Wordpress/wp-admin/upload.php
Ryan Boren a6c8efadb9 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: https://develop.svn.wordpress.org/trunk@23416 602fd350-edb4-49c9-b593-d223f7449a82
2013-02-14 22:51:06 +00:00

251 lines
9.3 KiB
PHP

<?php
/**
* Media Library administration panel.
*
* @package WordPress
* @subpackage Administration
*/
/** WordPress Administration Bootstrap */
require_once( './admin.php' );
if ( !current_user_can('upload_files') )
wp_die( __( 'You do not have permission to upload files.' ) );
$wp_list_table = _get_list_table('WP_Media_List_Table');
$pagenum = $wp_list_table->get_pagenum();
// Handle bulk actions
$doaction = $wp_list_table->current_action();
if ( $doaction ) {
check_admin_referer('bulk-media');
if ( 'delete_all' == $doaction ) {
$post_ids = $wpdb->get_col( "SELECT ID FROM $wpdb->posts WHERE post_type='attachment' AND post_status = 'trash'" );
$doaction = 'delete';
} elseif ( isset( $_REQUEST['media'] ) ) {
$post_ids = $_REQUEST['media'];
} elseif ( isset( $_REQUEST['ids'] ) ) {
$post_ids = explode( ',', $_REQUEST['ids'] );
}
$location = 'upload.php';
if ( $referer = wp_get_referer() ) {
if ( false !== strpos( $referer, 'upload.php' ) )
$location = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'message', 'ids', 'posted' ), $referer );
}
switch ( $doaction ) {
case 'find_detached':
if ( !current_user_can('edit_posts') )
wp_die( __('You are not allowed to scan for lost attachments.') );
$lost = $wpdb->get_col( "
SELECT ID FROM $wpdb->posts
WHERE post_type = 'attachment' AND post_parent > '0'
AND post_parent NOT IN (
SELECT ID FROM $wpdb->posts
WHERE post_type NOT IN ( 'attachment', '" . join( "', '", get_post_types( array( 'public' => false ) ) ) . "' )
)
" );
$_REQUEST['detached'] = 1;
break;
case 'attach':
$parent_id = (int) $_REQUEST['found_post_id'];
if ( !$parent_id )
return;
$parent = get_post( $parent_id );
if ( !current_user_can( 'edit_post', $parent_id ) )
wp_die( __( 'You are not allowed to edit this post.' ) );
$attach = array();
foreach ( (array) $_REQUEST['media'] as $att_id ) {
$att_id = (int) $att_id;
if ( !current_user_can( 'edit_post', $att_id ) )
continue;
$attach[] = $att_id;
}
if ( ! empty( $attach ) ) {
$attach_string = implode( ',', $attach );
$attached = $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET post_parent = %d WHERE post_type = 'attachment' AND ID IN ( $attach_string )", $parent_id ) );
foreach ( $attach as $att_id ) {
clean_attachment_cache( $att_id );
}
}
if ( isset( $attached ) ) {
$location = 'upload.php';
if ( $referer = wp_get_referer() ) {
if ( false !== strpos( $referer, 'upload.php' ) )
$location = $referer;
}
$location = add_query_arg( array( 'attached' => $attached ) , $location );
wp_redirect( $location );
exit;
}
break;
case 'trash':
if ( !isset( $post_ids ) )
break;
foreach ( (array) $post_ids as $post_id ) {
if ( !current_user_can( 'delete_post', $post_id ) )
wp_die( __( 'You are not allowed to move this post to the trash.' ) );
if ( !wp_trash_post( $post_id ) )
wp_die( __( 'Error in moving to trash...' ) );
}
$location = add_query_arg( array( 'trashed' => count( $post_ids ), 'ids' => join( ',', $post_ids ) ), $location );
break;
case 'untrash':
if ( !isset( $post_ids ) )
break;
foreach ( (array) $post_ids as $post_id ) {
if ( !current_user_can( 'delete_post', $post_id ) )
wp_die( __( 'You are not allowed to move this post out of the trash.' ) );
if ( !wp_untrash_post( $post_id ) )
wp_die( __( 'Error in restoring from trash...' ) );
}
$location = add_query_arg( 'untrashed', count( $post_ids ), $location );
break;
case 'delete':
if ( !isset( $post_ids ) )
break;
foreach ( (array) $post_ids as $post_id_del ) {
if ( !current_user_can( 'delete_post', $post_id_del ) )
wp_die( __( 'You are not allowed to delete this post.' ) );
if ( !wp_delete_attachment( $post_id_del ) )
wp_die( __( 'Error in deleting...' ) );
}
$location = add_query_arg( 'deleted', count( $post_ids ), $location );
break;
}
wp_redirect( $location );
exit;
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
exit;
}
$wp_list_table->prepare_items();
$title = __('Media Library');
$parent_file = 'upload.php';
wp_enqueue_script( 'wp-ajax-response' );
wp_enqueue_script( 'jquery-ui-draggable' );
wp_enqueue_script( 'media' );
add_screen_option( 'per_page', array('label' => _x( 'Media items', 'items per page (screen options)' )) );
get_current_screen()->add_help_tab( array(
'id' => 'overview',
'title' => __('Overview'),
'content' =>
'<p>' . __( 'All the files you&#8217;ve uploaded are listed in the Media Library, with the most recent uploads listed first. You can use the Screen Options tab to customize the display of this screen.' ) . '</p>' .
