Commit Graph

103 Commits

Author SHA1 Message Date
Ryan Boren c363aea627 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: https://develop.svn.wordpress.org/trunk@23554 602fd350-edb4-49c9-b593-d223f7449a82
2013-03-01 16:28:40 +00:00
Ryan Boren a6c8efadb9 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: https://develop.svn.wordpress.org/trunk@23416 602fd350-edb4-49c9-b593-d223f7449a82
2013-02-14 22:51:06 +00:00
Andrew Nacin 82229b784f Recommend the wp_kses_allowed_html filter over CUSTOM_TAGS. Soft deprecate CUSTOM_TAGS. see #17977, #20210.
git-svn-id: https://develop.svn.wordpress.org/trunk@21796 602fd350-edb4-49c9-b593-d223f7449a82
2012-09-10 18:00:41 +00:00
Andrew Nacin cce4267f17 Remove kses allowedtags that were commented out long ago. see #17977.
git-svn-id: https://develop.svn.wordpress.org/trunk@21795 602fd350-edb4-49c9-b593-d223f7449a82
2012-09-10 17:53:46 +00:00
Ryan Boren 0cef59e4c0 * Introduce wp_kses_allowed_html() which accepts a context string and returns an array of allowed tags.
* Remove explicit declarations of class, id, style, and title from $allowedposttags
 * Dynamicallly add global attributes to every tag for the 'post' context
 * No longer calls wp_kses_array_lc() every time wp_kses() runs. Instead it runs once if CUSTOM_TAGS is true. Plugins directly passing a custom allowed_html array will no longer get the lc treatment. Keep an eye out for problems with this.
 * wp_kses_data() and wp_filter_kses() pass current_filter() for the $allowed_html argument to wp_kses().
 * wp_kses_allowed_html() handles being passed a filter name for a context. If the filter is not a recognized one it defaults to using $allowedtags as was done before for wp_kses_data() and wp_filter_kses().
 * wp_kses_allowed_html() recognizes user_description and pre_user_description out of the box. For these it takes $allowedtags and inserts rel attribute support.
 * wp_kses_allowed_html() allows plugins to override the return values for the default contexts and support arbitrary contexts via a wp_kses_allowed_html filter.
 * wp_kses_hook() can now pass a string context for $allowed_html to the pre_kses filter. We might have to pass the result of wp_kses_allowed_html() instead if it turns out that plugins are digging in $allowed_html.

fixes #17977
see #20210


git-svn-id: https://develop.svn.wordpress.org/trunk@21790 602fd350-edb4-49c9-b593-d223f7449a82
2012-09-10 16:19:54 +00:00
Mark Jaquith addb19400a Add <small> to KSES, to hang out with its <big> brother. props SergeyBiryukov. fixes #18573
git-svn-id: https://develop.svn.wordpress.org/trunk@21777 602fd350-edb4-49c9-b593-d223f7449a82
2012-09-06 19:08:42 +00:00
Ryan Boren daf2f84da0 Don't allow unfiltered HTML comments from a frame. Props nacin. fixes #20812
git-svn-id: https://develop.svn.wordpress.org/trunk@20974 602fd350-edb4-49c9-b593-d223f7449a82
2012-06-01 20:47:08 +00:00
Andrew Nacin f3d77695cb Handle multiple feed: schemes.
git-svn-id: https://develop.svn.wordpress.org/trunk@20540 602fd350-edb4-49c9-b593-d223f7449a82
2012-04-19 21:48:12 +00:00
Jon Cave 770361f4e3 Reduce memory usage in wp-includes/kses.php by switching unnecessary empty arrays to boolean. Fixes #20017.
safecss_filter_attr() block for style tags must be moved out of the is_array() only branch of wp_kses_attr() to accommodate for this.


