From 74ed2089b421977fa42c3da85d9816b56e15a4b5 Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Tue, 28 Oct 2014 20:42:20 +0000
Subject: [PATCH] The `gallery` shortcode used to accept a SQL chunk for the value of the `orderby` attribute. The reason? `get_posts()` used to be called in the shortcode handler with a query-string blob of arguments passed to it. To mitigate breakage, `sanitize_sql_orderby()` was created in [7592]. `sanitize_sql_orderby()` expects a comma to be present when multiple `orderby` values were passed. The correct syntax for multiple fields is space-delimited. Since [29027], comma-separated values would never be parsed correctly when passed to `WP_Query->parse_orderby()`. `sanitize_sql_orderby()` is used nowhere else in core, save for the `playlist` shortcode - I only added it there because I was mimic'ing the `gallery` logic. The function call can be removed from both shortcode handlers. See #6476. Fixes #23873.

git-svn-id: https://develop.svn.wordpress.org/trunk@30068 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/media.php | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/src/wp-includes/media.php b/src/wp-includes/media.php
index 4cb517a09b..31f5306ee3 100644
--- a/src/wp-includes/media.php
+++ b/src/wp-includes/media.php
@@ -938,14 +938,6 @@ function gallery_shortcode( $attr ) {
 return $output;
 }
 
- // We're trusting author input, so let's at least make sure it looks like a valid orderby statement
- if ( isset( $attr['orderby'] ) ) {
- $attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
- if ( ! $attr['orderby'] ) {
- unset( $attr['orderby'] );
- }
- }
-
 $html5 = current_theme_supports( 'html5', 'gallery' );
 $atts = shortcode_atts( array(
 'order' => 'ASC',
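Review bot: With the `sanitize_sql_orderby()` block removed, `$attr['orderby']` now reaches the `shortcode_atts()` call at the end of the hunk with no validation in this function, and nothing at the call site records where the check moved to. The commit message says the value is handled by `WP_Query->parse_orderby()`, which is expected to reject unknown orderby keys, but that contract is invisible here, so a later change that hands the attribute to raw SQL would silently reopen the hole the deleted check was guarding. A one-line comment above `$html5 = current_theme_supports(...)` would pin the assumption: `// 'orderby' is not validated here; it must only ever reach WP_Query, which rejects unknown orderby keys.` The same note applies to the third hunk in `wp_playlist_shortcode()`, above its `$atts = shortcode_atts(` line. `gallery_shortcode()` begins and ends outside this hunk.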
@@ -1056,7 +1048,7 @@ function gallery_shortcode( $attr ) {
 
 $i = 0;
 foreach ( $attachments as $id => $attachment ) {
-
+
 $attr = ( trim( $attachment->post_excerpt ) ) ? array( 'aria-describedby' => "$selector-$id" ) : '';
 if ( ! empty( $atts['link'] ) && 'file' === $atts['link'] ) {
 $image_output = wp_get_attachment_link( $id, $atts['size'], false, false, $attr );
@@ -1220,16 +1212,6 @@ function wp_playlist_shortcode( $attr ) {
 return $output;
 }
 
- /*
- * We're trusting author input, so let's at least make sure it looks
- * like a valid orderby statement.
- */
- if ( isset( $attr['orderby'] ) ) {
- $attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
- if ( ! $attr['orderby'] )
- unset( $attr['orderby'] );
- }
-
 $atts = shortcode_atts( array(
 'type' => 'audio',
 'order' => 'ASC',