diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 2c1000b563..06be04786f 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -583,7 +583,7 @@ function post_password_required( $post = null ) {
 $wp_hasher = new PasswordHash(8, true);
 }
- $hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
+ $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
 return ! $wp_hasher->CheckPassword( $post->post_password, $hash );
 }
diff --git a/wp-includes/post.php b/wp-includes/post.php
index f51481e112..a2352d4656 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -360,7 +360,7 @@ function get_extended($post) {
 $more_text = '';
 }
- // Strip leading and trailing whitespace
+ // ` leading and trailing whitespace
 $main = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $main);
 $extended = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $extended);
 $more_text = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $more_text);
@@ -2797,7 +2797,7 @@ function wp_insert_post($postarr, $wp_error = false) {
 // expected_slashed (everything!)
 $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) );
 $data = apply_filters('wp_insert_post_data', $data, $postarr);
- $data = stripslashes_deep( $data );
+ $data = wp_unslash( $data );
 $where = array( 'ID' => $post_ID );
 if ( $update ) {
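Review bot: The replacement comment in the get_extended hunk is garbled: the word "Strip" has become a stray backtick, leaving `// ` followed by ` leading and trailing whitespace`, presumably a search-and-replace over the stripslashes family that also matched the comment text. Restore it as `// Strip leading and trailing whitespace`; nothing else in that hunk changed. The three `preg_replace` calls below it are pre-existing, but note that the greedy `(.*)` ahead of `[\s]*$` appears to leave trailing whitespace inside the captured group on a single-line value, so the comment's promise is only half kept; that is worth a separate ticket rather than a fix in this commit.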
@@ -2810,7 +2810,7 @@ function wp_insert_post($postarr, $wp_error = false) {
 }
 } else {
 if ( isset($post_mime_type) )
- $data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update
+ $data['post_mime_type'] = wp_unslash( $post_mime_type ); // This isn't in the update
 // If there is a suggested ID, use it if not already present
 if ( !empty($import_id) ) {
 $import_id = (int) $import_id;
@@ -2904,14 +2904,14 @@ function wp_update_post( $postarr = array(), $wp_error = false ) {
 if ( is_object($postarr) ) {
 // non-escaped post was passed
 $postarr = get_object_vars($postarr);
- $postarr = add_magic_quotes($postarr);
+ $postarr = wp_slash($postarr);
 }
 // First, get all of the original fields
 $post = get_post($postarr['ID'], ARRAY_A);
 // Escape data pulled from DB.
- $post = add_magic_quotes($post);
+ $post = wp_slash($post);
 // Passed post category list overwrites existing category list if not empty.
 if ( isset($postarr['post_category']) && is_array($postarr['post_category'])
@@ -3257,7 +3257,7 @@ function add_ping($post_id, $uri) {
 $new = implode("\n", $pung);
 $new = apply_filters('add_ping', $new);
 // expected_slashed ($new)
- $new = stripslashes($new);
+ $new = wp_unslash($new);
 return $wpdb->update( $wpdb->posts, array( 'pinged' => $new ), array( 'ID' => $post_id ) );
 }
@@ -3350,7 +3350,7 @@ function trackback_url_list($tb_list, $post_id) {
 $trackback_urls = explode(',', $tb_list);
 foreach( (array) $trackback_urls as $tb_url) {
 $tb_url = trim($tb_url);
- trackback($tb_url, stripslashes($post_title), $excerpt, $post_id);
+ trackback($tb_url, wp_unslash($post_title), $excerpt, $post_id);
 }
 }
 }
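Review bot: In the wp_update_post hunk, `$post = wp_slash($post);` runs on whatever `get_post($postarr['ID'], ARRAY_A)` returned, and nothing in the hunk rejects a missing post, so a non-existent ID reaches the subsequent merge of the two arrays (outside the hunk, so inferred) with nothing to merge. Adding `if ( ! $post ) return $wp_error ? new WP_Error( 'invalid_post', __( 'Invalid post ID.' ) ) : 0;` directly after the `get_post()` call would make that failure explicit and follow the `$wp_error` convention the signature already exposes. The comment `// Escape data pulled from DB.` also still says "escape" although the line now slashes; `// Slash data pulled from DB so it matches the slashed $postarr.` reads correctly. The body of wp_update_post continues outside the hunk.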
@@ -3694,8 +3694,8 @@ function get_pages($args = '') {
 $join = " LEFT JOIN $wpdb->postmeta ON ( $wpdb->posts.ID = $wpdb->postmeta.post_id )";
 // meta_key and meta_value might be slashed
- $meta_key = stripslashes($meta_key);
- $meta_value = stripslashes($meta_value);
+ $meta_key = wp_unslash($meta_key);
+ $meta_value = wp_unslash($meta_value);
 if ( ! empty( $meta_key ) )
 $where .= $wpdb->prepare(" AND $wpdb->postmeta.meta_key = %s", $meta_key);
 if ( ! empty( $meta_value ) )
@@ -3965,7 +3965,7 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
 // expected_slashed (everything!)
 $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) );
- $data = stripslashes_deep( $data );
+ $data = wp_unslash( $data );
 if ( $update ) {
 $wpdb->update( $wpdb->posts, $data, array( 'ID' => $post_ID ) );
diff --git a/wp-includes/revision.php b/wp-includes/revision.php
index 9b2cafc6a3..ea7b17c8a9 100644
--- a/wp-includes/revision.php
+++ b/wp-includes/revision.php
@@ -241,7 +241,7 @@ function _wp_put_post_revision( $post = null, $autosave = false ) {
 return new WP_Error( 'post_type', __( 'Cannot create a revision of a revision' ) );
 $post = _wp_post_revision_fields( $post, $autosave );
- $post = add_magic_quotes($post); //since data is from db
+ $post = wp_slash($post); //since data is from db
 $revision_id = wp_insert_post( $post );
 if ( is_wp_error($revision_id) )
@@ -320,7 +320,7 @@ function wp_restore_post_revision( $revision_id, $fields = null ) {
 $update['ID'] = $revision['post_parent'];
- $update = add_magic_quotes( $update ); //since data is from db
+ $update = wp_slash( $update ); //since data is from db
 $post_id = wp_update_post( $update );
 if ( is_wp_error( $post_id ) )
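Review bot: The comment `// meta_key and meta_value might be slashed` in the get_pages hunk no longer matches the code beneath it: `wp_unslash()` is applied unconditionally, so a caller that passes an unslashed value containing a literal backslash has it stripped before the `$wpdb->prepare()` call, which is a silent data change rather than a safety problem (the query itself stays parameterised). A string cannot be inspected to learn whether it was slashed, so the ambiguity has to be settled by contract: if these arguments are expected slashed, state it, e.g. `// meta_key and meta_value are expected slashed; unslash before they are bound by prepare()`, and resolve any callers that disagree. The rest of get_pages is outside the hunk.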
diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php
index 9d19f67955..ad4a5e4f01 100644
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -959,7 +959,7 @@ function get_term_by($field, $value, $taxonomy, $output = OBJECT, $filter = 'raw
 return false;
 } else if ( 'name' == $field ) {
 // Assume already escaped
- $value = stripslashes($value);
+ $value = wp_unslash($value);
 $field = 't.name';
 } else {
 $term = get_term( (int) $value, $taxonomy, $output, $filter);
@@ -1499,7 +1499,7 @@ function term_exists($term, $taxonomy = '', $parent = 0) {
 return $wpdb->get_var( $wpdb->prepare( $select . $where, $term ) );
 }
- $term = trim( stripslashes( $term ) );
+ $term = trim( wp_unslash( $term ) );
 if ( '' === $slug = sanitize_title($term) )
 return 0;
@@ -2062,8 +2062,8 @@ function wp_insert_term( $term, $taxonomy, $args = array() ) {
 extract($args, EXTR_SKIP);
 // expected_slashed ($name)
- $name = stripslashes($name);
- $description = stripslashes($description);
+ $name = wp_unslash($name);
+ $description = wp_unslash($description);
 if ( empty($slug) )
 $slug = sanitize_title($name);
@@ -2445,7 +2445,7 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) {
 return $term;
 // Escape data pulled from DB.
- $term = add_magic_quotes($term);
+ $term = wp_slash($term);
 // Merge old and new args with new args overwriting old ones.
 $args = array_merge($term, $args);
@@ -2456,8 +2456,8 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) {
 extract($args, EXTR_SKIP);
 // expected_slashed ($name)
- $name = stripslashes($name);
- $description = stripslashes($description);
+ $name = wp_unslash($name);
+ $description = wp_unslash($description);
 if ( '' == trim($name) )
 return new WP_Error('empty_term_name', __('A name is required for this term'));
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 9ecf8db93c..68e6127e05 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
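Review bot: The comment `// Assume already escaped` above `$value = wp_unslash($value);` in the get_term_by hunk describes the old escaping model, and "escaped" now reads as SQL escaping, which this line does not perform; a later reader could take `$value` as safe for direct interpolation. Reword it to `// Assume $value arrived slashed; unslash it here, the query must still bind it` so the contract is explicit. How `$field = 't.name'` and `$value` are combined into the query is outside the hunk.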
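Review bot: In the wp_insert_term hunk, `$name` and `$description` exist only because of `extract($args, EXTR_SKIP)` on the line above, so `wp_unslash($description)` depends on `$args` always carrying a `description` key (defaults are presumably merged above the hunk; cannot confirm here) and a static analyser cannot see where either variable originates. Reading them explicitly, `$name = wp_unslash( $args['name'] ); $description = wp_unslash( $args['description'] );`, documents the dependency and should behave the same unless a local of the same name already existed, which EXTR_SKIP would have preserved. The wp_update_term hunk at 2456 has the identical shape; both function bodies continue outside their hunks.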
@@ -1390,7 +1390,7 @@ function wp_insert_user( $userdata ) {
 }
 $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' );
- $data = stripslashes_deep( $data );
+ $data = wp_unslash( $data );
 if ( $update ) {
 $wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
@@ -1504,8 +1504,8 @@ function wp_update_user($userdata) {
 * @return int The new user's ID.
 */
 function wp_create_user($username, $password, $email = '') {
- $user_login = esc_sql( $username );
- $user_email = esc_sql( $email );
+ $user_login = wp_slash( $username );
+ $user_email = wp_slash( $email );
 $user_pass = $password;
 $userdata = compact('user_login', 'user_email', 'user_pass');
diff --git a/wp-login.php b/wp-login.php
index 473f48e711..035ca66144 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -399,7 +399,7 @@ case 'postpass' :
 }
 // 10 days
- setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
+ setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
 wp_safe_redirect( wp_get_referer() );
 exit();
@@ -434,7 +434,7 @@ case 'retrievepassword' :
 do_action('lost_password');
 login_header(__('Lost Password'), '
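Review bot: In the wp_create_user hunk, `$user_login` and `$user_email` are now put into slashed form with `wp_slash()` while `$user_pass = $password;` is passed through untouched, so the `compact()`ed `$userdata` is only partly in the form wp_insert_user appears to expect (its own hunk above unslashes a `user_pass` field together with the rest of `$data`). If the password is intentionally left raw because wp_insert_user hashes it before that unslash, a comment on the `$user_pass` line should say so, e.g. `// Not slashed: wp_insert_user() hashes the raw value`; otherwise a password containing a backslash is altered on the way in. The hashing step is outside the hunk, so this is inferred rather than observed.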
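Review bot: The rewritten `setcookie()` call in the postpass hunk still passes only the path, so the cookie carrying the hashed post password is set without the `secure` and `httponly` arguments that `setcookie()` accepts; it is therefore readable by page scripts and sent over plain HTTP even when the form was submitted over SSL. If the other login cookies already pass these flags (not visible here), match them: `setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );`. `$_POST['post_password']` is also read without an `isset()` check; whether the case's earlier lines guard it is outside the hunk.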

' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '

', $errors);
- $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';
+ $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
 ?>
@@ -550,11 +550,11 @@ case 'register' :
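Review bot: The retrievepassword hunk assigns `$user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';` with no output escaping, whereas the parallel assignment in the `default:` hunk further down wraps the equivalent value in `esc_attr()`. Keeping the raw value and escaping at the point of output is the better of the two patterns, but it only holds if the template that prints `$user_login` into the form does call `esc_attr( $user_login )`; that template is outside the hunk, so this needs verifying rather than assuming. A short comment such as `// Raw value; escape with esc_attr() where it is printed` on the new line would make the intended division of responsibility clear.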

+

+

@@ -670,7 +670,7 @@ default:
 login_header(__('Log In'), '', $errors);
 if ( isset($_POST['log']) )
- $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : '';
+ $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
 $rememberme = ! empty( $_POST['rememberme'] );
 ?>
diff --git a/wp-mail.php b/wp-mail.php
index 5685b3acf9..27290b1115 100644
--- a/wp-mail.php
+++ b/wp-mail.php
@@ -202,7 +202,7 @@ for ( $i = 1; $i <= $count; $i++ ) {
 $post_category = array(get_option('default_email_category'));
 $post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status');
- $post_data = add_magic_quotes($post_data);
+ $post_data = wp_slash($post_data);
 $post_ID = wp_insert_post($post_data);
 if ( is_wp_error( $post_ID ) )
diff --git a/wp-trackback.php b/wp-trackback.php
index 06e47507be..5cee4ddd42 100644
--- a/wp-trackback.php
+++ b/wp-trackback.php
@@ -45,9 +45,9 @@ $tb_url = isset($_POST['url']) ? $_POST['url'] : '';
 $charset = isset($_POST['charset']) ? $_POST['charset'] : '';
 // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
-$title = isset($_POST['title']) ? stripslashes($_POST['title']) : '';
-$excerpt = isset($_POST['excerpt']) ? stripslashes($_POST['excerpt']) : '';
-$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name']) : '';
+$title = isset($_POST['title']) ? wp_unslash($_POST['title']) : '';
+$excerpt = isset($_POST['excerpt']) ? wp_unslash($_POST['excerpt']) : '';
+$blog_name = isset($_POST['blog_name']) ? wp_unslash($_POST['blog_name']) : '';
 if ($charset)
 $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
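Review bot: The context comment in the first wp-trackback.php hunk, `// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()`, is now wrong on both counts: the three new lines call `wp_unslash()`, and the second hunk at 65 replaces `$wpdb->escape()` with `wp_slash()`, which slashes rather than SQL-escapes. Reword it to `// These three are unslashed here so that they can be re-slashed after mb_convert_encoding()` and, in the 65 hunk, change `// Now that mb_convert_encoding() has been given a swing, we need to escape these three` to `// Now that mb_convert_encoding() has been given a swing, we need to slash these three again`. Leaving "escaped" in place invites a reader to treat the slashed values as query-safe; whether they later reach a function that unslashes and binds them is outside both hunks.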
@@ -65,9 +65,9 @@ if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
 }
 // Now that mb_convert_encoding() has been given a swing, we need to escape these three
-$title = $wpdb->escape($title);
-$excerpt = $wpdb->escape($excerpt);
-$blog_name = $wpdb->escape($blog_name);
+$title = wp_slash($title);
+$excerpt = wp_slash($excerpt);
+$blog_name = wp_slash($blog_name);
 if ( is_single() || is_page() )
 $tb_id = $posts[0]->ID;