<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul, pre { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[13673] trunk/wp-includes: make *_option(), *_transient()
functions consistently expect unslashed data.</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.wordpress.org/changeset/13673">13673</a></dd>
<dt>Author</dt> <dd>ryan</dd>
<dt>Date</dt> <dd>2010-03-11 21:49:56 +0000 (Thu, 11 Mar 2010)</dd>
</dl>
<h3>Log Message</h3>
<pre>make *_option(), *_transient() functions consistently expect unslashed data. Props Denis-de-Bernardy. see <a href="http://trac.wordpress.org/ticket/12416">#12416</a></pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkwpincludesformattingphp">trunk/wp-includes/formatting.php</a></li>
<li><a href="#trunkwpincludesfunctionsphp">trunk/wp-includes/functions.php</a></li>
<li><a href="#trunkwpincludesthemephp">trunk/wp-includes/theme.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkwpincludesformattingphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/formatting.php (13672 => 13673)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/formatting.php        2010-03-11 21:34:53 UTC (rev 13672)
+++ trunk/wp-includes/formatting.php        2010-03-11 21:49:56 UTC (rev 13673)
</span><span class="lines">@@ -2441,8 +2441,7 @@
</span><span class="cx">
</span><span class="cx">                 case 'siteurl':
</span><span class="cx">                 case 'home':
</span><del>-                        $value = stripslashes($value);
-                        $value = esc_url($value);
</del><ins>+                        $value = esc_url_raw($value);
</ins><span class="cx">                         break;
</span><span class="cx">                 default :
</span><span class="cx">                         $value = apply_filters("sanitize_option_{$option}", $value, $option);
</span></span></pre></div>
<a id="trunkwpincludesfunctionsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/functions.php (13672 => 13673)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/functions.php        2010-03-11 21:34:53 UTC (rev 13672)
+++ trunk/wp-includes/functions.php        2010-03-11 21:49:56 UTC (rev 13673)
</span><span class="lines">@@ -307,7 +307,7 @@
</span><span class="cx"> * @uses apply_filters() Calls 'option_$option', after checking the option, with
</span><span class="cx"> *         the option value.
</span><span class="cx"> *
</span><del>- * @param string $option Name of option to retrieve. Should already be SQL-escaped
</del><ins>+ * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return mixed Value set for the option.
</span><span class="cx"> */
</span><span class="cx"> function get_option( $option, $default = false ) {
</span><span class="lines">@@ -339,8 +339,7 @@
</span><span class="cx">                 if ( false === $value ) {
</span><span class="cx">                         if ( defined( 'WP_INSTALLING' ) )
</span><span class="cx">                                 $suppress = $wpdb->suppress_errors();
</span><del>-                        // expected_slashed ($option)
-                        $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" );
</del><ins>+                        $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) );
</ins><span class="cx">                         if ( defined( 'WP_INSTALLING' ) )
</span><span class="cx">                                 $wpdb->suppress_errors( $suppress );
</span><span class="cx">
</span><span class="lines">@@ -482,8 +481,8 @@
</span><span class="cx"> * @uses do_action() Calls 'update_option' hook before updating the option.
</span><span class="cx"> * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $option Option name. Expected to not be SQL-escaped
- * @param mixed $newvalue Option value.
</del><ins>+ * @param string $option Option name. Expected to not be SQL-escaped.
+ * @param mixed $newvalue Option value. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return bool False if value was not updated and true if value was updated.
</span><span class="cx"> */
</span><span class="cx"> function update_option( $option, $newvalue ) {
</span><span class="lines">@@ -491,9 +490,8 @@
</span><span class="cx">
</span><span class="cx">         wp_protect_special_option( $option );
</span><span class="cx">
</span><del>-        $safe_option = esc_sql( $option );
</del><span class="cx">         $newvalue = sanitize_option( $option, $newvalue );
</span><del>-        $oldvalue = get_option( $safe_option );
</del><ins>+        $oldvalue = get_option( $option );
</ins><span class="cx">         $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue );
</span><span class="cx">
</span><span class="cx">         // If the new and old values are the same, no need to update.
</span><span class="lines">@@ -516,10 +514,10 @@
</span><span class="cx">         if ( ! defined( 'WP_INSTALLING' ) ) {
</span><span class="cx">                 $alloptions = wp_load_alloptions();
</span><span class="cx">                 if ( isset( $alloptions[$option] ) ) {
</span><del>-                        $alloptions[$option] = $newvalue;
-                        wp_cache_set( 'alloptions', $alloptions, 'options' );
</del><ins>+                        $alloptions[$option] = $_newvalue;
+                        wp_cache_set( 'alloptions', $_alloptions, 'options' );
</ins><span class="cx">                 } else {
</span><del>-                        wp_cache_set( $option, $newvalue, 'options' );
</del><ins>+                        wp_cache_set( $option, $_newvalue, 'options' );
</ins><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx">
</span><span class="lines">@@ -554,8 +552,8 @@
</span><span class="cx"> * @uses do_action() Calls 'add_option' hook before adding the option.
