Changeset 6185

Timestamp:
10/03/07 16:27:07 (1 year ago)
Author:
ryan
Message:

Add page sanitization. Props xknown. fixes #5135 for trunk

Files:

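--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -494,5 +494,5 @@
                 $current = '';
 
-            echo "\n\t<option value='$item->ID'$current>$pad $item->post_title</option>";
+            echo "\n\t<option value='$item->ID'$current>$pad " . wp_specialchars($item->post_title) . "</option>";
             parent_dropdown( $default, $item->ID, $level +1 );
         }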
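Review bot: The `value='$item->ID'` attribute in the same echo on new line 496 is still interpolated as-is while only the title is escaped. If a row could ever carry a non-integer ID, a quote in it would close the single-quoted attribute, so a cast such as `value='" . (int) $item->ID . "'` is a cheap hardening. wp_specialchars() is called here with its default quote handling, which is adequate for element text but should not be copied unchanged into an attribute context. The body of parent_dropdown() starts and ends outside this hunk, so where `$item` is loaded from is not visible.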
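--- a/trunk/wp-includes/post.php
+++ b/trunk/wp-includes/post.php
@@ -103,5 +103,5 @@
     } elseif ( is_object($post) ) {
         if ( 'page' == $post->post_type )
-            return get_page($post, $output);
+            return get_page($post, $output, $filter);
         if ( !isset($post_cache[$blog_id][$post->ID]) )
             $post_cache[$blog_id][$post->ID] = &$post;
@@ -112,9 +112,9 @@
             $_post = & $post_cache[$blog_id][$post];
         elseif ( $_post = wp_cache_get($post, 'pages') )
-            return get_page($_post, $output);
+            return get_page($_post, $output, $filter);
         else {
             $_post = & $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d LIMIT 1", $post));
             if ( 'page' == $_post->post_type )
-                return get_page($_post, $output);
+                return get_page($_post, $output, $filter);
             $post_cache[$blog_id][$post] = & $_post;
         }
@@ -980,5 +980,5 @@
 // Retrieves page data given a page ID or page object.
 // Handles page caching.
-function &get_page(&$page, $output = OBJECT) {
+function &get_page(&$page, $output = OBJECT, $filter = 'raw') {
     global $wpdb, $blog_id;
 
@@ -993,5 +993,5 @@
     } elseif ( is_object($page) ) {
         if ( 'post' == $page->post_type )
-            return get_post($page, $output);
+            return get_post($page, $output, $filter);
         wp_cache_add($page->ID, $page, 'pages');
         $_page = $page;
@@ -1006,10 +1006,10 @@
                 wp_cache_add($_page->ID, $_page, 'pages');
             } elseif ( isset($GLOBALS['post_cache'][$blog_id][$page]) ) { // it's actually a page, and is cached
-                return get_post($page, $output);
+                return get_post($page, $output, $filter);
             } else { // it's not in any caches, so off to the DB we go
                 // Why are we using assignment for this query?
                 $_page = & $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE ID= %d LIMIT 1", $page ));
                 if ( 'post' == $_page->post_type )
-                    return get_post($_page, $output);
+                    return get_post($_page, $output, $filter);
                 // Potential issue: we're not checking to see if the post_type = 'page'
                 // So all non-'post' posts will get cached as pages.
@@ -1018,4 +1018,6 @@
         }
     }
+
+    $_page = sanitize_post($_page, $filter);
 
     // at this point, one way or another, $_post contains the page object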
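Review bot: The new `$filter` parameter on get_page() defaults to `'raw'` and no call site in this changeset passes anything else, so the added `sanitize_post($_page, $filter)` at new line 1021 presumably leaves page fields unescaped for every existing caller. I would document that above the signature, for example `// $filter is the sanitize_post() context; with the default 'raw', callers must escape fields at output.` Separately, in the object branch `$_page = $page` follows `wp_cache_add($page->ID, $page, 'pages')`. If sanitize_post(), whose body is not shown, modifies the object in place, context-escaped values could be shared with the cached or caller-held object and escaped again later, so it is worth confirming that it works on a copy. get_post() and get_page() both start and end outside these hunks, and get_post() is assumed to already accept `$filter`.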