'<p>' . __( 'You can narrow the list by file type/status using the text link filters at the top of the screen. You also can refine the list by date using the dropdown menu above the media table.' ) . '</p>'
) );
get_current_screen()->add_help_tab( array(
'id' => 'actions-links',
'title' => __('Available Actions'),
'content' =>
'<p>' . __( 'Hovering over a row reveals action links: Edit, Delete Permanently, and View. Clicking Edit or on the media file&#8217;s name displays a simple screen to edit that individual file&#8217;s metadata. Clicking Delete Permanently will delete the file from the media library (as well as from any posts to which it is currently attached). View will take you to the display page for that file.' ) . '</p>'
) );
get_current_screen()->add_help_tab( array(
'id' => 'attaching-files',
'title' => __('Attaching Files'),
'content' =>
'<p>' . __( 'If a media file has not been attached to any post, you will see that in the Attached To column, and can click on Attach File to launch a small popup that will allow you to search for a post and attach the file.' ) . '</p>'
) );
get_current_screen()->set_help_sidebar(
'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
'<p>' . __( '<a href="http://codex.wordpress.org/Media_Library_Screen" target="_blank">Documentation on Media Library</a>' ) . '</p>' .
'<p>' . __( '<a href="http://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'
);
require_once('./admin-header.php');
?>
<div class="wrap">
<?php screen_icon(); ?>
<h2>
<?php
echo esc_html( $title );
if ( current_user_can( 'upload_files' ) ) { ?>
<a href="media-new.php" class="add-new-h2"><?php echo esc_html_x('Add New', 'file'); ?></a><?php
}
if ( ! empty( $_REQUEST['s'] ) )
printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', get_search_query() ); ?>
</h2>
<?php
$message = '';
if ( ! empty( $_GET['posted'] ) ) {
$message = __('Media attachment updated.');
$_SERVER['REQUEST_URI'] = remove_query_arg(array('posted'), $_SERVER['REQUEST_URI']);
}
if ( ! empty( $_GET['attached'] ) && $attached = absint( $_GET['attached'] ) ) {
$message = sprintf( _n('Reattached %d attachment.', 'Reattached %d attachments.', $attached), $attached );
$_SERVER['REQUEST_URI'] = remove_query_arg(array('attached'), $_SERVER['REQUEST_URI']);
}
if ( ! empty( $_GET['deleted'] ) && $deleted = absint( $_GET['deleted'] ) ) {
$message = sprintf( _n( 'Media attachment permanently deleted.', '%d media attachments permanently deleted.', $deleted ), number_format_i18n( $_GET['deleted'] ) );
$_SERVER['REQUEST_URI'] = remove_query_arg(array('deleted'), $_SERVER['REQUEST_URI']);
}
if ( ! empty( $_GET['trashed'] ) && $trashed = absint( $_GET['trashed'] ) ) {
$message = sprintf( _n( 'Media attachment moved to the trash.', '%d media attachments moved to the trash.', $trashed ), number_format_i18n( $_GET['trashed'] ) );
$message .= ' <a href="' . esc_url( wp_nonce_url( 'upload.php?doaction=undo&action=untrash&ids='.(isset($_GET['ids']) ? $_GET['ids'] : ''), "bulk-media" ) ) . '">' . __('Undo') . '</a>';
$_SERVER['REQUEST_URI'] = remove_query_arg(array('trashed'), $_SERVER['REQUEST_URI']);
}
if ( ! empty( $_GET['untrashed'] ) && $untrashed = absint( $_GET['untrashed'] ) ) {
$message = sprintf( _n( 'Media attachment restored from the trash.', '%d media attachments restored from the trash.', $untrashed ), number_format_i18n( $_GET['untrashed'] ) );
$_SERVER['REQUEST_URI'] = remove_query_arg(array('untrashed'), $_SERVER['REQUEST_URI']);
}
$messages[1] = __('Media attachment updated.');
$messages[2] = __('Media permanently deleted.');
$messages[3] = __('Error saving media attachment.');
$messages[4] = __('Media moved to the trash.') . ' <a href="' . esc_url( wp_nonce_url( 'upload.php?doaction=undo&action=untrash&ids='.(isset($_GET['ids']) ? $_GET['ids'] : ''), "bulk-media" ) ) . '">' . __('Undo') . '</a>';
$messages[5] = __('Media restored from the trash.');
if ( ! empty( $_GET['message'] ) && isset( $messages[ $_GET['message'] ] ) ) {
$message = $messages[ $_GET['message'] ];
$_SERVER['REQUEST_URI'] = remove_query_arg(array('message'), $_SERVER['REQUEST_URI']);
}
if ( !empty($message) ) { ?>
<div id="message" class="updated"><p><?php echo $message; ?></p></div>
<?php } ?>
<?php $wp_list_table->views(); ?>
<form id="posts-filter" action="" method="get">
<?php $wp_list_table->search_box( __( 'Search Media' ), 'media' ); ?>
<?php $wp_list_table->display(); ?>
<div id="ajax-response"></div>
<?php find_posts_div(); ?>
<br class="clear" />
</form>
</div>
<?php
include('./admin-footer.php');