Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().

see #21767


git-svn-id: https://develop.svn.wordpress.org/trunk@23594 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Ryan Boren 2013-03-03 21:11:40 +00:00
parent c61b68d896
commit 6d2a8d2ef0
8 changed files with 35 additions and 35 deletions


@ -583,7 +583,7 @@ function post_password_required( $post = null ) {
$wp_hasher = new PasswordHash(8, true); $wp_hasher = new PasswordHash(8, true);
} }
$hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ); $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
return ! $wp_hasher->CheckPassword( $post->post_password, $hash ); return ! $wp_hasher->CheckPassword( $post->post_password, $hash );
} }
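Review bot: `$_COOKIE[ 'wp-postpass_' . COOKIEHASH ]` on the new line is read without an `isset()` guard inside the hunk; if post_password_required() does not return earlier when the cookie is absent (the function body starts outside the hunk), an undefined-index notice is raised and CheckPassword() runs against an empty string. A guard such as `if ( ! isset( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] ) ) return true;` placed before the hasher is created would make that early return explicit. The hash read from the cookie is client-controlled, so the only thing deciding access should be CheckPassword()'s comparison, which the hunk preserves.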


@ -360,7 +360,7 @@ function get_extended($post) {
$more_text = ''; $more_text = '';
} }
// Strip leading and trailing whitespace // ` leading and trailing whitespace
$main = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $main); $main = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $main);
$extended = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $extended); $extended = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $extended);
$more_text = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $more_text); $more_text = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $more_text);
@ -2797,7 +2797,7 @@ function wp_insert_post($postarr, $wp_error = false) {
// expected_slashed (everything!) // expected_slashed (everything!)
$data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) ); $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) );
$data = apply_filters('wp_insert_post_data', $data, $postarr); $data = apply_filters('wp_insert_post_data', $data, $postarr);
$data = stripslashes_deep( $data ); $data = wp_unslash( $data );
$where = array( 'ID' => $post_ID ); $where = array( 'ID' => $post_ID );
if ( $update ) { if ( $update ) {
@ -2810,7 +2810,7 @@ function wp_insert_post($postarr, $wp_error = false) {
} }
} else { } else {
if ( isset($post_mime_type) ) if ( isset($post_mime_type) )
$data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update $data['post_mime_type'] = wp_unslash( $post_mime_type ); // This isn't in the update
// If there is a suggested ID, use it if not already present // If there is a suggested ID, use it if not already present
if ( !empty($import_id) ) { if ( !empty($import_id) ) {
$import_id = (int) $import_id; $import_id = (int) $import_id;
@ -2904,14 +2904,14 @@ function wp_update_post( $postarr = array(), $wp_error = false ) {
if ( is_object($postarr) ) { if ( is_object($postarr) ) {
// non-escaped post was passed // non-escaped post was passed
$postarr = get_object_vars($postarr); $postarr = get_object_vars($postarr);
$postarr = add_magic_quotes($postarr); $postarr = wp_slash($postarr);
} }
// First, get all of the original fields // First, get all of the original fields
$post = get_post($postarr['ID'], ARRAY_A); $post = get_post($postarr['ID'], ARRAY_A);
// Escape data pulled from DB. // Escape data pulled from DB.
$post = add_magic_quotes($post); $post = wp_slash($post);
// Passed post category list overwrites existing category list if not empty. // Passed post category list overwrites existing category list if not empty.
if ( isset($postarr['post_category']) && is_array($postarr['post_category']) if ( isset($postarr['post_category']) && is_array($postarr['post_category'])
@ -3257,7 +3257,7 @@ function add_ping($post_id, $uri) {
$new = implode("\n", $pung); $new = implode("\n", $pung);
$new = apply_filters('add_ping', $new); $new = apply_filters('add_ping', $new);
// expected_slashed ($new) // expected_slashed ($new)
$new = stripslashes($new); $new = wp_unslash($new);
return $wpdb->update( $wpdb->posts, array( 'pinged' => $new ), array( 'ID' => $post_id ) ); return $wpdb->update( $wpdb->posts, array( 'pinged' => $new ), array( 'ID' => $post_id ) );
} }
@ -3350,7 +3350,7 @@ function trackback_url_list($tb_list, $post_id) {
$trackback_urls = explode(',', $tb_list); $trackback_urls = explode(',', $tb_list);
foreach( (array) $trackback_urls as $tb_url) { foreach( (array) $trackback_urls as $tb_url) {
$tb_url = trim($tb_url); $tb_url = trim($tb_url);
trackback($tb_url, stripslashes($post_title), $excerpt, $post_id); trackback($tb_url, wp_unslash($post_title), $excerpt, $post_id);
} }
} }
} }
@ -3694,8 +3694,8 @@ function get_pages($args = '') {
$join = " LEFT JOIN $wpdb->postmeta ON ( $wpdb->posts.ID = $wpdb->postmeta.post_id )"; $join = " LEFT JOIN $wpdb->postmeta ON ( $wpdb->posts.ID = $wpdb->postmeta.post_id )";
// meta_key and meta_value might be slashed // meta_key and meta_value might be slashed
$meta_key = stripslashes($meta_key); $meta_key = wp_unslash($meta_key);
$meta_value = stripslashes($meta_value); $meta_value = wp_unslash($meta_value);
if ( ! empty( $meta_key ) ) if ( ! empty( $meta_key ) )
$where .= $wpdb->prepare(" AND $wpdb->postmeta.meta_key = %s", $meta_key); $where .= $wpdb->prepare(" AND $wpdb->postmeta.meta_key = %s", $meta_key);
if ( ! empty( $meta_value ) ) if ( ! empty( $meta_value ) )
@ -3965,7 +3965,7 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
// expected_slashed (everything!) // expected_slashed (everything!)
$data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) ); $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) );
$data = stripslashes_deep( $data ); $data = wp_unslash( $data );
if ( $update ) { if ( $update ) {
$wpdb->update( $wpdb->posts, $data, array( 'ID' => $post_ID ) ); $wpdb->update( $wpdb->posts, $data, array( 'ID' => $post_ID ) );
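Review bot: In wp_update_post() (hunk @ -2904) `$post = get_post($postarr['ID'], ARRAY_A)` can return null for an unknown ID, and the new `$post = wp_slash($post)` then runs on null while the later `array_merge($post, $postarr)` operates on a non-array; a guard such as `if ( is_null( $post ) ) return $wp_error ? new WP_Error( 'invalid_post', __( 'Invalid post ID.' ) ) : 0;` between those two lines would make the failure explicit (error code and message are suggested values). The comments `// non-escaped post was passed` and `// Escape data pulled from DB.` (also in wp_update_term, taxonomy.php @ -2445) now describe a slashing convention rather than SQL escaping; wording such as `// Slash DB data so it matches the expected_slashed() contract of the insert path` avoids readers mistaking wp_slash() for an escaping step. SQL escaping in these paths stays with `$wpdb->prepare()` and `$wpdb->update()`, as in get_pages() where the unslashed meta_key is bound via `%s`.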


@ -241,7 +241,7 @@ function _wp_put_post_revision( $post = null, $autosave = false ) {
return new WP_Error( 'post_type', __( 'Cannot create a revision of a revision' ) ); return new WP_Error( 'post_type', __( 'Cannot create a revision of a revision' ) );
$post = _wp_post_revision_fields( $post, $autosave ); $post = _wp_post_revision_fields( $post, $autosave );
$post = add_magic_quotes($post); //since data is from db $post = wp_slash($post); //since data is from db
$revision_id = wp_insert_post( $post ); $revision_id = wp_insert_post( $post );
if ( is_wp_error($revision_id) ) if ( is_wp_error($revision_id) )
@ -320,7 +320,7 @@ function wp_restore_post_revision( $revision_id, $fields = null ) {
$update['ID'] = $revision['post_parent']; $update['ID'] = $revision['post_parent'];
$update = add_magic_quotes( $update ); //since data is from db $update = wp_slash( $update ); //since data is from db
$post_id = wp_update_post( $update ); $post_id = wp_update_post( $update );
if ( is_wp_error( $post_id ) ) if ( is_wp_error( $post_id ) )
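Review bot: The trailing comments `//since data is from db` on the two wp_slash() calls say where the data comes from but not why slashing is needed; a reader who knows wp_slash() is essentially addslashes() may treat it as SQL escaping or drop it as redundant. Suggest `// wp_insert_post()/wp_update_post() expect slashed input (expected_slashed); DB data is unslashed, so slash it here.` on both lines. Both enclosing functions start and end outside the hunks.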


@ -959,7 +959,7 @@ function get_term_by($field, $value, $taxonomy, $output = OBJECT, $filter = 'raw
return false; return false;
} else if ( 'name' == $field ) { } else if ( 'name' == $field ) {
// Assume already escaped // Assume already escaped
$value = stripslashes($value); $value = wp_unslash($value);
$field = 't.name'; $field = 't.name';
} else { } else {
$term = get_term( (int) $value, $taxonomy, $output, $filter); $term = get_term( (int) $value, $taxonomy, $output, $filter);
@ -1499,7 +1499,7 @@ function term_exists($term, $taxonomy = '', $parent = 0) {
return $wpdb->get_var( $wpdb->prepare( $select . $where, $term ) ); return $wpdb->get_var( $wpdb->prepare( $select . $where, $term ) );
} }
$term = trim( stripslashes( $term ) ); $term = trim( wp_unslash( $term ) );
if ( '' === $slug = sanitize_title($term) ) if ( '' === $slug = sanitize_title($term) )
return 0; return 0;
@ -2062,8 +2062,8 @@ function wp_insert_term( $term, $taxonomy, $args = array() ) {
extract($args, EXTR_SKIP); extract($args, EXTR_SKIP);
// expected_slashed ($name) // expected_slashed ($name)
$name = stripslashes($name); $name = wp_unslash($name);
$description = stripslashes($description); $description = wp_unslash($description);
if ( empty($slug) ) if ( empty($slug) )
$slug = sanitize_title($name); $slug = sanitize_title($name);
@ -2445,7 +2445,7 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) {
return $term; return $term;
// Escape data pulled from DB. // Escape data pulled from DB.
$term = add_magic_quotes($term); $term = wp_slash($term);
// Merge old and new args with new args overwriting old ones. // Merge old and new args with new args overwriting old ones.
$args = array_merge($term, $args); $args = array_merge($term, $args);
@ -2456,8 +2456,8 @@ function wp_update_term( $term_id, $taxonomy, $args = array() ) {
extract($args, EXTR_SKIP); extract($args, EXTR_SKIP);
// expected_slashed ($name) // expected_slashed ($name)
$name = stripslashes($name); $name = wp_unslash($name);
$description = stripslashes($description); $description = wp_unslash($description);
if ( '' == trim($name) ) if ( '' == trim($name) )
return new WP_Error('empty_term_name', __('A name is required for this term')); return new WP_Error('empty_term_name', __('A name is required for this term'));
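Review bot: The comment `// Assume already escaped` above the new `$value = wp_unslash($value);` in get_term_by() is misleading: wp_unslash() removes magic-quotes-style slashes, it does not undo SQL escaping, and the value must still reach the query through `$wpdb->prepare()` (the query itself is outside the hunk). Suggest `// Assume already slashed (expected_slashed); unslash before it is bound as a prepared-statement parameter.` The same applies to `// expected_slashed ($name)` in wp_insert_term() and wp_update_term(), where `$description` is also unslashed but not named in the comment; `// expected_slashed ($name, $description)` would match the code. All four functions start and end outside the hunks.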


@ -1390,7 +1390,7 @@ function wp_insert_user( $userdata ) {
} }
$data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' ); $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' );
$data = stripslashes_deep( $data ); $data = wp_unslash( $data );
if ( $update ) { if ( $update ) {
$wpdb->update( $wpdb->users, $data, compact( 'ID' ) ); $wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
@ -1504,8 +1504,8 @@ function wp_update_user($userdata) {
* @return int The new user's ID. * @return int The new user's ID.
*/ */
function wp_create_user($username, $password, $email = '') { function wp_create_user($username, $password, $email = '') {
$user_login = esc_sql( $username ); $user_login = wp_slash( $username );
$user_email = esc_sql( $email ); $user_email = wp_slash( $email );
$user_pass = $password; $user_pass = $password;
$userdata = compact('user_login', 'user_email', 'user_pass'); $userdata = compact('user_login', 'user_email', 'user_pass');
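Review bot: In wp_create_user() `$user_login` and `$user_email` are now slashed but `$user_pass = $password` is not, even though wp_insert_user() unslashes the whole compacted `$data` (hunk @ -1390); if wp_insert_user() hashes the password before that compact() (not visible here) the asymmetry is harmless, otherwise a backslash in a plaintext password would be altered on the way to the database. A short comment such as `// user_pass is passed through unslashed: wp_insert_user() hashes it before unslashing $data` would record the assumption, and if the hashing is not there it should be slashed like the other two fields. The docblock line `@return int The new user's ID.` also omits the error case; if wp_insert_user() can return a WP_Error as the other insert paths on this page do and wp_create_user() returns its result unchanged (the return is outside the hunk), `@return int|WP_Error` is the accurate type.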


@ -399,7 +399,7 @@ case 'postpass' :
} }
// 10 days // 10 days
setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH ); setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
wp_safe_redirect( wp_get_referer() ); wp_safe_redirect( wp_get_referer() );
exit(); exit();
@ -434,7 +434,7 @@ case 'retrievepassword' :
do_action('lost_password'); do_action('lost_password');
login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors); login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
$user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : ''; $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
?> ?>
@ -550,11 +550,11 @@ case 'register' :
<form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?>" method="post"> <form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?>" method="post">
<p> <p>
<label for="user_login"><?php _e('Username') ?><br /> <label for="user_login"><?php _e('Username') ?><br />
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" /></label> <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
</p> </p>
<p> <p>
<label for="user_email"><?php _e('E-mail') ?><br /> <label for="user_email"><?php _e('E-mail') ?><br />
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" /></label> <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(wp_unslash($user_email)); ?>" size="25" /></label>
</p> </p>
<?php do_action('register_form'); ?> <?php do_action('register_form'); ?>
<p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p> <p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
@ -670,7 +670,7 @@ default:
login_header(__('Log In'), '', $errors); login_header(__('Log In'), '', $errors);
if ( isset($_POST['log']) ) if ( isset($_POST['log']) )
$user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : ''; $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : '';
$rememberme = ! empty( $_POST['rememberme'] ); $rememberme = ! empty( $_POST['rememberme'] );
?> ?>
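Review bot: The `setcookie()` call in the postpass case stores the password-derived hash with only name, value, expiry and path; no `secure` or `httponly` flag is set, so the cookie is also sent over plain HTTP and is readable by page scripts. Suggest `setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );`. `$_POST['post_password']` is also read without an `isset()` inside the hunk; if the check is not earlier in the case (the case starts outside the hunk), an absent field yields a notice and a hash of an empty string. The other three hunks (retrievepassword, register, default) correctly pair wp_unslash() with esc_attr() before output.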


@ -202,7 +202,7 @@ for ( $i = 1; $i <= $count; $i++ ) {
$post_category = array(get_option('default_email_category')); $post_category = array(get_option('default_email_category'));
$post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status'); $post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status');
$post_data = add_magic_quotes($post_data); $post_data = wp_slash($post_data);
$post_ID = wp_insert_post($post_data); $post_ID = wp_insert_post($post_data);
if ( is_wp_error( $post_ID ) ) if ( is_wp_error( $post_ID ) )
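Review bot: `$post_data = wp_slash($post_data);` carries no comment explaining why freshly built, never-slashed data is slashed right before wp_insert_post(); a reader may remove it as redundant and silently corrupt any quote or backslash in the mail body. Suggest `// wp_insert_post() expects slashed input (expected_slashed); nothing here comes from a slashed superglobal, so slash it explicitly.` The enclosing for loop starts and ends outside the hunk.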


@ -45,9 +45,9 @@ $tb_url = isset($_POST['url']) ? $_POST['url'] : '';
$charset = isset($_POST['charset']) ? $_POST['charset'] : ''; $charset = isset($_POST['charset']) ? $_POST['charset'] : '';
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding() // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
$title = isset($_POST['title']) ? stripslashes($_POST['title']) : ''; $title = isset($_POST['title']) ? wp_unslash($_POST['title']) : '';
$excerpt = isset($_POST['excerpt']) ? stripslashes($_POST['excerpt']) : ''; $excerpt = isset($_POST['excerpt']) ? wp_unslash($_POST['excerpt']) : '';
$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name']) : ''; $blog_name = isset($_POST['blog_name']) ? wp_unslash($_POST['blog_name']) : '';
if ($charset) if ($charset)
$charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) ); $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
@ -65,9 +65,9 @@ if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
} }
// Now that mb_convert_encoding() has been given a swing, we need to escape these three // Now that mb_convert_encoding() has been given a swing, we need to escape these three
$title = $wpdb->escape($title); $title = wp_slash($title);
$excerpt = $wpdb->escape($excerpt); $excerpt = wp_slash($excerpt);
$blog_name = $wpdb->escape($blog_name); $blog_name = wp_slash($blog_name);
if ( is_single() || is_page() ) if ( is_single() || is_page() )
$tb_id = $posts[0]->ID; $tb_id = $posts[0]->ID;
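Review bot: The comments `// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()` and `// Now that mb_convert_encoding() has been given a swing, we need to escape these three` still say "escaped", but the new code only re-slashes with wp_slash(); this matters because wp_slash() is not SQL escaping, and the values are only safe if the consumer (outside the hunk) binds them through `$wpdb->prepare()`/`$wpdb->insert()`. Suggest `// unslashed here so mb_convert_encoding() sees the raw bytes` and `// re-slash for the expected_slashed() consumer; SQL escaping happens inside $wpdb`. `$charset` (from `$_POST['charset']`) is the one POST field not unslashed, which is inconsistent with the other three even though charset names carry no quotes in practice; `wp_unslash()` on it would keep the handling uniform.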