authordonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2006-03-07 16:17:35 +0000
committerdonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2006-03-07 16:17:35 +0000
commit359ec6f7109409ea4398b0b30f09a78ef2dac6e8 (patch)
tree2e53e6512aac3099f6c2ff36f6a5a3e4b7ab846c /wp-inst
parenta9ec45378b36673d89684ff2f99ce7856f88a10f (diff)
WP Merge
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@538 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-inst')
-rw-r--r--wp-inst/wp-admin/admin-functions.php19
-rw-r--r--wp-inst/wp-admin/admin.php2
-rw-r--r--wp-inst/wp-admin/moderation.php2
-rw-r--r--wp-inst/wp-admin/post-new.php6
-rw-r--r--wp-inst/wp-admin/post.php9
-rw-r--r--wp-inst/wp-admin/user-edit.php2
-rw-r--r--wp-inst/wp-includes/classes.php3
-rw-r--r--wp-inst/wp-includes/kses.php40
-rw-r--r--wp-inst/wp-register.php13
-rw-r--r--wp-inst/wp-settings.php1
-rw-r--r--wp-inst/wpmu-settings.php.dist2
11 files changed, 69 insertions, 30 deletions
diff --git a/wp-inst/wp-admin/admin-functions.php b/wp-inst/wp-admin/admin-functions.php
index aabf77e..b33f94e 100644
--- a/wp-inst/wp-admin/admin-functions.php
+++ b/wp-inst/wp-admin/admin-functions.php
@@ -105,12 +105,12 @@ function relocate_children($old_ID, $new_ID) {
function fix_attachment_links($post_ID) {
global $wp_rewrite;
- $post = & get_post($post_ID);
+ $post = & get_post($post_ID, ARRAY_A);
$search = "#<a[^>]+rel=('|\")[^'\"]*attachment[^>]*>#ie";
// See if we have any rel="attachment" links
- if ( 0 == preg_match_all($search, $post->post_content, $anchor_matches, PREG_PATTERN_ORDER) )
+ if ( 0 == preg_match_all($search, $post['post_content'], $anchor_matches, PREG_PATTERN_ORDER) )
return;
$i = 0;
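Review bot: `$post` is not checked for a missing post before `$post['post_content']` is read on the line after the new `get_post($post_ID, ARRAY_A)` call, while the second hunk of this file adds `! empty($attachment)` for exactly that situation; the function should bail the same way, `if ( empty($post) ) return;` directly after the fetch. The `#...#ie` pattern on the context line is untouched by this commit, but the `e` modifier only has meaning for preg_replace() and looks like a leftover on a pattern that is only ever passed to preg_match_all(); it is worth dropping in a follow-up. fix_attachment_links() continues past the end of this hunk.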
@@ -122,9 +122,11 @@ function fix_attachment_links($post_ID) {
$id = $id_matches[2];
// While we have the attachment ID, let's adopt any orphans.
- $attachment = & get_post($id);
- if ( ! is_object(get_post($attachment->post_parent)) ) {
- $attachment->post_parent = $post_ID;
+ $attachment = & get_post($id, ARRAY_A);
+ if ( ! empty($attachment) && ! is_object(get_post($attachment['post_parent'])) ) {
+ $attachment['post_parent'] = $post_ID;
+ // Escape data pulled from DB.
+ $attachment = add_magic_quotes($attachment);
wp_update_post($attachment);
}
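Review bot: The comment `// Escape data pulled from DB.` above the new add_magic_quotes() call does not say why a value read straight from the database needs escaping before wp_update_post(); the reason, visible later in this same commit, is that the save-time kses filters (`wp_filter_kses`, `wp_filter_post_kses`) call stripslashes() on their input, so wp_update_post() expects slash-escaped data. I would write `// wp_update_post() expects slash-escaped (magic-quotes style) input; the kses save filters stripslashes() it first.` here and at the identical call on the `$post` array in the next hunk of this file. fix_attachment_links() starts before this hunk and continues after it.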
@@ -133,7 +135,10 @@ function fix_attachment_links($post_ID) {
++$i;
}
- $post->post_content = str_replace($post_search, $post_replace, $post->post_content);
+ $post['post_content'] = str_replace($post_search, $post_replace, $post['post_content']);
+
+ // Escape data pulled from DB.
+ $post = add_magic_quotes($post);
return wp_update_post($post);
}
@@ -491,6 +496,8 @@ function get_default_link_to_edit() {
else
$link->link_name = '';
+ $link->link_visible = 'Y';
+
return $link;
}
diff --git a/wp-inst/wp-admin/admin.php b/wp-inst/wp-admin/admin.php
index 37894ca..4cedbbe 100644
--- a/wp-inst/wp-admin/admin.php
+++ b/wp-inst/wp-admin/admin.php
@@ -61,7 +61,7 @@ if (isset($_GET['page'])) {
}
if (! file_exists(ABSPATH . "wp-content/plugins/$plugin_page") && ! file_exists(ABSPATH . "wp-content/mu-plugins/$plugin_page"))
- die(sprintf(__('Cannot load %s.'), $plugin_page));
+ die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));
if (! isset($_GET['noheader']))
require_once(ABSPATH . '/wp-admin/admin-header.php');
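Review bot: `htmlentities($plugin_page)` on the new die() line is called without ENT_QUOTES or an explicit charset, so a single quote in the reflected value is left unescaped; the rest of this commit escapes user-supplied strings with wp_specialchars(), so `die(sprintf(__('Cannot load %s.'), wp_specialchars($plugin_page, 1)));` would be both consistent and quote-safe. This only fixes the reflected message: where `$plugin_page` is derived from `$_GET['page']` (outside the hunk) it should already be reduced to a plain basename before the file_exists() checks on the context line, so confirm that step exists. The enclosing if-block starts before this hunk.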
diff --git a/wp-inst/wp-admin/moderation.php b/wp-inst/wp-admin/moderation.php
index 9166536..c684f6e 100644
--- a/wp-inst/wp-admin/moderation.php
+++ b/wp-inst/wp-admin/moderation.php
@@ -145,7 +145,7 @@ $i = 0;
<p><strong><?php _e('Name:') ?></strong> <?php comment_author_link() ?> <?php if ($comment->comment_author_email) { ?>| <strong><?php _e('E-mail:') ?></strong> <?php comment_author_email_link() ?> <?php } if ($comment->comment_author_url && 'http://' != $comment->comment_author_url) { ?> | <strong><?php _e('URI:') ?></strong> <?php comment_author_url_link() ?> <?php } ?>| <strong><?php _e('IP:') ?></strong> <a href="http://ws.arin.net/cgi-bin/whois.pl?queryinput=<?php comment_author_IP() ?>"><?php comment_author_IP() ?></a> | <strong><?php _e('Date:') ?></strong> <?php comment_date(); ?></p>
<?php comment_text() ?>
<p><?php
-echo '<a href="post.php?action=editcomment&amp;comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';?>
+echo '<a href="comment.php?action=editcomment&amp;comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';?>
<a href="<?php echo get_permalink($comment->comment_post_ID); ?>"><?php _e('View Post') ?></a> |
<?php
echo " <a href=\"post.php?action=deletecomment&amp;p=".$comment->comment_post_ID."&amp;comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by &quot;%s&quot;.\\n&quot;Cancel&quot; to stop, &quot;OK&quot; to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete just this comment') . "</a> | "; ?> <?php _e('Bulk action:') ?>
diff --git a/wp-inst/wp-admin/post-new.php b/wp-inst/wp-admin/post-new.php
index b0dc1b6..76713cd 100644
--- a/wp-inst/wp-admin/post-new.php
+++ b/wp-inst/wp-admin/post-new.php
@@ -58,11 +58,11 @@ include('edit-form-advanced.php');
<?php
if ($is_NS4 || $is_gecko) {
?>
-<a href="javascript:if(navigator.userAgent.indexOf('Safari') >= 0){Q=getSelection();}else{Q=document.selection?document.selection.createRange().text:document.getSelection();}location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press It - %s'), wp_specialchars(get_settings('blogname'))); ?></a>
+<a href="javascript:if(navigator.userAgent.indexOf('Safari') >= 0){Q=getSelection();}else{Q=document.selection?document.selection.createRange().text:document.getSelection();}location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post-new.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press It - %s'), wp_specialchars(get_settings('blogname'))); ?></a>
<?php
} else if ($is_winIE) {
?>
-<a href="javascript:Q='';if(top.frames.length==0)Q=document.selection.createRange().text;location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
+<a href="javascript:Q='';if(top.frames.length==0)Q=document.selection.createRange().text;location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post-new.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
<script type="text/javascript">
<!--
function oneclickbookmarklet(blah) {
@@ -77,7 +77,7 @@ window.open ("profile.php?action=IErightclick", "oneclickbookmarklet", "width=50
<?php
} else if ($is_opera) {
?>
-<a href="javascript:location.href='<?php echo get_settings('siteurl'); ?>/wp-admin/post.php?popupurl='+escape(location.href)+'&popuptitle='+escape(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
+<a href="javascript:location.href='<?php echo get_settings('siteurl'); ?>/wp-admin/post-new.php?popupurl='+escape(location.href)+'&popuptitle='+escape(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
<?php
} else if ($is_macIE) {
?>
diff --git a/wp-inst/wp-admin/post.php b/wp-inst/wp-admin/post.php
index 9139584..0ea17be 100644
--- a/wp-inst/wp-admin/post.php
+++ b/wp-inst/wp-admin/post.php
@@ -23,7 +23,8 @@ $action = "delete";
switch($action) {
case 'post':
-
+ check_admin_referer();
+
$post_ID = write_post();
// Redirect.
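Review bot: The added `check_admin_referer();` at the top of the 'post' case (and the same insertion in the 'editattachment' and 'editpost' cases below, and in user-edit.php's 'update' case) is in the right place, before write_post() touches anything, but the commit does not say which requests it is meant to reject: if this WordPress version's check_admin_referer() only compares HTTP_REFERER against the site URL, it is a weaker guard than a per-action token and will also turn away legitimate clients that send no Referer. A one-line comment above each call, `// Reject requests that did not originate from this site's admin pages.`, would make the intent visible at the case. The switch begins before this hunk, and the `delete` case implied by the `$action = "delete"` header context is not visible here; confirm it receives the same guard if it modifies state.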
@@ -76,6 +77,8 @@ case 'edit':
break;
case 'editattachment':
+ check_admin_referer();
+
$post_id = (int) $_POST['post_ID'];
// Don't let these be changed
@@ -92,6 +95,8 @@ case 'editattachment':
add_post_meta($post_id, '_wp_attachment_metadata', $newmeta);
case 'editpost':
+ check_admin_referer();
+
$post_ID = edit_post();
if ($_POST['save']) {
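Review bot: `case 'editpost':` follows the `add_post_meta(...)` line of the 'editattachment' case with no `break` visible between them, so an editattachment request appears to fall through and run the new `check_admin_referer();` a second time before edit_post(); that is harmless but reads as accidental. If the fall-through is intended, mark it with `// Intentional fall-through: attachment edits are saved via edit_post().` on the line before the case label; if this page dropped blank context lines it may be hiding a `break;`, so confirm against the file. The switch spans beyond this hunk in both directions.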
@@ -107,7 +112,7 @@ case 'editpost':
} elseif ($action == 'editattachment') {
$location = 'attachments.php';
} else {
- $location = 'post.php';
+ $location = 'post-new.php';
}
header ('Location: ' . $location); // Send user on their way while we keep working
diff --git a/wp-inst/wp-admin/user-edit.php b/wp-inst/wp-admin/user-edit.php
index ebb6cfd..5966f1a 100644
--- a/wp-inst/wp-admin/user-edit.php
+++ b/wp-inst/wp-admin/user-edit.php
@@ -38,6 +38,8 @@ break;
case 'update':
+check_admin_referer();
+
$errors = array();
if (!current_user_can('edit_users'))
diff --git a/wp-inst/wp-includes/classes.php b/wp-inst/wp-includes/classes.php
index ba7988a..03d74bb 100644
--- a/wp-inst/wp-includes/classes.php
+++ b/wp-inst/wp-includes/classes.php
@@ -635,7 +635,7 @@ class WP_Query {
$this->posts = $wpdb->get_results($this->request);
// Check post status to determine if post should be displayed.
- if ($this->is_single || $this->is_page) {
+ if ( !empty($this->posts) && ($this->is_single || $this->is_page) ) {
$status = get_post_status($this->posts[0]);
//$type = get_post_type($this->posts[0]);
if ( ('publish' != $status) ) {
@@ -1587,7 +1587,6 @@ class WP {
}
function send_headers() {
- global $current_user;
@header('X-Pingback: '. get_bloginfo('pingback_url'));
if ( is_user_logged_in() )
nocache_headers();
diff --git a/wp-inst/wp-includes/kses.php b/wp-inst/wp-includes/kses.php
index b371c0f..5b34efe 100644
--- a/wp-inst/wp-includes/kses.php
+++ b/wp-inst/wp-includes/kses.php
@@ -44,6 +44,10 @@ if (!CUSTOM_TAGS) {
'value' => array ()),
'caption' => array (
'align' => array ()),
+ 'cite' => array (
+ 'dir' => array(),
+ 'lang' => array(),
+ 'title' => array ()),
'code' => array (),
'col' => array (
'align' => array (),
@@ -767,7 +771,7 @@ function wp_kses_decode_entities($string)
function wp_filter_kses($data) {
global $allowedtags;
- return wp_kses($data, $allowedtags);
+ return addslashes( wp_kses(stripslashes( $data ), $allowedtags) );
}
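Review bot: The new `addslashes( wp_kses(stripslashes( $data ), $allowedtags) )` body changes wp_filter_kses()'s contract: callers must now pass slash-escaped data and get slash-escaped data back, and nothing in the file says so. A docblock above the function along the lines of `Filters slash-escaped (magic-quotes style) input through kses and returns it re-escaped; the hooks registered in kses_init_filters() receive data in that form.` would stop callers from escaping twice. The same convention now applies to wp_filter_post_kses(), wp_filter_nohtml_kses() and wp_filter_post_display_kses() in the following hunks, so one note near the top of the filter group can cover all of them.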
function wp_filter_post_kses($data) {
@@ -775,21 +779,41 @@ function wp_filter_post_kses($data) {
return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) );
}
+function wp_filter_nohtml_kses($data) {
+ return addslashes ( wp_kses(stripslashes( $data ), array()) );
+}
+
function kses_init_filters() {
- add_filter('pre_comment_author', 'wp_filter_kses');
- add_filter('pre_comment_content', 'wp_filter_kses');
- add_filter('content_save_pre', 'wp_filter_post_kses');
- add_filter('title_save_pre', 'wp_filter_kses');
- add_action('admin_notices', 'wp_kses_show_message');
+ // Normal filtering.
+ add_filter('pre_comment_content', 'wp_filter_kses');
+ add_filter('title_save_pre', 'wp_filter_kses');
+
+ // Post filtering
+ add_filter('content_save_pre', 'wp_filter_post_kses');
+ add_filter('pre_comment_author', 'wp_filter_kses');
+ add_action('admin_notices', 'wp_kses_show_message');
}
+
+function kses_remove_filters() {
+ // Normal filtering.
+ remove_filter('pre_comment_content', 'wp_filter_kses');
+ remove_filter('title_save_pre', 'wp_filter_kses');
+
+ // Post filtering
+ remove_filter('content_save_pre', 'wp_filter_post_kses');
+}
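Review bot: kses_remove_filters() is not the inverse of kses_init_filters(): it removes `pre_comment_content`, `title_save_pre` and `content_save_pre`, but leaves the `pre_comment_author` filter and the `admin_notices` action that kses_init_filters() registers. Because kses_init() (later in this diff) now runs the remove path before the init path on every `set_current_user`, anything the remove path misses stays registered whatever the init path later decides; add `remove_filter('pre_comment_author', 'wp_filter_kses');` to kses_remove_filters(). The `// Post filtering` comment also sits above the `pre_comment_author` registration, which uses wp_filter_kses rather than the post filter, so that add_filter() belongs under `// Normal filtering.`. wp_filter_nohtml_kses() is defined here but not hooked anywhere in this diff, which is fine if a caller exists elsewhere.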
+
function wp_filter_post_display_kses($data) {
global $allowedposttags;
- return wp_kses( $data, $allowedposttags);
+ return addslashes( wp_kses(stripslashes( $data ), $allowedtags) );
}
function kses_init() {
+ kses_remove_filters();
- kses_init_filters();
+ kses_init_filters();
}
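Review bot: wp_filter_post_display_kses() declares `global $allowedposttags;` but the new return line passes `$allowedtags`, which is not declared global in this function and is therefore an undefined local (null) at that point; wp_kses() presumably then runs with an empty whitelist, so displayed post content would lose every tag instead of being filtered against the post whitelist. The line should read `return addslashes( wp_kses(stripslashes( $data ), $allowedposttags) );`. Separately, kses_init() is now also hooked to `set_current_user`, so the remove-then-register sequence happens on every user switch; the visible kses_init() re-adds unconditionally, so confirm that the per-user condition this hook is presumably there to serve lives elsewhere.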
+
add_action('init', 'kses_init');
+add_action('set_current_user', 'kses_init');
?>
diff --git a/wp-inst/wp-register.php b/wp-inst/wp-register.php
index e0c6c04..1a4dc78 100644
--- a/wp-inst/wp-register.php
+++ b/wp-inst/wp-register.php
@@ -25,10 +25,13 @@ case 'register':
$errors['user_email'] = __('<strong>ERROR</strong>: Please type your e-mail address.');
} else if (!is_email($user_email)) {
$errors['user_email'] = __('<strong>ERROR</strong>: The email address isn&#8217;t correct.');
+ $user_email = '';
}
- if ( ! validate_username($user_login) )
+ if ( ! validate_username($user_login) ) {
$errors['user_login'] = __('<strong>ERROR</strong>: This username is invalid. Please enter a valid username.');
+ $user_login = '';
+ }
if ( username_exists( $user_login ) )
$errors['user_login'] = __('<strong>ERROR</strong>: This username is already registered, please choose another one.');
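Review bot: After the new `$user_login = '';` inside the validate_username() failure branch, the `username_exists( $user_login )` check on the following context line is still evaluated with an empty login, and its error message would overwrite the more specific one already stored in `$errors['user_login']` if the lookup ever matched. Chaining it as `} elseif ( username_exists( $user_login ) ) {` keeps only the first error and skips a pointless lookup. Clearing the rejected values so the form further down does not re-echo them is a sound defensive choice. The register case continues outside this hunk.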
@@ -65,9 +68,9 @@ case 'register':
<div id="login">
<h2><?php _e('Registration Complete') ?></h2>
- <p><?php printf(__('Username: %s'), "<strong>$user_login</strong>") ?><br />
+ <p><?php printf(__('Username: %s'), "<strong>" . wp_specialchars($user_login) . "</strong>") ?><br />
<?php printf(__('Password: %s'), '<strong>' . __('emailed to you') . '</strong>') ?> <br />
- <?php printf(__('E-mail: %s'), "<strong>$user_email</strong>") ?></p>
+ <?php printf(__('E-mail: %s'), "<strong>" . wp_specialchars($user_email) . "</strong>") ?></p>
<p class="submit"><a href="wp-login.php"><?php _e('Login &raquo;'); ?></a></p>
</div>
</body>
@@ -108,8 +111,8 @@ default:
<?php endif; ?>
<form method="post" action="wp-register.php" id="registerform">
<p><input type="hidden" name="action" value="register" />
- <label for="user_login"><?php _e('Username:') ?></label><br /> <input type="text" name="user_login" id="user_login" size="20" maxlength="20" value="<?php echo $user_login; ?>" /><br /></p>
- <p><label for="user_email"><?php _e('E-mail:') ?></label><br /> <input type="text" name="user_email" id="user_email" size="25" maxlength="100" value="<?php echo $user_email; ?>" /></p>
+ <label for="user_login"><?php _e('Username:') ?></label><br /> <input type="text" name="user_login" id="user_login" size="20" maxlength="20" value="<?php echo wp_specialchars($user_login); ?>" /><br /></p>
+ <p><label for="user_email"><?php _e('E-mail:') ?></label><br /> <input type="text" name="user_email" id="user_email" size="25" maxlength="100" value="<?php echo wp_specialchars($user_email); ?>" /></p>
<p><?php _e('A password will be emailed to you.') ?></p>
<p class="submit"><input type="submit" value="<?php _e('Register &raquo;') ?>" id="submit" name="submit" /></p>
</form>
diff --git a/wp-inst/wp-settings.php b/wp-inst/wp-settings.php
index c908c4d..ea85ae9 100644
--- a/wp-inst/wp-settings.php
+++ b/wp-inst/wp-settings.php
@@ -348,7 +348,6 @@ if ( get_magic_quotes_gpc() ) {
$_GET = stripslashes_deep($_GET );
$_POST = stripslashes_deep($_POST );
$_COOKIE = stripslashes_deep($_COOKIE);
- $_SERVER = stripslashes_deep($_SERVER);
}
// Escape with wpdb.
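Review bot: Dropping `$_SERVER = stripslashes_deep($_SERVER);` from the magic_quotes_gpc block leaves `$_SERVER` as the one superglobal here that is not unslashed, and nothing in the diff says why; a later reader will take it for an omission and put the line back. Whether magic_quotes_gpc slashes `$_SERVER` at all is reportedly not consistent across SAPIs, so record the reason in place, e.g. `// $_SERVER is deliberately left as-is: magic_quotes_gpc does not apply to it consistently — see [upstream change placeholder].` with the actual reference from the merged upstream change. The if-block starts before this hunk.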
diff --git a/wp-inst/wpmu-settings.php.dist b/wp-inst/wpmu-settings.php.dist
index 1dd9c1d..1e2e37e 100644
--- a/wp-inst/wpmu-settings.php.dist
+++ b/wp-inst/wpmu-settings.php.dist
@@ -4,7 +4,7 @@ if( defined( 'ABSPATH' ) == false )
$base="BASE";
-if( isset( $_REQUEST[ 'wpblog' ] ) ) $wpblog = $_REQUEST[ 'wpblog' ];
+if( isset( $_REQUEST[ 'wpblog' ] ) ) $wpblog = addslashes( $_REQUEST[ 'wpblog' ] );
if( isset( $wpblog ) == false )
{