</span><span class="cx"> * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $option Name of option to add. Expects to NOT be SQL escaped.
- * @param mixed $value Optional. Option value, can be anything.
</del><ins>+ * @param string $option Name of option to add. Expected to not be SQL-escaped.
+ * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
</ins><span class="cx"> * @param mixed $deprecated Optional. Description. Not used anymore.
</span><span class="cx"> * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up.
</span><span class="cx"> * @return null returns when finished.
</span><span class="lines">@@ -567,13 +565,12 @@
</span><span class="cx">         global $wpdb;
</span><span class="cx">
</span><span class="cx">         wp_protect_special_option( $option );
</span><del>-        $safe_option = esc_sql( $option );
</del><span class="cx">         $value = sanitize_option( $option, $value );
</span><span class="cx">
</span><span class="cx">         // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
</span><span class="cx">         $notoptions = wp_cache_get( 'notoptions', 'options' );
</span><span class="cx">         if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) )
</span><del>-                if ( false !== get_option( $safe_option ) )
</del><ins>+                if ( false !== get_option( $option ) )
</ins><span class="cx">                         return;
</span><span class="cx">
</span><span class="cx">         $_value = $value;
</span><span class="lines">@@ -617,7 +614,7 @@
</span><span class="cx"> * @uses do_action() Calls 'delete_option' hook before option is deleted.
</span><span class="cx"> * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $option Name of option to remove.
</del><ins>+ * @param string $option Name of option to remove. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return bool True, if option is successfully deleted. False on failure.
</span><span class="cx"> */
</span><span class="cx"> function delete_option( $option ) {
</span><span class="lines">@@ -626,13 +623,11 @@
</span><span class="cx">         wp_protect_special_option( $option );
</span><span class="cx">
</span><span class="cx">         // Get the ID, if no ID then return
</span><del>-        // expected_slashed ($option)
-        $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" );
</del><ins>+        $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) );
</ins><span class="cx">         if ( is_null( $row ) )
</span><span class="cx">                 return false;
</span><span class="cx">         do_action( 'delete_option', $option );
</span><del>-        // expected_slashed ($option)
-        $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" );
</del><ins>+        $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) );
</ins><span class="cx">         if ( ! defined( 'WP_INSTALLING' ) ) {
</span><span class="cx">                 if ( 'yes' == $row->autoload ) {
</span><span class="cx">                         $alloptions = wp_load_alloptions();
</span><span class="lines">@@ -662,7 +657,7 @@
</span><span class="cx"> * @uses do_action() Calls 'delete_transient_$transient' hook before transient is deleted.
</span><span class="cx"> * @uses do_action() Calls 'deleted_transient' hook on success.
</span><span class="cx"> *
</span><del>- * @param string $transient Transient name. Expected to not be SQL-escaped
</del><ins>+ * @param string $transient Transient name. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return bool true if successful, false otherwise
</span><span class="cx"> */
</span><span class="cx"> function delete_transient( $transient ) {
</span><span class="lines">@@ -673,7 +668,7 @@
</span><span class="cx">         if ( $_wp_using_ext_object_cache ) {
</span><span class="cx">                 $result = wp_cache_delete( $transient, 'transient' );
</span><span class="cx">         } else {
</span><del>-                $option = '_transient_' . esc_sql( $transient );
</del><ins>+                $option = '_transient_' . $transient;
</ins><span class="cx">                 $result = delete_option( $option );
</span><span class="cx">         }
</span><span class="cx">
</span><span class="lines">@@ -711,13 +706,12 @@
</span><span class="cx">         if ( $_wp_using_ext_object_cache ) {
</span><span class="cx">                 $value = wp_cache_get( $transient, 'transient' );
</span><span class="cx">         } else {
</span><del>-                $safe_transient = esc_sql( $transient );
-                $transient_option = '_transient_' . $safe_transient;
</del><ins>+                $transient_option = '_transient_' . $transient;
</ins><span class="cx">                 if ( ! defined( 'WP_INSTALLING' ) ) {
</span><span class="cx">                         // If option is not in alloptions, it is not autoloaded and thus has a timeout
</span><span class="cx">                         $alloptions = wp_load_alloptions();
</span><span class="cx">                         if ( !isset( $alloptions[$transient_option] ) ) {
</span><del>-                                $transient_timeout = '_transient_timeout_' . $safe_transient;
</del><ins>+                                $transient_timeout = '_transient_timeout_' . $transient;
</ins><span class="cx">                                 if ( get_option( $transient_timeout ) < time() ) {
</span><span class="cx">                                         delete_option( $transient_option );
</span><span class="cx">                                         delete_option( $transient_timeout );
</span><span class="lines">@@ -746,8 +740,8 @@
</span><span class="cx"> *         transient value to be stored.
