author | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2006-03-07 16:17:35 +0000 |
---|---|---|
committer | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2006-03-07 16:17:35 +0000 |
commit | 359ec6f7109409ea4398b0b30f09a78ef2dac6e8 (patch) | |
tree | 2e53e6512aac3099f6c2ff36f6a5a3e4b7ab846c /wp-inst | |
parent | a9ec45378b36673d89684ff2f99ce7856f88a10f (diff) | |
WP Merge
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@538 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-inst')
-rw-r--r-- | wp-inst/wp-admin/admin-functions.php | 19 | ||||
-rw-r--r-- | wp-inst/wp-admin/admin.php | 2 | ||||
-rw-r--r-- | wp-inst/wp-admin/moderation.php | 2 | ||||
-rw-r--r-- | wp-inst/wp-admin/post-new.php | 6 | ||||
-rw-r--r-- | wp-inst/wp-admin/post.php | 9 | ||||
-rw-r--r-- | wp-inst/wp-admin/user-edit.php | 2 | ||||
-rw-r--r-- | wp-inst/wp-includes/classes.php | 3 | ||||
-rw-r--r-- | wp-inst/wp-includes/kses.php | 40 | ||||
-rw-r--r-- | wp-inst/wp-register.php | 13 | ||||
-rw-r--r-- | wp-inst/wp-settings.php | 1 | ||||
-rw-r--r-- | wp-inst/wpmu-settings.php.dist | 2 |
11 files changed, 69 insertions, 30 deletions
diff --git a/wp-inst/wp-admin/admin-functions.php b/wp-inst/wp-admin/admin-functions.php index aabf77e..b33f94e 100644 --- a/wp-inst/wp-admin/admin-functions.php +++ b/wp-inst/wp-admin/admin-functions.php @@ -105,12 +105,12 @@ function relocate_children($old_ID, $new_ID) { function fix_attachment_links($post_ID) { global $wp_rewrite; - $post = & get_post($post_ID); + $post = & get_post($post_ID, ARRAY_A); $search = "#<a[^>]+rel=('|\")[^'\"]*attachment[^>]*>#ie"; // See if we have any rel="attachment" links - if ( 0 == preg_match_all($search, $post->post_content, $anchor_matches, PREG_PATTERN_ORDER) ) + if ( 0 == preg_match_all($search, $post['post_content'], $anchor_matches, PREG_PATTERN_ORDER) ) return; $i = 0; @@ -122,9 +122,11 @@ function fix_attachment_links($post_ID) { $id = $id_matches[2]; // While we have the attachment ID, let's adopt any orphans. - $attachment = & get_post($id); - if ( ! is_object(get_post($attachment->post_parent)) ) { - $attachment->post_parent = $post_ID; + $attachment = & get_post($id, ARRAY_A); + if ( ! empty($attachment) && ! is_object(get_post($attachment['post_parent'])) ) { + $attachment['post_parent'] = $post_ID; + // Escape data pulled from DB. + $attachment = add_magic_quotes($attachment); wp_update_post($attachment); } @@ -133,7 +135,10 @@ function fix_attachment_links($post_ID) { ++$i; } - $post->post_content = str_replace($post_search, $post_replace, $post->post_content); + $post['post_content'] = str_replace($post_search, $post_replace, $post['post_content']); + + // Escape data pulled from DB. + $post = add_magic_quotes($post); return wp_update_post($post); } @@ -491,6 +496,8 @@ function get_default_link_to_edit() { else $link->link_name = ''; + $link->link_visible = 'Y'; + return $link; } diff --git a/wp-inst/wp-admin/admin.php b/wp-inst/wp-admin/admin.php index 37894ca..4cedbbe 100644 --- a/wp-inst/wp-admin/admin.php +++ b/wp-inst/wp-admin/admin.php 
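Review bot: `$post = & get_post($post_ID, ARRAY_A)` in fix_attachment_links is dereferenced as `$post['post_content']` with no check that get_post() actually returned a row, while the next hunk of the same file guards `$attachment` with `! empty($attachment)`. For a stale or bogus `$post_ID` this reads an index of null and, at the end of the function, pushes an empty array through wp_update_post(); guard it the same way with `if ( empty($post) ) return;` directly after the get_post() call. The function body continues outside the hunk.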
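Review bot: The orphan-adoption test `! is_object(get_post($attachment['post_parent']))` depends on get_post() returning a non-object for a parent of 0, which is not guaranteed if get_post() falls back to the global `$post` when handed an empty ID (some WordPress revisions do); in that case unattached attachments would never be adopted. Making the intent explicit removes the dependency on that helper: `$parent = (int) $attachment['post_parent']; if ( 0 == $parent || ! is_object(get_post($parent)) ) {`. `$id` is also lifted straight out of a regex over post content, so casting it with `(int)` before `get_post($id, ARRAY_A)` keeps a malformed rel attribute from reaching the query layer uncast. The loop this sits in starts before the hunk.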
@@ -61,7 +61,7 @@ if (isset($_GET['page'])) { } if (! file_exists(ABSPATH . "wp-content/plugins/$plugin_page") && ! file_exists(ABSPATH . "wp-content/mu-plugins/$plugin_page")) - die(sprintf(__('Cannot load %s.'), $plugin_page)); + die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page))); if (! isset($_GET['noheader'])) require_once(ABSPATH . '/wp-admin/admin-header.php'); diff --git a/wp-inst/wp-admin/moderation.php b/wp-inst/wp-admin/moderation.php index 9166536..c684f6e 100644 --- a/wp-inst/wp-admin/moderation.php +++ b/wp-inst/wp-admin/moderation.php @@ -145,7 +145,7 @@ $i = 0; <p><strong><?php _e('Name:') ?></strong> <?php comment_author_link() ?> <?php if ($comment->comment_author_email) { ?>| <strong><?php _e('E-mail:') ?></strong> <?php comment_author_email_link() ?> <?php } if ($comment->comment_author_url && 'http://' != $comment->comment_author_url) { ?> | <strong><?php _e('URI:') ?></strong> <?php comment_author_url_link() ?> <?php } ?>| <strong><?php _e('IP:') ?></strong> <a href="http://ws.arin.net/cgi-bin/whois.pl?queryinput=<?php comment_author_IP() ?>"><?php comment_author_IP() ?></a> | <strong><?php _e('Date:') ?></strong> <?php comment_date(); ?></p> <?php comment_text() ?> <p><?php -echo '<a href="post.php?action=editcomment&comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';?> +echo '<a href="comment.php?action=editcomment&comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';?> <a href="<?php echo get_permalink($comment->comment_post_ID); ?>"><?php _e('View Post') ?></a> | <?php echo " <a href=\"post.php?action=deletecomment&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete just this comment') . "</a> | "; ?> <?php _e('Bulk action:') ?> 
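Review bot: `htmlentities($plugin_page)` in admin.php's die() escapes the user-supplied `$_GET['page']`, but htmlentities() without a charset argument assumes ISO-8859-1 and mangles multibyte UTF-8 in the echoed value; the rest of this commit (wp-register.php) uses wp_specialchars() for the same job, so `die(sprintf(__('Cannot load %s.'), wp_specialchars($plugin_page)));` is both safer and consistent. Separately, the two file_exists() checks on the line above do nothing to stop a `../` in `$plugin_page` from passing; whether the value was normalised (e.g. with plugin_basename()) earlier in admin.php is outside the hunk, so confirm that before this string reaches any include.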
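Review bot: The "Delete just this comment" link on the same line as the retargeted Edit link still performs a destructive action through a plain GET to `post.php?action=deletecomment&p=...&comment=...` with no nonce or token in the URL. This commit adds check_admin_referer() to post.php's post/editpost/editattachment cases, but the deletecomment case is not in view; unless it is guarded there as well, a cross-site request carrying that URL deletes the comment for any logged-in moderator. Minor: the raw `&` in `comment.php?action=editcomment&comment=` inside an href should be `&amp;` for valid markup. The enclosing loop starts before this hunk.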
diff --git a/wp-inst/wp-admin/post-new.php b/wp-inst/wp-admin/post-new.php
index b0dc1b6..76713cd 100644
--- a/wp-inst/wp-admin/post-new.php
+++ b/wp-inst/wp-admin/post-new.php
@@ -58,11 +58,11 @@ include('edit-form-advanced.php'); <?php if ($is_NS4 || $is_gecko) { ?> -<a href="javascript:if(navigator.userAgent.indexOf('Safari') >= 0){Q=getSelection();}else{Q=document.selection?document.selection.createRange().text:document.getSelection();}location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post.php?text='+encodeURIComponent(Q)+'&popupurl='+encodeURIComponent(location.href)+'&popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press It - %s'), wp_specialchars(get_settings('blogname'))); ?></a> +<a href="javascript:if(navigator.userAgent.indexOf('Safari') >= 0){Q=getSelection();}else{Q=document.selection?document.selection.createRange().text:document.getSelection();}location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post-new.php?text='+encodeURIComponent(Q)+'&popupurl='+encodeURIComponent(location.href)+'&popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press It - %s'), wp_specialchars(get_settings('blogname'))); ?></a> <?php } else if ($is_winIE) { ?> -<a href="javascript:Q='';if(top.frames.length==0)Q=document.selection.createRange().text;location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post.php?text='+encodeURIComponent(Q)+'&popupurl='+encodeURIComponent(location.href)+'&popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a> +<a href="javascript:Q='';if(top.frames.length==0)Q=document.selection.createRange().text;location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post-new.php?text='+encodeURIComponent(Q)+'&popupurl='+encodeURIComponent(location.href)+'&popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a> <script type="text/javascript"> <!-- function oneclickbookmarklet(blah) { 
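Review bot: The rewritten winIE anchor still prints `get_settings('blogname')` into the link text unescaped, while the gecko anchor two lines above wraps the same value in wp_specialchars(); retargeting both to post-new.php was the moment to make them match, `printf(__('Press it - %s'), wp_specialchars(get_settings('blogname')))`. Blogname is admin-set, so this is a consistency issue rather than an open hole, but a `<` or `&` in the name breaks this markup. In both branches `get_settings('siteurl')` is echoed directly into a javascript: URL inside an href with no escaping for either the attribute or the JS-string context; same caveat applies. The if/else chain continues in the next hunk.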
@@ -77,7 +77,7 @@ window.open ("profile.php?action=IErightclick", "oneclickbookmarklet", "width=50 <?php } else if ($is_opera) { ?> -<a href="javascript:location.href='<?php echo get_settings('siteurl'); ?>/wp-admin/post.php?popupurl='+escape(location.href)+'&popuptitle='+escape(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a> +<a href="javascript:location.href='<?php echo get_settings('siteurl'); ?>/wp-admin/post-new.php?popupurl='+escape(location.href)+'&popuptitle='+escape(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a> <?php } else if ($is_macIE) { ?> diff --git a/wp-inst/wp-admin/post.php b/wp-inst/wp-admin/post.php index 9139584..0ea17be 100644 --- a/wp-inst/wp-admin/post.php +++ b/wp-inst/wp-admin/post.php @@ -23,7 +23,8 @@ $action = "delete"; switch($action) { case 'post': - + check_admin_referer(); + $post_ID = write_post(); // Redirect. @@ -76,6 +77,8 @@ case 'edit': break; case 'editattachment': + check_admin_referer(); + $post_id = (int) $_POST['post_ID']; // Don't let these be changed @@ -92,6 +95,8 @@ case 'editattachment': add_post_meta($post_id, '_wp_attachment_metadata', $newmeta); case 'editpost': + check_admin_referer(); + $post_ID = edit_post(); if ($_POST['save']) { @@ -107,7 +112,7 @@ case 'editpost': } elseif ($action == 'editattachment') { $location = 'attachments.php'; } else { - $location = 'post.php'; + $location = 'post-new.php'; } header ('Location: ' . $location); // Send user on their way while we keep working diff --git a/wp-inst/wp-admin/user-edit.php b/wp-inst/wp-admin/user-edit.php index ebb6cfd..5966f1a 100644 --- a/wp-inst/wp-admin/user-edit.php +++ b/wp-inst/wp-admin/user-edit.php @@ -38,6 +38,8 @@ break; case 'update': +check_admin_referer(); + $errors = array(); if (!current_user_can('edit_users')) diff --git a/wp-inst/wp-includes/classes.php b/wp-inst/wp-includes/classes.php index ba7988a..03d74bb 100644 --- a/wp-inst/wp-includes/classes.php 
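Review bot: The check_admin_referer() added at the top of the 'post' case is a CSRF guard, not an authorization check: it says nothing about whether the current user may create a post, so write_post() (outside the hunk) must still perform its own current_user_can() test — worth confirming. If check_admin_referer() at this revision validates only the HTTP Referer header rather than a per-user nonce, note that a substring match on the admin URL is satisfied by an attacker page whose own URL embeds it, and clients that strip Referer are either locked out or let through depending on how a missing header is handled; a nonce tied to the action and user is the stronger form. The case body continues past the hunk.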
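Review bot: After the new check_admin_referer(), the editattachment case reads `$post_id = (int) $_POST['post_ID']` and goes on to add_post_meta() against it with no visible current_user_can('edit_post', $post_id) check; the referer check only proves the request originated from the admin UI, so any logged-in user who can reach post.php could rewrite another user's attachment metadata unless a capability check happens outside this hunk. Adding `if ( ! current_user_can('edit_post', $post_id) ) die(__('You are not allowed to edit this attachment.'));` right after the cast closes that regardless of what the surrounding code does. The `(int)` cast is good and should stay ahead of every use of the value. The case body continues past the hunk and, per the following hunk, falls through into 'editpost'.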
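Review bot: Because editattachment falls through into `case 'editpost':` (no break between add_post_meta() and the new label), check_admin_referer() now runs twice for attachment edits; harmless today, but it will break the moment the check gains a side effect such as a consumed one-time nonce. Either add a `// falls through to editpost` comment above the label so the double call reads as intentional, or hoist the referer check above the switch so every mutating action gets it exactly once.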
+++ b/wp-inst/wp-includes/classes.php @@ -635,7 +635,7 @@ class WP_Query { $this->posts = $wpdb->get_results($this->request); // Check post status to determine if post should be displayed. - if ($this->is_single || $this->is_page) { + if ( !empty($this->posts) && ($this->is_single || $this->is_page) ) { $status = get_post_status($this->posts[0]); //$type = get_post_type($this->posts[0]); if ( ('publish' != $status) ) { @@ -1587,7 +1587,6 @@ class WP { } function send_headers() { - global $current_user; @header('X-Pingback: '. get_bloginfo('pingback_url')); if ( is_user_logged_in() ) nocache_headers(); diff --git a/wp-inst/wp-includes/kses.php b/wp-inst/wp-includes/kses.php index b371c0f..5b34efe 100644 --- a/wp-inst/wp-includes/kses.php +++ b/wp-inst/wp-includes/kses.php @@ -44,6 +44,10 @@ if (!CUSTOM_TAGS) { 'value' => array ()), 'caption' => array ( 'align' => array ()), + 'cite' => array ( + 'dir' => array(), + 'lang' => array(), + 'title' => array ()), 'code' => array (), 'col' => array ( 'align' => array (), @@ -767,7 +771,7 @@ function wp_kses_decode_entities($string) function wp_filter_kses($data) { global $allowedtags; - return wp_kses($data, $allowedtags); + return addslashes( wp_kses(stripslashes( $data ), $allowedtags) ); } function wp_filter_post_kses($data) { 
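Review bot: wp_filter_kses() now assumes its input is slash-escaped (stripslashes() in, addslashes() out), matching wp_filter_post_kses() below it; that is right for the pre_comment_*/title_save_pre hooks it is registered on in this commit, but it is a public filter callback and any caller that hands it unslashed text will now have legitimate backslashes eaten. A one-line comment on the function stating the contract would prevent that misuse: `// Expects and returns slash-escaped (addslashes) data: unslash, run kses, re-escape.`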
@@ -775,21 +779,41 @@ function wp_filter_post_kses($data) { return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) ); } +function wp_filter_nohtml_kses($data) { + return addslashes ( wp_kses(stripslashes( $data ), array()) ); +} + function kses_init_filters() { - add_filter('pre_comment_author', 'wp_filter_kses'); - add_filter('pre_comment_content', 'wp_filter_kses'); - add_filter('content_save_pre', 'wp_filter_post_kses'); - add_filter('title_save_pre', 'wp_filter_kses'); - add_action('admin_notices', 'wp_kses_show_message'); + // Normal filtering. + add_filter('pre_comment_content', 'wp_filter_kses'); + add_filter('title_save_pre', 'wp_filter_kses'); + + // Post filtering + add_filter('content_save_pre', 'wp_filter_post_kses'); + add_filter('pre_comment_author', 'wp_filter_kses'); + add_action('admin_notices', 'wp_kses_show_message'); } + +function kses_remove_filters() { + // Normal filtering. + remove_filter('pre_comment_content', 'wp_filter_kses'); + remove_filter('title_save_pre', 'wp_filter_kses'); + + // Post filtering + remove_filter('content_save_pre', 'wp_filter_post_kses'); +} + function wp_filter_post_display_kses($data) { global $allowedposttags; - return wp_kses( $data, $allowedposttags); + return addslashes( wp_kses(stripslashes( $data ), $allowedtags) ); } function kses_init() { + kses_remove_filters(); - kses_init_filters(); + kses_init_filters(); } + add_action('init', 'kses_init'); +add_action('set_current_user', 'kses_init'); ?> diff --git a/wp-inst/wp-register.php b/wp-inst/wp-register.php index e0c6c04..1a4dc78 100644 --- a/wp-inst/wp-register.php +++ b/wp-inst/wp-register.php 
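Review bot: `wp_filter_post_display_kses()` now passes `$allowedtags` to wp_kses(), but the function only declares `global $allowedposttags;`, so inside its scope `$allowedtags` is an undefined (null) variable and every element fails the allowed-tag lookup — this filter now strips all HTML instead of applying the post tag list. Either restore `$allowedposttags` or add `global $allowedtags;` if the narrower list is what is intended. The added stripslashes()/addslashes() pair also looks wrong for a function whose name says display: if it runs on output rather than on data headed for the database, addslashes() will put literal backslashes into rendered content. Minor: the `// Post filtering` group in kses_init_filters() now holds `pre_comment_author`, which is comment filtering, and kses_init() appears to re-add the filters unconditionally on every set_current_user, so kses_remove_filters() buys nothing unless a capability test sits between the two calls.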
@@ -25,10 +25,13 @@ case 'register': $errors['user_email'] = __('<strong>ERROR</strong>: Please type your e-mail address.'); } else if (!is_email($user_email)) { $errors['user_email'] = __('<strong>ERROR</strong>: The email address isn’t correct.'); + $user_email = ''; } - if ( ! validate_username($user_login) ) + if ( ! validate_username($user_login) ) { $errors['user_login'] = __('<strong>ERROR</strong>: This username is invalid. Please enter a valid username.'); + $user_login = ''; + } if ( username_exists( $user_login ) ) $errors['user_login'] = __('<strong>ERROR</strong>: This username is already registered, please choose another one.'); @@ -65,9 +68,9 @@ case 'register': <div id="login"> <h2><?php _e('Registration Complete') ?></h2> - <p><?php printf(__('Username: %s'), "<strong>$user_login</strong>") ?><br /> + <p><?php printf(__('Username: %s'), "<strong>" . wp_specialchars($user_login) . "</strong>") ?><br /> <?php printf(__('Password: %s'), '<strong>' . __('emailed to you') . '</strong>') ?> <br /> - <?php printf(__('E-mail: %s'), "<strong>$user_email</strong>") ?></p> + <?php printf(__('E-mail: %s'), "<strong>" . wp_specialchars($user_email) . "</strong>") ?></p> <p class="submit"><a href="wp-login.php"><?php _e('Login »'); ?></a></p> </div> </body> 
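Review bot: After `$user_login = ''` is set for an invalid username, the following `if ( username_exists( $user_login ) )` still runs against the empty string, which costs a query if username_exists() hits the database and could overwrite the "invalid" error with "already registered" should that helper ever treat '' as a match. Guard it: `if ( $user_login && username_exists( $user_login ) )`. Blanking `$user_email` and `$user_login` on failure is the right call since both are echoed back into the form later in the file, but it complements rather than replaces the output escaping added in the later hunks. The case body continues beyond the hunk.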
@@ -108,8 +111,8 @@ default: <?php endif; ?> <form method="post" action="wp-register.php" id="registerform"> <p><input type="hidden" name="action" value="register" /> - <label for="user_login"><?php _e('Username:') ?></label><br /> <input type="text" name="user_login" id="user_login" size="20" maxlength="20" value="<?php echo $user_login; ?>" /><br /></p> - <p><label for="user_email"><?php _e('E-mail:') ?></label><br /> <input type="text" name="user_email" id="user_email" size="25" maxlength="100" value="<?php echo $user_email; ?>" /></p> + <label for="user_login"><?php _e('Username:') ?></label><br /> <input type="text" name="user_login" id="user_login" size="20" maxlength="20" value="<?php echo wp_specialchars($user_login); ?>" /><br /></p> + <p><label for="user_email"><?php _e('E-mail:') ?></label><br /> <input type="text" name="user_email" id="user_email" size="25" maxlength="100" value="<?php echo wp_specialchars($user_email); ?>" /></p> <p><?php _e('A password will be emailed to you.') ?></p> <p class="submit"><input type="submit" value="<?php _e('Register »') ?>" id="submit" name="submit" /></p> </form> diff --git a/wp-inst/wp-settings.php b/wp-inst/wp-settings.php index c908c4d..ea85ae9 100644 --- a/wp-inst/wp-settings.php +++ b/wp-inst/wp-settings.php @@ -348,7 +348,6 @@ if ( get_magic_quotes_gpc() ) { $_GET = stripslashes_deep($_GET ); $_POST = stripslashes_deep($_POST ); $_COOKIE = stripslashes_deep($_COOKIE); - $_SERVER = stripslashes_deep($_SERVER); } // Escape with wpdb. diff --git a/wp-inst/wpmu-settings.php.dist b/wp-inst/wpmu-settings.php.dist index 1dd9c1d..1e2e37e 100644 --- a/wp-inst/wpmu-settings.php.dist +++ b/wp-inst/wpmu-settings.php.dist @@ -4,7 +4,7 @@ if( defined( 'ABSPATH' ) == false ) $base="BASE"; -if( isset( $_REQUEST[ 'wpblog' ] ) ) $wpblog = $_REQUEST[ 'wpblog' ]; +if( isset( $_REQUEST[ 'wpblog' ] ) ) $wpblog = addslashes( $_REQUEST[ 'wpblog' ] ); if( isset( $wpblog ) == false ) { |
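Review bot: The magic_quotes_gpc block still unslashes only `$_GET`, `$_POST` and `$_COOKIE`; `$_REQUEST` is left untouched, so any code that reads it directly — as this same commit's wpmu-settings.php.dist does with `addslashes( $_REQUEST['wpblog'] )` — sees the already-slashed value and double-escapes it when magic quotes are on, which would make a blog slug containing a quote never match. Adding `$_REQUEST = stripslashes_deep($_REQUEST);` here keeps the superglobals consistent, but only helps callers that run after this block; the load order of wpmu-settings relative to wp-settings.php is not visible here, so confirm it, and prefer reading `$_GET`/`$_POST` over `$_REQUEST` in new code. Dropping the `$_SERVER` line is correct, since magic_quotes_gpc is documented to affect only GET, POST and COOKIE data.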