From b764f60728be1d4e026f9d7ae618ab47e23322f8 Mon Sep 17 00:00:00 2001
From: donncha
Date: Thu, 31 Aug 2006 14:55:29 +0000
Subject: WP Merge to rev #4147
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@729 7be80a69-a1ef-0310-a953-fb0f7c49ff36
---
 wp-admin/options.php | 72 ++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 67 insertions(+), 5 deletions(-)
(limited to 'wp-admin/options.php')
diff --git a/wp-admin/options.php b/wp-admin/options.php
index b6a8c50..c521d54 100644
--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -10,6 +10,67 @@ wp_reset_vars(array('action'));
 if ( !current_user_can('manage_options') )
 wp_die(__('Cheatin’ uh?'));
+function sanitize_option($option, $value) {
+
+ switch ($option) {
+ case 'admin_email':
+ $value = sanitize_email($value);
+ break;
+
+ case 'default_post_edit_rows':
+ case 'mailserver_port':
+ case 'comment_max_links':
+ $value = abs((int) $value);
+ break;
+
+ case 'posts_per_page':
+ case 'posts_per_rss':
+ $value = (int) $value;
+ if ( empty($value) ) $value = 1;
+ if ( $value < -1 ) $value = abs($value);
+ break;
+
+ case 'default_ping_status':
+ case 'default_comment_status':
+ // Options that if not there have 0 value but need to be something like "closed"
+ if ( $value == '0' || $value == '')
+ $value = 'closed';
+ break;
+
+ case 'blogdescription':
+ case 'blogname':
+ if (current_user_can('unfiltered_html') == false)
+ $value = wp_filter_post_kses( $value );
+ break;
+
+ case 'blog_charset':
+ $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
+ break;
+
+ case 'date_format':
+ case 'time_format':
+ case 'mailserver_url':
+ case 'mailserver_login':
+ case 'mailserver_pass':
+ case 'ping_sites':
+ case 'upload_path':
+ $value = strip_tags($value);
+ $value = wp_filter_kses($value);
+ break;
+
+ case 'gmt_offset':
+ $value = preg_replace('/[^0-9:.-]/', '', $value);
+ break;
+
+ case 'siteurl':
+ case 'home':
+ $value = clean_url($value);
+ break;
+ }
+
+ return $value;
+}
+
 if( $_GET[ 'adminhash' ] ) {
 $new_admin_details = get_option( 'new_admin_email' );
 if( is_array( $new_admin_details ) && $new_admin_details[ 'hash' ] == $_GET[ 'adminhash' ] && $new_admin_details[ 'newemail' ] != '' ) {
@@ -36,8 +97,8 @@ case 'update':
 }
 // Save for later.
- $old_siteurl = get_settings('siteurl');
- $old_home = get_settings('home');
+ $old_siteurl = get_option('siteurl');
+ $old_home = get_option('home');
 // HACK
 // Options that if not there have 0 value but need to be something like "closed"
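Review bot: `mailserver_pass` (and `mailserver_login`) is grouped with `date_format`…`upload_path` and so runs through `strip_tags()` and `wp_filter_kses()`, which means a mail-server password containing `<` or `>` is silently altered before it is stored — `strip_tags()` removes any `<…>` sequence — and the administrator gets no hint that the saved credential no longer matches the server. A credential is not HTML and should be stored as entered; move `case 'mailserver_pass':` (and arguably `mailserver_login`) out of that group and rely on attribute escaping wherever the settings form echoes the value, which is the only place it reaches HTML. The switch also has no `default:` branch, so any option name outside the listed cases is returned untouched; the function deserves a docblock that says so, e.g. `/** Sanitise a known option value before it is stored. Options not listed here are returned unchanged. */`, so callers do not read a pass through `sanitize_option()` as a guarantee. Finally, `upload_path` gets only HTML filtering here, which does nothing about `..` segments in a filesystem path; whether that matters depends on how upload_path is consumed, which is outside this hunk.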
@@ -46,7 +107,8 @@ case 'update':
 foreach ($options as $option) {
 $option = trim($option);
 $value = trim(stripslashes($_POST[$option]));
- if( in_array($option, $nonbools) && ( $value == '0' || $value == '') )
+ $value = sanitize_option($option, $value);
+ if( in_array($option, $nonbools) && ( $value == '0' || $value == '') )
 $value = 'closed';
 if( $option == 'blogdescription' || $option == 'blogname' )
@@ -93,13 +155,13 @@ This email has been sent to '{$value}'
 if ($any_changed) {
 // If siteurl or home changed, reset cookies.
- if ( get_settings('siteurl') != $old_siteurl || get_settings('home') != $old_home ) {
+ if ( get_option('siteurl') != $old_siteurl || get_option('home') != $old_home ) {
 // If home changed, write rewrite rules to new location.
 $wp_rewrite->flush_rules();
 // Clear cookies for old paths.
 wp_clearcookie();
 // Set cookies for new paths.
- wp_setcookie($user_login, $user_pass_md5, true, get_settings('home'), get_settings('siteurl'));
+ wp_setcookie($user_login, $user_pass_md5, true, get_option('home'), get_option('siteurl'));
 }
 //$message = sprintf(__('%d setting(s) saved... '), $any_changed);
-- cgit
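Review bot: The `in_array($option, $nonbools) && ( $value == '0' || $value == '')` test on the line after the new `sanitize_option()` call is now redundant, assuming `$nonbools` holds just `default_ping_status` and `default_comment_status`: `sanitize_option()` already maps an empty or `'0'` value of those two options to `'closed'`, so the same rule now lives in two places. Drop the `if( in_array(...) )` / `$value = 'closed';` pair here (and the `$nonbools` array that feeds it, defined outside this hunk) so `sanitize_option()` is the single source of truth for that rule. The `$_POST[$option]` read on the line above is unchanged by this commit but still assumes the key was posted; `trim(stripslashes(isset($_POST[$option]) ? $_POST[$option] : ''))` would avoid a notice for an option name that arrives in the option list without a value. The enclosing `foreach`, and the `case 'update'` block it sits in, start and end outside this hunk.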