From b2c2d93ed41cf48d0940f54c756ae33847681a83 Mon Sep 17 00:00:00 2001
From: Matt Mullenweg
Date: Tue, 14 Oct 2008 22:58:30 +0000
Subject: [PATCH] clean_url improvements, Hat tip: markjaquith. Reviewed by nbachiyskip. Fixes #7386.

git-svn-id: https://develop.svn.wordpress.org/trunk@9179 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/formatting.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index d6f9879424..78cb2a3713 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1670,7 +1670,7 @@ function clean_url( $url, $protocols = null, $context = 'display' ) {
 	$original_url = $url;
 
 	if ('' == $url) return $url;
-	$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@()\\x80-\\xff]|i', '', $url);
+	$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$*\'()\\x80-\\xff]|i', '', $url);
 	$strip = array('%0d', '%0a');
 	$url = str_replace($strip, '', $url);
 	$url = str_replace(';//', '://', $url);
@@ -1682,9 +1682,11 @@ function clean_url( $url, $protocols = null, $context = 'display' ) {
 		substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
 		$url = 'http://' . $url;
 
-	// Replace ampersands only when displaying.
-	if ( 'display' == $context )
+	// Replace ampersands and single quotes only when displaying.
+	if ( 'display' == $context ) {
 		$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+		$url = str_replace( "'", ''', $url );
+	}
 
 	if ( !is_array($protocols) )
 		$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
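Review bot: The character class in the first hunk's `preg_replace` now admits `'`, while the single-quote replacement added in the second hunk runs only when `$context` is `'display'`, so any other `$context` value returns the quote unescaped and the caller must escape it for wherever the value ends up (HTML attribute, JavaScript, SQL). Neither hunk records that contract; a comment above the new `if`, such as `// Non-display contexts return ' and & untouched; escape for the target sink at the call site.`, would make it explicit, and the function's docblock, which sits above the first hunk, should say the same about its return value. Both hunks are inside `clean_url()`, whose body continues past the second hunk.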