git-svn-id: https://develop.svn.wordpress.org/trunk@19976 602fd350-edb4-49c9-b593-d223f7449a82
2012-02-21 20:33:44 +00:00
Jon Cave 156048ca52 split was deprecated in PHP 5.3.0, so use explode instead. Props garyc40. Fixes #16325.
git-svn-id: https://develop.svn.wordpress.org/trunk@19726 602fd350-edb4-49c9-b593-d223f7449a82
2012-01-09 21:20:51 +00:00
Ryan Boren a8d77cbae9 User lowercase true, false, null instead of uppercase. Props c3mdigital, mfields. fixes #16302
git-svn-id: https://develop.svn.wordpress.org/trunk@19687 602fd350-edb4-49c9-b593-d223f7449a82
2012-01-05 20:50:54 +00:00
Ryan Boren 676ba7043e Use one space, not two, after trailing punctuation. fixes #19537
git-svn-id: https://develop.svn.wordpress.org/trunk@19593 602fd350-edb4-49c9-b593-d223f7449a82
2011-12-13 23:45:31 +00:00
Ryan Boren 3985ff6af3 Don't use wp_parse_args() on non associative array. Props SergeyBiryukov. see #18268
git-svn-id: https://develop.svn.wordpress.org/trunk@18856 602fd350-edb4-49c9-b593-d223f7449a82
2011-10-01 15:54:52 +00:00
Ryan Boren 4e081d3171 phpdoc typo and readability fixes. Props SergeyBiryukov. fixes #18560
git-svn-id: https://develop.svn.wordpress.org/trunk@18827 602fd350-edb4-49c9-b593-d223f7449a82
2011-09-29 22:57:43 +00:00
Jon Cave 9f6d53a66f Introduce wp_allowed_protocols() for use in wp_kses() and esc_url(). See #18268.
This allows plugins to filter the list of protocols used for esc_url() too, and helps us keep the list of protocols in sync.


