Commit ba0f4013 authored by ryan's avatar ryan

bookmark sanitizer funcs and default filter cleanup. see #4546

git-svn-id: http://svn.automattic.com/wordpress/trunk@5906 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent 7bacf89b
......@@ -60,23 +60,17 @@ function wp_get_link_cats($link_id = 0) {
}
function get_link_to_edit( $link_id ) {
$link = get_link( $link_id );
$link->link_url = clean_url($link->link_url);
$link->link_name = attribute_escape($link->link_name);
$link->link_image = attribute_escape($link->link_image);
$link->link_description = attribute_escape($link->link_description);
$link->link_rss = clean_url($link->link_rss);
$link->link_rel = attribute_escape($link->link_rel);
$link->link_notes = wp_specialchars($link->link_notes);
$link->post_category = $link->link_category;
return $link;
return get_link( $link_id, OBJECT, 'edit' );
}
function wp_insert_link($linkdata) {
global $wpdb, $current_user;
$defaults = array('link_id' => 0, 'link_name' => '', 'link_url' => '', 'link_rating' => 0 );
$linkdata = wp_parse_args($linkdata, $defaults);
$linkdata = sanitize_bookmark($linkdata, 'db');
extract($linkdata, EXTR_SKIP);
$update = false;
......@@ -84,53 +78,38 @@ function wp_insert_link($linkdata) {
if ( !empty($link_id) )
$update = true;
$link_id = (int) $link_id;
if( trim( $link_name ) == '' )
if ( trim( $link_name ) == '' )
return 0;
$link_name = apply_filters('pre_link_name', $link_name);
if( trim( $link_url ) == '' )
if ( trim( $link_url ) == '' )
return 0;
$link_url = apply_filters('pre_link_url', $link_url);
if ( empty($link_rating) )
$link_rating = 0;
else
$link_rating = (int) $link_rating;
if ( empty($link_image) )
$link_image = '';
$link_image = apply_filters('pre_link_image', $link_image);
if ( empty($link_target) )
$link_target = '';
$link_target = apply_filters('pre_link_target', $link_target);
if ( empty($link_visible) )
$link_visible = 'Y';
$link_visibile = preg_replace('/[^YNyn]/', '', $link_visible);
if ( empty($link_owner) )
$link_owner = $current_user->id;
else
$link_owner = (int) $link_owner;
if ( empty($link_notes) )
$link_notes = '';
$link_notes = apply_filters('pre_link_notes', $link_notes);
if ( empty($link_description) )
$link_description = '';
$link_description = apply_filters('pre_link_description', $link_description);
if ( empty($link_rss) )
$link_rss = '';
$link_rss = apply_filters('pre_link_rss', $link_rss);
if ( empty($link_rel) )
$link_rel = '';
$link_rel = apply_filters('pre_link_rel', $link_rel);
// Make sure we set a valid category
if (0 == count($link_category) || !is_array($link_category)) {
......
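Review bot: get_link_to_edit now returns `get_link( $link_id, OBJECT, 'edit' )`, but get_link as it appears in this commit's bookmark.php section (`function get_link($bookmark_id, $output = OBJECT)`) forwards only two arguments to get_bookmark, so the 'edit' context is dropped and the record comes back under the 'raw' default, without the attribute_escape/clean_url treatment the removed lines used to apply before the values reach the edit form. Either call the new function directly, `return get_bookmark( $link_id, OBJECT, 'edit' );`, or give get_link a third `$filter = 'raw'` parameter that it passes through. In wp_insert_link, `$defaults` still supplies only link_id, link_name, link_url and link_rating while sanitize_bookmark reads every field in its list, so the other keys are read as undefined before the defaulting code further down runs; extending `$defaults` with '' for the remaining fields would avoid that. wp_insert_link's body continues past the hunk.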
......@@ -80,7 +80,7 @@ $categories = get_terms('link_category', "hide_empty=1");
$select_cat = "<select name=\"cat_id\">\n";
$select_cat .= '<option value="all"' . (($cat_id == 'all') ? " selected='selected'" : '') . '>' . __('All') . "</option>\n";
foreach ((array) $categories as $cat)
$select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . wp_specialchars(apply_filters('link_category', $cat->name)) . "</option>\n";
$select_cat .= '<option value="' . $cat->term_id . '"' . (($cat->term_id == $cat_id) ? " selected='selected'" : '') . '>' . sanitize_term_field('name', $cat->name, $cat->term_id, 'link_category', 'display') . "</option>\n";
$select_cat .= "</select>\n";
$select_order = "<select name=\"order_by\">\n";
......@@ -131,9 +131,8 @@ if ( $links ) {
<tbody id="the-list">
<?php
foreach ($links as $link) {
$link->link_name = attribute_escape(apply_filters('link_title', $link->link_name));
$link->link_description = wp_specialchars(apply_filters('link_description', $link->link_description));
$link->link_url = clean_url($link->link_url);
$link = sanitize_bookmark($link);
$link->link_name = attribute_escape($link->link_name);
$link->link_category = wp_get_link_cats($link->link_id);
$short_url = str_replace('http://', '', $link->link_url);
$short_url = str_replace('www.', '', $short_url);
......@@ -159,8 +158,8 @@ if ( $links ) {
?><td><?php
$cat_names = array();
foreach ($link->link_category as $category) {
$cat = get_term($category, 'link_category');
$cat_name = wp_specialchars(apply_filters('link_category', $cat->name));
$cat = get_term($category, 'link_category', OBJECT, 'display');
$cat_name = $cat->name;
if ( $cat_id != $category )
$cat_name = "<a href='link-manager.php?cat_id=$category'>$cat_name</a>";
$cat_names[] = $cat_name;
......
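Review bot: The removed `$link->link_url = clean_url($link->link_url);` has no replacement: `sanitize_bookmark($link)` runs in the 'display' context, and the display filter group registered in this commit's default-filters.php covers link_name, link_description and link_notes but not link_url, so the URL printed into the table (and `$short_url` derived from it, used past the hunk) is now exactly the stored value. Saving through wp_insert_link does run clean_url via pre_link_url, but any row not written that way would presumably be echoed unfiltered, so keep an output-time escape: `$link->link_url = clean_url($link->link_url);` after the sanitize_bookmark call, or register link_url (and link_image/link_rss) next to `comment_url` in the URL filter group in default-filters.php. The same gap applies to the default-filters.php section and is not repeated there. Note also that the displayed-name hook changed from `link_title` to `link_name`, which plugins filtering the old name will not see.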
<?php
function get_bookmark($bookmark_id, $output = OBJECT) {
function get_bookmark($bookmark_id, $output = OBJECT, $filter = 'raw') {
global $wpdb;
$bookmark_id = (int) $bookmark_id;
$link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id'");
$link->link_category = wp_get_link_cats($bookmark_id);
$link = sanitize_bookmark($link, $filter);
if ( $output == OBJECT ) {
return $link;
} elseif ( $output == ARRAY_A ) {
......@@ -18,6 +20,22 @@ function get_bookmark($bookmark_id, $output = OBJECT) {
}
}
function get_bookmark_field( $field, $bookmark, $context = 'display' ) {
$bookmark = (int) $bookmark;
$bookmark = get_bookmark( $bookmark );
if ( is_wp_error($bookmark) )
return $bookmark;
if ( !is_object($bookmark) )
return '';
if ( !isset($bookmark->$field) )
return '';
return sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context);
}
// Deprecate
function get_link($bookmark_id, $output = OBJECT) {
return get_bookmark($bookmark_id, $output);
......@@ -142,6 +160,67 @@ function get_bookmarks($args = '') {
return apply_filters('get_bookmarks', $results, $r);
}
function sanitize_bookmark($bookmark, $context = 'display') {
$fields = array('link_id', 'link_url', 'link_name', 'link_image', 'link_target', 'link_category',
'link_description', 'link_visible', 'link_owner', 'link_rating', 'link_updated',
'link_rel', 'link_notes', 'link_rss', );
$do_object = false;
if ( is_object($bookmark) )
$do_object = true;
foreach ( $fields as $field ) {
if ( $do_object )
$bookmark->$field = sanitize_bookmark_field($field, $bookmark->$field, $bookmark->link_id, $context);
else
$bookmark[$field] = sanitize_bookmark_field($field, $bookmark[$field], $bookmark['link_id'], $context);
}
return $bookmark;
}
function sanitize_bookmark_field($field, $value, $bookmark_id, $context) {
$int_fields = array('link_id', 'link_rating');
if ( in_array($field, $int_fields) )
$value = (int) $value;
$yesno = array('link_visible');
if ( in_array($field, $yesno) )
$value = preg_replace('/[^YNyn]/', '', $value);
if ( 'link_target' == $field ) {
$targets = array('_top', '_blank');
if ( ! in_array($value, $targets) )
$value = '';
}
if ( 'raw' == $context )
return $value;
if ( 'edit' == $context ) {
$format_to_edit = array('link_notes');
$value = apply_filters("edit_$field", $value, $bookmark_id);
if ( in_array($field, $format_to_edit) ) {
$value = format_to_edit($value);
} else {
$value = attribute_escape($value);
}
} else if ( 'db' == $context ) {
$value = apply_filters("pre_$field", $value);
} else {
// Use display filters by default.
$value = apply_filters($field, $value, $bookmark_id, $context);
}
if ( 'attribute' == $context )
$value = attribute_escape($value);
else if ( 'js' == $context )
$value = js_escape($value);
return $value;
}
function delete_get_bookmark_cache() {
wp_cache_delete( 'get_bookmarks', 'bookmark' );
}
......
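Review bot: sanitize_bookmark reads `$bookmark->$field` / `$bookmark[$field]` for all fourteen listed fields unconditionally, so a partial record — wp_insert_link passes `$linkdata` with only four defaulted keys, and get_bookmark passes whatever get_row returned, including no row when the id does not exist — produces undefined index/property reads and pushes null through the pre_ and display filters. Skip fields the record does not carry, e.g. `if ( ! isset($bookmark[$field]) ) continue;` in the array branch with the matching `isset($bookmark->$field)` check in the object branch, and have get_bookmark return early when `$link` is empty before assigning link_category. A docblock on sanitize_bookmark_field listing the accepted `$context` values (raw, edit, db, display, attribute, js) and stating that 'raw' bypasses every filter would help callers choose the right one.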
<?php
// Some default filters
add_filter('bloginfo','wp_specialchars');
add_filter('term_description', 'wptexturize');
add_filter('category_description', 'wptexturize');
add_filter('list_cats', 'wptexturize');
add_filter('comment_author', 'wptexturize');
add_filter('comment_text', 'wptexturize');
add_filter('single_post_title', 'wptexturize');
add_filter('the_title', 'wptexturize');
add_filter('the_content', 'wptexturize');
add_filter('the_excerpt', 'wptexturize');
add_filter('bloginfo', 'wptexturize');
add_filter('pre_kses', 'wp_pre_kses_less_than');
// Comments, trackbacks, pingbacks
add_filter('pre_comment_author_name', 'strip_tags');
add_filter('pre_comment_author_name', 'trim');
add_filter('pre_comment_author_name', 'wp_specialchars', 30);
add_filter('pre_comment_author_email', 'trim');
add_filter('pre_comment_author_email', 'sanitize_email');
add_filter('pre_comment_author_url', 'strip_tags');
add_filter('pre_comment_author_url', 'trim');
add_filter('pre_comment_author_url', 'clean_url');
add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
add_filter('pre_comment_content', 'balanceTags', 30);
add_filter('pre_comment_author_name', 'wp_filter_kses');
add_filter('pre_comment_author_email', 'wp_filter_kses');
add_filter('pre_comment_author_url', 'wp_filter_kses');
add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
// Default filters for these functions
add_filter('comment_author', 'wptexturize');
add_filter('comment_author', 'convert_chars');
add_filter('comment_author', 'wp_specialchars');
add_filter('comment_email', 'antispambot');
add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
add_filter('comment_url', 'clean_url');
add_filter('comment_text', 'convert_chars');
add_filter('comment_text', 'make_clickable', 9);
add_filter('comment_text', 'force_balance_tags', 25);
add_filter('comment_text', 'wpautop', 30);
add_filter('comment_text', 'convert_smilies', 20);
add_filter('comment_excerpt', 'convert_chars');
// Terms
add_filter('pre_term_name', 'strip_tags');
add_filter('pre_term_name', 'trim');
add_filter('pre_term_name', 'wp_filter_kses');
add_filter('pre_term_name', 'wp_specialchars', 30);
add_filter('pre_term_description', 'wp_filter_kses');
// Categories
add_filter('pre_category_name', 'strip_tags');
add_filter('pre_category_name', 'trim');
add_filter('pre_category_name', 'wp_filter_kses');
add_filter('pre_category_name', 'wp_specialchars', 30);
add_filter('pre_category_description', 'wp_filter_kses');
//Links
add_filter('pre_link_name', 'strip_tags');
add_filter('pre_link_name', 'trim');
add_filter('pre_link_name', 'wp_filter_kses');
add_filter('pre_link_name', 'wp_specialchars', 30);
add_filter('pre_link_description', 'wp_filter_kses');
add_filter('pre_link_notes', 'wp_filter_kses');
add_filter('pre_link_url', 'strip_tags');
add_filter('pre_link_url', 'trim');
add_filter('pre_link_url', 'clean_url');
add_filter('pre_link_image', 'strip_tags');
add_filter('pre_link_image', 'trim');
add_filter('pre_link_image', 'clean_url');
add_filter('pre_link_rss', 'strip_tags');
add_filter('pre_link_rss', 'trim');
add_filter('pre_link_rss', 'clean_url');
add_filter('pre_link_target', 'strip_tags');
add_filter('pre_link_target', 'trim');
add_filter('pre_link_target', 'wp_filter_kses');
add_filter('pre_link_target', 'wp_specialchars', 30);
add_filter('pre_link_rel', 'strip_tags');
add_filter('pre_link_rel', 'trim');
add_filter('pre_link_rel', 'wp_filter_kses');
add_filter('pre_link_rel', 'wp_specialchars', 30);
// Users
add_filter('pre_user_display_name', 'strip_tags');
add_filter('pre_user_display_name', 'trim');
add_filter('pre_user_display_name', 'wp_filter_kses');
add_filter('pre_user_display_name', 'wp_specialchars', 30);
add_filter('pre_user_first_name', 'strip_tags');
add_filter('pre_user_first_name', 'trim');
add_filter('pre_user_first_name', 'wp_filter_kses');
add_filter('pre_user_first_name', 'wp_specialchars', 30);
add_filter('pre_user_last_name', 'strip_tags');
add_filter('pre_user_last_name', 'trim');
add_filter('pre_user_last_name', 'wp_filter_kses');
add_filter('pre_user_last_name', 'wp_specialchars', 30);
add_filter('pre_user_nickname', 'strip_tags');
add_filter('pre_user_nickname', 'trim');
add_filter('pre_user_nickname', 'wp_filter_kses');
add_filter('pre_user_nickname', 'wp_specialchars', 30);
add_filter('pre_user_description', 'trim');
add_filter('pre_user_description', 'wp_filter_kses');
add_filter('pre_user_url', 'strip_tags');
add_filter('pre_user_url', 'trim');
add_filter('pre_user_url', 'clean_url');
add_filter('pre_user_email', 'trim');
add_filter('pre_user_email', 'sanitize_email');
// Strip, trim, kses, special chars for string saves
$filters = array('pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target',
'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name',
'pre_user_nickname');
foreach ( $filters as $filter ) {
add_filter($filter, 'strip_tags');
add_filter($filter, 'trim');
add_filter($filter, 'wp_filter_kses');
add_filter($filter, 'wp_specialchars', 30);
}
// Kses only for textarea saves
$filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description');
foreach ( $filters as $filter ) {
add_filter($filter, 'wp_filter_kses');
}
// Email
$filters = array('pre_comment_author_email', 'pre_user_email');
foreach ( $filters as $filter ) {
add_filter($filter, 'trim');
add_filter($filter, 'sanitize_email');
add_filter($filter, 'wp_filter_kses');
}
// URL
$filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
'pre_link_rss', 'comment_url');
foreach ( $filters as $filter ) {
add_filter($filter, 'strip_tags');
add_filter($filter, 'trim');
add_filter($filter, 'clean_url');
add_filter($filter, 'wp_filter_kses');
}
// Places to balance tags on input
add_filter('content_save_pre', 'balanceTags', 50);
add_filter('excerpt_save_pre', 'balanceTags', 50);
add_filter('comment_save_pre', 'balanceTags', 50);
// Misc. title, content, and excerpt filters
$filters = array('content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content');
foreach ( $filters as $filter ) {
add_filter( $filter, 'balanceTags', 50);
}
// Format strings for display.
$filters = array('comment_author', 'term_name', 'term_description', 'link_name', 'link_description',
'link_notes', 'bloginfo');
foreach ( $filters as $filter ) {
add_filter($filter, 'wptexturize');
add_filter($filter, 'convert_chars');
add_filter($filter, 'wp_specialchars');
}
// Display filters
add_filter('the_title', 'wptexturize');
add_filter('the_title', 'convert_chars');
add_filter('the_title', 'trim');
add_filter('the_content', 'wptexturize');
add_filter('the_content', 'convert_smilies');
add_filter('the_content', 'convert_chars');
add_filter('the_content', 'wpautop');
add_filter('the_excerpt', 'wptexturize');
add_filter('the_excerpt', 'convert_smilies');
add_filter('the_excerpt', 'convert_chars');
add_filter('the_excerpt', 'wpautop');
add_filter('get_the_excerpt', 'wp_trim_excerpt');
add_filter('sanitize_title', 'sanitize_title_with_dashes');
add_filter('comment_text', 'wptexturize');
add_filter('comment_text', 'convert_chars');
add_filter('comment_text', 'make_clickable', 9);
add_filter('comment_text', 'force_balance_tags', 25);
add_filter('comment_text', 'convert_smilies', 20);
add_filter('comment_text', 'wpautop', 30);
add_filter('comment_excerpt', 'convert_chars');
add_filter('list_cats', 'wptexturize');
add_filter('single_post_title', 'wptexturize');
// RSS filters
add_filter('the_title_rss', 'strip_tags');
......@@ -146,8 +86,8 @@ add_filter('the_content_rss', 'ent2ncr', 8);
add_filter('the_excerpt_rss', 'convert_chars');
add_filter('the_excerpt_rss', 'ent2ncr', 8);
add_filter('comment_author_rss', 'ent2ncr', 8);
add_filter('comment_text_rss', 'wp_specialchars');
add_filter('comment_text_rss', 'ent2ncr', 8);
add_filter('comment_text_rss', 'wp_specialchars');
add_filter('bloginfo_rss', 'ent2ncr', 8);
add_filter('the_author', 'ent2ncr', 8);
......@@ -158,11 +98,11 @@ add_filter('option_home', '_config_wp_home');
add_filter('option_siteurl', '_config_wp_siteurl');
add_filter('mce_plugins', '_mce_load_rtl_plugin');
add_filter('mce_buttons', '_mce_add_direction_buttons');
// Redirect Old Slugs
add_action('template_redirect', 'wp_old_slug_redirect');
add_action('edit_post', 'wp_check_for_changed_slugs');
add_action('edit_form_advanced', 'wp_remember_old_slug');
add_filter('pre_kses', 'wp_pre_kses_less_than');
add_filter('sanitize_title', 'sanitize_title_with_dashes');
add_filter('comment_flood_filter', 'wp_throttle_comment_flood', 10, 3);
add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
add_filter('comment_email', 'antispambot');
// Actions
add_action('wp_head', 'rsd_link');
......@@ -189,5 +129,10 @@ add_action('future_post', '_future_post_hook', 5, 2);
add_action('future_page', '_future_post_hook', 5, 2);
add_action('save_post', '_save_post_hook', 5, 2);
add_action('transition_post_status', '_transition_post_status', 5, 3);
add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
// Redirect Old Slugs
add_action('template_redirect', 'wp_old_slug_redirect');
add_action('edit_post', 'wp_check_for_changed_slugs');
add_action('edit_form_advanced', 'wp_remember_old_slug');
?>
\ No newline at end of file
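Review bot: The new loops leave `$filters` and `$filter` defined after the last `foreach`; since this file consists of top-level add_filter calls it is presumably included at file scope, so both names survive as globals and can collide with other code using them. Add `unset( $filters, $filter );` after the display-format loop. The group commented `// URL` mixes save-time pre_* hooks with the display-time `comment_url` hook; a comment such as `// URL: save-time pre_* hooks, plus the comment_url display hook` would make that intent explicit.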
......@@ -477,7 +477,10 @@ function sanitize_post_field($field, $value, $post_id, $context) {
}
} else {
// Use display filters by default.
$value = apply_filters("post_$field", $value, $post_id, $context);
if ( $prefixed )
$value = apply_filters($field, $value, $post_id, $context);
else
$value = apply_filters("post_$field", $value, $post_id, $context);
}
if ( 'attribute' == $context )
......
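Review bot: The comment `// Use display filters by default.` above the new branch no longer describes the `$prefixed` case it now guards; suggest `// Display filters by default: fields already named post_* use their own name as the hook, others get the post_ prefix.`. sanitize_post_field starts outside the hunk, where `$prefixed` is presumably set from the field name.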
......@@ -229,7 +229,7 @@ function get_objects_in_term( $terms, $taxonomies, $args = array() ) {
* This won't appear but just a note to say that this is all conjecture and parts or whole
* might be inaccurate or wrong.
*/
function &get_term(&$term, $taxonomy, $output = OBJECT) {
function &get_term(&$term, $taxonomy, $output = OBJECT, $filter = 'raw') {
global $wpdb;
if ( empty($term) )
......@@ -251,6 +251,7 @@ function &get_term(&$term, $taxonomy, $output = OBJECT) {
$_term = apply_filters('get_term', $_term, $taxonomy);
$_term = apply_filters("get_$taxonomy", $_term, $taxonomy);
$_term = sanitize_term($_term, $taxonomy, $filter);
if ( $output == OBJECT ) {
return $_term;
......@@ -559,7 +560,7 @@ function is_term($term, $taxonomy = '') {
}
function sanitize_term($term, $taxonomy, $context = 'display') {
$fields = array('term_id', 'name', 'description', 'slug', 'count', 'term_group');
$fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group');
$do_object = false;
if ( is_object($term) )
......
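Review bot: get_term gains a `$filter = 'raw'` parameter that is handed to sanitize_term, but the docblock the hunk cuts into is not updated; add `@param string $filter Optional. Sanitization context passed to sanitize_term ('raw' by default; 'edit', 'db', 'display' as in sanitize_bookmark_field — confirm sanitize_term_field accepts the same set).` to it. The sanitize_term call follows the get_term/get_$taxonomy filters, so the value reaching sanitize_term is whatever those filters returned, including an empty result if the lookup earlier in the function (outside the hunk) can yield one; a guard there would avoid feeding null into sanitize_term. get_term's body begins and continues outside the hunk.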