Changeset 3577

Timestamp:
02/28/06 09:49:06 (3 years ago)
Author:
ryan
Message:

More comment cookie sanitation.

Files:

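--- a/trunk/wp-comments-post.php
+++ b/trunk/wp-comments-post.php
@@ -55,5 +55,5 @@
     setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
     setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->$comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
 endif;
 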
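Review bot: The expiry offset `time() + 30000000` is repeated verbatim on all three `setcookie()` calls (lines 55 to 57); hoisting it into one local, `$cookie_expiry = time() + 30000000;`, keeps the three cookies expiring together and gives the magic number a name. The name and email cookies on lines 55 and 56 are written straight from `$comment`, so whether those fields have already passed through the `pre_comment_author_*` filters cannot be seen in this hunk; a short comment above the three calls stating that assumption would help the next reader. The `if`/`endif` block these lines sit in begins outside the hunk.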
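--- a/trunk/wp-includes/comment-functions.php
+++ b/trunk/wp-includes/comment-functions.php
@@ -8,7 +8,23 @@
     if ( is_single() || is_page() || $withcomments ) :
         $req = get_settings('require_name_email');
-        $comment_author = isset($_COOKIE['comment_author_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_'.COOKIEHASH])) : '';
-        $comment_author_email = isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_email_'.COOKIEHASH])) : '';
-        $comment_author_url = isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_url_'.COOKIEHASH])) : '';
+        $comment_author = '';
+        if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
+            $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
+            $comment_author = stripslashes($comment_author);
+            $comment_author = wp_specialchars($comment_author, true);
+        }
+        $comment_author_email = '';
+        if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
+            $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
+            $comment_author_email = stripslashes($comment_author_email);
+            $comment_author_email = wp_specialchars($comment_author_email, true);
+        }
+        $comment_author_url = '';
+        if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
+            $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
+            $comment_author_url = stripslashes($comment_author_url);
+            $comment_author_url = wp_specialchars($comment_author_url, true);
+        }
+
     if ( empty($comment_author) ) {
         $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");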
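Review bot: The `trim()` from the replaced lines is gone on the new side: the three cookie values are filtered, stripslashed and escaped on lines 12 to 14, 18 to 20 and 24 to 26 but never trimmed, so a whitespace-only `comment_author_` cookie no longer reads as empty for the `if ( empty($comment_author) )` check on line 29. If that was not intended, `$comment_author = trim(stripslashes($comment_author));` (and likewise for email and url) restores it. The three blocks are identical apart from the cookie name and hook name, so a small helper taking those two strings would remove the triplication. Sanitation of these cookies now depends on what is hooked to `pre_comment_author_*`; this changeset shows `wp_filter_kses` for the name and `clean_url` for the url while the kses.php section drops the `wp_filter_nohtml_kses` hooks, so it is worth confirming that every hook meant to strip markup from these values is still registered. The enclosing function starts before line 8, outside the hunk.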
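--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -25,8 +25,6 @@
 add_filter('pre_comment_author_url', 'clean_url');
 
-add_filter('pre_comment_content', 'stripslashes', 1);
 add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
 add_filter('pre_comment_content', 'balanceTags', 30);
-add_filter('pre_comment_content', 'addslashes', 50);
 
 add_filter('pre_comment_author_name', 'wp_filter_kses');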
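Review bot: With `stripslashes` removed from priority 1 on `pre_comment_content`, every remaining hook on that filter now receives the still-escaped text; `wp_rel_nofollow` is updated in this changeset to unescape and re-escape itself, but `balanceTags` on line 28 is not, so its tag matching runs over backslash-escaped quotes. If `balanceTags` is not slash-safe, either wrap it with a stripslashes/addslashes pair or give it the same treatment as `wp_rel_nofollow`. A one-line comment above line 27, e.g. `// pre_comment_content hooks receive DB-escaped text and must return it escaped.`, would record the contract this removal creates for future hooks.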
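--- a/trunk/wp-includes/functions-formatting.php
+++ b/trunk/wp-includes/functions-formatting.php
@@ -580,5 +580,9 @@
 
 function wp_rel_nofollow( $text ) {
+    global $wpdb;
+    // This is a pre save filter, so text is already escaped.
+    $text = stripslashes($text);
     $text = preg_replace('|<a (.+?)>|i', '<a $1 rel="nofollow">', $text);
+    $text = $wpdb->escape($text);
     return $text;
 }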
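Review bot: `wp_rel_nofollow` now only behaves correctly when handed DB-escaped text, since it strips slashes on line 584 and re-escapes through `$wpdb->escape` on line 586; called on plain text from any other hook it would add escaping the caller does not expect, and the inline comment on line 583 does not make that restriction explicit. A docblock on the function stating that it is a pre-save filter which takes and returns slashed text, and that it depends on the global `$wpdb` for the escape, would make the contract visible to other callers. The regex on line 585 appends `rel="nofollow"` after whatever attributes the anchor already has, so an anchor that already carries a `rel` attribute ends up with two; that is pre-existing behaviour, but the docblock is the place to note it.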
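--- a/trunk/wp-includes/kses.php
+++ b/trunk/wp-includes/kses.php
@@ -532,12 +532,4 @@
     // Post filtering
     add_filter('content_save_pre', 'wp_filter_post_kses');
-
-    // Strip all html.
-    add_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
-    add_filter('pre_user_id', 'wp_filter_nohtml_kses');
 }
 
@@ -549,12 +541,4 @@
     // Post filtering
     remove_filter('content_save_pre', 'wp_filter_post_kses');
-
-    // Strip all html.
-    remove_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
-    remove_filter('pre_user_id', 'wp_filter_nohtml_kses');
 }
 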