Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().

see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23563 1a063a9b-81f0-0310-95a4-ce76da25c4cd
commit 5f809d1d2264475e8f54939060648105ad8de635 1 parent 0f3a60a
Ryan Boren authored

Showing 28 changed files with 88 additions and 88 deletions. Show diff stats Hide diff stats

  1. +2 2 wp-admin/admin.php
  2. +5 5 wp-admin/edit-comments.php
  3. +1 1  wp-admin/edit-form-advanced.php
  4. +1 1  wp-admin/edit-form-comment.php
  5. +2 2 wp-admin/edit-tags.php
  6. +1 1  wp-admin/edit.php
  7. +12 12 wp-admin/includes/ajax-actions.php
  8. +4 4 wp-admin/includes/bookmark.php
  9. +1 1  wp-admin/includes/class-wp-comments-list-table.php
  10. +1 1  wp-admin/includes/class-wp-ms-sites-list-table.php
  11. +1 1  wp-admin/includes/class-wp-ms-themes-list-table.php
  12. +3 3 wp-admin/includes/class-wp-ms-users-list-table.php
  13. +3 3 wp-admin/includes/class-wp-plugin-install-list-table.php
  14. +2 2 wp-admin/includes/class-wp-plugins-list-table.php
  15. +3 3 wp-admin/includes/class-wp-terms-list-table.php
  16. +2 2 wp-admin/includes/class-wp-theme-install-list-table.php
  17. +2 2 wp-admin/includes/class-wp-themes-list-table.php
  18. +1 1  wp-admin/includes/class-wp-upgrader.php
  19. +1 1  wp-admin/includes/class-wp-users-list-table.php
  20. +1 1  wp-admin/includes/dashboard.php
  21. +2 2 wp-admin/includes/deprecated.php
  22. +7 7 wp-admin/includes/file.php
  23. +2 2 wp-admin/includes/image-edit.php
  24. +6 6 wp-admin/includes/media.php
  25. +1 1  wp-admin/includes/misc.php
  26. +6 6 wp-admin/includes/plugin-install.php
  27. +14 14 wp-admin/includes/post.php
  28. +1 1  wp-admin/includes/taxonomy.php
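--- a/wp-admin/admin.php
+++ b/wp-admin/admin.php
@@ -43,7 +43,7 @@
 do_action('after_db_upgrade');
 } elseif ( get_option('db_version') != $wp_db_version && empty($_POST) ) {
 if ( !is_multisite() ) {
-wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI']))));
+wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
 exit;
 } elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
 /**
@@ -82,7 +82,7 @@
 $editing = false;
 
 if ( isset($_GET['page']) ) {
-$plugin_page = stripslashes($_GET['page']);
+$plugin_page = wp_unslash( $_GET['page'] );
 $plugin_page = plugin_basename($plugin_page);
 }
 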
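--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -20,9 +20,9 @@
 check_admin_referer( 'bulk-comments' );
 
 if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
-$comment_status = $wpdb->escape( $_REQUEST['comment_status'] );
-$delete_time = $wpdb->escape( $_REQUEST['pagegen_timestamp'] );
-$comment_ids = $wpdb->get_col( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = '$comment_status' AND '$delete_time' > comment_date_gmt" );
+$comment_status = $_REQUEST['comment_status'];
+$delete_time = $_REQUEST['pagegen_timestamp'];
+$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
 $doaction = 'delete';
 } elseif ( isset( $_REQUEST['delete_comments'] ) ) {
 $comment_ids = $_REQUEST['delete_comments'];
@@ -95,7 +95,7 @@
 wp_safe_redirect( $redirect_to );
 exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 exit;
 }
 
@@ -153,7 +153,7 @@
 echo __('Comments');
 
 if ( isset($_REQUEST['s']) && $_REQUEST['s'] )
-printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
+printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '</span>' ); ?>
 </h2>
 
 <?php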
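Review bot: In the delete_all branch (new lines 23-24) the two `$_REQUEST` values are handed to `$wpdb->prepare()` without `wp_unslash()`, unlike every other request value this commit touches; since the request arrays carry slashes (that is what the rest of the commit strips), `prepare()` escapes an already-slashed string. `$comment_status = wp_unslash( $_REQUEST['comment_status'] );` and `$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );` keep the hunk consistent with the others. Moving to `prepare()` closes the injection vector, but `$delete_time` still reaches the `%s > comment_date_gmt` comparison as a free-form string even though it is the only thing bounding a bulk delete; validating it as a datetime before the query would be a cheap extra check.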
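--- a/wp-admin/edit-form-advanced.php
+++ b/wp-admin/edit-form-advanced.php
@@ -314,7 +314,7 @@
 <input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
 <input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr( $post_type ) ?>" />
 <input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr( $post->post_status) ?>" />
-<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input type="hidden" id="referredby" name="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" />
 <?php if ( ! empty( $active_post_lock ) ) { ?>
 <input type="hidden" id="active_post_lock" value="<?php echo esc_attr( implode( ':', $active_post_lock ) ); ?>" />
 <?php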
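--- a/wp-admin/edit-form-comment.php
+++ b/wp-admin/edit-form-comment.php
@@ -132,7 +132,7 @@
 
 <input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
 <input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
-<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
+<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(wp_unslash(wp_get_referer())); ?>" />
 <?php wp_original_referer_field(true, 'previous'); ?>
 <input type="hidden" name="noredir" value="1" />
 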
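--- a/wp-admin/edit-tags.php
+++ b/wp-admin/edit-tags.php
@@ -164,7 +164,7 @@
 
 default:
 if ( ! empty($_REQUEST['_wp_http_referer']) ) {
-$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );
+$location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) );
 
 if ( ! empty( $_REQUEST['paged'] ) )
 $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] );
@@ -265,7 +265,7 @@
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title );
 if ( !empty($_REQUEST['s']) )
-printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
+printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
 </h2>
 
 <?php if ( isset($_REQUEST['message']) && ( $msg = (int) $_REQUEST['message'] ) ) : ?>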
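Review bot: When `paged` is set, line 170 reassigns `$location` from `add_query_arg( 'paged', (int) $_REQUEST['paged'] )` without passing in the `$location` built on the changed line 167, so the referer-cleaned URL is discarded; if `add_query_arg()` falls back to the current request URI when no URL is given (as its two-argument use elsewhere in this commit suggests), the `_wp_http_referer` and `_wpnonce` parameters the previous line removed come straight back. Passing the URL through, `$location = add_query_arg( 'paged', (int) $_REQUEST['paged'], $location );`, keeps the cleanup. The enclosing switch case continues outside the hunk.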
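--- a/wp-admin/edit.php
+++ b/wp-admin/edit.php
@@ -138,7 +138,7 @@
 wp_redirect($sendback);
 exit();
 } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
-wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );
+wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );
 exit;
 }
 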
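--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -59,7 +59,7 @@ function wp_ajax_ajax_tag_search() {
 wp_die( 0 );
 }
 
-$s = stripslashes( $_GET['q'] );
+$s = wp_unslash( $_GET['q'] );
 
 $comma = _x( ',', 'tag delimiter' );
 if ( ',' !== $comma )
@@ -572,7 +572,7 @@ function wp_ajax_add_link_category( $action ) {
 continue;
 else if ( is_array( $cat_id ) )
 $cat_id = $cat_id['term_id'];
-$cat_name = esc_html(stripslashes($cat_name));
+$cat_name = esc_html(wp_unslash($cat_name));
 $x->add( array(
 'what' => 'link-category',
 'id' => $cat_id,
@@ -957,8 +957,8 @@ function wp_ajax_add_meta() {
 ) );
 } else { // Update?
 $mid = (int) key( $_POST['meta'] );
-$key = stripslashes( $_POST['meta'][$mid]['key'] );
-$value = stripslashes( $_POST['meta'][$mid]['value'] );
+$key = wp_unslash( $_POST['meta'][$mid]['key'] );
+$value = wp_unslash( $_POST['meta'][$mid]['value'] );
 if ( '' == trim($key) )
 wp_die( __( 'Please provide a custom field name.' ) );
 if ( '' == trim($value) )
@@ -1227,7 +1227,7 @@ function wp_ajax_wp_link_ajax() {
 $args = array();
 
 if ( isset( $_POST['search'] ) )
-$args['s'] = stripslashes( $_POST['search'] );
+$args['s'] = wp_unslash( $_POST['search'] );
 $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
 
 require(ABSPATH . WPINC . '/class-wp-editor.php');
@@ -1328,7 +1328,7 @@ function wp_ajax_inline_save() {
 $data = &$_POST;
 
 $post = get_post( $post_ID, ARRAY_A );
-$post = add_magic_quotes($post); //since it is from db
+$post = wp_slash($post); //since it is from db
 
 $data['content'] = $post['post_content'];
 $data['excerpt'] = $post['post_excerpt'];
@@ -1425,7 +1425,7 @@ function wp_ajax_find_posts() {
 $post_types = get_post_types( array( 'public' => true ), 'objects' );
 unset( $post_types['attachment'] );
 
-$s = stripslashes( $_POST['ps'] );
+$s = wp_unslash( $_POST['ps'] );
 $searchand = $search = '';
 $args = array(
 'post_type' => array_keys( $post_types ),
@@ -1890,7 +1890,7 @@ function wp_ajax_save_attachment() {
 
 if ( isset( $changes['alt'] ) ) {
 $alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
-$new_alt = stripslashes( $changes['alt'] );
+$new_alt = wp_unslash( $changes['alt'] );
 if ( $alt != $new_alt ) {
 $new_alt = wp_strip_all_tags( $new_alt, true );
 update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) );
@@ -1990,7 +1990,7 @@ function wp_ajax_save_attachment_order() {
 function wp_ajax_send_attachment_to_editor() {
 check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-$attachment = stripslashes_deep( $_POST['attachment'] );
+$attachment = wp_unslash( $_POST['attachment'] );
 
 $id = intval( $attachment['id'] );
 
@@ -2045,7 +2045,7 @@ function wp_ajax_send_attachment_to_editor() {
 function wp_ajax_send_link_to_editor() {
 check_ajax_referer( 'media-send-to-editor', 'nonce' );
 
-if ( ! $src = stripslashes( $_POST['src'] ) )
+if ( ! $src = wp_unslash( $_POST['src'] ) )
 wp_send_json_error();
 
 if ( ! strpos( $src, '://' ) )
@@ -2054,7 +2054,7 @@ function wp_ajax_send_link_to_editor() {
 if ( ! $src = esc_url_raw( $src ) )
 wp_send_json_error();
 
-if ( ! $title = trim( stripslashes( $_POST['title'] ) ) )
+if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
 $title = wp_basename( $src );
 
 $html = '';
@@ -2114,7 +2114,7 @@ function wp_ajax_nopriv_heartbeat() {
 $screen_id = 'site';
 
 if ( ! empty($_POST['data']) ) {
-$data = stripslashes_deep( (array) $_POST['data'] );
+$data = wp_unslash( (array) $_POST['data'] );
 $response = apply_filters( 'heartbeat_nopriv_received', $response, $data, $screen_id );
 }
 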
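Review bot: In the wp_ajax_save_attachment hunk the re-slash before `update_post_meta()` at line 1896 still uses `addslashes( $new_alt )`, although the commit's stated purpose is to route all slashing through `wp_slash()`/`wp_unslash()`; `update_post_meta( $id, '_wp_attachment_image_alt', wp_slash( $new_alt ) );` would complete the change. The same leftover `addslashes()` is visible in wp-admin/includes/media.php (media_upload_form_handler, line 474) and in the edit_post hunk of wp-admin/includes/post.php (line 200). The result is the same for plain strings, but the mixed idiom makes it harder to audit where data is slashed and where it is not. wp_ajax_save_attachment() starts and ends outside the hunk.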
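--- a/wp-admin/includes/bookmark.php
+++ b/wp-admin/includes/bookmark.php
@@ -55,12 +55,12 @@ function edit_link( $link_id = 0 ) {
 function get_default_link_to_edit() {
 $link = new stdClass;
 if ( isset( $_GET['linkurl'] ) )
-$link->link_url = esc_url( $_GET['linkurl'] );
+$link->link_url = esc_url( wp_unslash( $_GET['linkurl'] ) );
 else
 $link->link_url = '';
 
 if ( isset( $_GET['name'] ) )
-$link->link_name = esc_attr( $_GET['name'] );
+$link->link_name = esc_attr( wp_unslash( $_GET['name'] ) );
 else
 $link->link_name = '';
 
@@ -137,7 +137,7 @@ function wp_insert_link( $linkdata, $wp_error = false ) {
 $linkdata = wp_parse_args( $linkdata, $defaults );
 $linkdata = sanitize_bookmark( $linkdata, 'db' );
 
-extract( stripslashes_deep( $linkdata ), EXTR_SKIP );
+extract( wp_unslash( $linkdata ), EXTR_SKIP );
 
 $update = false;
 
@@ -251,7 +251,7 @@ function wp_update_link( $linkdata ) {
 $link = get_bookmark( $link_id, ARRAY_A );
 
 // Escape data pulled from DB.
-$link = add_magic_quotes( $link );
+$link = wp_slash( $link );
 
 // Passed link category list overwrites existing category list if not empty.
 if ( isset( $linkdata['link_category'] ) && is_array( $linkdata['link_category'] )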
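Review bot: Line 140 still expands a caller-supplied array into local variables with `extract()`; `EXTR_SKIP` stops it from overwriting locals that already exist, but any key a caller adds to `$linkdata` silently becomes a variable, which makes the rest of wp_insert_link() hard to audit. Reading the fields the function actually needs by name (for example `$link_url = $linkdata['link_url'];` after `wp_unslash()`) yields the same values with explicit provenance. wp_insert_link() starts and ends outside the hunk.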
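--- a/wp-admin/includes/class-wp-comments-list-table.php
+++ b/wp-admin/includes/class-wp-comments-list-table.php
@@ -170,7 +170,7 @@ function get_views() {
 /*
 // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
 if ( !empty( $_REQUEST['s'] ) )
-$link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link );
+$link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link );
 */
 $status_links[$status] = "<a href='$link'$class>" . sprintf(
 translate_nooped_plural( $label, $num_comments->$status ),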
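Review bot: The only change in this hunk is to a line inside the `/* ... */` block that the comment on line 171 says was already rejected, so the edit only keeps dead code current. Removing lines 170-174 would be cleaner than maintaining them; if they are kept, note that the `esc_attr()` around the search term appears to be the wrong escape for a query-string value that `add_query_arg()` encodes itself. get_views() starts and ends outside the hunk.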
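--- a/wp-admin/includes/class-wp-ms-sites-list-table.php
+++ b/wp-admin/includes/class-wp-ms-sites-list-table.php
@@ -29,7 +29,7 @@ function prepare_items() {
 
 $pagenum = $this->get_pagenum();
 
-$s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : '';
+$s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : '';
 $wild = '';
 if ( false !== strpos($s, '*') ) {
 $wild = '%';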
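Review bot: Line 32 trims before unslashing (`wp_unslash( trim( ... ) )`) while the matching change in wp-admin/includes/class-wp-terms-list-table.php (line 55) unslashes before trimming; the two orders only diverge for escaped characters at the ends of the value, but the commit should settle on one. `$s = isset( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST[ 's' ] ) ) : '';` matches the terms table and unslashes the raw request value first, which is the convention the rest of the commit follows. prepare_items() starts and ends outside the hunk.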
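--- a/wp-admin/includes/class-wp-ms-themes-list-table.php
+++ b/wp-admin/includes/class-wp-ms-themes-list-table.php
@@ -126,7 +126,7 @@ function prepare_items() {
 function _search_callback( $theme ) {
 static $term;
 if ( is_null( $term ) )
-$term = stripslashes( $_REQUEST['s'] );
+$term = wp_unslash( $_REQUEST['s'] );
 
 foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) {
 // Don't mark up; Do translate.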
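--- a/wp-admin/includes/class-wp-ms-users-list-table.php
+++ b/wp-admin/includes/class-wp-ms-users-list-table.php
@@ -173,10 +173,10 @@ function display_rows() {
 
 case 'username':
 $avatar = get_avatar( $user->user_email, 32 );
-$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
+$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user->ID ) ) );
 
 echo "<td $attributes>"; ?>
-<?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo stripslashes( $user->user_login ); ?></a><?php
+<?php echo $avatar; ?><strong><a href="<?php echo $edit_link; ?>" class="edit"><?php echo $user->user_login; ?></a><?php
 if ( in_array( $user->user_login, $super_admins ) )
 echo ' - ' . __( 'Super Admin' );
 ?></strong>
@@ -186,7 +186,7 @@ function display_rows() {
 $actions['edit'] = '<a href="' . $edit_link . '">' . __( 'Edit' ) . '</a>';
 
 if ( current_user_can( 'delete_user', $user->ID ) && ! in_array( $user->user_login, $super_admins ) ) {
-$actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
+$actions['delete'] = '<a href="' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user->ID ) ) ) . '" class="delete">' . __( 'Delete' ) . '</a>';
 }
 
 $actions = apply_filters( 'ms_user_row_actions', $actions, $user );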
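Review bot: The new line 179 echoes `$user->user_login` straight into the anchor text; dropping `stripslashes()` is right, but nothing escapes the value for HTML at the output point. Logins are presumably constrained on creation, so the practical exposure is small, yet the same line escapes `$edit_link` with `esc_url()` and the output convention should apply uniformly: `<?php echo esc_html( $user->user_login ); ?>`. display_rows() starts and ends outside the hunk.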
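--- a/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -48,8 +48,8 @@ function prepare_items() {
 
 switch ( $tab ) {
 case 'search':
-$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-$term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
+$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+$term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
 
 switch ( $type ) {
 case 'tag':
@@ -73,7 +73,7 @@ function prepare_items() {
 break;
 
 case 'favorites':
-$user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+$user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
 update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
 if ( $user )
 $args['user'] = $user;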
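Review bot: Line 77 passes the now-unslashed `$user` to `update_user_meta()`, while the commit's own comment in wp-admin/includes/media.php (`// update_meta expects slashed`) states that the meta API expects slashed input; a favourites username containing a backslash or quote would be stored with characters stripped. Either keep a slashed copy for storage, `update_user_meta( get_current_user_id(), 'wporg_favorites', wp_slash( $user ) );`, or confirm that the meta layer unslashes on its own. The same `$_GET['user']` handling appears in install_plugins_favorites_form() in wp-admin/includes/plugin-install.php, which only reads the value. prepare_items() starts and ends outside the hunk.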
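--- a/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/wp-admin/includes/class-wp-plugins-list-table.php
@@ -22,7 +22,7 @@ function __construct( $args = array() ) {
 $status = $_REQUEST['plugin_status'];
 
 if ( isset($_REQUEST['s']) )
-$_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) );
+$_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) );
 
 $page = $this->get_pagenum();
 }
@@ -140,7 +140,7 @@ function prepare_items() {
 function _search_callback( $plugin ) {
 static $term;
 if ( is_null( $term ) )
-$term = stripslashes( $_REQUEST['s'] );
+$term = wp_unslash( $_REQUEST['s'] );
 
 foreach ( $plugin as $value )
 if ( stripos( $value, $term ) !== false )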
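--- a/wp-admin/includes/class-wp-terms-list-table.php
+++ b/wp-admin/includes/class-wp-terms-list-table.php
@@ -52,7 +52,7 @@ function prepare_items() {
 $tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter
 }
 
-$search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : '';
+$search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';
 
 $args = array(
 'search' => $search,
@@ -61,10 +61,10 @@ function prepare_items() {
 );
 
 if ( !empty( $_REQUEST['orderby'] ) )
-$args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
+$args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
 
 if ( !empty( $_REQUEST['order'] ) )
-$args['order'] = trim( stripslashes( $_REQUEST['order'] ) );
+$args['order'] = trim( wp_unslash( $_REQUEST['order'] ) );
 
 $this->callback_args = $args;
 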
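--- a/wp-admin/includes/class-wp-theme-install-list-table.php
+++ b/wp-admin/includes/class-wp-theme-install-list-table.php
@@ -24,7 +24,7 @@ function prepare_items() {
 $search_terms = array();
 $search_string = '';
 if ( ! empty( $_REQUEST['s'] ) ){
-$search_string = strtolower( stripslashes( $_REQUEST['s'] ) );
+$search_string = strtolower( wp_unslash( $_REQUEST['s'] ) );
 $search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) );
 }
 
@@ -59,7 +59,7 @@ function prepare_items() {
 
 switch ( $tab ) {
 case 'search':
-$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
+$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
 switch ( $type ) {
 case 'tag':
 $args['tag'] = array_map( 'sanitize_key', $search_terms );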
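--- a/wp-admin/includes/class-wp-themes-list-table.php
+++ b/wp-admin/includes/class-wp-themes-list-table.php
@@ -28,7 +28,7 @@ function prepare_items() {
 $themes = wp_get_themes( array( 'allowed' => true ) );
 
 if ( ! empty( $_REQUEST['s'] ) )
-$this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) );
+$this->search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) );
 
 if ( ! empty( $_REQUEST['features'] ) )
 $this->features = $_REQUEST['features'];
@@ -235,7 +235,7 @@ function search_theme( $theme ) {
 * @uses _pagination_args['total_pages']
 */
 function _js_vars( $extra_args = array() ) {
-$search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
+$search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
 
 $args = array(
 'search' => $search_string,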
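Review bot: Line 238 still attribute-escapes the search string with `esc_attr()` even though `_js_vars()` assembles values for JavaScript (per its name and the `$args` array it fills); HTML-attribute escaping is the wrong context for a JS value and either double-encodes or misses what JSON/JS escaping requires. If `$args` ends up in `json_encode()` or `wp_localize_script()`, the raw `wp_unslash( $_REQUEST['s'] )` is what should be stored here, with escaping left to the emitter — confirm against the rest of the method, which continues outside the hunk.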
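--- a/wp-admin/includes/class-wp-upgrader.php
+++ b/wp-admin/includes/class-wp-upgrader.php
@@ -1427,7 +1427,7 @@ function after() {
 
 $install_actions = array();
 
-$from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins';
+$from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
 
 if ( 'import' == $from )
 $install_actions['activate_plugin'] = '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;from=import&amp;plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '" title="' . esc_attr__('Activate this plugin') . '" target="_parent">' . __('Activate Plugin &amp; Run Importer') . '</a>';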
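--- a/wp-admin/includes/class-wp-users-list-table.php
+++ b/wp-admin/includes/class-wp-users-list-table.php
@@ -241,7 +241,7 @@ function single_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
 // Check if the user for this row is editable
 if ( current_user_can( 'list_users' ) ) {
 // Set up the user editing link
-$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
+$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object->ID ) ) );
 
 // Set up the hover actions for this user
 $actions = array();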
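--- a/wp-admin/includes/dashboard.php
+++ b/wp-admin/includes/dashboard.php
@@ -1093,7 +1093,7 @@ function wp_dashboard_rss_control( $widget_id, $form_inputs = array() ) {
 $widget_options[$widget_id]['number'] = $number;
 
 if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget-rss'][$number]) ) {
-$_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] );
+$_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] );
 $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] );
 // title is optional. If black, fill it if possible
 if ( !$widget_options[$widget_id]['title'] && isset($_POST['widget-rss'][$number]['title']) ) {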
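Review bot: Line 1096 writes the unslashed data back into `$_POST['widget-rss'][$number]`, so that slot no longer follows the slashed convention the rest of the request array (and this whole commit) assumes; any later reader that applies `wp_unslash()` to it would strip legitimate backslashes. Keeping the value in a local, `$rss_input = wp_unslash( $_POST['widget-rss'][$number] );`, and passing that to `wp_widget_rss_process()` and the title check on line 1099 avoids mutating the superglobal. wp_dashboard_rss_control() starts and ends outside the hunk.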
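--- a/wp-admin/includes/deprecated.php
+++ b/wp-admin/includes/deprecated.php
@@ -472,7 +472,7 @@ class WP_User_Search {
 function WP_User_Search ($search_term = '', $page = '', $role = '') {
 _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
 
-$this->search_term = stripslashes( $search_term );
+$this->search_term = wp_unslash( $search_term );
 $this->raw_page = ( '' == $page ) ? false : (int) $page;
 $this->page = (int) ( '' == $page ) ? 1 : $page;
 $this->role = $role;
@@ -551,7 +551,7 @@ function query() {
 * @access public
 */
 function prepare_vars_for_template_usage() {
-$this->search_term = stripslashes($this->search_term); // done with DB, from now on we want slashes gone
+$this->search_term = wp_unslash($this->search_term); // done with DB, from now on we want slashes gone
 }
 
 /**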
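--- a/wp-admin/includes/file.php
+++ b/wp-admin/includes/file.php
@@ -901,13 +901,13 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
 $credentials = get_option('ftp_credentials', array( 'hostname' => '', 'username' => ''));
 
 // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
-$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']);
-$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']);
-$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : '');
+$credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
+$credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
+$credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
 
 // Check to see if we are setting the public/private keys for ssh
-$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : '');
-$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : '');
+$credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
+$credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
 
 //sanitize the hostname, Some people might pass in odd-data:
 $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
@@ -925,7 +925,7 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
 else if ( (defined('FTP_SSL') && FTP_SSL) && 'ftpext' == $type ) //Only the FTP Extension understands SSL
 $credentials['connection_type'] = 'ftps';
 else if ( !empty($_POST['connection_type']) )
-$credentials['connection_type'] = stripslashes($_POST['connection_type']);
+$credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
 else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP
 $credentials['connection_type'] = 'ftp';
 
@@ -1050,7 +1050,7 @@ function request_filesystem_credentials($form_post, $type = '', $error = false,
 <?php
 foreach ( (array) $extra_fields as $field ) {
 if ( isset( $_POST[ $field ] ) )
-echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( stripslashes( $_POST[ $field ] ) ) . '" />';
+echo '<input type="hidden" name="' . esc_attr( $field ) . '" value="' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '" />';
 }
 submit_button( __( 'Proceed' ), 'button', 'upgrade' );
 ?>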
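Review bot: `$credentials['connection_type']` at line 928 stores the POSTed value verbatim, while the branches directly above only ever assign the literals 'ftps' and 'ftp' (and the comment at line 908 refers to ssh keys as a third mode), so the accepted set looks closed. Since this string later selects a transport, it is better checked against that set than stored as free text, e.g. `else if ( !empty($_POST['connection_type']) && in_array( $_POST['connection_type'], array( 'ftp', 'ftps', 'ssh' ), true ) )` — confirm 'ssh' is the key the rest of this file uses before adopting the list. The hidden-field loop in the third hunk also assumes every `$_POST[ $field ]` is a scalar; an array value would reach `esc_attr()` unchanged. request_filesystem_credentials() starts and ends outside the hunks.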
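--- a/wp-admin/includes/image-edit.php
+++ b/wp-admin/includes/image-edit.php
@@ -454,7 +454,7 @@ function stream_preview_image( $post_id ) {
 if ( is_wp_error( $img ) )
 return false;
 
-$changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null;
+$changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash($_REQUEST['history']) ) : null;
 if ( $changes )
 $img = image_edit_apply_changes( $img, $changes );
 
@@ -587,7 +587,7 @@ function wp_save_image( $post_id ) {
 return $return;
 }
 } elseif ( !empty($_REQUEST['history']) ) {
-$changes = json_decode( stripslashes($_REQUEST['history']) );
+$changes = json_decode( wp_unslash($_REQUEST['history']) );
 if ( $changes )
 $img = image_edit_apply_changes($img, $changes);
 } else {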
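--- a/wp-admin/includes/media.php
+++ b/wp-admin/includes/media.php
@@ -468,8 +468,8 @@ function media_upload_form_handler() {
 
 if ( isset($attachment['image_alt']) ) {
 $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);
-if ( $image_alt != stripslashes($attachment['image_alt']) ) {
-$image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true );
+if ( $image_alt != wp_unslash($attachment['image_alt']) ) {
+$image_alt = wp_strip_all_tags( wp_unslash($attachment['image_alt']), true );
 // update_meta expects slashed
 update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) );
 }
@@ -501,7 +501,7 @@ function media_upload_form_handler() {
 }
 
 if ( isset($send_id) ) {
-$attachment = stripslashes_deep( $_POST['attachments'][$send_id] );
+$attachment = wp_unslash( $_POST['attachments'][$send_id] );
 
 $html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : '';
 if ( !empty($attachment['url']) ) {
@@ -546,7 +546,7 @@ function wp_media_upload_handler() {
 $src = "http://$src";
 
 if ( isset( $_POST['media_type'] ) && 'image' != $_POST['media_type'] ) {
-$title = esc_html( stripslashes( $_POST['title'] ) );
+$title = esc_html( wp_unslash( $_POST['title'] ) );
 if ( empty( $title ) )
 $title = esc_html( basename( $src ) );
 
@@ -561,9 +561,9 @@ function wp_media_upload_handler() {
 $html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title );
 } else {
 $align = '';
-$alt = esc_attr( stripslashes( $_POST['alt'] ) );
+$alt = esc_attr( wp_unslash( $_POST['alt'] ) );
 if ( isset($_POST['align']) ) {
-$align = esc_attr( stripslashes( $_POST['align'] ) );
+$align = esc_attr( wp_unslash( $_POST['align'] ) );
 $class = " class='align$align'";
 }
 if ( !empty($src) )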
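--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@@ -220,7 +220,7 @@ function update_home_siteurl( $old_value, $value ) {
 * @return string
 */
 function url_shorten( $url ) {
-$short_url = str_replace( 'http://', '', stripslashes( $url ));
+$short_url = str_replace( 'http://', '', wp_unslash( $url ));
 $short_url = str_replace( 'www.', '', $short_url );
 $short_url = untrailingslashit( $short_url );
 if ( strlen( $short_url ) > 35 )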
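--- a/wp-admin/includes/plugin-install.php
+++ b/wp-admin/includes/plugin-install.php
@@ -116,8 +116,8 @@ function install_dashboard() {
  * @since 2.7.0
  */
 function install_search_form( $type_selector = true ) {
-	$type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term';
-	$term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : '';
+	$type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+	$term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : '';
 
 	?><form id="search-plugins" method="get" action="">
 	<input type="hidden" name="tab" value="search" />
@@ -160,7 +160,7 @@ function install_plugins_upload( $page = 1 ) {
  *
  */
 function install_plugins_favorites_form() {
-	$user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+	$user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
 	?>
 	<p class="install-help"><?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?></p>
 	<form method="get" action="">
@@ -251,7 +251,7 @@ function install_plugin_install_status($api, $loop = false) {
 		}
 	}
 	if ( isset($_GET['from']) )
-		$url .= '&amp;from=' . urlencode(stripslashes($_GET['from']));
+		$url .= '&amp;from=' . urlencode( wp_unslash( $_GET['from'] ) );
 
 	return compact('status', 'url', 'version');
 }
@@ -264,7 +264,7 @@ function install_plugin_install_status($api, $loop = false) {
 function install_plugin_information() {
 	global $tab;
 
-	$api = plugins_api('plugin_information', array('slug' => stripslashes( $_REQUEST['plugin'] ) ));
+	$api = plugins_api('plugin_information', array('slug' => wp_unslash( $_REQUEST['plugin'] ) ));
 
 	if ( is_wp_error($api) )
 		wp_die($api);
@@ -295,7 +295,7 @@ function install_plugin_information() {
 		$api->$key = wp_kses( $api->$key, $plugins_allowedtags );
 	}
 
-	$section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
+	$section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
 	if ( empty($section) || ! isset($api->sections[ $section ]) )
 		$section = array_shift( $section_titles = array_keys((array)$api->sections) );
 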
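Review bot: In `install_plugin_information()` the new line 267 reads `$_REQUEST['plugin']` with no `isset` guard and hands whatever arrives, unslashed, straight to `plugins_api()` as the slug, while every other request read in this file (`type`, `s`, `user`, `from`, `section`) is guarded with `isset`/`empty` first. Since this same commit applies `wp_unslash()` to the whole `$_POST` array elsewhere, the helper evidently accepts arrays, so a `plugin[]=…` request would presumably reach the API call as an array rather than a string. I would guard and type-check before the call: `$slug = isset( $_REQUEST['plugin'] ) && is_string( $_REQUEST['plugin'] ) ? wp_unslash( $_REQUEST['plugin'] ) : '';` and `wp_die()` when `$slug` is empty, then pass `'slug' => $slug`. The body of `install_plugin_information()` continues past this hunk, so I cannot see whether the slug is checked later.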
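--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -197,7 +197,7 @@ function edit_post( $post_data = null ) {
 	}
 
 	if ( isset( $post_data[ '_wp_format_url' ] ) ) {
-		update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( stripslashes( $post_data['_wp_format_url'] ) ) ) );
+		update_post_meta( $post_ID, '_wp_format_url', addslashes( esc_url_raw( wp_unslash( $post_data['_wp_format_url'] ) ) ) );
 	}
 
 	$format_keys = array( 'quote', 'quote_source', 'image', 'gallery', 'media' );
@@ -236,8 +236,8 @@ function edit_post( $post_data = null ) {
 	if ( 'attachment' == $post_data['post_type'] ) {
 		if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) {
 			$image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true );
-			if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) {
-				$image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true );
+			if ( $image_alt != wp_unslash( $post_data['_wp_attachment_image_alt'] ) ) {
+				$image_alt = wp_strip_all_tags( wp_unslash( $post_data['_wp_attachment_image_alt'] ), true );
 				// update_meta expects slashed
 				update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) );
 			}
@@ -430,15 +430,15 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false )
 
 	$post_title = '';
 	if ( !empty( $_REQUEST['post_title'] ) )
-		$post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
+		$post_title = esc_html( wp_unslash( $_REQUEST['post_title'] ));
 
 	$post_content = '';
 	if ( !empty( $_REQUEST['content'] ) )
-		$post_content = esc_html( stripslashes( $_REQUEST['content'] ));
+		$post_content = esc_html( wp_unslash( $_REQUEST['content'] ));
 
 	$post_excerpt = '';
 	if ( !empty( $_REQUEST['excerpt'] ) )
-		$post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
+		$post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] ));
 
 	if ( $create_in_db ) {
 		$post_id = wp_insert_post( array( 'post_title' => __( 'Auto Draft' ), 'post_type' => $post_type, 'post_status' => 'auto-draft' ) );
@@ -487,9 +487,9 @@ function get_default_post_to_edit( $post_type = 'post', $create_in_db = false )
 function post_exists($title, $content = '', $date = '') {
 	global $wpdb;
 
-	$post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
-	$post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
-	$post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
+	$post_title = wp_unslash( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
+	$post_content = wp_unslash( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
+	$post_date = wp_unslash( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
 
 	$query = "SELECT ID FROM $wpdb->posts WHERE 1=1";
 	$args = array();
@@ -620,8 +620,8 @@ function add_meta( $post_ID ) {
 	global $wpdb;
 	$post_ID = (int) $post_ID;
 
-	$metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
-	$metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
+	$metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : '';
+	$metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : '';
 	$metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
 	if ( is_string( $metavalue ) )
 		$metavalue = trim( $metavalue );
@@ -719,8 +719,8 @@ function has_meta( $postid ) {
  * @return unknown
  */
 function update_meta( $meta_id, $meta_key, $meta_value ) {
-	$meta_key = stripslashes( $meta_key );
-	$meta_value = stripslashes_deep( $meta_value );
+	$meta_key = wp_unslash( $meta_key );
+	$meta_value = wp_unslash( $meta_value );
 
 	return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key );
 }
@@ -1245,7 +1245,7 @@ function wp_create_post_autosave( $post_id ) {
 	}
 
 	// _wp_put_post_revision() expects unescaped.
-	$_POST = stripslashes_deep($_POST);
+	$_POST = wp_unslash($_POST);
 
 	// Otherwise create the new autosave as a special post revision
 	return _wp_put_post_revision( $_POST, true );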
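Review bot: New-side lines 200 and 242 in `edit_post()` still re-slash with plain `addslashes()` before `update_post_meta()`, while the unslashing half of the same round trip now goes through `wp_unslash()` and the taxonomy hunk in this very commit swaps `add_magic_quotes()` for `wp_slash()`; leaving `addslashes()` here means the slash/unslash pair uses two different abstractions, which is exactly the inconsistency the commit sets out to remove. Both values are strings at that point (one comes out of `esc_url_raw()`, the other out of `wp_strip_all_tags()`), so the change is purely about consistency, not correctness. I would write line 200 as `update_post_meta( $post_ID, '_wp_format_url', wp_slash( esc_url_raw( wp_unslash( $post_data['_wp_format_url'] ) ) ) );` and line 242 as `update_post_meta( $post_ID, '_wp_attachment_image_alt', wp_slash( $image_alt ) );`. `edit_post()` starts before the first hunk and its body continues between and after the hunks shown.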
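--- a/wp-admin/includes/taxonomy.php
+++ b/wp-admin/includes/taxonomy.php
@@ -158,7 +158,7 @@ function wp_update_category($catarr) {
 	$category = get_category($cat_ID, ARRAY_A);
 
 	// Escape data pulled from DB.
-	$category = add_magic_quotes($category);
+	$category = wp_slash($category);
 
 	// Merge old and new fields with new fields overwriting old ones.
 	$catarr = array_merge($category, $catarr);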
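Review bot: The comment `// Escape data pulled from DB.` above the new `wp_slash($category)` call is misleading now that the call is named for what it does: this is not output or SQL escaping, it only adds the magic-quotes-style backslashes so the row from `get_category()` is in the same slashed form as the `$catarr` it is merged with on the next line. A reader who takes "escape" at face value may assume the merged data is safe to output or query with, which this line does not establish. Suggest `// Slash the DB row so it matches the slashed $catarr it is merged with below.` `wp_update_category()` starts before this hunk, so I cannot see what is done with `$catarr` afterward; the assumption that callers pass slashed data is inferred from the merge, not shown here.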