</span><span class="cx"> * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $transient Transient name. Expected to not be SQL-escaped
- * @param mixed $value Transient value.
</del><ins>+ * @param string $transient Transient name. Expected to not be SQL-escaped.
+ * @param mixed $value Transient value. Expected to not be SQL-escaped.
</ins><span class="cx"> * @param int $expiration Time until expiration in seconds, default 0
</span><span class="cx"> * @return bool False if value was not set and true if value was set.
</span><span class="cx"> */
</span><span class="lines">@@ -761,8 +755,7 @@
</span><span class="cx">         } else {
</span><span class="cx">                 $transient_timeout = '_transient_timeout_' . $transient;
</span><span class="cx">                 $transient = '_transient_' . $transient;
</span><del>-                $safe_transient = esc_sql( $transient );
-                if ( false === get_option( $safe_transient ) ) {
</del><ins>+                if ( false === get_option( $transient ) ) {
</ins><span class="cx">                         $autoload = 'yes';
</span><span class="cx">                         if ( $expiration ) {
</span><span class="cx">                                 $autoload = 'no';
</span><span class="lines">@@ -1000,12 +993,9 @@
</span><span class="cx"> * @return mixed A scalar data
</span><span class="cx"> */
</span><span class="cx"> function maybe_serialize( $data ) {
</span><del>-        if ( is_array( $data ) || is_object( $data ) )
</del><ins>+        if ( !is_scalar( $data ) )
</ins><span class="cx">                 return serialize( $data );
</span><span class="cx">
</span><del>-        if ( is_serialized( $data ) )
-                return serialize( $data );
-
</del><span class="cx">         return $data;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -3384,7 +3374,7 @@
</span><span class="cx"> * @uses apply_filters() Calls 'site_option_$option', after checking the option, with
</span><span class="cx"> *         the option value.
</span><span class="cx"> *
</span><del>- * @param string $option Name of option to retrieve. Should already be SQL-escaped
</del><ins>+ * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
</ins><span class="cx"> * @param mixed $default Optional value to return if option doesn't exist. Default false.
</span><span class="cx"> * @param bool $use_cache Whether to use cache. Multisite only. Default true.
</span><span class="cx"> * @return mixed Value set for the option.
</span><span class="lines">@@ -3431,8 +3421,8 @@
</span><span class="cx"> *         option value to be stored.
</span><span class="cx"> * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $option Name of option to add. Expects to not be SQL escaped.
- * @param mixed $value Optional. Option value, can be anything.
</del><ins>+ * @param string $option Name of option to add. Expected to not be SQL-escaped.
+ * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return bool False if option was not added and true if option was added.
</span><span class="cx"> */
</span><span class="cx"> function add_site_option( $option, $value ) {
</span><span class="lines">@@ -3475,7 +3465,7 @@
</span><span class="cx"> * @uses do_action() Calls 'delete_site_option' and 'delete_site_option_$option'
</span><span class="cx"> *         hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $option Name of option to remove. Expected to be SQL-escaped.
</del><ins>+ * @param string $option Name of option to remove. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return bool True, if succeed. False, if failure.
</span><span class="cx"> */
</span><span class="cx"> function delete_site_option( $option ) {
</span><span class="lines">@@ -3517,8 +3507,8 @@
</span><span class="cx"> *         option value to be stored.
</span><span class="cx"> * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $option Name of option. Expected to not be SQL-escaped
- * @param mixed $value Option value.
</del><ins>+ * @param string $option Name of option. Expected to not be SQL-escaped.
+ * @param mixed $value Option value. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return bool False if value was not updated and true if value was updated.
</span><span class="cx"> */
</span><span class="cx"> function update_site_option( $option, $value ) {
</span><span class="lines">@@ -3564,7 +3554,7 @@
</span><span class="cx"> * @uses do_action() Calls 'delete_site_transient_$transient' hook before transient is deleted.
