authordonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-01-05 10:50:39 +0000
committerdonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-01-05 10:50:39 +0000
commit11571c1befd735bd1d69caea2b093164215b4fee (patch)
tree39838b47fd31c93fefcf79e9db725c917ac0c51b /wp-trackback.php
parent861bd9122e6d9ee710df2b6fc0a1222a8a8965cf (diff)
WP merge to 4681
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@831 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-trackback.php')
-rw-r--r--wp-trackback.php17
1 files changed, 12 insertions, 5 deletions
diff --git a/wp-trackback.php b/wp-trackback.php
index 0d1813a..7322862 100644
--- a/wp-trackback.php
+++ b/wp-trackback.php
@@ -30,11 +30,13 @@ if ( !$_GET['tb_id'] ) {
$tb_id = intval( $tb_id[ count($tb_id) - 1 ] );
}
-$tb_url = $_POST['url'];
-$title = $_POST['title'];
-$excerpt = $_POST['excerpt'];
-$blog_name = $_POST['blog_name'];
-$charset = $_POST['charset'];
+$tb_url = $_POST['url'];
+$charset = $_POST['charset'];
+
+// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
+$title = stripslashes($_POST['title']);
+$excerpt = stripslashes($_POST['excerpt']);
+$blog_name = stripslashes($_POST['blog_name']);
if ($charset)
$charset = strtoupper( trim($charset) );
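Review bot: `$charset` is read straight from `$_POST['charset']` at the top of this hunk, only trimmed and upper-cased at the bottom, and the second hunk then passes it verbatim as the source encoding to `mb_convert_encoding()`; a value the mbstring extension does not recognise raises a PHP warning there and, as far as I can tell, yields something other than the original string, which is what then reaches `$wpdb->escape()` and the comment insert. Validating it against the encodings the extension actually supports would close that, e.g. after the strtoupper line `if ( $charset && function_exists('mb_list_encodings') && !in_array( strtolower($charset), array_map('strtolower', mb_list_encodings()) ) ) $charset = '';` so an unknown charset falls back to the no-conversion path. Separately, the three new `stripslashes()` calls assume `title`, `excerpt` and `blog_name` are always posted; a trackback that omits one triggers an undefined-index notice, which `stripslashes( isset($_POST['title']) ? $_POST['title'] : '' )` style guards avoid. The comment on the first of them also documents an ordering contract with the escape calls in the second hunk — between this hunk and that one the three values are unescaped — so it is worth saying so explicitly: `// NOTE: $title/$excerpt/$blog_name are unescaped from here until the $wpdb->escape() calls below; do not use them in SQL before that point`. The enclosing script continues outside the hunk.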
@@ -47,6 +49,11 @@ if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
$blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
}
+// Now that mb_convert_encoding() has been given a swing, we need to escape these three
+$title = $wpdb->escape($title);
+$excerpt = $wpdb->escape($excerpt);
+$blog_name = $wpdb->escape($blog_name);
+
if ( is_single() || is_page() )
$tb_id = $posts[0]->ID;