The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.
Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.
Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.
Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.
Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.
Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.
Plugins should use wp_unslash() on data being passed to core API.
Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.
Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.
Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data.
Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.
Switch several queries over to prepare().
Expect something to break.
Props alexkingorg
see #21767
git-svn-id: https://develop.svn.wordpress.org/trunk@23416 602fd350-edb4-49c9-b593-d223f7449a82
* In 3.4.x, both $url and UPLOADS had trailing slashes
* Due to refactoring, $url is no longer expected to have a trailing slash
* Because of the mismatch, the str_replace() was not working, resulting in an incorrectly verbose upload dir URL
git-svn-id: https://develop.svn.wordpress.org/trunk@22736 602fd350-edb4-49c9-b593-d223f7449a82
Prevents wp_upload_dir() from obeying the UPLOADS constant when ms-files rewriting is enabled and a blog is switched.
Reverts [22106] thanks to [22108].
see #19235.
git-svn-id: https://develop.svn.wordpress.org/trunk@22222 602fd350-edb4-49c9-b593-d223f7449a82
* Introduce a wp_checkdate() function with a single filter to centralise the code that validates dates.
* Improve the error message
* Correctly handle the return value of wp_insert_post which is not always a WP_Error on failure
Fixes#17180
git-svn-id: https://develop.svn.wordpress.org/trunk@21922 602fd350-edb4-49c9-b593-d223f7449a82
* Will be replaced with http://wordpress.org/extend/plugins/atom-publishing-protocol/.
* Introduces an action, xmlrpc_rsd_apis, to add APIs to xmlrpc.php?rsd.
* Introduces support for 'error' being 403 and 50x in class-wp.php.
* Removes 'Remote Publishing' from Writing Settings (see [21804]). Keeps the remote_publishing settings section.
DB version is bumped to generate the new wp-app rewrite rule and remove the old enable_app option.
props wonderboymusic.
fixes#21509.
git-svn-id: https://develop.svn.wordpress.org/trunk@21818 602fd350-edb4-49c9-b593-d223f7449a82
Introduce wp_send_json_success() and wp_send_json_error(), which will allow us to fire appropriate done() or fail() callbacks in JS.
props koopersmith. see #21390.
git-svn-id: https://develop.svn.wordpress.org/trunk@21679 602fd350-edb4-49c9-b593-d223f7449a82
wp-includes/admin-bar.php:
* Replace get_admin_url() and get_home_url() with admin_url() and home_url() and place them inside a switch/restore. Likewise replace current_user_can_for_blog() with current_user_can(). This avoids doing multiple switch restores.
wp-includes/ms-blogs.php:
* Deprecate the $validate argument to switch_to_blog(). This avoids a not very necessary call to get_blog_details(), possibly saving a few queries.
* Use $_wp_switched and $_wp_switched_stack instead of $switched and $switched_stack to make it less likely these globals will be stomped.
* Use GLOBALS to access blog_id and other globals. I've preferred this style lately since it makes it obvious a global is being used and avoids global blog_id being stomped by a local variable.
* Lose some is_object() checks. wp_get_current_user() always returns an object, for example.
* Call the new WP_Roles::reinit() method.
wp-includes/class-wp-xmlrpc-server.php:
* Replace current_user_can_for_blog() with current_user_can() and move it inside the switch/restore pair. This eliminates a switch/restore.
wp-includes/capabilities.php:
* Use array_keys() instead of $role => $data since $data is unused. I *think* this is a bit faster.
* Introduce WP_Roles::reinit(). This reinitializes WP_Roles and is used after switch_to_blog() has already update the blog ID in the wpdb object. If a global roles array is being used instead of the db, reinit is skipped.
* current_user_can_for_blog() now does a switch/restore. It didn't before meaning it could be reinitializing the user with the wrong role information for the current blog.
wp-includes/ms-settings.php:
* Define $_wp_switched_stack and $_wp_switched. This way switch_to_blog() and restore_current_blog() can rely on it being set.
wp-settings.php:
* Instantiate the WP_Roles global. This was it is always defined during init. To remove the WP_Roles checks from WP_Role and WP_User this would probably have to move before plugins are loaded, which might not be a good thing.
wp-includes/functions.php:
* Update wp_upload_dir() to reference _wp_switched.
git-svn-id: https://develop.svn.wordpress.org/trunk@21485 602fd350-edb4-49c9-b593-d223f7449a82
Sergey Biryukov
Mark Jaquith
Ryan Boren
Dion Hulse
Andrew Nacin
Andrew Ozz
Peter Westwood