Delay Trackback data escaping until after mb_convert_encoding(). Props to Stefan Esser.

git-svn-id: https://develop.svn.wordpress.org/trunk@4676 602fd350-edb4-49c9-b593-d223f7449a82
Mark Jaquith 2007-01-05 05:45:46 +00:00
parent bb14ecda53
commit cc801d6aac
1 changed files with 12 additions and 5 deletions


@ -30,11 +30,13 @@ if ( !$_GET['tb_id'] ) {
$tb_id = intval( $tb_id[ count($tb_id) - 1 ] ); $tb_id = intval( $tb_id[ count($tb_id) - 1 ] );
} }
$tb_url = $_POST['url']; $tb_url = $_POST['url'];
$title = $_POST['title']; $charset = $_POST['charset'];
$excerpt = $_POST['excerpt'];
$blog_name = $_POST['blog_name']; // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
$charset = $_POST['charset']; $title = stripslashes($_POST['title']);
$excerpt = stripslashes($_POST['excerpt']);
$blog_name = stripslashes($_POST['blog_name']);
if ($charset) if ($charset)
$charset = strtoupper( trim($charset) ); $charset = strtoupper( trim($charset) );
@ -47,6 +49,11 @@ if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
$blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset); $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
} }
// Now that mb_convert_encoding() has been given a swing, we need to escape these three
$title = $wpdb->escape($title);
$excerpt = $wpdb->escape($excerpt);
$blog_name = $wpdb->escape($blog_name);
if ( is_single() || is_page() ) if ( is_single() || is_page() )
$tb_id = $posts[0]->ID; $tb_id = $posts[0]->ID;
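Review bot: The three `$wpdb->escape()` calls added after the mb_convert_encoding() block are only safe if nothing later in the script rewrites `$title`, `$excerpt` or `$blog_name` before they reach the query; a later truncation or tag-stripping step could leave a dangling backslash or otherwise undo the escaping. The rest of the script is outside this hunk, so that needs confirming there, and the new comment could state the invariant, e.g. `// Escape last: do not modify these three after this point`. Separately, `$charset` still comes straight from `$_POST` and in the visible lines is only trimmed and uppercased before being used as the source encoding, so it would be worth checking it against the encodings mbstring actually supports before converting. `$tb_url` is neither stripslashed nor escaped within the hunk; presumably that is handled elsewhere, but it is not visible here.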