</span><span class="cx"> * @uses do_action() Calls 'deleted_site_transient' hook on success.
</span><span class="cx"> *
</span><del>- * @param string $transient Transient name. Expected to not be SQL-escaped
</del><ins>+ * @param string $transient Transient name. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return bool True if successful, false otherwise
</span><span class="cx"> */
</span><span class="cx"> function delete_site_transient( $transient ) {
</span><span class="lines">@@ -3574,7 +3564,7 @@
</span><span class="cx">         if ( $_wp_using_ext_object_cache ) {
</span><span class="cx">                 $result = wp_cache_delete( $transient, 'site-transient' );
</span><span class="cx">         } else {
</span><del>-                $option = '_site_transient_' . esc_sql( $transient );
</del><ins>+                $option = '_site_transient_' . $transient;
</ins><span class="cx">                 $result = delete_site_option( $option );
</span><span class="cx">         }
</span><span class="cx">         if ( $result )
</span><span class="lines">@@ -3599,7 +3589,7 @@
</span><span class="cx"> * @uses apply_filters() Calls 'site_transient_$option' hook, after checking the transient, with
</span><span class="cx"> *         the transient value.
</span><span class="cx"> *
</span><del>- * @param string $transient Transient name. Expected to not be SQL-escaped
</del><ins>+ * @param string $transient Transient name. Expected to not be SQL-escaped.
</ins><span class="cx"> * @return mixed Value of transient
</span><span class="cx"> */
</span><span class="cx"> function get_site_transient( $transient ) {
</span><span class="lines">@@ -3614,9 +3604,9 @@
</span><span class="cx">         } else {
</span><span class="cx">                 // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided.
</span><span class="cx">                 $no_timeout = array('update_core', 'update_plugins', 'update_themes');
</span><del>-                $transient_option = '_site_transient_' . esc_sql( $transient );
</del><ins>+                $transient_option = '_site_transient_' . $transient;
</ins><span class="cx">                 if ( ! in_array( $transient, $no_timeout ) ) {
</span><del>-                        $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient );
</del><ins>+                        $transient_timeout = '_site_transient_timeout_' . $transient;
</ins><span class="cx">                         $timeout = get_site_option( $transient_timeout );
</span><span class="cx">                         if ( false !== $timeout && $timeout < time() ) {
</span><span class="cx">                                 delete_site_option( $transient_option );
</span><span class="lines">@@ -3646,8 +3636,8 @@
</span><span class="cx"> *         transient value to be stored.
</span><span class="cx"> * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success.
</span><span class="cx"> *
</span><del>- * @param string $transient Transient name. Expected to not be SQL-escaped
- * @param mixed $value Transient value.
</del><ins>+ * @param string $transient Transient name. Expected to not be SQL-escaped.
+ * @param mixed $value Transient value. Expected to not be SQL-escaped.
</ins><span class="cx"> * @param int $expiration Time until expiration in seconds, default 0
</span><span class="cx"> * @return bool False if value was not set and true if value was set.
</span><span class="cx"> */
</span><span class="lines">@@ -3661,8 +3651,7 @@
</span><span class="cx">         } else {
</span><span class="cx">                 $transient_timeout = '_site_transient_timeout_' . $transient;
</span><span class="cx">                 $transient = '_site_transient_' . $transient;
</span><del>-                $safe_transient = esc_sql( $transient );
-                if ( false === get_site_option( $safe_transient ) ) {
</del><ins>+                if ( false === get_site_option( $transient ) ) {
</ins><span class="cx">                         if ( $expiration )
</span><span class="cx">                                 add_site_option( $transient_timeout, time() + $expiration );
</span><span class="cx">                         $result = add_site_option( $transient, $value );
</span></span></pre></div>
<a id="trunkwpincludesthemephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/theme.php (13672 => 13673)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/theme.php        2010-03-11 21:34:53 UTC (rev 13672)
+++ trunk/wp-includes/theme.php        2010-03-11 21:49:56 UTC (rev 13673)
</span><span class="lines">@@ -1200,7 +1200,7 @@
</span><span class="cx"> function get_theme_mod($name, $default = false) {
</span><span class="cx">         $theme = get_current_theme();
</span><span class="cx">
</span><del>-        $mods = get_option( esc_sql( "mods_$theme" ) );
</del><ins>+        $mods = get_option( "mods_$theme" );
</ins><span class="cx">
</span><span class="cx">         if ( isset($mods[$name]) )
</span><span class="cx">                 return apply_filters( "theme_mod_$name", $mods[$name] );
</span></span></pre>
</div>
</div>
</body>
</html>