
Commit a6c8efa

committed
Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now. Introduce wp_update_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet. Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed. Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes is no longer necessary. Introduce wp_unslash() and use it to remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core. Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests. Plugins should use wp_unslash() on data being passed to core API. Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer. Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data. Remove many no longer necessary calls to $wpdb->escape() and esc_sql().
In wp_get_referer() and wp_get_original_referer(), return unslashed data. Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget. Switch several queries over to prepare(). Expect something to break. Props alexkingorg see #21767 git-svn-id: https://develop.svn.wordpress.org/trunk@23416 602fd350-edb4-49c9-b593-d223f7449a82
1 parent 4ca366a commit a6c8efa

86 files changed

Lines changed: 532 additions & 652 deletions


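--- a/wp-admin/admin.php
+++ b/wp-admin/admin.php
@@ -43,7 +43,7 @@
 do_action('after_db_upgrade');
 } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
 if ( !is_multisite() ) {
-wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI']))));
+wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
 exit;
 } elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
 /**
@@ -84,7 +84,7 @@
 $editing = false;
 
 if ( isset($_GET['page']) ) {
-$plugin_page = stripslashes($_GET['page']);
+$plugin_page = wp_unslash( $_GET['page'] );
 $plugin_page = plugin_basename($plugin_page);
 }
 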
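--- a/wp-admin/custom-background.php
+++ b/wp-admin/custom-background.php
@@ -378,7 +378,7 @@ function handle_upload() {
 
 // Add the meta-data
 wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
-update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
+wp_update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
 
 set_theme_mod('background_image', esc_url_raw($url));
 
@@ -415,7 +415,7 @@ public function wp_set_background_image() {
 if ( in_array( $_POST['size'], $sizes ) )
 $size = esc_attr( $_POST['size'] );
 
-update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
+wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
 $url = wp_get_attachment_image_src( $attachment_id, $size );
 $thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' );
 set_theme_mod( 'background_image', esc_url_raw( $url[0] ) );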
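--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -948,7 +948,7 @@ final public function set_header_image( $choice ) {
 'width' => $choice['width'],
 );
 
-update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
+wp_update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
 set_theme_mod( 'header_image', $choice['url'] );
 set_theme_mod( 'header_image_data', $header_image_data );
 return;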
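--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -20,9 +20,9 @@
 check_admin_referer( 'bulk-comments' );
 
 if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
-$comment_status = $wpdb->escape( $_REQUEST['comment_status'] );
-$delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] );
-$comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" );
+$comment_status = $_REQUEST['comment_status'];
+$delete_time = $_REQUEST['pagegen_timestamp'];
+$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
 $doaction = 'delete';
 } elseif ( isset( $_REQUEST['delete_comments'] ) ) {
 $comment_ids = $_REQUEST['delete_comments'];
@@ -95,7 +95,7 @@
 wp_safe_redirect( $redirect_to );
 exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 exit;
 }
 
@@ -153,7 +153,7 @@
 echo __('Comments');
 
 if ( isset($_REQUEST['s']) && $_REQUEST['s'] )
-printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
+printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
 </h2>
 
 <?php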
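Review bot: In the first hunk, `$_REQUEST['comment_status']` and `$_REQUEST['pagegen_timestamp']` are handed to `$wpdb->prepare()` still slashed, although every other GPCS read in this commit goes through `wp_unslash()` first and the description says core API now expects unslashed input; a backslash in either value would likely be escaped a second time by prepare() and the comparison would silently match nothing. `$comment_status = wp_unslash( $_REQUEST['comment_status'] );` and `$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );` keep the parameterised query and follow the convention used elsewhere in the change. Moving to prepare() removes the injection risk of the old interpolated query, but the status string itself is still accepted verbatim; restricting it to the statuses this screen knows before it reaches the query would be a cheap additional check.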
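--- a/wp-admin/edit-form-advanced.php
+++ b/wp-admin/edit-form-advanced.php
@@ -304,7 +304,7 @@
 <input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" />
 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" />
-<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url( wp_get_referer() ); ?>" />
 <?php if ( ! empty( $active_post_lock ) ) { ?>
 <input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" />
 <?php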
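--- a/wp-admin/edit-form-comment.php
+++ b/wp-admin/edit-form-comment.php
@@ -132,7 +132,7 @@
 
 <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
 <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url( wp_get_referer() ); ?>" />
 <?php wp_original_referer_field(true, 'previous'); ?>
 <input type="hidden" name="noredir" value="1" />
 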
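--- a/wp-admin/edit-tags.php
+++ b/wp-admin/edit-tags.php
@@ -47,7 +47,9 @@
 if ( !current_user_can( $tax->cap->edit_terms ) )
 wp_die( __( 'Cheatin&#8217; uh?' ) );
 
-$ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST );
+$post_data = wp_unslash( $_POST );
+
+$ret = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
 $location = 'edit-tags.php?taxonomy=' . $taxonomy;
 if ( 'post' != $post_type )
 $location .= '&post_type=' . $post_type;
@@ -132,7 +134,10 @@
 break;
 
 case 'editedtag':
-$tag_ID = (int) $_POST['tag_ID'];
+
+$post_data = wp_unslash( $_POST );
+
+$tag_ID = (int) $post_data['tag_ID'];
 check_admin_referer( 'update-tag_' . $tag_ID );
 
 if ( !current_user_can( $tax->cap->edit_terms ) )
@@ -142,7 +147,7 @@
 if ( ! $tag )
 wp_die( __( 'You attempted to edit an item that doesn&#8217;t exist. Perhaps it was deleted?' ) );
 
-$ret = wp_update_term( $tag_ID, $taxonomy, $_POST );
+$ret = wp_update_term( $tag_ID, $taxonomy, $post_data );
 
 $location = 'edit-tags.php?taxonomy=' . $taxonomy;
 if ( 'post' != $post_type )
@@ -164,7 +169,7 @@
 
 default:
 if ( ! empty($_REQUEST['_wp_http_referer']) ) {
-$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );
+$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) );
 
 if ( ! empty( $_REQUEST['paged'] ) )
 $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] );
@@ -264,8 +269,8 @@
 <div class="wrap nosubsub">
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title );
-if ( !empty($_REQUEST['s']) )
-printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
+if ( ! empty($_REQUEST['s']) )
+printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash( $_REQUEST['s'] ) ) ); ?>
 </h2>
 
 <?php if ( isset($_REQUEST['message']) && ( $msg = (int) $_REQUEST['message'] ) ) : ?>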
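--- a/wp-admin/edit.php
+++ b/wp-admin/edit.php
@@ -138,7 +138,7 @@
 wp_redirect($sendback);
 exit();
 } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
-wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );
+wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 exit;
 }
 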