git-svn-id: https://develop.svn.wordpress.org/trunk@18826 602fd350-edb4-49c9-b593-d223f7449a82
2011-09-29 22:33:51 +00:00
Andrew Nacin de1dcae9d1 i before e except after c. props trepmal, fixes #17730.
git-svn-id: https://develop.svn.wordpress.org/trunk@18208 602fd350-edb4-49c9-b593-d223f7449a82
2011-06-09 09:13:00 +00:00
Andrew Nacin 2ac4a87b89 Upddate FSF address in kses. props mcepl, fixes #14967.
git-svn-id: https://develop.svn.wordpress.org/trunk@18052 602fd350-edb4-49c9-b593-d223f7449a82
2011-05-25 22:15:12 +00:00
Ryan Boren a035b3c7e9 kses optimizations. Props duck_. fixes #17045
git-svn-id: https://develop.svn.wordpress.org/trunk@17730 602fd350-edb4-49c9-b593-d223f7449a82
2011-04-27 21:50:39 +00:00
Ryan Boren eba71eb7c0 Bring out the shears.
git-svn-id: https://develop.svn.wordpress.org/trunk@17228 602fd350-edb4-49c9-b593-d223f7449a82
2011-01-06 04:11:14 +00:00
Ryan Boren 2c35e7b475 Update @author tag contact info. Props hakre. see #16039
git-svn-id: https://develop.svn.wordpress.org/trunk@17185 602fd350-edb4-49c9-b593-d223f7449a82
2010-12-30 20:07:12 +00:00
Ryan Boren 97c77ba912 Add Copyright Statement, Licensing Information and Disclaimer to kses. Props hakre. Thanks Ulf Harnhammar. fixes #16039
git-svn-id: https://develop.svn.wordpress.org/trunk@17181 602fd350-edb4-49c9-b593-d223f7449a82
2010-12-30 18:37:18 +00:00
Ryan Boren 2bc1d7f588 Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url(). Props Mauro Gentile, duck_, miqrogroove
git-svn-id: https://develop.svn.wordpress.org/trunk@17171 602fd350-edb4-49c9-b593-d223f7449a82
2010-12-29 20:45:37 +00:00
Ryan Boren cd4f625268 Don't be so sensitive.
git-svn-id: https://develop.svn.wordpress.org/trunk@17119 602fd350-edb4-49c9-b593-d223f7449a82
2010-12-23 15:26:49 +00:00
Andrew Nacin d8c91db1f4 Remove more create_function calls. props huichen, see #14424.
git-svn-id: https://develop.svn.wordpress.org/trunk@16313 602fd350-edb4-49c9-b593-d223f7449a82
2010-11-11 22:50:36 +00:00
Ryan Boren 8d9d4817a3 Add equal sign to blacklist. Props Pádraic Brady. for 3.1
git-svn-id: https://develop.svn.wordpress.org/trunk@15383 602fd350-edb4-49c9-b593-d223f7449a82
2010-07-12 14:30:39 +00:00
Ryan Boren c6f385ea6a Don't use deprecated function. Blacklist curlies.
git-svn-id: https://develop.svn.wordpress.org/trunk@15356 602fd350-edb4-49c9-b593-d223f7449a82
2010-06-30 17:46:37 +00:00
Mark Jaquith fb6501cae0 Add some new protocols for KSES. Make the list of protocols filterable. Start esc_url() with the same list. fixes #10914. props technosailor
git-svn-id: https://develop.svn.wordpress.org/trunk@14412 602fd350-edb4-49c9-b593-d223f7449a82
2010-05-03 21:20:20 +00:00
Andrew Nacin b974013f7c Add HTML 5 elements to kses, first pass. props rmccue. see #12835.
git-svn-id: https://develop.svn.wordpress.org/trunk@14406 602fd350-edb4-49c9-b593-d223f7449a82
2010-05-03 20:34:49 +00:00
Andrew Nacin dd306def81 Remove redundant isset() and empty() checks.
git-svn-id: https://develop.svn.wordpress.org/trunk@13770 602fd350-edb4-49c9-b593-d223f7449a82
2010-03-19 21:29:21 +00:00
Ryan Boren f8a2a5ca31 Fix numeric entity logic in kses. Props miqrogroove. see #12284
git-svn-id: https://develop.svn.wordpress.org/trunk@13648 602fd350-edb4-49c9-b593-d223f7449a82
2010-03-10 18:45:28 +00:00
Peter Westwood 64dce47ade Improve kses handling of attributes in valid XHTML self closed img tags. Fixes #12394 props dougal.
git-svn-id: https://develop.svn.wordpress.org/trunk@13561 602fd350-edb4-49c9-b593-d223f7449a82
2010-03-02 22:11:08 +00:00
Andrew Nacin c9dfb91763 Spelling and grammar fun. Fixes #11875 props cnorris23
git-svn-id: https://develop.svn.wordpress.org/trunk@13382 602fd350-edb4-49c9-b593-d223f7449a82
2010-02-24 20:13:23 +00:00
Andrew Nacin e6b37271cd Coil the kses entities whitelist. See #12284
git-svn-id: https://develop.svn.wordpress.org/trunk@13363 602fd350-edb4-49c9-b593-d223f7449a82
2010-02-24 07:33:14 +00:00
Ryan Boren 096ea9990a Whitelist entities. Props miqrogroove. see #12284
git-svn-id: https://develop.svn.wordpress.org/trunk@13358 602fd350-edb4-49c9-b593-d223f7449a82
2010-02-24 05:37:20 +00:00
Peter Westwood 2e2ad12171 Add missing version numbers to _deprecated_argument() calls.
Remove deprecated argument from xfn_check() calls.
Pass version number to deprecated_file_included, deprecated_function_run and deprecated_argument_run actions.
Fixes #11386 props nacin.

