Strip a number of special characters in sanitize_title_with_dashes on save. Includes quotes (curly, angle), dashes, marks, etc. props SergeyBiryukov. props ampt for the unit tests in [UT438]. see #10797.

git-svn-id: http://svn.automattic.com/wordpress/trunk@18705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-09-18 19:53:59 +00:00 · 2011-09-18 19:53:59 +00:00 · e5ca4fea40
parent 80720acfc4
commit e5ca4fea40
2 changed files with 19 additions and 3 deletions
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@ -182,7 +182,7 @@ add_filter( 'option_home',              '_config_wp_home'                     );
 add_filter( 'option_siteurl',           '_config_wp_siteurl'                  );
 add_filter( 'tiny_mce_before_init',     '_mce_set_direction'                  );
 add_filter( 'pre_kses',                 'wp_pre_kses_less_than'               );
-add_filter( 'sanitize_title',           'sanitize_title_with_dashes'          );
+add_filter( 'sanitize_title',           'sanitize_title_with_dashes',   10, 3 );
 add_action( 'check_comment_flood',      'check_comment_flood_db',       10, 3 );
 add_filter( 'comment_flood_filter',     'wp_throttle_comment_flood',    10, 3 );
 add_filter( 'pre_comment_content',      'wp_rel_nofollow',              15    );
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -803,7 +803,7 @@ function sanitize_title_for_query($title) {
 }

 /**
- * Sanitizes title, replacing whitespace with dashes.
+ * Sanitizes title, replacing whitespace and a few other characters with dashes.
 *
 * Limits the output to alphanumeric characters, underscore (_) and dash (-).
 * Whitespace becomes a dash.
@ -811,9 +811,11 @@ function sanitize_title_for_query($title) {
 * @since 1.2.0
 *
 * @param string $title The title to be sanitized.
+ * @param string $raw_title Optional. Not used.
+ * @param string $context Optional. The operation for which the string is sanitized.
 * @return string The sanitized title.
 */
-function sanitize_title_with_dashes($title) {
+function sanitize_title_with_dashes($title, $raw_title = '', $context = 'display') {
 	$title = strip_tags($title);
 	// Preserve escaped octets.
 	$title = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '---$1---', $title);
@ -832,6 +834,20 @@ function sanitize_title_with_dashes($title) {
 	$title = strtolower($title);
 	$title = preg_replace('/&.+?;/', '', $title); // kill entities
 	$title = str_replace('.', '-', $title);
+
+	if ( 'save' == $context ) {
+		// nbsp, ndash and mdash
+		$title = str_replace( array( '%c2%a0', '%e2%80%93', '%e2%80%94' ), '-', $title );
+		// iexcl and iquest
+		$title = str_replace( array( '%c2%a1', '%c2%bf' ), '', $title );
+		// angle quotes
+		$title = str_replace( array( '%c2%ab', '%c2%bb', '%e2%80%b9', '%e2%80%ba' ), '', $title );
+		// curly quotes
+		$title = str_replace( array( '%e2%80%98', '%e2%80%99', '%e2%80%9c', '%e2%80%9d' ), '', $title );
+		// copy, reg, deg, hellip and trade
+		$title = str_replace( array( '%c2%a9', '%c2%ae', '%c2%b0', '%e2%80%a6', '%e2%84%a2' ), '', $title );
+	}
+
 	$title = preg_replace('/[^%a-z0-9 _-]/', '', $title);
 	$title = preg_replace('/\s+/', '-', $title);
 	$title = preg_replace('|-+|', '-', $title);