The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.
Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.
Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.
Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.
Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.
Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.
Plugins should use wp_unslash() on data being passed to core API.
Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.
Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.
Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data.
Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.
Switch several queries over to prepare().
Expect something to break.
Props alexkingorg
see #21767
git-svn-id: https://develop.svn.wordpress.org/trunk@23416 602fd350-edb4-49c9-b593-d223f7449a82
* Handle all set/get of header theme mod through these methods.
* Use these methods in the customizer.
Props kovshenin, nacin, SergeyBiryukov, koopersmith.
fixes#20871
git-svn-id: https://develop.svn.wordpress.org/trunk@21037 602fd350-edb4-49c9-b593-d223f7449a82
* When passing an attachment ID to wp_crop_image(), use load_image_to_edit() to fetch the image via a url fopen when the image does not exist in the filesystem.
* Move load_image_to_edit() to wp-admin/includes/image.php so that it is always available for admin pages loads.
* Fallback to the height and width stored in the attachment meta when the image no longer exists in the filesystem.
see #19840
git-svn-id: https://develop.svn.wordpress.org/trunk@20384 602fd350-edb4-49c9-b593-d223f7449a82
Custom header: Use add_theme_support('custom-header', $args) instead of add_custom_image_header(). Deprecates all use of constants.
* HEADER_TEXTCOLOR is now (string) 'default-text-color'.
* NO_HEADER_TEXT is nowi ! (bool) 'header-text'.
* HEADER_IMAGE_WIDTH (and _HEIGHT) are now (int) 'width' and 'height'.
* HEADER_IMAGE is now (string) 'default-image'.
* The 3.4 arguments 'suggested-width' and 'suggested-height' are now just 'width' and 'height' (they are "suggested" when flex-width and flex-height are set).
* Callback arguments for add_custom_image_header() can now be passed to add_theme_support().
Custom background: Use add_theme_support('custom-background, $args) instead of add_custom_background(). Deprecates all use of constants.
* BACKGROUND_COLOR is now (string) 'default-color'.
* BACKGROUND_IMAGE is now (string) 'default-image'.
* Callback arguments for add_custom_background() can now be passed to add_theme_support().
Inheritance: add_theme_support() arguments for custom headers and custom backgrounds is a first-one-wins situation. This is not an unusual paradigm for theming as a child theme (which is included first) overrides a parent theme.
* Once an argument is explicitly set, it cannot be overridden. You must hook in earlier and set it first.
* Any argument that is not explicitly set before WP is loaded will inherit the default value for that argument.
* It is therefore possible for a child theme to pass minimal arguments as long as the parent theme specifies others that may be necessary.
* Allows for a child theme to alter callbacks for <head> and preview (previously, calling add_custom_image_header more than once broke things).
* The just-in-time bits ensure that arguments fall back to default values, that the values of all constants are considered (such as one defined after an old add_custom_image_header call), and that all constants are defined (so as to be backwards compatible).
get_theme_support(): Introduce new second argument, which headers and backgrounds leverage to return an argument. current_theme_supports() already supported checking the truthiness of the argument.
* For example, get_theme_support( 'custom-header', 'width' ) will return the width specified during registration.
* If you had wanted the default image, use get_theme_support( 'custom-header', 'default-image' ) instead of HEADER_IMAGE.
Deprecate remove_custom_image_header(), remove_custom_background(). Use remove_theme_support('custom-header'), 'custom-background'.
Deprecate short-lived custom-header-uploads internal support; this is now (bool) 'uploads' for add_theme_support().
New 3.4 functions renamed or removed: Rename get_current_header_data() to get_custom_header(). Remove get_header_image_width() and _height() in favor of get_custom_header()->width and height.
git-svn-id: https://develop.svn.wordpress.org/trunk@20212 602fd350-edb4-49c9-b593-d223f7449a82
Ryan Boren
Sergey Biryukov
Andrew Nacin
Daryl Koopersmith
Jon Cave