git-svn-id: https://develop.svn.wordpress.org/trunk@12680 602fd350-edb4-49c9-b593-d223f7449a82
2010-01-09 10:03:55 +00:00
Peter Westwood a752e6b561 Updates and improvements to _depreceated_argument. See #11386 props nacin.
git-svn-id: https://develop.svn.wordpress.org/trunk@12584 602fd350-edb4-49c9-b593-d223f7449a82
2009-12-30 16:23:39 +00:00
Ryan Boren 56989f4f5c Allow 0xAD in URI attributes. Props nbachiyski. fixes #9823 #10859
git-svn-id: https://develop.svn.wordpress.org/trunk@12199 602fd350-edb4-49c9-b593-d223f7449a82
2009-11-17 20:18:48 +00:00
Ryan Boren 486efbd69f Introduce wp_kses_post() and wp_kses_data() for filtering unescaped data. Fixes slashing of displayed fields. fixes #10949
git-svn-id: https://develop.svn.wordpress.org/trunk@12125 602fd350-edb4-49c9-b593-d223f7449a82
2009-10-29 17:15:58 +00:00
Ryan Boren 43c201d458 Remove trailing whitespace
git-svn-id: https://develop.svn.wordpress.org/trunk@11930 602fd350-edb4-49c9-b593-d223f7449a82
2009-09-14 14:03:32 +00:00
Andrew Ozz 5d667146b8 Do not use lambda functions in wp_kses_decode_entities(), props mdawaffe, fixes #10623
git-svn-id: https://develop.svn.wordpress.org/trunk@11828 602fd350-edb4-49c9-b593-d223f7449a82
2009-08-16 05:58:39 +00:00
Andrew Ozz 43770b1234 Fix deprecated arg. in safecss_filter_attr(), for trunk
git-svn-id: https://develop.svn.wordpress.org/trunk@11699 602fd350-edb4-49c9-b593-d223f7449a82
2009-07-08 09:54:34 +00:00
Ryan Boren 7af7514cf0 Allow class, id, and style on headers. Props matt.
git-svn-id: https://develop.svn.wordpress.org/trunk@11692 602fd350-edb4-49c9-b593-d223f7449a82
2009-07-06 14:37:48 +00:00
Andrew Ozz 81c8791b9d Inline CSS filter for kses, for trunk, fixes #10336
git-svn-id: https://develop.svn.wordpress.org/trunk@11689 602fd350-edb4-49c9-b593-d223f7449a82
2009-07-04 04:49:39 +00:00
Ryan Boren 7f510a5bfb Revert accidental fxn rename
git-svn-id: https://develop.svn.wordpress.org/trunk@11212 602fd350-edb4-49c9-b593-d223f7449a82
2009-05-05 23:32:16 +00:00
Mark Jaquith c638e8d8de _a(), _ea(), _xa(), attr() are now esc_attr__(), esc_attr_e(), esc_attr_x(), esc_attr() -- still short, but less cryptic. see #9650
git-svn-id: https://develop.svn.wordpress.org/trunk@11204 602fd350-edb4-49c9-b593-d223f7449a82
2009-05-05 19:43:53 +00:00
Ryan Boren 2baa2f8e58 Use preg_replace_callback instead of preg_replace with eval. Props beaulebens. see #8689
git-svn-id: https://develop.svn.wordpress.org/trunk@10339 602fd350-edb4-49c9-b593-d223f7449a82
2009-01-09 19:29:35 +00:00
Ryan Boren baaaa352ba Strip trailing whitespace
git-svn-id: https://develop.svn.wordpress.org/trunk@10150 602fd350-edb4-49c9-b593-d223f7449a82
2008-12-09 18:03:31 +00:00
Peter Westwood 9618b0260a phpDoc corrections for KSES. Fixes #7550 props jacobsantos.
git-svn-id: https://develop.svn.wordpress.org/trunk@8837 602fd350-edb4-49c9-b593-d223f7449a82
2008-09-06 06:53:45 +00:00
Ryan Boren 35657e8988 Apply kses bad-protocol checks only to URI typed attributes. Props takayukister. fixes #5917 #6888 #6910 #7512
git-svn-id: https://develop.svn.wordpress.org/trunk@8671 602fd350-edb4-49c9-b593-d223f7449a82
2008-08-19 18:43:21 +00:00
Mark Jaquith 3cab99fbd2 Cast to array when using foreach(). Props santosj (and thanks for your perseverance!). fixes #2784
git-svn-id: https://develop.svn.wordpress.org/trunk@8572 602fd350-edb4-49c9-b593-d223f7449a82
2008-08-06 20:31:54 +00:00