comment_on_post', $comment_post_ID);
 }
-$comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
-$comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null;
-$comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
-$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
+$comment_author = ( isset( $post_data['author'] ) ) ? trim( strip_tags( $post_data['author'] ) ) : null;
+$comment_author_email = ( isset( $post_data['email'] ) ) ? trim( $post_data['email'] ) : null;
+$comment_author_url = ( isset( $post_data['url'] ) ) ? trim( $post_data['url'] ) : null;
+$comment_content = ( isset( $post_data['comment'] ) ) ? trim( $post_data['comment'] ) : null;
 // If the user is logged in
 $user = wp_get_current_user();
 if ( $user->exists() ) {
 if ( empty( $user->display_name ) )
- $user->display_name=$user->user_login;
- $comment_author = $wpdb->escape($user->display_name);
- $comment_author_email = $wpdb->escape($user->user_email);
- $comment_author_url = $wpdb->escape($user->user_url);
+ $user->display_name = $user->user_login;
+ $comment_author = $user->display_name;
+ $comment_author_email = $user->user_email;
+ $comment_author_url = $user->user_url;
 if ( current_user_can('unfiltered_html') ) {
- if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
+ if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $post_data['_wp_unfiltered_html_comment'] ) {
 kses_remove_filters(); // start with a clean slate
 kses_init_filters(); // set up the filters
 }
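Review bot: `$post_data['_wp_unfiltered_html_comment']` is read without isset(), so a logged-in `unfiltered_html` user whose form omits that field triggers an undefined-index notice before the comparison runs, and the comparison itself is a loose `!=`. Reading the field defensively, `$html_nonce = isset( $post_data['_wp_unfiltered_html_comment'] ) ? $post_data['_wp_unfiltered_html_comment'] : '';`, and comparing with `!==` keeps the safe fallback (kses filters re-installed) for every missing or mismatched value without the notice. Whether this check should move to wp_verify_nonce(), which also accepts the previous tick's nonce, is a separate decision from this sweep.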
@@ -83,7 +85,7 @@ if ( get_option('require_name_email') && !$user->exists() ) {
 if ( '' == $comment_content )
 wp_die( __('ERROR: please type a comment.') );
-$comment_parent = isset($_POST['comment_parent']) ? absint($_POST['comment_parent']) : 0;
+$comment_parent = isset($post_data['comment_parent']) ? absint($post_data['comment_parent']) : 0;
 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');
@@ -92,7 +94,7 @@ $comment_id = wp_new_comment( $commentdata );
 $comment = get_comment($comment_id);
 do_action('set_comment_cookies', $comment, $user);
-$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id;
+$location = empty($post_data['redirect_to']) ? get_comment_link($comment_id) : $post_data['redirect_to'] . '#comment-' . $comment_id;
 $location = apply_filters('comment_post_redirect', $location, $comment);
 wp_safe_redirect( $location );
diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php
index 4be338969a..1e41e8fafc 100644
--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@@ -310,7 +310,7 @@ final class WP_Customize_Manager {
 public function post_value( $setting ) {
 if ( ! isset( $this->_post_values ) ) {
 if ( isset( $_POST['customized'] ) )
- $this->_post_values = json_decode( stripslashes( $_POST['customized'] ), true );
+ $this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true );
 else
 $this->_post_values = false;
 }
diff --git a/wp-includes/class-wp-customize-setting.php b/wp-includes/class-wp-customize-setting.php
index dd49f79f26..c8542efefa 100644
--- a/wp-includes/class-wp-customize-setting.php
+++ b/wp-includes/class-wp-customize-setting.php
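Review bot: In WP_Customize_Manager::post_value(), a malformed `customized` payload makes json_decode() return null, and because the cache test is `! isset( $this->_post_values )`, null is indistinguishable from "not parsed yet", so every later call re-runs wp_unslash() and json_decode() over the same POST body. Normalising the result, `$decoded = json_decode( wp_unslash( $_POST['customized'] ), true );` followed by `$this->_post_values = is_array( $decoded ) ? $decoded : false;`, makes a bad payload take the same path as the absent-field `else` branch and decode only once. post_value() continues past the hunk, so how `false` is consumed afterwards is not visible here.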
@@ -144,7 +144,7 @@ class WP_Customize_Setting {
 * @return mixed Null if an input isn't valid, otherwise the sanitized value. */
 public function sanitize( $value ) {
- $value = stripslashes_deep( $value );
+ $value = wp_unslash( $value );
 return apply_filters( "customize_sanitize_{$this->id}", $value, $this );
 }
diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index 6c2187f850..b42dddbb62 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -280,17 +280,15 @@ class wp_xmlrpc_server extends IXR_Server {
 $meta['id'] = (int) $meta['id'];
 $pmeta = get_metadata_by_mid( 'post', $meta['id'] );
 if ( isset($meta['key']) ) {
- $meta['key'] = stripslashes( $meta['key'] );
 if ( $meta['key'] != $pmeta->meta_key )
 continue;
- $meta['value'] = stripslashes_deep( $meta['value'] );
 if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
 update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
 } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta->meta_key ) ) {
 delete_metadata_by_mid( 'post', $meta['id'] );
 }
- } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
- add_post_meta( $post_id, $meta['key'], $meta['value'] );
+ } elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) {
+ wp_add_post_meta( $post_id, $meta['key'], $meta['value'] );
 }
 }
 }
@@ -462,8 +460,6 @@ class wp_xmlrpc_server extends IXR_Server {
 return $this->blogger_getUsersBlogs( $args );
 }
- $this->escape( $args );
-
 $username = $args[0];
 $password = $args[1];
@@ -955,8 +951,6 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( ! $this->minimum_args( $args, 4 ) )
 return $this->error;
- $this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
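Review bot: In the xmlrpc meta loop, `$pmeta = get_metadata_by_mid( 'post', $meta['id'] )` can return false for an id that does not exist, yet both `$meta['key'] != $pmeta->meta_key` and the `delete_post_meta` capability check dereference `$pmeta->meta_key` with no guard; now that the stripslashes() lines are gone, that dereference is the first thing done with the lookup result. `if ( ! $pmeta ) continue;` directly after the lookup avoids the notice and the loose comparison of the caller's key against null. The visible lines also never compare `$pmeta->post_id` with `$post_id`, so a meta id from another post would be updated or deleted under this post's capability check unless the part of the method before the hunk already rejects that; the enclosing method begins outside the hunk, so that cannot be confirmed here.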
@@ -1239,8 +1233,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 5 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1274,7 +1266,6 @@ class wp_xmlrpc_server extends IXR_Server { else $post['post_date_gmt'] = $this->_convert_date( $post['post_date_gmt'] ); - $this->escape( $post ); $merged_content_struct = array_merge( $post, $content_struct ); $retval = $this->_insert_post( $user, $merged_content_struct ); @@ -1301,8 +1292,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 4 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1377,8 +1366,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 4 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1434,8 +1421,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 3 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1529,8 +1514,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 4 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1616,8 +1599,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 5 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1708,8 +1689,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 5 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; 
@@ -1775,8 +1754,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 5 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1828,8 +1805,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 4 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1903,8 +1878,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 4 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -1947,8 +1920,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 3 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -2016,8 +1987,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 4 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -2069,8 +2038,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 3 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -2137,8 +2104,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 3 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; @@ -2184,8 +2149,6 @@ class wp_xmlrpc_server extends IXR_Server { if ( ! $this->minimum_args( $args, 4 ) ) return $this->error; - $this->escape( $args ); - $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; 
@@ -2249,8 +2212,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getPage($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $page_id = (int) $args[1];
 $username = $args[2];
@@ -2292,8 +2253,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getPages($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2336,9 +2295,8 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return unknown
 */
 function wp_newPage($args) {
-// Items not escaped here will be escaped in newPost.
-$username = $this->escape($args[1]);
-$password = $this->escape($args[2]);
+$username = $args[1];
+$password = $args[2];
 $page = $args[3];
 $publish = $args[4];
 
@@ -2363,8 +2321,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return bool True, if success.
 */
 function wp_deletePage($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2404,11 +2360,10 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return unknown
 */
 function wp_editPage($args) {
-// Items not escaped here will be escaped in editPost.
 $blog_id = (int) $args[0];
-$page_id = (int) $this->escape($args[1]);
-$username = $this->escape($args[2]);
-$password = $this->escape($args[3]);
+$page_id = (int) $args[1];
+$username = $args[2];
+$password = $args[3];
 $content = $args[4];
 $publish = $args[5];
 
@@ -2453,8 +2408,6 @@ class wp_xmlrpc_server extends IXR_Server {
 function wp_getPageList($args) {
 global $wpdb;
 
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2503,9 +2456,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getAuthors($args) {
-
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2539,8 +2489,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getTags( $args ) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2580,8 +2528,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return int Category ID.
 */
 function wp_newCategory($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2641,8 +2587,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return mixed See {@link wp_delete_term()} for return info.
 */
 function wp_deleteCategory($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2673,8 +2617,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_suggestCategories($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2710,8 +2652,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getComment($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2751,8 +2691,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array. Contains a collection of comments. See {@link wp_xmlrpc_server::wp_getComment()} for a description of each item contents
 */
 function wp_getComments($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2811,8 +2749,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return mixed {@link wp_delete_comment()}
 */
 function wp_deleteComment($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2865,8 +2801,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return bool True, on success.
 */
 function wp_editComment($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2942,8 +2876,6 @@ class wp_xmlrpc_server extends IXR_Server {
 function wp_newComment($args) {
 global $wpdb;
 
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -2978,9 +2910,9 @@ class wp_xmlrpc_server extends IXR_Server {
 $comment['comment_post_ID'] = $post_id;
 
 if ( $logged_in ) {
-$comment['comment_author'] = $wpdb->escape( $user->display_name );
-$comment['comment_author_email'] = $wpdb->escape( $user->user_email );
-$comment['comment_author_url'] = $wpdb->escape( $user->user_url );
+$comment['comment_author'] = $user->display_name;
+$comment['comment_author_email'] = $user->user_email;
+$comment['comment_author_url'] = $user->user_url;
 $comment['user_ID'] = $user->ID;
 } else {
 $comment['comment_author'] = '';
@@ -3027,8 +2959,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getCommentStatusList($args) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3053,8 +2983,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getCommentCount( $args ) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3086,8 +3014,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getPostStatusList( $args ) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3112,8 +3038,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getPageStatusList( $args ) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3138,8 +3062,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getPageTemplates( $args ) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3165,8 +3087,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getOptions( $args ) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3215,8 +3135,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return unknown
 */
 function wp_setOptions( $args ) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3264,8 +3182,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * - 'metadata'
 */
 function wp_getMediaItem($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3309,8 +3225,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array. Contains a collection of media items. See {@link wp_xmlrpc_server::wp_getMediaItem()} for a description of each item contents
 */
 function wp_getMediaLibrary($args) {
-$this->escape($args);
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3351,8 +3265,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function wp_getPostFormats( $args ) {
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3411,8 +3323,6 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( ! $this->minimum_args( $args, 4 ) )
 return $this->error;
 
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3457,8 +3367,6 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( ! $this->minimum_args( $args, 3 ) )
 return $this->error;
 
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3511,8 +3419,6 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( ! $this->minimum_args( $args, 4 ) )
 return $this->error;
 
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3577,8 +3483,6 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( ! $this->minimum_args( $args, 3 ) )
 return $this->error;
 
-$this->escape( $args );
-
 $blog_id = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -3628,8 +3532,6 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( is_multisite() )
 return $this->_multisite_getUsersBlogs($args);
 
-$this->escape($args);
-
 $username = $args[1];
 $password = $args[2];
 
@@ -3691,9 +3593,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function blogger_getUserInfo($args) {
-
-$this->escape($args);
-
 $username = $args[1];
 $password = $args[2];
 
@@ -3725,9 +3624,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function blogger_getPost($args) {
-
-$this->escape($args);
-
 $post_ID = (int) $args[1];
 $username = $args[2];
 $password = $args[3];
@@ -3746,9 +3642,9 @@ class wp_xmlrpc_server extends IXR_Server {
 
 $categories = implode(',', wp_get_post_categories($post_ID));
 
-$content = ''.stripslashes($post_data['post_title']).'';
+$content = ''.$post_data['post_title'].'';
 $content .= ''.$categories.'';
-$content .= stripslashes($post_data['post_content']);
+$content .= $post_data['post_content'];
 
 $struct = array(
 'userid' => (string) $post_data['post_author'],
@@ -3769,9 +3665,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function blogger_getRecentPosts($args) {
-
-$this->escape($args);
-
 // $args[0] = appkey - ignored
 $blog_ID = (int) $args[1]; /* though we don't use it yet */
 $username = $args[2];
@@ -3800,9 +3693,9 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_date = $this->_convert_date( $entry['post_date'] );
 $categories = implode(',', wp_get_post_categories($entry['ID']));
 
-$content = ''.stripslashes($entry['post_title']).'';
+$content = ''.$entry['post_title'].'';
 $content .= ''.$categories.'';
-$content .= stripslashes($entry['post_content']);
+$content .= $entry['post_content'];
 
 $struct[] = array(
 'userid' => (string) $entry['post_author'],
@@ -3850,9 +3743,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return int
 */
 function blogger_newPost($args) {
-
-$this->escape($args);
-
 $blog_ID = (int) $args[1]; /* though we don't use it yet */
 $username = $args[2];
 $password = $args[3];
@@ -3904,9 +3794,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return bool true when done.
 */
 function blogger_editPost($args) {
-
-$this->escape($args);
-
 $post_ID = (int) $args[1];
 $username = $args[2];
 $password = $args[3];
@@ -3923,8 +3810,6 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( !$actual_post || $actual_post['post_type'] != 'post' )
 return new IXR_Error(404, __('Sorry, no such post.'));
 
-$this->escape($actual_post);
-
 if ( !current_user_can('edit_post', $post_ID) )
 return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.'));
 
@@ -3960,8 +3845,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return bool True when post is deleted.
 */
 function blogger_deletePost($args) {
-$this->escape($args);
-
 $post_ID = (int) $args[1];
 $username = $args[2];
 $password = $args[3];
@@ -4030,13 +3913,11 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return int
 */
 function mw_newPost($args) {
-$this->escape($args);
-
-$blog_ID = (int) $args[0];
-$username = $args[1];
-$password = $args[2];
+$blog_ID = (int) $args[0];
+$username = $args[1];
+$password = $args[2];
 $content_struct = $args[3];
-$publish = isset( $args[4] ) ? $args[4] : 0;
+$publish = isset( $args[4] ) ? $args[4] : 0;
 
 if ( !$user = $this->login($username, $password) )
 return $this->error;
@@ -4316,7 +4197,7 @@ class wp_xmlrpc_server extends IXR_Server {
 }
 }
 if (!$found)
-add_post_meta( $post_ID, 'enclosure', $encstring );
+wp_add_post_meta( $post_ID, 'enclosure', $encstring );
 }
 }
 
@@ -4350,9 +4231,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return bool True on success.
 */
 function mw_editPost($args) {
-
-$this->escape($args);
-
 $post_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -4391,7 +4269,6 @@ class wp_xmlrpc_server extends IXR_Server {
 }
 }
 
-$this->escape($postdata);
 extract($postdata, EXTR_SKIP);
 
 // Let WordPress manage slug if none was provided.
@@ -4619,9 +4496,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function mw_getPost($args) {
-
-$this->escape($args);
-
 $post_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -4743,9 +4617,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function mw_getRecentPosts($args) {
-
-$this->escape($args);
-
 $blog_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -4858,9 +4729,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function mw_getCategories($args) {
-
-$this->escape($args);
-
 $blog_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -4907,10 +4775,10 @@ class wp_xmlrpc_server extends IXR_Server {
 function mw_newMediaObject($args) {
 global $wpdb;
 
-$blog_ID = (int) $args[0];
-$username = $wpdb->escape($args[1]);
-$password = $wpdb->escape($args[2]);
-$data = $args[3];
+$blog_ID = (int) $args[0];
+$username = $args[1];
+$password = $args[2];
+$data = $args[3];
 
 $name = sanitize_file_name( $data['name'] );
 $type = $data['type'];
@@ -4997,9 +4865,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function mt_getRecentPostTitles($args) {
-
-$this->escape($args);
-
 $blog_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -5057,9 +4922,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function mt_getCategoryList($args) {
-
-$this->escape($args);
-
 $blog_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -5095,9 +4957,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function mt_getPostCategories($args) {
-
-$this->escape($args);
-
 $post_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -5138,9 +4997,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return bool True on success.
 */
 function mt_setPostCategories($args) {
-
-$this->escape($args);
-
 $post_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -5250,9 +5106,6 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return int
 */
 function mt_publishPost($args) {
-
-$this->escape($args);
-
 $post_ID = (int) $args[0];
 $username = $args[1];
 $password = $args[2];
@@ -5274,7 +5127,6 @@ class wp_xmlrpc_server extends IXR_Server {
 // retain old cats
 $cats = wp_get_post_categories($post_ID);
 $postdata['post_category'] = $cats;
-$this->escape($postdata);
 
 $result = wp_update_post($postdata);
 
@@ -5298,8 +5150,6 @@ class wp_xmlrpc_server extends IXR_Server {
 
 do_action('xmlrpc_call', 'pingback.ping');
 
-$this->escape($args);
-
 $pagelinkedfrom = $args[0];
 $pagelinkedto = $args[1];
 
@@ -5435,15 +5285,15 @@ class wp_xmlrpc_server extends IXR_Server {
 
 $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom);
 $context = '[...] ' . esc_html( $excerpt ) . ' [...]';
-$pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
+$pagelinkedfrom = $pagelinkedfrom;
 
 $comment_post_ID = (int) $post_ID;
 $comment_author = $title;
 $comment_author_email = '';
-$this->escape($comment_author);
+$comment_author;
 $comment_author_url = $pagelinkedfrom;
 $comment_content = $context;
-$this->escape($comment_content);
+$comment_content;
 $comment_type = 'pingback';
 
 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_url', 'comment_author_email', 'comment_content', 'comment_type');
@@ -5465,13 +5315,10 @@ class wp_xmlrpc_server extends IXR_Server {
 * @return array
 */
 function pingback_extensions_getPingbacks($args) {
-global $wpdb;
 
 do_action('xmlrpc_call', 'pingback.extensions.getPingbacks');
 
-$this->escape($args);
-
 $url = $args;
 
 $post_ID = url_to_postid($url);
diff --git a/wp-includes/class-wp.php b/wp-includes/class-wp.php
index c76030b32c..d25621289e 100644
--- a/wp-includes/class-wp.php
+++ b/wp-includes/class-wp.php
@@ -142,15 +142,15 @@ class WP {
 $this->did_permalink = true;
 
 if ( isset($_SERVER['PATH_INFO']) )
-$pathinfo = $_SERVER['PATH_INFO'];
+$pathinfo = wp_unslash( $_SERVER['PATH_INFO'] );
 else
 $pathinfo = '';
 $pathinfo_array = explode('?', $pathinfo);
 $pathinfo = str_replace("%", "%25", $pathinfo_array[0]);
-$req_uri = $_SERVER['REQUEST_URI'];
+$req_uri = wp_unslash( $_SERVER['REQUEST_URI'] );
 $req_uri_array = explode('?', $req_uri);
 $req_uri = $req_uri_array[0];
-$self = $_SERVER['PHP_SELF'];
+$self = wp_unslash( $_SERVER['PHP_SELF'] );
 $home_path = parse_url(home_url());
 if ( isset($home_path['path']) )
 $home_path = $home_path['path'];
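Review bot: The pingback_ping hunk replaces three escape calls with statements that do nothing: `$pagelinkedfrom = $pagelinkedfrom;` is a self-assignment and `$comment_author;` and `$comment_content;` are bare expression statements, so the intent (escaping is no longer needed) is invisible and static analysers will flag them. Deleting the three lines leaves the compact() call and the rest of the function unchanged. The same pattern is left in update_usermeta in deprecated.php (`$meta_value = $meta_value;`, where the surrounding `if ( is_string($meta_value) )` now guards an empty action and reads like a missing conversion) and in wpmu_validate_blog_signup in ms-functions.php (`$blog_title = $blog_title;`); in update_usermeta the whole conditional can go, in the other two the single line. pingback_ping itself starts and ends outside this hunk.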
@@ -255,9 +255,9 @@ class WP {
 if ( isset( $this->extra_query_vars[$wpvar] ) )
 $this->query_vars[$wpvar] = $this->extra_query_vars[$wpvar];
 elseif ( isset( $_POST[$wpvar] ) )
-$this->query_vars[$wpvar] = $_POST[$wpvar];
+$this->query_vars[$wpvar] = wp_unslash( $_POST[$wpvar] );
 elseif ( isset( $_GET[$wpvar] ) )
-$this->query_vars[$wpvar] = $_GET[$wpvar];
+$this->query_vars[$wpvar] = wp_unslash( $_GET[$wpvar] );
 elseif ( isset( $perma_query_vars[$wpvar] ) )
 $this->query_vars[$wpvar] = $perma_query_vars[$wpvar];
 
@@ -356,7 +356,7 @@ class WP {
 
 // Support for Conditional GET
 if (isset($_SERVER['HTTP_IF_NONE_MATCH']))
-$client_etag = stripslashes(stripslashes($_SERVER['HTTP_IF_NONE_MATCH']));
+$client_etag = stripslashes( wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) ); // Retain extra strip. See #2597
 else
 $client_etag = false;
 $client_last_modified = empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? '' : trim($_SERVER['HTTP_IF_MODIFIED_SINCE']);
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 65e18a7e4a..647c9e5e4e 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -633,22 +633,22 @@ function wp_set_comment_cookies($comment, $user) {
 */
 function sanitize_comment_cookies() {
 if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
-$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
-$comment_author = stripslashes($comment_author);
+$comment_author = wp_unslash( $_COOKIE['comment_author_'.COOKIEHASH] );
+$comment_author = apply_filters('pre_comment_author_name', $comment_author);
 $comment_author = esc_attr($comment_author);
 $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
 }
 
 if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
-$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
-$comment_author_email = stripslashes($comment_author_email);
+$comment_author_email = wp_unslash( $_COOKIE['comment_author_email_'.COOKIEHASH] );
+$comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email);
 $comment_author_email = esc_attr($comment_author_email);
 $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
 }
 
 if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
-$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
-$comment_author_url = stripslashes($comment_author_url);
+$comment_author_url = wp_unslash( $_COOKIE['comment_author_url_'.COOKIEHASH] );
+$comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url);
 $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
 }
 }
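Review bot: After this hunk the three `$_COOKIE['comment_author_*'.COOKIEHASH]` entries are written back unslashed (and, for name and e-mail, esc_attr()'d) while every other `$_COOKIE` entry keeps its GPCS slashes, so a reader that follows the convention this commit introduces and calls wp_unslash() on these keys will strip backslashes that are part of the stored value. Reordering unslash before the `pre_comment_author_*` filters is correct now that those filters run wp_kses_data() on unslashed data, but the write-back makes the superglobal inconsistent with itself. If the write-back stays, a comment at the top of the function such as `// The comment_author_* cookies are stored back unslashed and escaped; do not wp_unslash() them again.` would prevent a double strip; wp_get_current_commenter() is the likely consumer but it is outside this hunk, so confirm how it reads these keys.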
@@ -670,11 +670,10 @@ function wp_allow_comment($commentdata) {
 extract($commentdata, EXTR_SKIP);
 
 // Simple duplicate check
-// expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
-$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
+$dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", $comment_post_ID, $comment_parent, $comment_author );
 if ( $comment_author_email )
-$dupe .= "OR comment_author_email = '$comment_author_email' ";
-$dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
+$dupe .= $wpdb->prepare( "OR comment_author_email = %s ", $comment_author_email );
+$dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", $comment_content );
 if ( $wpdb->get_var($dupe) ) {
 do_action( 'comment_duplicate_trigger', $commentdata );
 if ( defined('DOING_AJAX') )
@@ -1262,7 +1261,7 @@ function wp_get_current_commenter() {
 */
 function wp_insert_comment($commentdata) {
 global $wpdb;
-extract(stripslashes_deep($commentdata), EXTR_SKIP);
+extract($commentdata, EXTR_SKIP);
 
 if ( ! isset($comment_author_IP) )
 $comment_author_IP = '';
@@ -1491,9 +1490,6 @@ function wp_update_comment($commentarr) {
 // First, get all of the original fields
 $comment = get_comment($commentarr['comment_ID'], ARRAY_A);
 
-// Escape data pulled from DB.
-$comment = esc_sql($comment);
-
 $old_status = $comment['comment_approved'];
 
 // Merge old and new fields with new fields overwriting old ones.
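Review bot: In the rewritten duplicate query `comment_parent` is bound with `%s` while `comment_post_ID` on the same line uses `%d`, although both are integer ID columns; `... comment_post_ID = %d AND comment_parent = %d AND ...` would make the comparison numeric and consistent and avoid a quoted-string compare against an integer column. The one behavioural difference is an absent or empty `$comment_parent` (it comes from the extract() above, so it may be unset): `%s` binds `''` where `%d` binds `0`, so confirm which the duplicate check relies on before switching. Moving this query onto $wpdb->prepare() is the right fix now that the inputs arrive unslashed; the two prepare() calls that follow are fine as written. wp_allow_comment() continues past the hunk.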
@@ -1502,7 +1498,7 @@ function wp_update_comment($commentarr) {
 $commentarr = wp_filter_comment( $commentarr );
 
 // Now extract the merged array.
-extract(stripslashes_deep($commentarr), EXTR_SKIP);
+extract($commentarr, EXTR_SKIP);
 
 $comment_content = apply_filters('comment_save_pre', $comment_content);
 
diff --git a/wp-includes/cron.php b/wp-includes/cron.php
index 4e469a051c..6668dc546e 100644
--- a/wp-includes/cron.php
+++ b/wp-includes/cron.php
@@ -230,7 +230,7 @@ function spawn_cron( $gmt_time = 0 ) {
 set_transient( 'doing_cron', $doing_wp_cron );
 
 ob_start();
-wp_redirect( add_query_arg('doing_wp_cron', $doing_wp_cron, stripslashes($_SERVER['REQUEST_URI'])) );
+wp_redirect( add_query_arg( 'doing_wp_cron', $doing_wp_cron, wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 echo ' ';
 
 // flush any buffers and send the headers
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index e85f0322fa..333cf28132 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -14,8 +14,8 @@
 
 // Strip, trim, kses, special chars for string saves
 foreach ( array( 'pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target', 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name', 'pre_user_nickname' ) as $filter ) {
-add_filter( $filter, 'sanitize_text_field' );
-add_filter( $filter, 'wp_filter_kses' );
+add_filter( $filter, 'sanitize_text_field' );
+add_filter( $filter, 'wp_kses_data' );
 add_filter( $filter, '_wp_specialchars', 30 );
 }
 
@@ -31,7 +31,7 @@ foreach ( array( 'term_name', 'comment_author_name', 'link_name', 'link_target',
 
 // Kses only for textarea saves
 foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) {
-add_filter( $filter, 'wp_filter_kses' );
+add_filter( $filter, 'wp_kses_data' );
 }
 
 // Kses only for textarea admin displays
@@ -46,7 +46,7 @@ if ( is_admin() ) {
 foreach ( array( 'pre_comment_author_email', 'pre_user_email' ) as $filter ) {
 add_filter( $filter, 'trim' );
 add_filter( $filter, 'sanitize_email' );
-add_filter( $filter, 'wp_filter_kses' );
+add_filter( $filter, 'wp_kses_data' );
 }
 
 // Email admin display
diff --git a/wp-includes/default-widgets.php b/wp-includes/default-widgets.php
index fc0a4d39f2..ae8e926eb9 100644
--- a/wp-includes/default-widgets.php
+++ b/wp-includes/default-widgets.php
@@ -412,7 +412,7 @@ class WP_Widget_Text extends WP_Widget {
 if ( current_user_can('unfiltered_html') )
 $instance['text'] = $new_instance['text'];
 else
-$instance['text'] = stripslashes( wp_filter_post_kses( addslashes($new_instance['text']) ) ); // wp_filter_post_kses() expects slashed
+$instance['text'] = wp_kses_post( $new_instance['text'] );
 $instance['filter'] = isset($new_instance['filter']);
 return $instance;
 }
@@ -1056,8 +1056,8 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
 }
 
 function update( $new_instance, $old_instance ) {
-$instance['title'] = strip_tags(stripslashes($new_instance['title']));
-$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
+$instance['title'] = strip_tags( $new_instance['title'] );
+$instance['taxonomy'] = $new_instance['taxonomy'];
 return $instance;
 }
 
@@ -1118,7 +1118,7 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
 }
 
 function update( $new_instance, $old_instance ) {
-$instance['title'] = strip_tags( stripslashes($new_instance['title']) );
+$instance['title'] = strip_tags( $new_instance['title'] );
 $instance['nav_menu'] = (int) $new_instance['nav_menu'];
 return $instance;
 }
diff --git a/wp-includes/deprecated.php b/wp-includes/deprecated.php
index 46874f3eef..32acbf88fb 100644
--- a/wp-includes/deprecated.php
+++ b/wp-includes/deprecated.php
@@ -2383,7 +2383,7 @@ function update_usermeta( $user_id, $meta_key, $meta_value ) {
 
 /** @todo Might need fix because usermeta data is assumed to be already escaped */
 if ( is_string($meta_value) )
-$meta_value = stripslashes($meta_value);
+$meta_value = $meta_value;
 $meta_value = maybe_serialize($meta_value);
 
 if (empty($meta_value)) {
diff --git a/wp-includes/feed.php b/wp-includes/feed.php
index 61825f8958..d4fe81f1d1 100644
--- a/wp-includes/feed.php
+++ b/wp-includes/feed.php
@@ -488,7 +488,7 @@ function prep_atom_text_construct($data) {
 */
 function self_link() {
 $host = @parse_url(home_url());
-echo esc_url( set_url_scheme( 'http://' . $host['host'] . stripslashes($_SERVER['REQUEST_URI']) ) );
+echo esc_url( set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 }
 
 /**
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 83f5269eca..c68e3dfbd7 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1716,10 +1716,7 @@ function _split_str_by_whitespace( $string, $goal ) {
 * @return string Converted content.
 */
 function wp_rel_nofollow( $text ) {
-// This is a pre save filter, so text is already escaped.
-$text = stripslashes($text);
 $text = preg_replace_callback('||i', 'wp_rel_nofollow_callback', $text);
-$text = esc_sql($text);
 return $text;
 }
 
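Review bot: wp_rel_nofollow() loses the only statement of its input contract (`// This is a pre save filter, so text is already escaped.`) while the docblock above it, whose tail `@return string Converted content.` is in the hunk, still says nothing about slashing. Now that the function neither strips nor re-adds slashes, any caller that still passes slashed text will have the rel attribute inserted into content that carries literal backslashes, and nothing in the function or its documentation says which form it expects. A `@param string $text Content to filter, unslashed (see wp_unslash()).` line in the docblock would record the new expectation; the rest of the docblock is outside the hunk.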
@@ -3342,3 +3339,53 @@ function sanitize_trackback_urls( $to_ping ) {
 $urls_to_ping = implode( "\n", $urls_to_ping );
 return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
 }
+
+/**
+ * Conditionally add slashes to a string or array of strings. When GPCS
+ * slashing is turned on, slashes are added. When GPCS slashing is turned off,
+ * slashes are not added.
+ *
+ * This should be used when preparing data for core API that deal directly with GPCS data.
+ * Outside of unit tests, this should be rare. At a future date GPCS will no longer
+ * be slashed and this function will noop. Do not use it in situations where adding slashes
+ * is always required regardless of whether GPCS is slashed.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to slash.
+ * @return string|array Slashed $value
+ */
+function wp_slash( $value ) {
+if ( is_array( $value ) ) {
+foreach ( $value as $k => $v ) {
+if ( is_array( $v ) ) {
+$value[$k] = wp_slash( $v );
+} else {
+$value[$k] = addslashes( $v );
+}
+}
+} else {
+$value = addslashes( $value );
+}
+
+return $value;
+}
+
+/**
+ * Conditionally removes slashes from a string or array of strings. When GPCS
+ * slashing is turned on, slashes are stripped. When GPCS slashing is turned off,
+ * slashes are not stripped.
+ *
+ * This should be used for GPCS data before passing it along to core API. At a future
+ * date GPCS will no longer be slashed and this function will noop. Do not use it
+ * in situations where slash stripping is always required regardless of whether GPCS
+ * is slashed.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to unslash.
+ * @return string|array Unslashed $value
+ */
+function wp_unslash( $value ) {
+return stripslashes_deep( $value );
+}
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 0dfeb7e52f..66c41cf328 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
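Review bot: wp_slash() and wp_unslash() are not inverses for non-string leaves: wp_slash() calls addslashes() on every non-array value, so an int, float, bool or null is coerced to a string (`true` becomes `'1'`, `null` becomes `''`) and a plain object cannot be converted at all, whereas wp_unslash() goes through stripslashes_deep(), which recurses into objects and leaves non-strings untouched. Since meta and option values are routinely non-strings, guarding the leaf cases with `$value[$k] = is_string( $v ) ? addslashes( $v ) : $v;` and `$value = is_string( $value ) ? addslashes( $value ) : $value;` would keep a wp_unslash(wp_slash($x)) round trip type-preserving; object input could simply be documented as unsupported. The docblocks also describe both functions as conditional on GPCS slashing while both bodies are unconditional, so a sentence such as `Currently always adds slashes; no runtime check of GPCS slashing exists yet.` (and the stripping counterpart on wp_unslash) would stop readers from looking for a switch that is not there.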
@@ -468,7 +468,7 @@ function do_enclose( $content, $post_ID ) {
 }
 
 if ( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) {
-add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" );
+wp_add_post_meta( $post_ID, 'enclosure', "$url\n$len\n$mime\n" );
 }
 }
 }
@@ -1256,9 +1256,9 @@ function wp_referer_field( $echo = true ) {
 * @return string Original referer field.
 */
 function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) {
-$jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : $_SERVER['REQUEST_URI'];
+$jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : wp_unslash( $_SERVER['REQUEST_URI'] );
 $ref = ( wp_get_original_referer() ) ? wp_get_original_referer() : $jump_back_to;
-$orig_referer_field = '';
+$orig_referer_field = '';
 if ( $echo )
 echo $orig_referer_field;
 return $orig_referer_field;
@@ -1277,11 +1277,11 @@ function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) {
 function wp_get_referer() {
 $ref = false;
 if ( ! empty( $_REQUEST['_wp_http_referer'] ) )
-$ref = $_REQUEST['_wp_http_referer'];
+$ref = wp_unslash( $_REQUEST['_wp_http_referer'] );
 else if ( ! empty( $_SERVER['HTTP_REFERER'] ) )
-$ref = $_SERVER['HTTP_REFERER'];
+$ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
 
-if ( $ref && $ref !== $_SERVER['REQUEST_URI'] )
+if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
 return $ref;
 return false;
 }
@@ -1297,7 +1297,7 @@ function wp_get_referer() {
 */
 function wp_get_original_referer() {
 if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
-return $_REQUEST['_wp_original_http_referer'];
+return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
 return false;
 }
 
@@ -3879,4 +3879,4 @@ function wp_is_stream( $path ) {
 */
 function wp_checkdate( $month, $day, $year, $source_date ) {
 return apply_filters( 'wp_checkdate', checkdate( $month, $day, $year ), $source_date );
-}
+}
\ No newline at end of file
diff --git a/wp-includes/kses.php b/wp-includes/kses.php
index 4c42134e7a..c19ef7729d 100644
--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -1326,18 +1326,18 @@ function wp_filter_nohtml_kses( $data ) {
 */
 function kses_init_filters() {
 // Normal filtering
-add_filter('title_save_pre', 'wp_filter_kses');
+add_filter('title_save_pre', 'wp_kses_data');
 
 // Comment filtering
 if ( current_user_can( 'unfiltered_html' ) )
-add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+add_filter( 'pre_comment_content', 'wp_kses_post' );
 else
-add_filter( 'pre_comment_content', 'wp_filter_kses' );
+add_filter( 'pre_comment_content', 'wp_kses_data' );
 
 // Post filtering
-add_filter('content_save_pre', 'wp_filter_post_kses');
-add_filter('excerpt_save_pre', 'wp_filter_post_kses');
-add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
+add_filter('content_save_pre', 'wp_kses_post');
+add_filter('excerpt_save_pre', 'wp_kses_post');
+add_filter('content_filtered_save_pre', 'wp_kses_post');
 }
 
 /**
@@ -1354,16 +1354,16 @@ function kses_init_filters() {
 */
 function kses_remove_filters() {
 // Normal filtering
-remove_filter('title_save_pre', 'wp_filter_kses');
+remove_filter('title_save_pre', 'wp_kses_data');
 
 // Comment filtering
-remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
-remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+remove_filter( 'pre_comment_content', 'wp_kses_post' );
+remove_filter( 'pre_comment_content', 'wp_kses_data' );
 
 // Post filtering
-remove_filter('content_save_pre', 'wp_filter_post_kses');
-remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
-remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
+remove_filter('content_save_pre', 'wp_kses_post');
+remove_filter('excerpt_save_pre', 'wp_kses_post');
+remove_filter('content_filtered_save_pre', 'wp_kses_post');
 }
 
 /**
diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php
index ad66602610..b53a6fd7a5 100644
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -746,7 +746,7 @@ function get_search_link( $query = '' ) {
 if ( empty($query) )
 $search = get_search_query( false );
 else
-$search = stripslashes($query);
+$search = $query;
 
 $permastruct = $wp_rewrite->get_search_permastruct();
 
diff --git a/wp-includes/meta.php b/wp-includes/meta.php
index 9db1de30cc..8a9dad9ecd 100644
--- a/wp-includes/meta.php
+++ b/wp-includes/meta.php
@@ -42,9 +42,6 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
 
 $column = esc_sql($meta_type . '_id');
 
-// expected_slashed ($meta_key)
-$meta_key = stripslashes($meta_key);
-$meta_value = stripslashes_deep($meta_value);
 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
 $check = apply_filters( "add_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $unique );
@@ -113,10 +110,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
 $column = esc_sql($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
-// expected_slashed ($meta_key)
-$meta_key = stripslashes($meta_key);
 $passed_value = $meta_value;
-$meta_value = stripslashes_deep($meta_value);
 $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
 
 $check = apply_filters( "update_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $prev_value );
@@ -195,9 +189,6 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
 $type_column = esc_sql($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
-// expected_slashed ($meta_key)
-$meta_key = stripslashes($meta_key);
-$meta_value = stripslashes_deep($meta_value);
 
 $check = apply_filters( "delete_{$meta_type}_metadata", null, $object_id, $meta_key, $meta_value, $delete_all );
 if ( null !== $check )
diff --git a/wp-includes/ms-files.php b/wp-includes/ms-files.php
index 100ba2c6d1..5f969bf456 100644
--- a/wp-includes/ms-files.php
+++ b/wp-includes/ms-files.php
@@ -58,7 +58,7 @@ header( 'ETag: ' . $etag );
 header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' );
 
 // Support for Conditional GET
-$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
+$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
 
 if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
 $_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
diff --git a/wp-includes/ms-functions.php b/wp-includes/ms-functions.php
index 090bda505e..67de089c34 100644
--- a/wp-includes/ms-functions.php
+++ b/wp-includes/ms-functions.php
@@ -279,9 +279,6 @@ function remove_user_from_blog($user_id, $blog_id = '', $reassign = '') {
 * @return int The ID of the newly created blog
 */
 function create_empty_blog( $domain, $path, $weblog_title, $site_id = 1 ) {
-$domain = addslashes( $domain );
-$weblog_title = addslashes( $weblog_title );
-
 if ( empty($path) )
 $path = '/';
 
@@ -582,7 +579,7 @@ function wpmu_validate_blog_signup($blogname, $blog_title, $user = '') {
 
 $blogname = apply_filters( 'newblogname', $blogname );
 
-$blog_title = stripslashes( $blog_title );
+$blog_title = $blog_title;
 
 if ( empty( $blog_title ) )
 $errors->add('blog_title', __( 'Please enter a site title.' ) );
@@ -635,10 +632,7 @@ function wpmu_signup_blog($domain, $path, $title, $user, $user_email, $meta = ''
 global $wpdb;
 
 $key = substr( md5( time() . rand() . $domain ), 0, 16 );
-$meta = serialize($meta);
-$domain = $wpdb->escape($domain);
-$path = $wpdb->escape($path);
-$title = $wpdb->escape($title);
+$meta = serialize( $meta );
 
 $wpdb->insert( $wpdb->signups, array(
 'domain' => $domain,
@@ -651,7 +645,7 @@ function wpmu_signup_blog($domain, $path, $title, $user, $user_email, $meta = '' 'meta' => $meta ) ); - wpmu_signup_blog_notification($domain, $path, $title, $user, $user_email, $key, $meta); + wpmu_signup_blog_notification( $domain, $path, $title, $user, $user_email, $key, $meta ); } /** @@ -841,8 +835,8 @@ function wpmu_activate_signup($key) { } $meta = maybe_unserialize($signup->meta); - $user_login = $wpdb->escape($signup->user_login); - $user_email = $wpdb->escape($signup->user_email); + $user_login = $signup->user_login; + $user_email = $signup->user_email; $password = wp_generate_password( 12, false ); $user_id = username_exists($user_login); @@ -1159,7 +1153,7 @@ function install_blog($blog_id, $blog_title = '') { else update_option( 'upload_path', get_blog_option( $current_site->blog_id, 'upload_path' ) ); - update_option( 'blogname', stripslashes( $blog_title ) ); + update_option( 'blogname', $blog_title ); update_option( 'admin_email', '' ); // remove all perms @@ -1216,9 +1210,9 @@ function wpmu_welcome_notification($blog_id, $user_id, $password, $title, $meta if ( !apply_filters('wpmu_welcome_notification', $blog_id, $user_id, $password, $title, $meta) ) return false; - $welcome_email = stripslashes( get_site_option( 'welcome_email' ) ); + $welcome_email = get_site_option( 'welcome_email' ); if ( $welcome_email == false ) - $welcome_email = stripslashes( __( 'Dear User, + $welcome_email = __( 'Dear User, Your new SITE_NAME site has been successfully set up at: BLOG_URL @@ -1230,7 +1224,7 @@ Log in here: BLOG_URLwp-login.php We hope you enjoy your new site. Thanks! ---The Team @ SITE_NAME' ) ); +--The Team @ SITE_NAME' ); $url = get_blogaddress_by_id($blog_id); $user = get_userdata( $user_id ); 
@@ -1254,7 +1248,7 @@ We hope you enjoy your new site. Thanks! if ( empty( $current_site->site_name ) ) $current_site->site_name = 'WordPress'; - $subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site->site_name, stripslashes( $title ) ) ); + $subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site->site_name, $title ) ); wp_mail($user->user_email, $subject, $message, $message_headers); return true; } @@ -1509,7 +1503,7 @@ function update_posts_count( $deprecated = '' ) { function wpmu_log_new_registrations( $blog_id, $user_id ) { global $wpdb; $user = get_userdata( (int) $user_id ); - $wpdb->insert( $wpdb->registration_log, array('email' => $user->user_email, 'IP' => preg_replace( '/[^0-9., ]/', '',$_SERVER['REMOTE_ADDR'] ), 'blog_id' => $blog_id, 'date_registered' => current_time('mysql')) ); + $wpdb->insert( $wpdb->registration_log, array('email' => $user->user_email, 'IP' => preg_replace( '/[^0-9., ]/', '', wp_unslash( $_SERVER['REMOTE_ADDR'] ) ), 'blog_id' => $blog_id, 'date_registered' => current_time('mysql')) ); } /** diff --git a/wp-includes/nav-menu.php b/wp-includes/nav-menu.php index 7a5da9e202..53768c27e6 100644 --- a/wp-includes/nav-menu.php +++ b/wp-includes/nav-menu.php 
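Review bot: The `preg_replace( '/[^0-9., ]/', '', ... )` allow-list on the changed line in wpmu_log_new_registrations() strips every character an IPv6 address needs (hex letters and colons), so such clients are logged with a mangled or empty `IP`; wrapping the value in wp_unslash() does not change that. Validating instead of stripping keeps the registration log usable for abuse investigations: `$ip = wp_unslash( $_SERVER['REMOTE_ADDR'] ); $ip = filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '';` and pass `$ip` into the insert array. REMOTE_ADDR is set by the web server, so the unslash is harmless but only needed if wp_magic_quotes() slashes `$_SERVER`, which is worth stating in a comment.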
@@ -369,20 +369,20 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item $menu_item_db_id = (int) $menu_item_db_id; - update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) ); - update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) ); - update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) ); - update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) ); - update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) ); $args['menu-item-classes'] = array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-classes'] ) ); $args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) ); - update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); - update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] ); - update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) ); if ( 0 == 
$menu_id ) - update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() ); + wp_update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() ); elseif ( get_post_meta( $menu_item_db_id, '_menu_item_orphaned' ) ) delete_post_meta( $menu_item_db_id, '_menu_item_orphaned' ); diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index eed19f3473..99aaad12bf 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -782,7 +782,7 @@ function auth_redirect() { // The cookie is no good so force login nocache_headers(); - $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); + $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] ) ); $login_url = wp_login_url($redirect, true); @@ -1197,8 +1197,8 @@ if ( !function_exists('wp_new_user_notification') ) : function wp_new_user_notification($user_id, $plaintext_pass = '') { $user = get_userdata( $user_id ); - $user_login = stripslashes($user->user_login); - $user_email = stripslashes($user->user_email); + $user_login = $user->user_login; + $user_email = $user->user_email; // The blogname option is escaped with esc_html on the way into the database in sanitize_option // we want to reverse this for the plain text arena of emails. diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php index 21620b456f..13a8407f15 100644 --- a/wp-includes/post-template.php +++ b/wp-includes/post-template.php 
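Review bot: The fallback redirect on the changed line in auth_redirect() is built from `$_SERVER['HTTP_HOST']`, which the client controls, and is then passed to wp_login_url() as `redirect_to`; the `strpos( $_SERVER['REQUEST_URI'], '/options.php' )` test on the same line also still reads the slashed value while the concatenation reads the unslashed one, so the two halves of the expression see different data. Prefer deriving the host from the configured site URL rather than the request header, or at least pass the assembled URL through `esc_url_raw()`, and unslash `REQUEST_URI` once into a local used by both the test and the concatenation. auth_redirect() starts and ends outside the hunk.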
@@ -583,7 +583,7 @@ function post_password_required( $post = null ) { $wp_hasher = new PasswordHash(8, true); } - $hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ); + $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ); return ! $wp_hasher->CheckPassword( $post->post_password, $hash ); } diff --git a/wp-includes/post.php b/wp-includes/post.php index dbedab7bf1..70d650ea82 100644 --- a/wp-includes/post.php +++ b/wp-includes/post.php 
@@ -1742,17 +1742,41 @@ function get_posts($args = null) { * @link http://codex.wordpress.org/Function_Reference/add_post_meta * * @param int $post_id Post ID. - * @param string $meta_key Metadata name. - * @param mixed $meta_value Metadata value. + * @param string $meta_key Metadata name (expected slashed). + * @param mixed $meta_value Metadata value (expected slashed). * @param bool $unique Optional, default is false. Whether the same key should not be added. * @return bool False for failure. True for success. */ -function add_post_meta($post_id, $meta_key, $meta_value, $unique = false) { +function add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) { + //_deprecated_function( __FUNCTION__, '3.6', 'wp_add_post_meta() (expects unslashed data)' ); + + // expected slashed + $meta_key = stripslashes( $meta_key ); + $meta_value = stripslashes_deep( $meta_value ); + + return wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique ); +} + +/** + * Add meta data field to a post. + * + * Post meta data is called "Custom Fields" on the Administration Screen. + * + * @since 3.6.0 + * @link http://codex.wordpress.org/Function_Reference/wp_add_post_meta + * + * @param int $post_id Post ID. + * @param string $meta_key Metadata name (clean, slashes already stripped). + * @param mixed $meta_value Metadata value (clean, slashes already stripped). + * @param bool $unique Optional, default is false. Whether the same key should not be added. + * @return bool False for failure. True for success. + */ +function wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) { // make sure meta is added to the post, not a revision - if ( $the_post = wp_is_post_revision($post_id) ) + if ( $the_post = wp_is_post_revision( $post_id ) ) $post_id = $the_post; - return add_metadata('post', $post_id, $meta_key, $meta_value, $unique); + return add_metadata( 'post', $post_id, $meta_key, $meta_value, $unique ); } /** 
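Review bot: The commented-out `//_deprecated_function( __FUNCTION__, '3.6', ... )` in the new add_post_meta() wrapper is dead code; the commit message says the slashed wrappers are kept deliberately for now, so either make the call or replace the line with a comment that records the decision, e.g. `// Deliberately not deprecated yet: plugins commonly pass slashed POST data here; see wp_add_post_meta() for the unslashed API.`. The same commented-out call appears in update_post_meta() in the next hunk. The `(expected slashed)` text in the `@param` lines is currently the only hint to callers, so adding `@see wp_add_post_meta()` to the docblock would point them at the replacement.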
@@ -1809,17 +1833,45 @@ function get_post_meta($post_id, $key = '', $single = false) { * @link http://codex.wordpress.org/Function_Reference/update_post_meta * * @param int $post_id Post ID. - * @param string $meta_key Metadata key. - * @param mixed $meta_value Metadata value. + * @param string $meta_key Metadata key (expected slashed). + * @param mixed $meta_value Metadata value (expected slashed). * @param mixed $prev_value Optional. Previous value to check before removing. * @return bool False on failure, true if success. */ -function update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '') { +function update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) { + //_deprecated_function( __FUNCTION__, '3.6', 'wp_update_post_meta() (expects unslashed data)' ); + + // expected slashed + $meta_key = stripslashes( $meta_key ); + $meta_value = stripslashes_deep( $meta_value ); + + return wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value ); +} + +/** + * Update post meta field based on post ID. + * + * Use the $prev_value parameter to differentiate between meta fields with the + * same key and post ID. + * + * If the meta field for the post does not exist, it will be added. + * + * @since 3.6.0 + * @uses $wpdb + * @link http://codex.wordpress.org/Function_Reference/wp_update_post_meta + * + * @param int $post_id Post ID. + * @param string $meta_key Metadata key (clean, slashes already stripped). + * @param mixed $meta_value Metadata value (clean, slashes already stripped). + * @param mixed $prev_value Optional. Previous value to check before removing. + * @return bool False on failure, true if success. 
+ */ +function wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) { // make sure meta is added to the post, not a revision - if ( $the_post = wp_is_post_revision($post_id) ) + if ( $the_post = wp_is_post_revision( $post_id ) ) $post_id = $the_post; - return update_metadata('post', $post_id, $meta_key, $meta_value, $prev_value); + return update_metadata( 'post', $post_id, $meta_key, $meta_value, $prev_value ); } /** @@ -2406,8 +2458,8 @@ function wp_trash_post($post_id = 0) { do_action('wp_trash_post', $post_id); - add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']); - add_post_meta($post_id,'_wp_trash_meta_time', time()); + wp_add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']); + wp_add_post_meta($post_id,'_wp_trash_meta_time', time()); $post['post_status'] = 'trash'; wp_insert_post($post); @@ -2483,7 +2535,7 @@ function wp_trash_post_comments($post = null) { $statuses = array(); foreach ( $comments as $comment ) $statuses[$comment->comment_ID] = $comment->comment_approved; - add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses); + wp_add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses); // Set status for all comments to post-trashed $result = $wpdb->update($wpdb->comments, array('comment_approved' => 'post-trashed'), array('comment_post_ID' => $post_id)); 
@@ -2859,10 +2911,8 @@ function wp_insert_post($postarr, $wp_error = false) { $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent); - // expected_slashed (everything!) $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) ); $data = apply_filters('wp_insert_post_data', $data, $postarr); - $data = stripslashes_deep( $data ); $where = array( 'ID' => $post_ID ); if ( $update ) { @@ -2875,7 +2925,7 @@ function wp_insert_post($postarr, $wp_error = false) { } } else { if ( isset($post_mime_type) ) - $data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update + $data['post_mime_type'] = $post_mime_type; // This isn't in the update // If there is a suggested ID, use it if not already present if ( !empty($import_id) ) { $import_id = (int) $import_id; @@ -2936,7 +2986,7 @@ function wp_insert_post($postarr, $wp_error = false) { else return 0; } - update_post_meta($post_ID, '_wp_page_template', $page_template); + wp_update_post_meta($post_ID, '_wp_page_template', $page_template); } wp_transition_post_status($data['post_status'], $previous_status, $post); @@ -2969,15 +3019,11 @@ function wp_update_post( $postarr = array(), $wp_error = false ) { if ( is_object($postarr) ) { // non-escaped post was passed $postarr = get_object_vars($postarr); - $postarr = add_magic_quotes($postarr); } // First, get all of the original fields $post = get_post($postarr['ID'], ARRAY_A); - // Escape data pulled from DB. - $post = add_magic_quotes($post); - // Passed post category list overwrites existing category list if not empty. if ( isset($postarr['post_category']) && is_array($postarr['post_category']) && 0 != count($postarr['post_category']) ) 
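Review bot: Removing `$data = stripslashes_deep( $data );` after `apply_filters( 'wp_insert_post_data', $data, $postarr )` changes what every `wp_insert_post_data` callback receives and is expected to return (the array is now unslashed in both directions), but nothing in the hunk documents it; a callback written against 3.5 that adds or expects slashes will now corrupt post content. A comment above the filter call, e.g. `// As of 3.6 $data is unslashed here; filter callbacks must not add slashes.`, plus a matching note in the filter's reference documentation, would make the contract change visible. wp_insert_post() starts and ends outside this hunk.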
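Review bot: The comment `// non-escaped post was passed` in wp_update_post() is now stale: with `add_magic_quotes( $postarr )` removed, the object branch only calls `get_object_vars()`, so there is no escaped/non-escaped distinction left for the comment to explain. Either drop it or reword it to what the branch does, e.g. `// Accept a post object as well as an array.`. wp_update_post() continues outside the hunk.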
@@ -3392,7 +3438,7 @@ function trackback_url_list($tb_list, $post_id) { $trackback_urls = explode(',', $tb_list); foreach( (array) $trackback_urls as $tb_url) { $tb_url = trim($tb_url); - trackback($tb_url, stripslashes($post_title), $excerpt, $post_id); + trackback($tb_url, $post_title, $excerpt, $post_id); } } } @@ -3735,9 +3781,6 @@ function get_pages($args = '') { if ( ! empty( $meta_key ) || ! empty( $meta_value ) ) { $join = " LEFT JOIN $wpdb->postmeta ON ( $wpdb->posts.ID = $wpdb->postmeta.post_id )"; - // meta_key and meta_value might be slashed - $meta_key = stripslashes($meta_key); - $meta_value = stripslashes($meta_value); if ( ! empty( $meta_key ) ) $where .= $wpdb->prepare(" AND $wpdb->postmeta.meta_key = %s", $meta_key); if ( ! empty( $meta_value ) ) @@ -3962,7 +4005,6 @@ function wp_insert_attachment($object, $file = false, $parent = 0) { else $post_name = sanitize_title($post_name); - // expected_slashed ($post_name) $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent); if ( empty($post_date) ) @@ -4005,9 +4047,7 @@ function wp_insert_attachment($object, $file = false, $parent = 0) { if ( ! isset($pinged) ) $pinged = ''; - // expected_slashed (everything!) $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) ); - $data = stripslashes_deep( $data ); if ( $update ) { $wpdb->update( $wpdb->posts, $data, array( 'ID' => $post_ID ) ); 
@@ -4052,7 +4092,7 @@ function wp_insert_attachment($object, $file = false, $parent = 0) { clean_post_cache( $post_ID ); if ( ! empty( $context ) ) - add_post_meta( $post_ID, '_wp_attachment_context', $context, true ); + wp_add_post_meta( $post_ID, '_wp_attachment_context', $context, true ); if ( $update) { do_action('edit_attachment', $post_ID); @@ -4439,7 +4479,7 @@ function wp_check_for_changed_slugs($post_id, $post, $post_before) { // if we haven't added this old slug before, add it now if ( !empty( $post_before->post_name ) && !in_array($post_before->post_name, $old_slugs) ) - add_post_meta($post_id, '_wp_old_slug', $post_before->post_name); + wp_add_post_meta($post_id, '_wp_old_slug', $post_before->post_name); // if the new slug was used previously, delete it from the list if ( in_array($post->post_name, $old_slugs) ) @@ -4856,8 +4896,8 @@ function _publish_post_hook($post_id) { return; if ( get_option('default_pingback_flag') ) - add_post_meta( $post_id, '_pingme', '1' ); - add_post_meta( $post_id, '_encloseme', '1' ); + wp_add_post_meta( $post_id, '_pingme', '1' ); + wp_add_post_meta( $post_id, '_encloseme', '1' ); wp_schedule_single_event(time(), 'do_pings'); } @@ -5097,7 +5137,6 @@ function _wp_put_post_revision( $post = null, $autosave = false ) { return new WP_Error( 'post_type', __( 'Cannot create a revision of a revision' ) ); $post = _wp_post_revision_fields( $post, $autosave ); - $post = add_magic_quotes($post); //since data is from db $revision_id = wp_insert_post( $post ); if ( is_wp_error($revision_id) ) @@ -5176,8 +5215,6 @@ function wp_restore_post_revision( $revision_id, $fields = null ) { $update['ID'] = $revision['post_parent']; - $update = add_magic_quotes( $update ); //since data is from db - $post_id = wp_update_post( $update ); if ( is_wp_error( $post_id ) ) return $post_id; 
@@ -5399,7 +5436,7 @@ function set_post_thumbnail( $post, $thumbnail_id ) { $thumbnail_id = absint( $thumbnail_id ); if ( $post && $thumbnail_id && get_post( $thumbnail_id ) ) { if ( $thumbnail_html = wp_get_attachment_image( $thumbnail_id, 'thumbnail' ) ) - return update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id ); + return wp_update_post_meta( $post->ID, '_thumbnail_id', $thumbnail_id ); else return delete_post_meta( $post->ID, '_thumbnail_id' ); } diff --git a/wp-includes/query.php b/wp-includes/query.php index be2a965af9..1a5b7a8794 100644 --- a/wp-includes/query.php +++ b/wp-includes/query.php @@ -1733,7 +1733,6 @@ class WP_Query { // Category stuff if ( !empty($q['cat']) && '0' != $q['cat'] && !$this->is_singular && $this->query_vars_changed ) { $q['cat'] = ''.urldecode($q['cat']).''; - $q['cat'] = addslashes_gpc($q['cat']); $cat_array = preg_split('/[,\s]+/', $q['cat']); $q['cat'] = ''; $req_cats = array(); @@ -2180,8 +2179,6 @@ class WP_Query { // If a search pattern is specified, load the posts that match if ( !empty($q['s']) ) { - // added slashes screw with quote grouping when done early, so done later - $q['s'] = stripslashes($q['s']); if ( empty( $_GET['s'] ) && $this->is_main_query() ) $q['s'] = urldecode($q['s']); if ( !empty($q['sentence']) ) { @@ -2290,7 +2287,6 @@ class WP_Query { $whichauthor = ''; } else { $q['author'] = (string)urldecode($q['author']); - $q['author'] = addslashes_gpc($q['author']); if ( strpos($q['author'], '-') !== false ) { $eq = '!='; $andor = 'AND'; @@ -2352,7 +2348,6 @@ class WP_Query { $allowed_keys[] = 'meta_value_num'; } $q['orderby'] = urldecode($q['orderby']); - $q['orderby'] = addslashes_gpc($q['orderby']); $orderby_array = array(); foreach ( explode( ' ', $q['orderby'] ) as $i => $orderby ) { diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php index cbaecdfa13..ed20bcefea 100644 --- a/wp-includes/taxonomy.php +++ b/wp-includes/taxonomy.php 
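Review bot: The removed `addslashes_gpc()` calls on `$q['cat']`, `$q['author']` and `$q['orderby']` were the only escaping applied to these request-derived query vars before the SQL is assembled further down in WP_Query, so safety now rests entirely on the later handling (presumably integer casts for the category and author lists, and the `$allowed_keys` check for `orderby`), which is outside these hunks. That is the right design, but please confirm each of the three is still constrained on every path before it reaches the query string. A short comment at each removal site, e.g. `// $q['orderby'] is validated against $allowed_keys below and never interpolated raw.`, would record the reasoning for the next reader. The enclosing WP_Query methods start and end outside these hunks.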
@@ -953,8 +953,6 @@ function get_term_by($field, $value, $taxonomy, $output = OBJECT, $filter = 'raw if ( empty($value) ) return false; } else if ( 'name' == $field ) { - // Assume already escaped - $value = stripslashes($value); $field = 't.name'; } else { $term = get_term( (int) $value, $taxonomy, $output, $filter); @@ -1494,7 +1492,7 @@ function term_exists($term, $taxonomy = '', $parent = 0) { return $wpdb->get_var( $wpdb->prepare( $select . $where, $term ) ); } - $term = trim( stripslashes( $term ) ); + $term = trim( $term ); if ( '' === $slug = sanitize_title($term) ) return 0; @@ -2056,10 +2054,6 @@ function wp_insert_term( $term, $taxonomy, $args = array() ) { $args = sanitize_term($args, $taxonomy, 'db'); extract($args, EXTR_SKIP); - // expected_slashed ($name) - $name = stripslashes($name); - $description = stripslashes($description); - if ( empty($slug) ) $slug = sanitize_title($name); @@ -2439,9 +2433,6 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) { if ( is_wp_error( $term ) ) return $term; - // Escape data pulled from DB. - $term = add_magic_quotes($term); - // Merge old and new args with new args overwriting old ones. $args = array_merge($term, $args); @@ -2450,10 +2441,6 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) { $args = sanitize_term($args, $taxonomy, 'db'); extract($args, EXTR_SKIP); - // expected_slashed ($name) - $name = stripslashes($name); - $description = stripslashes($description); - if ( '' == trim($name) ) return new WP_Error('empty_term_name', __('A name is required for this term')); diff --git a/wp-includes/user.php b/wp-includes/user.php index 56e6d082a5..04091f3f76 100644 --- a/wp-includes/user.php +++ b/wp-includes/user.php 
@@ -1390,7 +1390,6 @@ function wp_insert_user( $userdata ) { } $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' ); - $data = stripslashes_deep( $data ); if ( $update ) { $wpdb->update( $wpdb->users, $data, compact( 'ID' ) ); @@ -1462,9 +1461,6 @@ function wp_update_user($userdata) { $user[ $key ] = get_user_meta( $ID, $key, true ); } - // Escape data pulled from DB. - $user = add_magic_quotes( $user ); - // If password is changing, hash it now. if ( ! empty($userdata['user_pass']) ) { $plaintext_pass = $userdata['user_pass']; @@ -1504,8 +1500,8 @@ function wp_update_user($userdata) { * @return int The new user's ID. */ function wp_create_user($username, $password, $email = '') { - $user_login = esc_sql( $username ); - $user_email = esc_sql( $email ); + $user_login = $username; + $user_email = $email; $user_pass = $password; $userdata = compact('user_login', 'user_email', 'user_pass'); diff --git a/wp-includes/widgets.php b/wp-includes/widgets.php index 61d2cd7d46..87f023f619 100644 --- a/wp-includes/widgets.php +++ b/wp-includes/widgets.php @@ -224,7 +224,7 @@ class WP_Widget { } foreach ( $settings as $number => $new_instance ) { - $new_instance = stripslashes_deep($new_instance); + $new_instance = wp_unslash($new_instance); $this->_set($number); $old_instance = isset($all_instances[$number]) ? $all_instances[$number] : array(); diff --git a/wp-login.php b/wp-login.php index 766a8bf1f5..92d3911815 100644 --- a/wp-login.php +++ b/wp-login.php @@ -396,7 +396,7 @@ case 'postpass' : } // 10 days - setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH ); + setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH ); wp_safe_redirect( wp_get_referer() ); exit(); 
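Review bot: The new `wp_unslash( $_POST['post_password'] )` in the wp-login.php postpass branch is evaluated without an `isset()` guard, so a request to that action with no `post_password` field raises an undefined-index notice and hashes an empty string into the cookie, unless a check exists above the hunk. Reading it once, `$post_password = isset( $_POST['post_password'] ) ? wp_unslash( $_POST['post_password'] ) : '';`, and redirecting back without setting the cookie when it is empty avoids both. The `setcookie()` call also sets neither the secure nor the httponly flag on a cookie that carries a password-derived hash; passing `COOKIE_DOMAIN, is_ssl(), true` as the remaining arguments is worth considering. The surrounding switch case starts outside the hunk.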
@@ -431,7 +431,7 @@ case 'retrievepassword' : do_action('lost_password'); login_header(__('Lost Password'), '

' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '

', $errors); - $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : ''; + $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : ''; ?> @@ -530,8 +530,8 @@ case 'register' : $user_login = ''; $user_email = ''; if ( $http_post ) { - $user_login = $_POST['user_login']; - $user_email = $_POST['user_email']; + $user_login = wp_unslash( $_POST['user_login'] ); + $user_email = wp_unslash( $_POST['user_email'] ); $errors = register_new_user($user_login, $user_email); if ( !is_wp_error($errors) ) { $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered'; @@ -547,11 +547,11 @@ case 'register' :

+

+

@@ -673,7 +673,7 @@ default: login_header(__('Log In'), '', $errors); if ( isset($_POST['log']) ) - $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : ''; + $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : ''; $rememberme = ! empty( $_POST['rememberme'] ); ?> diff --git a/wp-mail.php b/wp-mail.php index 5685b3acf9..8a66e12b62 100644 --- a/wp-mail.php +++ b/wp-mail.php @@ -202,7 +202,6 @@ for ( $i = 1; $i <= $count; $i++ ) { $post_category = array(get_option('default_email_category')); $post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status'); - $post_data = add_magic_quotes($post_data); $post_ID = wp_insert_post($post_data); if ( is_wp_error( $post_ID ) ) diff --git a/wp-trackback.php b/wp-trackback.php index 06e47507be..5c0c198a41 100644 --- a/wp-trackback.php +++ b/wp-trackback.php @@ -45,9 +45,9 @@ $tb_url = isset($_POST['url']) ? $_POST['url'] : ''; $charset = isset($_POST['charset']) ? $_POST['charset'] : ''; // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding() -$title = isset($_POST['title']) ? stripslashes($_POST['title']) : ''; -$excerpt = isset($_POST['excerpt']) ? stripslashes($_POST['excerpt']) : ''; -$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name']) : ''; +$title = isset($_POST['title']) ? wp_unslash( $_POST['title'] ) : ''; +$excerpt = isset($_POST['excerpt']) ? wp_unslash( $_POST['excerpt'] ) : ''; +$blog_name = isset($_POST['blog_name']) ? wp_unslash( $_POST['blog_name'] ) : ''; if ($charset) $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) ); 
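Review bot: The comment `// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()` above the three changed wp-trackback.php lines is now wrong: the escaping step it refers to is removed in the next hunk, and from here on the values are simply unslashed request input. Reword it to the current reason, e.g. `// Unslash these three before mb_convert_encoding() so the charset conversion and the core API both see raw text.`. This is top-level script code, not a function body.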
@@ -64,11 +64,6 @@ if ( function_exists('mb_convert_encoding') ) { // For international trackbacks $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset); } -// Now that mb_convert_encoding() has been given a swing, we need to escape these three -$title = $wpdb->escape($title); -$excerpt = $wpdb->escape($excerpt); -$blog_name = $wpdb->escape($blog_name); - if ( is_single() || is_page() ) $tb_id = $posts[0]->ID;