Changeset 5541

Timestamp:

05/25/07 02:22:30 (1 year ago)

Author:

ryan

Message:

Make sure sanitize_option() is always called when updating options.

Files:

• trunk/wp-admin/options.php (modified) (2 diffs)
• trunk/wp-includes/formatting.php (modified) (1 diff)
• trunk/wp-includes/functions.php (modified) (1 diff)

trunk/wp-admin/options.php

@@ -10 +10 @@
-if ( !current_user_can('manage_options') )
-    wp_die(__('Cheatin’ uh?'));
-
-function sanitize_option($option, $value) { // Remember to call stripslashes!
-
-    switch ($option) {
-        case 'admin_email':
-            $value = stripslashes($value);
-            $value = sanitize_email($value);
-            break;
-
-        case 'default_post_edit_rows':
-        case 'mailserver_port':
-        case 'comment_max_links':
-            $value = stripslashes($value);
-            $value = abs((int) $value);
-            break;
-
-        case 'posts_per_page':
-        case 'posts_per_rss':
-            $value = stripslashes($value);
-            $value = (int) $value;
-            if ( empty($value) ) $value = 1;
-            if ( $value < -1 ) $value = abs($value);
-            break;
-
-        case 'default_ping_status':
-        case 'default_comment_status':
-            $value = stripslashes($value);
-            // Options that if not there have 0 value but need to be something like "closed"
-            if ( $value == '0' || $value == '')
-                $value = 'closed';
-            break;
-
-        case 'blogdescription':
-        case 'blogname':
-            if (current_user_can('unfiltered_html') == false)
-                $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
-            $value = stripslashes($value);
-            break;
-
-        case 'blog_charset':
-            $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
-            break;
-
-        case 'date_format':
-        case 'time_format':
-        case 'mailserver_url':
-        case 'mailserver_login':
-        case 'mailserver_pass':
-        case 'ping_sites':
-        case 'upload_path':
-            $value = strip_tags($value);
-            $value = wp_filter_kses($value); // calls stripslashes then addslashes
-            $value = stripslashes($value);
-            break;
-
-        case 'gmt_offset':
-            $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
-            break;
-
-        case 'siteurl':
-        case 'home':
-            $value = stripslashes($value);
-            $value = clean_url($value);
-            break;
-        default :
-            $value = stripslashes($value);
-            break;
-    }
-
-    return $value;
-}
-
-switch($action) {
@@ -102 +31 @@
-            $option = trim($option);
-            $value = trim($_POST[$option]);
-anitize_option($option, $value); // This does stripslashes on those that need it
+tripslashes($value);
-            update_option($option, $value);
-        }

trunk/wp-includes/formatting.php

@@ -1119 +1119 @@
-}
-
+function sanitize_option($option, $value) { // Remember to call stripslashes!
+
+    switch ($option) {
+        case 'admin_email':
+            $value = sanitize_email($value);
+            break;
+
+        case 'default_post_edit_rows':
+        case 'mailserver_port':
+        case 'comment_max_links':
+            $value = abs((int) $value);
+            break;
+
+        case 'posts_per_page':
+        case 'posts_per_rss':
+            $value = (int) $value;
+            if ( empty($value) ) $value = 1;
+            if ( $value < -1 ) $value = abs($value);
+            break;
+
+        case 'default_ping_status':
+        case 'default_comment_status':
+            // Options that if not there have 0 value but need to be something like "closed"
+            if ( $value == '0' || $value == '')
+                $value = 'closed';
+            break;
+
+        case 'blogdescription':
+        case 'blogname':
+            $value = addslashes($value);
+            $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
+            $value = stripslashes($value);
+            $value = wp_specialchars( $value );
+            break;
+
+        case 'blog_charset':
+            $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
+            break;
+
+        case 'date_format':
+        case 'time_format':
+        case 'mailserver_url':
+        case 'mailserver_login':
+        case 'mailserver_pass':
+        case 'ping_sites':
+        case 'upload_path':
+            $value = strip_tags($value);
+            $value = addslashes($value);
+            $value = wp_filter_kses($value); // calls stripslashes then addslashes
+            $value = stripslashes($value);
+            break;
+
+        case 'gmt_offset':
+            $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
+            break;
+
+        case 'siteurl':
+        case 'home':
+            $value = stripslashes($value);
+            $value = clean_url($value);
+            break;
+        default :
+            break;
+    }
+
+    return $value;
+}
+
-?>

trunk/wp-includes/functions.php

@@ -315 +315 @@
-
-    wp_protect_special_option($option_name);
+
+    $newvalue = sanitize_option($option_name, $newvalue);
-
-    if ( is_string($newvalue) )