Changeset 5652

Timestamp:

06/05/07 00:57:23 (1 year ago)

Author:

ryan

Message:

Term sanitization. see #4189

Files:

• trunk/wp-includes/default-filters.php (modified) (2 diffs)
• trunk/wp-includes/taxonomy.php (modified) (8 diffs)

trunk/wp-includes/default-filters.php

@@ -3 +3 @@
-// Some default filters
-add_filter('bloginfo','wp_specialchars');
+add_filter('term_description', 'wptexturize');
-add_filter('category_description', 'wptexturize');
-add_filter('list_cats', 'wptexturize');
@@ -52 +53 @@
-
-add_filter('comment_excerpt', 'convert_chars');
+
+// Terms
+add_filter('pre_term_name', 'strip_tags');
+add_filter('pre_term_name', 'trim');
+add_filter('pre_term_name', 'wp_filter_kses');
+add_filter('pre_term_name', 'wp_specialchars', 30);
+add_filter('pre_term_description', 'wp_filter_kses');
-
-// Categories

trunk/wp-includes/taxonomy.php

@@ -68 +68 @@
-    $defaults = array( 'alias_of' => '', 'description' => '', 'parent' => 0, 'slug' => '');
-    $args = wp_parse_args($args, $defaults);
+    $args['name'] = $term;
+    $args = sanitize_term($args, $taxonomy, 'db');
-    extract($args);
-
-    $name = $term;
-    $parent = (int) $parent;
-
-    if ( empty($slug) )
@@ -206 +205 @@
-    $term = get_term ($term_id, $taxonomy, ARRAY_A);
-
+    $term = sanitize_term($term, $taxonomy, 'db');
+
-    // Escape data pulled from DB.
-    $term = add_magic_quotes($term);
@@ -223 +224 @@
-        $slug = sanitize_title($slug);
-
-    $term_group = 0;    
-    if ( $alias_of ) {
-        $alias = $wpdb->fetch_row("SELECT term_id, term_group FROM $wpdb->terms WHERE slug = '$alias_of'");
@@ -231 +231 @@
-        } else {
-            // The alias isn't in a group, so let's create a new one and firstly add the alias term to it.
-) term_group
+term_group)
-            $wpdb->query("UPDATE $wpdb->terms SET term_group = $term_group WHERE term_id = $alias->term_id");
-        }
@@ -245 +245 @@
-    $tt_id = $wpdb->get_var("SELECT tt.term_taxonomy_id FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.term_id = $term_id");
-
-, count = 0
+
-
-    do_action("edit_term", $term_id, $tt_id);
@@ -709 +709 @@
-}
-
+function get_term_field( $field, $term, $taxonomy, $context = 'display' ) {
+    $term = (int) $term;
+    $term = get_term( $term, $taxonomy );
+
+    if ( !is_object($term) )
+        return '';
+
+    if ( !isset($term->$field) )
+        return '';
+
+    return sanitize_term_field($field, $term->$field, $term->term_id, $taxonomy, $context);
+}
+
+function get_term_to_edit( $id, $taxonomy ) {
+    $term = get_term( $id, $taxonomy );
+
+    if ( !is_object($term) )
+        return '';
+
+    return sanitize_term($term, $taxonomy, 'edit');
+}
+
+function sanitize_term($term, $taxonomy, $context = 'display') {
+    $fields = array('term_id', 'name', 'description', 'slug', 'count', 'term_group');
+
+    $do_object = false;
+    if ( is_object($term) )
+        $do_object = true;
+
+    foreach ( $fields as $field ) {
+        if ( $do_object )
+            $term->$field = sanitize_term_field($field, $term->$field, $term->term_id, $taxonomy, $context);
+        else
+            $term[$field] = sanitize_term_field($field, $term[$field], $term['term_id'], $taxonomy, $context);  
+    }
+
+    return $term;
+}
+
+function sanitize_term_field($field, $value, $term_id, $taxonomy, $context) {
+    if ( 'parent' == $field  || 'term_id' == $field || 'count' == $field
+        || 'term_group' == $field )
+        $value = (int) $value;
+
+    if ( 'edit' == $context ) {
+        $value = apply_filters("edit_term_$field", $value, $term_id, $taxonomy);
+        $value = apply_filters("edit_${taxonomy}_$field", $value, $term_id);
+        if ( 'description' == $field )
+            $value = format_to_edit($value);
+        else
+            $value = attribute_escape($value);
+    } else if ( 'db' == $context ) {
+        $value = apply_filters("pre_term_$field", $value, $taxonomy);
+        $value = apply_filters("pre_${taxonomy}_$field", $value);   
+    } else {
+        // Use display filters by default.
+        $value = apply_filters("term_$field", $value, $term_id, $taxonomy, $context);
+        $value = apply_filters("${taxonomy}_$field", $value, $term_id, $context);
+    }
+
+    // TODO: attribute is usually done in an edit context, so display filters probably
+    // not appropriate.
+    if ( 'attribute' == $context )
+        $value = attribute_escape($value);
+    else if ( 'js' == $context )
+        $value = js_escape($value);
+
+    return $value;
+}
+
+//
+// Cache
+//
+
+function clean_term_cache($ids, $taxonomy) {
+    if ( !is_array($ids) )
+        $ids = array($ids);
+
+    foreach ( $ids as $id ) {
+        wp_cache_delete($id, $taxonomy);
+    }
+
+    wp_cache_delete('all_ids', $taxonomy);
+    wp_cache_delete('get', $taxonomy);
+    delete_option("{$taxonomy}_children");
+    wp_cache_delete('get_terms', 'terms');
+}
+
-function update_term_cache($terms, $taxonomy = '') {
-    foreach ( $terms as $term ) {
@@ -717 +805 @@
-        wp_cache_add($term->term_id, $term, $term_taxonomy);
-    }
-}
-
-function clean_term_cache($ids, $taxonomy) {
-    if ( !is_array($ids) )
-        $ids = array($ids);
-
-    foreach ( $ids as $id ) {
-        wp_cache_delete($id, $taxonomy);
-    }
-
-    wp_cache_delete('all_ids', $taxonomy);
-    wp_cache_delete('get', $taxonomy);
-    delete_option("{$taxonomy}_children");
-    wp_cache_delete('get_terms', 'terms');
-}
-
@@ -796 +870 @@
-}
-
+//
+// Private
+//
+
-function _get_term_hierarchy($taxonomy) {
-    // TODO Make sure taxonomy is hierarchical