<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[23416] trunk: Change all core API to expect unslashed rather than slashed arguments.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg > ul, #logmsg > ol { margin-left: 0; margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://core.trac.wordpress.org/changeset/23416">23416</a></dd>
<dt>Author</dt> <dd>ryan</dd>
<dt>Date</dt> <dd>2013-02-14 22:51:06 +0000 (Thu, 14 Feb 2013)</dd>
</dl>

<h3>Log Message</h3>
<pre>Change all core API to expect unslashed rather than slashed arguments.

The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_update_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes is no longer necessary.

Introduce wp_unslash() and use it to remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb-&gt;escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see <a href="http://core.trac.wordpress.org/ticket/21767">#21767</a></pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkwpadminadminphp">trunk/wp-admin/admin.php</a></li>
<li><a href="#trunkwpadmincustombackgroundphp">trunk/wp-admin/custom-background.php</a></li>
<li><a href="#trunkwpadmincustomheaderphp">trunk/wp-admin/custom-header.php</a></li>
<li><a href="#trunkwpadmineditcommentsphp">trunk/wp-admin/edit-comments.php</a></li>
<li><a href="#trunkwpadmineditformadvancedphp">trunk/wp-admin/edit-form-advanced.php</a></li>
<li><a href="#trunkwpadmineditformcommentphp">trunk/wp-admin/edit-form-comment.php</a></li>
<li><a href="#trunkwpadminedittagsphp">trunk/wp-admin/edit-tags.php</a></li>
<li><a href="#trunkwpadmineditphp">trunk/wp-admin/edit.php</a></li>
<li><a href="#trunkwpadminincludesajaxactionsphp">trunk/wp-admin/includes/ajax-actions.php</a></li>
<li><a href="#trunkwpadminincludesbookmarkphp">trunk/wp-admin/includes/bookmark.php</a></li>
<li><a href="#trunkwpadminincludesclasswpcommentslisttablephp">trunk/wp-admin/includes/class-wp-comments-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswpmssiteslisttablephp">trunk/wp-admin/includes/class-wp-ms-sites-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswpmsthemeslisttablephp">trunk/wp-admin/includes/class-wp-ms-themes-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswpmsuserslisttablephp">trunk/wp-admin/includes/class-wp-ms-users-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswpplugininstalllisttablephp">trunk/wp-admin/includes/class-wp-plugin-install-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswppluginslisttablephp">trunk/wp-admin/includes/class-wp-plugins-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswptermslisttablephp">trunk/wp-admin/includes/class-wp-terms-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswpthemeinstalllisttablephp">trunk/wp-admin/includes/class-wp-theme-install-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswpthemeslisttablephp">trunk/wp-admin/includes/class-wp-themes-list-table.php</a></li>
<li><a href="#trunkwpadminincludesclasswpupgraderphp">trunk/wp-admin/includes/class-wp-upgrader.php</a></li>
<li><a href="#trunkwpadminincludesclasswpuserslisttablephp">trunk/wp-admin/includes/class-wp-users-list-table.php</a></li>
<li><a href="#trunkwpadminincludescommentphp">trunk/wp-admin/includes/comment.php</a></li>
<li><a href="#trunkwpadminincludesdashboardphp">trunk/wp-admin/includes/dashboard.php</a></li>
<li><a href="#trunkwpadminincludesdeprecatedphp">trunk/wp-admin/includes/deprecated.php</a></li>
<li><a href="#trunkwpadminincludesfilephp">trunk/wp-admin/includes/file.php</a></li>
<li><a href="#trunkwpadminincludesimageeditphp">trunk/wp-admin/includes/image-edit.php</a></li>
<li><a href="#trunkwpadminincludesmediaphp">trunk/wp-admin/includes/media.php</a></li>
<li><a href="#trunkwpadminincludesmiscphp">trunk/wp-admin/includes/misc.php</a></li>
<li><a href="#trunkwpadminincludesplugininstallphp">trunk/wp-admin/includes/plugin-install.php</a></li>
<li><a href="#trunkwpadminincludespostphp">trunk/wp-admin/includes/post.php</a></li>
<li><a href="#trunkwpadminincludesschemaphp">trunk/wp-admin/includes/schema.php</a></li>
<li><a href="#trunkwpadminincludestaxonomyphp">trunk/wp-admin/includes/taxonomy.php</a></li>
<li><a href="#trunkwpadminincludestemplatephp">trunk/wp-admin/includes/template.php</a></li>
<li><a href="#trunkwpadminincludesthemeinstallphp">trunk/wp-admin/includes/theme-install.php</a></li>
<li><a href="#trunkwpadminincludesupgradephp">trunk/wp-admin/includes/upgrade.php</a></li>
<li><a href="#trunkwpadminincludesuserphp">trunk/wp-admin/includes/user.php</a></li>
<li><a href="#trunkwpadmininstallphp">trunk/wp-admin/install.php</a></li>
<li><a href="#trunkwpadminlinkmanagerphp">trunk/wp-admin/link-manager.php</a></li>
<li><a href="#trunkwpadminmediaphp">trunk/wp-admin/media.php</a></li>
<li><a href="#trunkwpadminnavmenusphp">trunk/wp-admin/nav-menus.php</a></li>
<li><a href="#trunkwpadminnetworksettingsphp">trunk/wp-admin/network/settings.php</a></li>
<li><a href="#trunkwpadminnetworksiteinfophp">trunk/wp-admin/network/site-info.php</a></li>
<li><a href="#trunkwpadminnetworksitenewphp">trunk/wp-admin/network/site-new.php</a></li>
<li><a href="#trunkwpadminnetworksitesettingsphp">trunk/wp-admin/network/site-settings.php</a></li>
<li><a href="#trunkwpadminnetworksitesphp">trunk/wp-admin/network/sites.php</a></li>
<li><a href="#trunkwpadminnetworkphp">trunk/wp-admin/network.php</a></li>
<li><a href="#trunkwpadminoptionsphp">trunk/wp-admin/options.php</a></li>
<li><a href="#trunkwpadminplugineditorphp">trunk/wp-admin/plugin-editor.php</a></li>
<li><a href="#trunkwpadminpressthisphp">trunk/wp-admin/press-this.php</a></li>
<li><a href="#trunkwpadminsetupconfigphp">trunk/wp-admin/setup-config.php</a></li>
<li><a href="#trunkwpadminthemeeditorphp">trunk/wp-admin/theme-editor.php</a></li>
<li><a href="#trunkwpadminupdatephp">trunk/wp-admin/update.php</a></li>
<li><a href="#trunkwpadminupgradephp">trunk/wp-admin/upgrade.php</a></li>
<li><a href="#trunkwpadminuploadphp">trunk/wp-admin/upload.php</a></li>
<li><a href="#trunkwpadminusereditphp">trunk/wp-admin/user-edit.php</a></li>
<li><a href="#trunkwpadminusernewphp">trunk/wp-admin/user-new.php</a></li>
<li><a href="#trunkwpadminusersphp">trunk/wp-admin/users.php</a></li>
<li><a href="#trunkwpcommentspostphp">trunk/wp-comments-post.php</a></li>
<li><a href="#trunkwpincludesclasswpcustomizemanagerphp">trunk/wp-includes/class-wp-customize-manager.php</a></li>
<li><a href="#trunkwpincludesclasswpcustomizesettingphp">trunk/wp-includes/class-wp-customize-setting.php</a></li>
<li><a href="#trunkwpincludesclasswpxmlrpcserverphp">trunk/wp-includes/class-wp-xmlrpc-server.php</a></li>
<li><a href="#trunkwpincludesclasswpphp">trunk/wp-includes/class-wp.php</a></li>
<li><a href="#trunkwpincludescommentphp">trunk/wp-includes/comment.php</a></li>
<li><a href="#trunkwpincludescronphp">trunk/wp-includes/cron.php</a></li>
<li><a href="#trunkwpincludesdefaultfiltersphp">trunk/wp-includes/default-filters.php</a></li>
<li><a href="#trunkwpincludesdefaultwidgetsphp">trunk/wp-includes/default-widgets.php</a></li>
<li><a href="#trunkwpincludesdeprecatedphp">trunk/wp-includes/deprecated.php</a></li>
<li><a href="#trunkwpincludesfeedphp">trunk/wp-includes/feed.php</a></li>
<li><a href="#trunkwpincludesformattingphp">trunk/wp-includes/formatting.php</a></li>
<li><a href="#trunkwpincludesfunctionsphp">trunk/wp-includes/functions.php</a></li>
<li><a href="#trunkwpincludesksesphp">trunk/wp-includes/kses.php</a></li>
<li><a href="#trunkwpincludeslinktemplatephp">trunk/wp-includes/link-template.php</a></li>
<li><a href="#trunkwpincludesmetaphp">trunk/wp-includes/meta.php</a></li>
<li><a href="#trunkwpincludesmsfilesphp">trunk/wp-includes/ms-files.php</a></li>
<li><a href="#trunkwpincludesmsfunctionsphp">trunk/wp-includes/ms-functions.php</a></li>
<li><a href="#trunkwpincludesnavmenuphp">trunk/wp-includes/nav-menu.php</a></li>
<li><a href="#trunkwpincludespluggablephp">trunk/wp-includes/pluggable.php</a></li>
<li><a href="#trunkwpincludesposttemplatephp">trunk/wp-includes/post-template.php</a></li>
<li><a href="#trunkwpincludespostphp">trunk/wp-includes/post.php</a></li>
<li><a href="#trunkwpincludesqueryphp">trunk/wp-includes/query.php</a></li>
<li><a href="#trunkwpincludestaxonomyphp">trunk/wp-includes/taxonomy.php</a></li>
<li><a href="#trunkwpincludesuserphp">trunk/wp-includes/user.php</a></li>
<li><a href="#trunkwpincludeswidgetsphp">trunk/wp-includes/widgets.php</a></li>
<li><a href="#trunkwploginphp">trunk/wp-login.php</a></li>
<li><a href="#trunkwpmailphp">trunk/wp-mail.php</a></li>
<li><a href="#trunkwptrackbackphp">trunk/wp-trackback.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkwpadminadminphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/admin.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/admin.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/admin.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx">         do_action('after_db_upgrade');
</span><span class="cx"> } elseif ( get_option('db_version') != $wp_db_version &amp;&amp; empty($_POST) ) {
</span><span class="cx">         if ( !is_multisite() ) {
</span><del>-                wp_redirect(admin_url('upgrade.php?_wp_http_referer=' . urlencode(stripslashes($_SERVER['REQUEST_URI']))));
</del><ins>+                wp_redirect( admin_url( 'upgrade.php?_wp_http_referer=' . urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
</ins><span class="cx">                 exit;
</span><span class="cx">         } elseif ( apply_filters( 'do_mu_upgrade', true ) ) {
</span><span class="cx">                 /**
</span><span class="lines">@@ -84,7 +84,7 @@
</span><span class="cx"> $editing = false;
</span><span class="cx"> 
</span><span class="cx"> if ( isset($_GET['page']) ) {
</span><del>-        $plugin_page = stripslashes($_GET['page']);
</del><ins>+        $plugin_page = wp_unslash( $_GET['page'] );
</ins><span class="cx">         $plugin_page = plugin_basename($plugin_page);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadmincustombackgroundphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/custom-background.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/custom-background.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/custom-background.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -378,7 +378,7 @@
</span><span class="cx"> 
</span><span class="cx">                 // Add the meta-data
</span><span class="cx">                 wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
</span><del>-                update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
</del><ins>+                wp_update_post_meta( $id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
</ins><span class="cx"> 
</span><span class="cx">                 set_theme_mod('background_image', esc_url_raw($url));
</span><span class="cx"> 
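Review bot: the + line calls wp_update_post_meta(), which is introduced elsewhere in this changeset (wp-includes/meta.php and post.php are in the modified list, but their hunks are not shown on this page); confirm the definition lands in the same commit, otherwise the custom background upload path fatals on an undefined function. The swap itself is right for this call site: get_option('stylesheet') is already unslashed, so the old update_post_meta() would have stripped any backslash from the stylesheet name before storing it.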
</span><span class="lines">@@ -415,7 +415,7 @@
</span><span class="cx">                 if ( in_array( $_POST['size'], $sizes ) )
</span><span class="cx">                         $size = esc_attr( $_POST['size'] );
</span><span class="cx"> 
</span><del>-                update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
</del><ins>+                wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', get_option('stylesheet' ) );
</ins><span class="cx">                 $url = wp_get_attachment_image_src( $attachment_id, $size );
</span><span class="cx">                 $thumbnail = wp_get_attachment_image_src( $attachment_id, 'thumbnail' );
</span><span class="cx">                 set_theme_mod( 'background_image', esc_url_raw( $url[0] ) );
</span></span></pre></div>
<a id="trunkwpadmincustomheaderphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/custom-header.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/custom-header.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/custom-header.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -948,7 +948,7 @@
</span><span class="cx">                                 'width'         =&gt; $choice['width'],
</span><span class="cx">                         );
</span><span class="cx"> 
</span><del>-                        update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
</del><ins>+                        wp_update_post_meta( $choice['attachment_id'], '_wp_attachment_is_custom_header', get_stylesheet() );
</ins><span class="cx">                         set_theme_mod( 'header_image', $choice['url'] );
</span><span class="cx">                         set_theme_mod( 'header_image_data', $header_image_data );
</span><span class="cx">                         return;
</span></span></pre></div>
<a id="trunkwpadmineditcommentsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/edit-comments.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/edit-comments.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/edit-comments.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -20,9 +20,9 @@
</span><span class="cx">         check_admin_referer( 'bulk-comments' );
</span><span class="cx"> 
</span><span class="cx">         if ( 'delete_all' == $doaction &amp;&amp; !empty( $_REQUEST['pagegen_timestamp'] ) ) {
</span><del>-                $comment_status = $wpdb-&gt;escape( $_REQUEST['comment_status'] );
-                $delete_time = $wpdb-&gt;escape( $_REQUEST['pagegen_timestamp'] );
-                $comment_ids = $wpdb-&gt;get_col( &quot;SELECT comment_ID FROM $wpdb-&gt;comments WHERE comment_approved = '$comment_status' AND '$delete_time' &gt; comment_date_gmt&quot; );
</del><ins>+                $comment_status = $_REQUEST['comment_status'];
+                $delete_time = $_REQUEST['pagegen_timestamp'];
+                $comment_ids = $wpdb-&gt;get_col( $wpdb-&gt;prepare( &quot;SELECT comment_ID FROM $wpdb-&gt;comments WHERE comment_approved = %s AND %s &gt; comment_date_gmt&quot;, $comment_status, $delete_time ) );
</ins><span class="cx">                 $doaction = 'delete';
</span><span class="cx">         } elseif ( isset( $_REQUEST['delete_comments'] ) ) {
</span><span class="cx">                 $comment_ids = $_REQUEST['delete_comments'];
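Review bot: the two $_REQUEST values handed to $wpdb-&gt;prepare() on the + lines are still slashed GPCS data; the rest of this changeset unslashes request data before passing it to core, so wrap $comment_status and $delete_time in wp_unslash() here for consistency (for the expected values, a status keyword and a timestamp, a stray backslash only makes the comparison fail, but the inconsistency will confuse the later cleanup the log message plans). Replacing the interpolated $wpdb-&gt;escape() strings with %s placeholders is the right direction: prepare() quotes both values, so the "%s &gt; comment_date_gmt" comparison keeps the semantics of the old '$delete_time' literal.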
</span><span class="lines">@@ -95,7 +95,7 @@
</span><span class="cx">         wp_safe_redirect( $redirect_to );
</span><span class="cx">         exit;
</span><span class="cx"> } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
</span><del>-         wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
</del><ins>+         wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
</ins><span class="cx">          exit;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -153,7 +153,7 @@
</span><span class="cx">         echo __('Comments');
</span><span class="cx"> 
</span><span class="cx"> if ( isset($_REQUEST['s']) &amp;&amp; $_REQUEST['s'] )
</span><del>-        printf( '&lt;span class=&quot;subtitle&quot;&gt;' . sprintf( __( 'Search results for &amp;#8220;%s&amp;#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) ) . '&lt;/span&gt;' ); ?&gt;
</del><ins>+        printf( '&lt;span class=&quot;subtitle&quot;&gt;' . sprintf( __( 'Search results for &amp;#8220;%s&amp;#8221;' ), wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50 ) ) . '&lt;/span&gt;' ); ?&gt;
</ins><span class="cx"> &lt;/h2&gt;
</span><span class="cx"> 
</span><span class="cx"> &lt;?php
</span></span></pre></div>
<a id="trunkwpadmineditformadvancedphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/edit-form-advanced.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/edit-form-advanced.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/edit-form-advanced.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -304,7 +304,7 @@
</span><span class="cx"> &lt;input type=&quot;hidden&quot; id=&quot;post_author&quot; name=&quot;post_author&quot; value=&quot;&lt;?php echo esc_attr( $post-&gt;post_author ); ?&gt;&quot; /&gt;
</span><span class="cx"> &lt;input type=&quot;hidden&quot; id=&quot;post_type&quot; name=&quot;post_type&quot; value=&quot;&lt;?php echo esc_attr( $post_type ) ?&gt;&quot; /&gt;
</span><span class="cx"> &lt;input type=&quot;hidden&quot; id=&quot;original_post_status&quot; name=&quot;original_post_status&quot; value=&quot;&lt;?php echo esc_attr( $post-&gt;post_status) ?&gt;&quot; /&gt;
</span><del>-&lt;input type=&quot;hidden&quot; id=&quot;referredby&quot; name=&quot;referredby&quot; value=&quot;&lt;?php echo esc_url(stripslashes(wp_get_referer())); ?&gt;&quot; /&gt;
</del><ins>+&lt;input type=&quot;hidden&quot; id=&quot;referredby&quot; name=&quot;referredby&quot; value=&quot;&lt;?php echo esc_url( wp_get_referer() ); ?&gt;&quot; /&gt;
</ins><span class="cx"> &lt;?php if ( ! empty( $active_post_lock ) ) { ?&gt;
</span><span class="cx"> &lt;input type=&quot;hidden&quot; id=&quot;active_post_lock&quot; value=&quot;&lt;?php echo esc_attr( implode( ':', $active_post_lock ) ); ?&gt;&quot; /&gt;
</span><span class="cx"> &lt;?php
</span></span></pre></div>
<a id="trunkwpadmineditformcommentphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/edit-form-comment.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/edit-form-comment.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/edit-form-comment.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -132,7 +132,7 @@
</span><span class="cx"> 
</span><span class="cx"> &lt;input type=&quot;hidden&quot; name=&quot;c&quot; value=&quot;&lt;?php echo esc_attr($comment-&gt;comment_ID) ?&gt;&quot; /&gt;
</span><span class="cx"> &lt;input type=&quot;hidden&quot; name=&quot;p&quot; value=&quot;&lt;?php echo esc_attr($comment-&gt;comment_post_ID) ?&gt;&quot; /&gt;
</span><del>-&lt;input name=&quot;referredby&quot; type=&quot;hidden&quot; id=&quot;referredby&quot; value=&quot;&lt;?php echo esc_url(stripslashes(wp_get_referer())); ?&gt;&quot; /&gt;
</del><ins>+&lt;input name=&quot;referredby&quot; type=&quot;hidden&quot; id=&quot;referredby&quot; value=&quot;&lt;?php echo esc_url( wp_get_referer() ); ?&gt;&quot; /&gt;
</ins><span class="cx"> &lt;?php wp_original_referer_field(true, 'previous'); ?&gt;
</span><span class="cx"> &lt;input type=&quot;hidden&quot; name=&quot;noredir&quot; value=&quot;1&quot; /&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadminedittagsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/edit-tags.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/edit-tags.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/edit-tags.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -47,7 +47,9 @@
</span><span class="cx">         if ( !current_user_can( $tax-&gt;cap-&gt;edit_terms ) )
</span><span class="cx">                 wp_die( __( 'Cheatin&amp;#8217; uh?' ) );
</span><span class="cx"> 
</span><del>-        $ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST );
</del><ins>+        $post_data = wp_unslash( $_POST );
+
+        $ret = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
</ins><span class="cx">         $location = 'edit-tags.php?taxonomy=' . $taxonomy;
</span><span class="cx">         if ( 'post' != $post_type )
</span><span class="cx">                 $location .= '&amp;post_type=' . $post_type;
</span><span class="lines">@@ -132,7 +134,10 @@
</span><span class="cx"> break;
</span><span class="cx"> 
</span><span class="cx"> case 'editedtag':
</span><del>-        $tag_ID = (int) $_POST['tag_ID'];
</del><ins>+
+        $post_data = wp_unslash( $_POST );
+
+        $tag_ID = (int) $post_data['tag_ID'];
</ins><span class="cx">         check_admin_referer( 'update-tag_' . $tag_ID );
</span><span class="cx"> 
</span><span class="cx">         if ( !current_user_can( $tax-&gt;cap-&gt;edit_terms ) )
</span><span class="lines">@@ -142,7 +147,7 @@
</span><span class="cx">         if ( ! $tag )
</span><span class="cx">                 wp_die( __( 'You attempted to edit an item that doesn&amp;#8217;t exist. Perhaps it was deleted?' ) );
</span><span class="cx"> 
</span><del>-        $ret = wp_update_term( $tag_ID, $taxonomy, $_POST );
</del><ins>+        $ret = wp_update_term( $tag_ID, $taxonomy, $post_data );
</ins><span class="cx"> 
</span><span class="cx">         $location = 'edit-tags.php?taxonomy=' . $taxonomy;
</span><span class="cx">         if ( 'post' != $post_type )
</span><span class="lines">@@ -164,7 +169,7 @@
</span><span class="cx"> 
</span><span class="cx"> default:
</span><span class="cx"> if ( ! empty($_REQUEST['_wp_http_referer']) ) {
</span><del>-        $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) );
</del><ins>+        $location = remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) );
</ins><span class="cx"> 
</span><span class="cx">         if ( ! empty( $_REQUEST['paged'] ) )
</span><span class="cx">                 $location = add_query_arg( 'paged', (int) $_REQUEST['paged'] );
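Review bot: the wp_unslash() swap on the + line is fine, but note the unchanged line just below it: add_query_arg( 'paged', (int) $_REQUEST['paged'] ) is called without passing $location, so it builds from the current request URI and overwrites the URL that just had _wp_http_referer and _wpnonce removed. Not introduced by this change, but since this block is being touched, passing $location as the third argument would fix it.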
</span><span class="lines">@@ -264,8 +269,8 @@
</span><span class="cx"> &lt;div class=&quot;wrap nosubsub&quot;&gt;
</span><span class="cx"> &lt;?php screen_icon(); ?&gt;
</span><span class="cx"> &lt;h2&gt;&lt;?php echo esc_html( $title );
</span><del>-if ( !empty($_REQUEST['s']) )
-        printf( '&lt;span class=&quot;subtitle&quot;&gt;' . __('Search results for &amp;#8220;%s&amp;#8221;') . '&lt;/span&gt;', esc_html( stripslashes($_REQUEST['s']) ) ); ?&gt;
</del><ins>+if ( ! empty($_REQUEST['s']) )
+        printf( '&lt;span class=&quot;subtitle&quot;&gt;' . __('Search results for &amp;#8220;%s&amp;#8221;') . '&lt;/span&gt;', esc_html( wp_unslash( $_REQUEST['s'] ) ) ); ?&gt;
</ins><span class="cx"> &lt;/h2&gt;
</span><span class="cx"> 
</span><span class="cx"> &lt;?php if ( isset($_REQUEST['message']) &amp;&amp; ( $msg = (int) $_REQUEST['message'] ) ) : ?&gt;
</span></span></pre></div>
<a id="trunkwpadmineditphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/edit.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/edit.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/edit.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -138,7 +138,7 @@
</span><span class="cx">         wp_redirect($sendback);
</span><span class="cx">         exit();
</span><span class="cx"> } elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
</span><del>-         wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']) ) );
</del><ins>+         wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
</ins><span class="cx">          exit;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadminincludesajaxactionsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/ajax-actions.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/ajax-actions.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/ajax-actions.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx">                 wp_die( 0 );
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        $s = stripslashes( $_GET['q'] );
</del><ins>+        $s = wp_unslash( $_GET['q'] );
</ins><span class="cx"> 
</span><span class="cx">         $comma = _x( ',', 'tag delimiter' );
</span><span class="cx">         if ( ',' !== $comma )
</span><span class="lines">@@ -279,19 +279,21 @@
</span><span class="cx">  */
</span><span class="cx"> 
</span><span class="cx"> function _wp_ajax_add_hierarchical_term() {
</span><del>-        $action = $_POST['action'];
</del><ins>+        $post_data = wp_unslash( $_POST );
+
+        $action = $post_data['action'];
</ins><span class="cx">         $taxonomy = get_taxonomy(substr($action, 4));
</span><span class="cx">         check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy-&gt;name );
</span><span class="cx">         if ( !current_user_can( $taxonomy-&gt;cap-&gt;edit_terms ) )
</span><span class="cx">                 wp_die( -1 );
</span><del>-        $names = explode(',', $_POST['new'.$taxonomy-&gt;name]);
-        $parent = isset($_POST['new'.$taxonomy-&gt;name.'_parent']) ? (int) $_POST['new'.$taxonomy-&gt;name.'_parent'] : 0;
</del><ins>+        $names = explode(',', $post_data['new'.$taxonomy-&gt;name]);
+        $parent = isset($post_data['new'.$taxonomy-&gt;name.'_parent']) ? (int) $post_data['new'.$taxonomy-&gt;name.'_parent'] : 0;
</ins><span class="cx">         if ( 0 &gt; $parent )
</span><span class="cx">                 $parent = 0;
</span><span class="cx">         if ( $taxonomy-&gt;name == 'category' )
</span><del>-                $post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array();
</del><ins>+                $post_category = isset( $post_data['post_category'] ) ? (array) $post_data['post_category'] : array();
</ins><span class="cx">         else
</span><del>-                $post_category = ( isset($_POST['tax_input']) &amp;&amp; isset($_POST['tax_input'][$taxonomy-&gt;name]) ) ? (array) $_POST['tax_input'][$taxonomy-&gt;name] : array();
</del><ins>+                $post_category = ( isset( $post_data['tax_input'] ) &amp;&amp; isset( $post_data['tax_input'][$taxonomy-&gt;name] ) ) ? (array) $post_data['tax_input'][$taxonomy-&gt;name] : array();
</ins><span class="cx">         $checked_categories = array_map( 'absint', (array) $post_category );
</span><span class="cx">         $popular_ids = wp_popular_terms_checklist($taxonomy-&gt;name, 0, 10, false);
</span><span class="cx"> 
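Review bot: spacing inside isset() is inconsistent within this hunk: the + lines for $names and $parent keep isset($post_data[...]) while the $post_category lines switch to isset( $post_data[...] ); pick one style. Functionally the move to a single unslashed $post_data copy is fine, and the (int) cast and the absint map on the unchanged line mean slashing never affected $parent or $checked_categories.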
</span><span class="lines">@@ -559,7 +561,7 @@
</span><span class="cx">         check_ajax_referer( $action );
</span><span class="cx">         if ( !current_user_can( 'manage_categories' ) )
</span><span class="cx">                 wp_die( -1 );
</span><del>-        $names = explode(',', $_POST['newcat']);
</del><ins>+        $names = explode( ',', wp_unslash( $_POST['newcat'] ) );
</ins><span class="cx">         $x = new WP_Ajax_Response();
</span><span class="cx">         foreach ( $names as $cat_name ) {
</span><span class="cx">                 $cat_name = trim($cat_name);
</span><span class="lines">@@ -572,7 +574,7 @@
</span><span class="cx">                         continue;
</span><span class="cx">                 else if ( is_array( $cat_id ) )
</span><span class="cx">                         $cat_id = $cat_id['term_id'];
</span><del>-                $cat_name = esc_html(stripslashes($cat_name));
</del><ins>+                $cat_name = esc_html( wp_unslash( $cat_name ) );
</ins><span class="cx">                 $x-&gt;add( array(
</span><span class="cx">                         'what' =&gt; 'link-category',
</span><span class="cx">                         'id' =&gt; $cat_id,
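Review bot: double unslash. $names is already built from wp_unslash( $_POST['newcat'] ) at the top of this function (the hunk at line 561 above), so esc_html( wp_unslash( $cat_name ) ) here strips backslashes a second time: a category name containing a literal backslash would be inserted with it and echoed back to the client without it. Now that the loop variable is already unslashed this should be esc_html( $cat_name ).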
</span><span class="lines">@@ -586,9 +588,11 @@
</span><span class="cx"> function wp_ajax_add_tag() {
</span><span class="cx">         global $wp_list_table;
</span><span class="cx"> 
</span><ins>+        $post_data = wp_unslash( $_POST );
+
</ins><span class="cx">         check_ajax_referer( 'add-tag', '_wpnonce_add-tag' );
</span><del>-        $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post';
-        $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag';
</del><ins>+        $post_type = !empty($post_data['post_type']) ? $post_data['post_type'] : 'post';
+        $taxonomy = !empty($post_data['taxonomy']) ? $post_data['taxonomy'] : 'post_tag';
</ins><span class="cx">         $tax = get_taxonomy($taxonomy);
</span><span class="cx"> 
</span><span class="cx">         if ( !current_user_can( $tax-&gt;cap-&gt;edit_terms ) )
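Review bot: $taxonomy is taken straight from $post_data and handed to get_taxonomy() without sanitize_key(), whereas wp_ajax_inline_save_tax below does sanitize_key( $post_data['taxonomy'] ); the two handlers should agree. In the same lines, $tax is dereferenced as $tax-&gt;cap-&gt;edit_terms with no check that get_taxonomy() returned an object, so an unknown taxonomy name produces a notice on false before wp_die(). Minor ordering point: $post_data = wp_unslash( $_POST ) now runs before check_ajax_referer(); doing the nonce check first, as inline_save_tax does, avoids the work on rejected requests.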
</span><span class="lines">@@ -596,7 +600,7 @@
</span><span class="cx"> 
</span><span class="cx">         $x = new WP_Ajax_Response();
</span><span class="cx"> 
</span><del>-        $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST );
</del><ins>+        $tag = wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data );
</ins><span class="cx"> 
</span><span class="cx">         if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) {
</span><span class="cx">                 $message = __('An error has occurred. Please reload the page and try again.');
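Review bot: wp_insert_term( $post_data['tag-name'], $taxonomy, $post_data ) passes the entire unslashed request array as $args, so every key wp_insert_term() honours (slug, parent, description, alias_of) is client-controlled. That was already true of the $_POST version, but since the line is being rewritten it is a good moment to pass only the expected keys. $post_data['tag-name'] is also read without an isset() guard.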
</span><span class="lines">@@ -610,7 +614,7 @@
</span><span class="cx">                 $x-&gt;send();
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' =&gt; $_POST['screen'] ) );
</del><ins>+        $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' =&gt; $post_data['screen'] ) );
</ins><span class="cx"> 
</span><span class="cx">         $level = 0;
</span><span class="cx">         if ( is_taxonomy_hierarchical($taxonomy) ) {
</span><span class="lines">@@ -728,10 +732,10 @@
</span><span class="cx">         $user = wp_get_current_user();
</span><span class="cx">         if ( $user-&gt;exists() ) {
</span><span class="cx">                 $user_ID = $user-&gt;ID;
</span><del>-                $comment_author       = $wpdb-&gt;escape($user-&gt;display_name);
-                $comment_author_email = $wpdb-&gt;escape($user-&gt;user_email);
-                $comment_author_url   = $wpdb-&gt;escape($user-&gt;user_url);
-                $comment_content      = trim($_POST['content']);
</del><ins>+                $comment_author       = $user-&gt;display_name;
+                $comment_author_email = $user-&gt;user_email;
+                $comment_author_url   = $user-&gt;user_url;
+                $comment_content      = trim( wp_unslash( $_POST['content'] ) );
</ins><span class="cx">                 if ( current_user_can( 'unfiltered_html' ) ) {
</span><span class="cx">                         if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
</span><span class="cx">                                 kses_remove_filters(); // start with a clean slate
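Review bot: dropping $wpdb-&gt;escape() from display_name, user_email and user_url is only correct if the code that later consumes $comment_author, $comment_author_email and $comment_author_url (not in this hunk) has been switched to the unslashed contract in this same changeset; please confirm, since the old path relied on those added slashes. On the unchanged line just below, wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] is a loose string comparison against a freshly generated nonce; wp_verify_nonce() is the intended API for this check and also accepts the previous tick's nonce.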
</span><span class="lines">@@ -957,8 +961,8 @@
</span><span class="cx">                 ) );
</span><span class="cx">         } else { // Update?
</span><span class="cx">                 $mid = (int) key( $_POST['meta'] );
</span><del>-                $key = stripslashes( $_POST['meta'][$mid]['key'] );
-                $value = stripslashes( $_POST['meta'][$mid]['value'] );
</del><ins>+                $key = wp_unslash( $_POST['meta'][$mid]['key'] );
+                $value = wp_unslash( $_POST['meta'][$mid]['value'] );
</ins><span class="cx">                 if ( '' == trim($key) )
</span><span class="cx">                         wp_die( __( 'Please provide a custom field name.' ) );
</span><span class="cx">                 if ( '' == trim($value) )
</span><span class="lines">@@ -1227,7 +1231,7 @@
</span><span class="cx">         $args = array();
</span><span class="cx"> 
</span><span class="cx">         if ( isset( $_POST['search'] ) )
</span><del>-                $args['s'] = stripslashes( $_POST['search'] );
</del><ins>+                $args['s'] = wp_unslash( $_POST['search'] );
</ins><span class="cx">         $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1;
</span><span class="cx"> 
</span><span class="cx">         require(ABSPATH . WPINC . '/class-wp-editor.php');
</span><span class="lines">@@ -1328,7 +1332,6 @@
</span><span class="cx">         $data = &amp;$_POST;
</span><span class="cx"> 
</span><span class="cx">         $post = get_post( $post_ID, ARRAY_A );
</span><del>-        $post = add_magic_quotes($post); //since it is from db
</del><span class="cx"> 
</span><span class="cx">         $data['content'] = $post['post_content'];
</span><span class="cx">         $data['excerpt'] = $post['post_excerpt'];
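Review bot: mixed slashing in $data. $data is a reference to $_POST (the line above the removed one), which is still slashed, and with add_magic_quotes( $post ) gone the post_content and post_excerpt copied into $data['content'] and $data['excerpt'] are now unslashed database values in the same array. Whatever consumes $data afterwards will either double-unslash the request fields or leave the DB fields inconsistent with them. Either build $data from wp_unslash( $_POST ) so the whole array is on one convention, or keep add_magic_quotes() until that consumer is converted.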
</span><span class="lines">@@ -1376,8 +1379,10 @@
</span><span class="cx">         global $wp_list_table;
</span><span class="cx"> 
</span><span class="cx">         check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' );
</span><ins>+        
+        $post_data = wp_unslash( $_POST );
</ins><span class="cx"> 
</span><del>-        $taxonomy = sanitize_key( $_POST['taxonomy'] );
</del><ins>+        $taxonomy = sanitize_key( $post_data['taxonomy'] );
</ins><span class="cx">         $tax = get_taxonomy( $taxonomy );
</span><span class="cx">         if ( ! $tax )
</span><span class="cx">                 wp_die( 0 );
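Review bot: the added blank line after check_ajax_referer() carries trailing whitespace (spaces after the '+'); please strip it. Otherwise the ordering here (nonce check, then $post_data = wp_unslash( $_POST ), then sanitize_key() on the taxonomy) is the pattern the other ajax handlers in this file should follow.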
</span><span class="lines">@@ -1387,13 +1392,13 @@
</span><span class="cx"> 
</span><span class="cx">         $wp_list_table = _get_list_table( 'WP_Terms_List_Table', array( 'screen' =&gt; 'edit-' . $taxonomy ) );
</span><span class="cx"> 
</span><del>-        if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) )
</del><ins>+        if ( ! isset($post_data['tax_ID']) || ! ( $id = (int) $post_data['tax_ID'] ) )
</ins><span class="cx">                 wp_die( -1 );
</span><span class="cx"> 
</span><span class="cx">         $tag = get_term( $id, $taxonomy );
</span><del>-        $_POST['description'] = $tag-&gt;description;
</del><ins>+        $post_data['description'] = $tag-&gt;description;
</ins><span class="cx"> 
</span><del>-        $updated = wp_update_term($id, $taxonomy, $_POST);
</del><ins>+        $updated = wp_update_term($id, $taxonomy, $post_data );
</ins><span class="cx">         if ( $updated &amp;&amp; !is_wp_error($updated) ) {
</span><span class="cx">                 $tag = get_term( $updated['term_id'], $taxonomy );
</span><span class="cx">                 if ( !$tag || is_wp_error( $tag ) ) {
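Review bot: $tag = get_term( $id, $taxonomy ) is dereferenced as $tag-&gt;description with no null or WP_Error check before the value is written into $post_data['description'], even though the post-update path a few lines below does guard get_term()'s result with is_wp_error(). An $id that does not exist in $taxonomy raises a notice and passes an empty description to wp_update_term(). Pre-existing, but the line is being rewritten. Note also that wp_update_term() receives the whole unslashed request array, so any key it honours can be set by the client; unchanged from the $_POST version.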
</span><span class="lines">@@ -1425,7 +1430,7 @@
</span><span class="cx">         $post_types = get_post_types( array( 'public' =&gt; true ), 'objects' );
</span><span class="cx">         unset( $post_types['attachment'] );
</span><span class="cx"> 
</span><del>-        $s = stripslashes( $_POST['ps'] );
</del><ins>+        $s = wp_unslash( $_POST['ps'] );
</ins><span class="cx">         $searchand = $search = '';
</span><span class="cx">         $args = array(
</span><span class="cx">                 'post_type' =&gt; array_keys( $post_types ),
</span><span class="lines">@@ -1596,7 +1601,7 @@
</span><span class="cx">                 $post_id = null;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        $post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
</del><ins>+        $post_data = isset( $_REQUEST['post_data'] ) ? wp_unslash( $_REQUEST['post_data'] ) : array();
</ins><span class="cx"> 
</span><span class="cx">         // If the context is custom header or background, make sure the uploaded file is an image.
</span><span class="cx">         if ( isset( $post_data['context'] ) &amp;&amp; in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
</span><span class="lines">@@ -1630,10 +1635,10 @@
</span><span class="cx"> 
</span><span class="cx">         if ( isset( $post_data['context'] ) &amp;&amp; isset( $post_data['theme'] ) ) {
</span><span class="cx">                 if ( 'custom-background' === $post_data['context'] )
</span><del>-                        update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
</del><ins>+                        wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
</ins><span class="cx"> 
</span><span class="cx">                 if ( 'custom-header' === $post_data['context'] )
</span><del>-                        update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
</del><ins>+                        wp_update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if ( ! $attachment = wp_prepare_attachment_for_js( $attachment_id ) )
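Review bot: wp_update_post_meta() is not defined in any visible hunk; this rename only makes sense if the same changeset introduces it (presumably in wp-includes/post.php) with an unslashed-argument contract distinct from update_post_meta(), which under the old convention unslashed its value internally. If the new function were merely a pass-through, $post_data['theme'], now already unslashed, would be stored with any backslashes stripped. Please confirm the definition and its docblock are part of this commit, and that the same holds for the _edit_lock and _wp_attachment_image_alt call sites below.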
</span><span class="lines">@@ -1778,7 +1783,7 @@
</span><span class="cx">                 wp_die( 0 );
</span><span class="cx"> 
</span><span class="cx">         $new_lock = ( time() - apply_filters( 'wp_check_post_lock_window', AUTOSAVE_INTERVAL * 2 ) + 5 ) . ':' . $active_lock[1];
</span><del>-        update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
</del><ins>+        wp_update_post_meta( $post_id, '_edit_lock', $new_lock, implode( ':', $active_lock ) );
</ins><span class="cx">         wp_die( 1 );
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1873,7 +1878,7 @@
</span><span class="cx">         if ( ! current_user_can( 'edit_post', $id ) )
</span><span class="cx">                 wp_send_json_error();
</span><span class="cx"> 
</span><del>-        $changes = $_REQUEST['changes'];
</del><ins>+        $changes = wp_unslash( $_REQUEST['changes'] );
</ins><span class="cx">         $post    = get_post( $id, ARRAY_A );
</span><span class="cx"> 
</span><span class="cx">         if ( 'attachment' != $post['post_type'] )
</span><span class="lines">@@ -1890,10 +1895,10 @@
</span><span class="cx"> 
</span><span class="cx">         if ( isset( $changes['alt'] ) ) {
</span><span class="cx">                 $alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
</span><del>-                $new_alt = stripslashes( $changes['alt'] );
</del><ins>+                $new_alt = $changes['alt'];
</ins><span class="cx">                 if ( $alt != $new_alt ) {
</span><span class="cx">                         $new_alt = wp_strip_all_tags( $new_alt, true );
</span><del>-                        update_post_meta( $id, '_wp_attachment_image_alt', addslashes( $new_alt ) );
</del><ins>+                        wp_update_post_meta( $id, '_wp_attachment_image_alt', $new_alt );
</ins><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -1915,7 +1920,7 @@
</span><span class="cx"> 
</span><span class="cx">         if ( empty( $_REQUEST['attachments'] ) || empty( $_REQUEST['attachments'][ $id ] ) )
</span><span class="cx">                 wp_send_json_error();
</span><del>-        $attachment_data = $_REQUEST['attachments'][ $id ];
</del><ins>+        $attachment_data = wp_unslash( $_REQUEST['attachments'][ $id ] );
</ins><span class="cx"> 
</span><span class="cx">         check_ajax_referer( 'update-post_' . $id, 'nonce' );
</span><span class="cx"> 
</span><span class="lines">@@ -1959,7 +1964,7 @@
</span><span class="cx"> 
</span><span class="cx">         check_ajax_referer( 'update-post_' . $post_id, 'nonce' );
</span><span class="cx"> 
</span><del>-        $attachments = $_REQUEST['attachments'];
</del><ins>+        $attachments = wp_unslash( $_REQUEST['attachments'] );
</ins><span class="cx"> 
</span><span class="cx">         if ( ! current_user_can( 'edit_post', $post_id ) )
</span><span class="cx">                 wp_send_json_error();
</span><span class="lines">@@ -1990,7 +1995,7 @@
</span><span class="cx"> function wp_ajax_send_attachment_to_editor() {
</span><span class="cx">         check_ajax_referer( 'media-send-to-editor', 'nonce' );
</span><span class="cx"> 
</span><del>-        $attachment = stripslashes_deep( $_POST['attachment'] );
</del><ins>+        $attachment = wp_unslash( $_POST['attachment'] );
</ins><span class="cx"> 
</span><span class="cx">         $id = intval( $attachment['id'] );
</span><span class="cx"> 
</span><span class="lines">@@ -2045,7 +2050,7 @@
</span><span class="cx"> function wp_ajax_send_link_to_editor() {
</span><span class="cx">         check_ajax_referer( 'media-send-to-editor', 'nonce' );
</span><span class="cx"> 
</span><del>-        if ( ! $src = stripslashes( $_POST['src'] ) )
</del><ins>+        if ( ! $src = wp_unslash( $_POST['src'] ) )
</ins><span class="cx">                 wp_send_json_error();
</span><span class="cx"> 
</span><span class="cx">         if ( ! strpos( $src, '://' ) )
</span><span class="lines">@@ -2054,7 +2059,7 @@
</span><span class="cx">         if ( ! $src = esc_url_raw( $src ) )
</span><span class="cx">                 wp_send_json_error();
</span><span class="cx"> 
</span><del>-        if ( ! $title = trim( stripslashes( $_POST['title'] ) ) )
</del><ins>+        if ( ! $title = trim( wp_unslash( $_POST['title'] ) ) )
</ins><span class="cx">                 $title = wp_basename( $src );
</span><span class="cx"> 
</span><span class="cx">         $html = '';
</span><span class="lines">@@ -2083,7 +2088,7 @@
</span><span class="cx">                 $screen_id = 'site';
</span><span class="cx">         
</span><span class="cx">         if ( ! empty($_POST['data']) ) {
</span><del>-                $data = (array) $_POST['data'];
</del><ins>+                $data = wp_unslash( (array) $_POST['data'] );
</ins><span class="cx">                 // todo: how much to sanitize and preset and what to leave to be accessed from $data or $_POST..?
</span><span class="cx">                 $user = wp_get_current_user();
</span><span class="cx">                 $data['user_id'] = $user-&gt;exists() ? $user-&gt;ID : 0;
</span></span></pre></div>
<a id="trunkwpadminincludesbookmarkphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/bookmark.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/bookmark.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/bookmark.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -39,9 +39,9 @@
</span><span class="cx"> 
</span><span class="cx">         if ( !empty( $link_id ) ) {
</span><span class="cx">                 $_POST['link_id'] = $link_id;
</span><del>-                return wp_update_link( $_POST );
</del><ins>+                return wp_update_link( wp_unslash( $_POST ) );
</ins><span class="cx">         } else {
</span><del>-                return wp_insert_link( $_POST );
</del><ins>+                return wp_insert_link( wp_unslash( $_POST ) );
</ins><span class="cx">         }
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -137,7 +137,7 @@
</span><span class="cx">         $linkdata = wp_parse_args( $linkdata, $defaults );
</span><span class="cx">         $linkdata = sanitize_bookmark( $linkdata, 'db' );
</span><span class="cx"> 
</span><del>-        extract( stripslashes_deep( $linkdata ), EXTR_SKIP );
</del><ins>+        extract( $linkdata, EXTR_SKIP );
</ins><span class="cx"> 
</span><span class="cx">         $update = false;
</span><span class="cx"> 
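Review bot: with stripslashes_deep() removed from the extract() call, sanitize_bookmark( $linkdata, 'db' ) on the line above now runs on unslashed values; confirm the 'db' context sanitizers (sanitize_bookmark_field() and the pre_ filters it applies) do not themselves assume slashed input, otherwise the bookmark path is only half converted. The extract() itself is unchanged; EXTR_SKIP keeps request keys from overwriting existing locals, but the function still depends on sanitize_bookmark() limiting which keys come through.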
</span><span class="lines">@@ -250,9 +250,6 @@
</span><span class="cx"> 
</span><span class="cx">         $link = get_bookmark( $link_id, ARRAY_A );
</span><span class="cx"> 
</span><del>-        // Escape data pulled from DB.
-        $link = add_magic_quotes( $link );
-
</del><span class="cx">         // Passed link category list overwrites existing category list if not empty.
</span><span class="cx">         if ( isset( $linkdata['link_category'] ) &amp;&amp; is_array( $linkdata['link_category'] )
</span><span class="cx">                          &amp;&amp; 0 != count( $linkdata['link_category'] ) )
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpcommentslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-comments-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-comments-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-comments-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -170,7 +170,7 @@
</span><span class="cx">                         /*
</span><span class="cx">                         // I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
</span><span class="cx">                         if ( !empty( $_REQUEST['s'] ) )
</span><del>-                                $link = add_query_arg( 's', esc_attr( stripslashes( $_REQUEST['s'] ) ), $link );
</del><ins>+                                $link = add_query_arg( 's', esc_attr( wp_unslash( $_REQUEST['s'] ) ), $link );
</ins><span class="cx">                         */
</span><span class="cx">                         $status_links[$status] = &quot;&lt;a href='$link'$class&gt;&quot; . sprintf(
</span><span class="cx">                                 translate_nooped_plural( $label, $num_comments-&gt;$status ),
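Review bot: this hunk only touches code inside the /* ... */ block that the comment above says was deliberately left disabled, so the change has no runtime effect. Either remove the dead block in this commit or leave it untouched, so the diff stays focused on live code.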
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpmssiteslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-ms-sites-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-ms-sites-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-ms-sites-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -29,7 +29,7 @@
</span><span class="cx"> 
</span><span class="cx">                 $pagenum = $this-&gt;get_pagenum();
</span><span class="cx"> 
</span><del>-                $s = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST[ 's' ] ) ) : '';
</del><ins>+                $s = isset( $_REQUEST['s'] ) ? wp_unslash( trim( $_REQUEST[ 's' ] ) ) : '';
</ins><span class="cx">                 $wild = '';
</span><span class="cx">                 if ( false !== strpos($s, '*') ) {
</span><span class="cx">                         $wild = '%';
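Review bot: wp_unslash( trim( $_REQUEST['s'] ) ) applies trim() before unslashing, whereas the terms list table in this same changeset uses trim( wp_unslash( $_REQUEST['s'] ) ). Unslash the raw value first and then trim, matching the other site; the result is the same for ordinary input, but the ordering reads as decode-then-normalise and keeps the two list tables consistent.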
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpmsthemeslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-ms-themes-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-ms-themes-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-ms-themes-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -126,7 +126,7 @@
</span><span class="cx">         function _search_callback( $theme ) {
</span><span class="cx">                 static $term;
</span><span class="cx">                 if ( is_null( $term ) )
</span><del>-                        $term = stripslashes( $_REQUEST['s'] );
</del><ins>+                        $term = wp_unslash( $_REQUEST['s'] );
</ins><span class="cx"> 
</span><span class="cx">                 foreach ( array( 'Name', 'Description', 'Author', 'Author', 'AuthorURI' ) as $field ) {
</span><span class="cx">                         // Don't mark up; Do translate.
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpmsuserslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-ms-users-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-ms-users-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-ms-users-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -173,10 +173,10 @@
</span><span class="cx"> 
</span><span class="cx">                                         case 'username':
</span><span class="cx">                                                 $avatar        = get_avatar( $user-&gt;user_email, 32 );
</span><del>-                                                $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user-&gt;ID ) ) );
</del><ins>+                                                $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user-&gt;ID ) ) );
</ins><span class="cx"> 
</span><span class="cx">                                                 echo &quot;&lt;td $attributes&gt;&quot;; ?&gt;
</span><del>-                                                        &lt;?php echo $avatar; ?&gt;&lt;strong&gt;&lt;a href=&quot;&lt;?php echo $edit_link; ?&gt;&quot; class=&quot;edit&quot;&gt;&lt;?php echo stripslashes( $user-&gt;user_login ); ?&gt;&lt;/a&gt;&lt;?php
</del><ins>+                                                        &lt;?php echo $avatar; ?&gt;&lt;strong&gt;&lt;a href=&quot;&lt;?php echo $edit_link; ?&gt;&quot; class=&quot;edit&quot;&gt;&lt;?php echo $user-&gt;user_login; ?&gt;&lt;/a&gt;&lt;?php
</ins><span class="cx">                                                         if ( in_array( $user-&gt;user_login, $super_admins ) )
</span><span class="cx">                                                                 echo ' - ' . __( 'Super Admin' );
</span><span class="cx">                                                         ?&gt;&lt;/strong&gt;
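Review bot: $user-&gt;user_login is now echoed directly into the anchor text with no esc_html(). Dropping stripslashes() is right (the value comes from the database, not the request), but since the line is being rewritten it should become esc_html( $user-&gt;user_login ); user_login is normally constrained by sanitize_user(), so the practical exposure is low, but output escaping should not rest on that. The wp_unslash( $_SERVER['REQUEST_URI'] ) changes are consistent with $_SERVER being slashed alongside $_GET and $_POST at load time.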
</span><span class="lines">@@ -186,7 +186,7 @@
</span><span class="cx">                                                                 $actions['edit'] = '&lt;a href=&quot;' . $edit_link . '&quot;&gt;' . __( 'Edit' ) . '&lt;/a&gt;';
</span><span class="cx"> 
</span><span class="cx">                                                                 if ( current_user_can( 'delete_user', $user-&gt;ID ) &amp;&amp; ! in_array( $user-&gt;user_login, $super_admins ) ) {
</span><del>-                                                                        $actions['delete'] = '&lt;a href=&quot;' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;amp;action=deleteuser&amp;amp;id=' . $user-&gt;ID ) ) ) . '&quot; class=&quot;delete&quot;&gt;' . __( 'Delete' ) . '&lt;/a&gt;';
</del><ins>+                                                                        $actions['delete'] = '&lt;a href=&quot;' . $delete = esc_url( network_admin_url( add_query_arg( '_wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'users.php', 'deleteuser' ) . '&amp;amp;action=deleteuser&amp;amp;id=' . $user-&gt;ID ) ) ) . '&quot; class=&quot;delete&quot;&gt;' . __( 'Delete' ) . '&lt;/a&gt;';
</ins><span class="cx">                                                                 }
</span><span class="cx"> 
</span><span class="cx">                                                                 $actions = apply_filters( 'ms_user_row_actions', $actions, $user );
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpplugininstalllisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-plugin-install-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-plugin-install-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-plugin-install-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -48,8 +48,8 @@
</span><span class="cx"> 
</span><span class="cx">                 switch ( $tab ) {
</span><span class="cx">                         case 'search':
</span><del>-                                $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-                                $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
</del><ins>+                                $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+                                $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
</ins><span class="cx"> 
</span><span class="cx">                                 switch ( $type ) {
</span><span class="cx">                                         case 'tag':
</span><span class="lines">@@ -73,7 +73,7 @@
</span><span class="cx">                                 break;
</span><span class="cx"> 
</span><span class="cx">                         case 'favorites':
</span><del>-                                $user = isset( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
</del><ins>+                                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
</ins><span class="cx">                                 update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
</span><span class="cx">                                 if ( $user )
</span><span class="cx">                                         $args['user'] = $user;
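Review bot: $user comes from $_GET['user'] and is written straight into user meta by update_user_meta() with no nonce check appearing in the visible lines; this is unchanged behaviour, but the line is being touched, so it is worth either a referer check or a comment on why a GET parameter may persist state. Separately, update_user_meta() is left on the old slashed-input convention in this changeset (compare the update_post_meta to wp_update_post_meta renames in ajax-actions.php), so handing it the now-unslashed $user strips any backslash the value contained; either re-slash the value before the call or use an unslashed-contract wrapper once one exists for user meta.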
</span></span></pre></div>
<a id="trunkwpadminincludesclasswppluginslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-plugins-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-plugins-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-plugins-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -22,7 +22,7 @@
</span><span class="cx">                         $status = $_REQUEST['plugin_status'];
</span><span class="cx"> 
</span><span class="cx">                 if ( isset($_REQUEST['s']) )
</span><del>-                        $_SERVER['REQUEST_URI'] = add_query_arg('s', stripslashes($_REQUEST['s']) );
</del><ins>+                        $_SERVER['REQUEST_URI'] = add_query_arg('s', wp_unslash($_REQUEST['s']) );
</ins><span class="cx"> 
</span><span class="cx">                 $page = $this-&gt;get_pagenum();
</span><span class="cx">         }
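Review bot: $_SERVER['REQUEST_URI'] = add_query_arg( 's', wp_unslash( $_REQUEST['s'] ) ) writes an unslashed value back into $_SERVER, which the rest of this changeset treats as slashed (the ms-users list table calls wp_unslash( $_SERVER['REQUEST_URI'] ) when building its links). Any later reader that unslashes REQUEST_URI will strip one level too many from a search term containing backslashes. Behaviour is unchanged from the stripslashes() version, but computing the URL into a local and passing it explicitly would be cleaner than mutating $_SERVER.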
</span><span class="lines">@@ -140,7 +140,7 @@
</span><span class="cx">         function _search_callback( $plugin ) {
</span><span class="cx">                 static $term;
</span><span class="cx">                 if ( is_null( $term ) )
</span><del>-                        $term = stripslashes( $_REQUEST['s'] );
</del><ins>+                        $term = wp_unslash( $_REQUEST['s'] );
</ins><span class="cx"> 
</span><span class="cx">                 foreach ( $plugin as $value )
</span><span class="cx">                         if ( stripos( $value, $term ) !== false )
</span></span></pre></div>
<a id="trunkwpadminincludesclasswptermslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-terms-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-terms-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-terms-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -52,7 +52,7 @@
</span><span class="cx">                         $tags_per_page = apply_filters( 'edit_categories_per_page', $tags_per_page ); // Old filter
</span><span class="cx">                 }
</span><span class="cx"> 
</span><del>-                $search = !empty( $_REQUEST['s'] ) ? trim( stripslashes( $_REQUEST['s'] ) ) : '';
</del><ins>+                $search = !empty( $_REQUEST['s'] ) ? trim( wp_unslash( $_REQUEST['s'] ) ) : '';
</ins><span class="cx"> 
</span><span class="cx">                 $args = array(
</span><span class="cx">                         'search' =&gt; $search,
</span><span class="lines">@@ -61,10 +61,10 @@
</span><span class="cx">                 );
</span><span class="cx"> 
</span><span class="cx">                 if ( !empty( $_REQUEST['orderby'] ) )
</span><del>-                        $args['orderby'] = trim( stripslashes( $_REQUEST['orderby'] ) );
</del><ins>+                        $args['orderby'] = trim( wp_unslash( $_REQUEST['orderby'] ) );
</ins><span class="cx"> 
</span><span class="cx">                 if ( !empty( $_REQUEST['order'] ) )
</span><del>-                        $args['order'] = trim( stripslashes( $_REQUEST['order'] ) );
</del><ins>+                        $args['order'] = trim( wp_unslash( $_REQUEST['order'] ) );
</ins><span class="cx"> 
</span><span class="cx">                 $this-&gt;callback_args = $args;
</span><span class="cx"> 
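Review bot: orderby and order go into $args exactly as submitted, only trimmed and unslashed, and from there presumably into the terms query; the slashing change is correct, but validation of these two values then rests entirely on get_terms() whitelisting them before they reach SQL. Since the lines are being rewritten, consider restricting order to asc/desc and orderby to the documented set here, so the list table does not depend on the query layer for that.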
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpthemeinstalllisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-theme-install-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-theme-install-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-theme-install-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -24,7 +24,7 @@
</span><span class="cx">                 $search_terms = array();
</span><span class="cx">                 $search_string = '';
</span><span class="cx">                 if ( ! empty( $_REQUEST['s'] ) ){
</span><del>-                        $search_string = strtolower( stripslashes( $_REQUEST['s'] ) );
</del><ins>+                        $search_string = strtolower( wp_unslash( $_REQUEST['s'] ) );
</ins><span class="cx">                         $search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', $search_string ) ) ) );
</span><span class="cx">                 }
</span><span class="cx"> 
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx"> 
</span><span class="cx">                 switch ( $tab ) {
</span><span class="cx">                         case 'search':
</span><del>-                                $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
</del><ins>+                                $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
</ins><span class="cx">                                 switch ( $type ) {
</span><span class="cx">                                         case 'tag':
</span><span class="cx">                                                 $args['tag'] = array_map( 'sanitize_key', $search_terms );
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpthemeslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-themes-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-themes-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-themes-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx">                 $themes = wp_get_themes( array( 'allowed' =&gt; true ) );
</span><span class="cx"> 
</span><span class="cx">                 if ( ! empty( $_REQUEST['s'] ) )
</span><del>-                        $this-&gt;search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( stripslashes( $_REQUEST['s'] ) ) ) ) ) );
</del><ins>+                        $this-&gt;search_terms = array_unique( array_filter( array_map( 'trim', explode( ',', strtolower( wp_unslash( $_REQUEST['s'] ) ) ) ) ) );
</ins><span class="cx"> 
</span><span class="cx">                 if ( ! empty( $_REQUEST['features'] ) )
</span><span class="cx">                         $this-&gt;features = $_REQUEST['features'];
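Review bot: `$this-&gt;features = $_REQUEST['features'];` two lines below the changed `s` handling is still assigned raw from the request, so this class now mixes an unslashed search string with slashed feature values. Since the point of the changeset is that core consumers work on unslashed input, wrap it the same way (`wp_unslash( $_REQUEST['features'] )` handles the array case), or leave a comment saying why it is exempt.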
</span><span class="lines">@@ -235,7 +235,7 @@
</span><span class="cx">          * @uses _pagination_args['total_pages']
</span><span class="cx">          */
</span><span class="cx">          function _js_vars( $extra_args = array() ) {
</span><del>-                $search_string = isset( $_REQUEST['s'] ) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
</del><ins>+                $search_string = isset( $_REQUEST['s'] ) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
</ins><span class="cx"> 
</span><span class="cx">                 $args = array(
</span><span class="cx">                         'search' =&gt; $search_string,
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpupgraderphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-upgrader.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-upgrader.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-upgrader.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1427,7 +1427,7 @@
</span><span class="cx"> 
</span><span class="cx">                 $install_actions = array();
</span><span class="cx"> 
</span><del>-                $from = isset($_GET['from']) ? stripslashes($_GET['from']) : 'plugins';
</del><ins>+                $from = isset($_GET['from']) ? wp_unslash( $_GET['from'] ) : 'plugins';
</ins><span class="cx"> 
</span><span class="cx">                 if ( 'import' == $from )
</span><span class="cx">                         $install_actions['activate_plugin'] = '&lt;a href=&quot;' . wp_nonce_url('plugins.php?action=activate&amp;amp;from=import&amp;amp;plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '&quot; title=&quot;' . esc_attr__('Activate this plugin') . '&quot; target=&quot;_parent&quot;&gt;' . __('Activate Plugin &amp;amp; Run Importer') . '&lt;/a&gt;';
</span></span></pre></div>
<a id="trunkwpadminincludesclasswpuserslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/class-wp-users-list-table.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/class-wp-users-list-table.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/class-wp-users-list-table.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -241,7 +241,7 @@
</span><span class="cx">                 // Check if the user for this row is editable
</span><span class="cx">                 if ( current_user_can( 'list_users' ) ) {
</span><span class="cx">                         // Set up the user editing link
</span><del>-                        $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object-&gt;ID ) ) );
</del><ins>+                        $edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), get_edit_user_link( $user_object-&gt;ID ) ) );
</ins><span class="cx"> 
</span><span class="cx">                         // Set up the hover actions for this user
</span><span class="cx">                         $actions = array();
</span></span></pre></div>
<a id="trunkwpadminincludescommentphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/comment.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/comment.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/comment.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -19,9 +19,6 @@
</span><span class="cx"> function comment_exists($comment_author, $comment_date) {
</span><span class="cx">         global $wpdb;
</span><span class="cx"> 
</span><del>-        $comment_author = stripslashes($comment_author);
-        $comment_date = stripslashes($comment_date);
-
</del><span class="cx">         return $wpdb-&gt;get_var( $wpdb-&gt;prepare(&quot;SELECT comment_post_ID FROM $wpdb-&gt;comments
</span><span class="cx">                         WHERE comment_author = %s AND comment_date = %s&quot;, $comment_author, $comment_date) );
</span><span class="cx"> }
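Review bot: comment_exists() silently changes contract here: it used to tolerate slashed arguments and now passes them straight into $wpdb-&gt;prepare(), so any caller still handing it raw $_POST data will query for strings containing literal backslashes and miss existing comments. The docblock should state that both parameters are expected unslashed, and the callers (the importers are the usual ones) need to be audited in the same changeset.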
</span><span class="lines">@@ -33,38 +30,40 @@
</span><span class="cx">  */
</span><span class="cx"> function edit_comment() {
</span><span class="cx"> 
</span><del>-        if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
</del><ins>+        $post_data = wp_unslash( $_POST );
+
+        if ( ! current_user_can( 'edit_comment', (int) $post_data['comment_ID'] ) )
</ins><span class="cx">                 wp_die ( __( 'You are not allowed to edit comments on this post.' ) );
</span><span class="cx"> 
</span><del>-        $_POST['comment_author'] = $_POST['newcomment_author'];
-        $_POST['comment_author_email'] = $_POST['newcomment_author_email'];
-        $_POST['comment_author_url'] = $_POST['newcomment_author_url'];
-        $_POST['comment_approved'] = $_POST['comment_status'];
-        $_POST['comment_content'] = $_POST['content'];
-        $_POST['comment_ID'] = (int) $_POST['comment_ID'];
</del><ins>+        $post_data['comment_author'] = $post_data['newcomment_author'];
+        $post_data['comment_author_email'] = $post_data['newcomment_author_email'];
+        $post_data['comment_author_url'] = $post_data['newcomment_author_url'];
+        $post_data['comment_approved'] = $post_data['comment_status'];
+        $post_data['comment_content'] = $post_data['content'];
+        $post_data['comment_ID'] = (int) $post_data['comment_ID'];
</ins><span class="cx"> 
</span><span class="cx">         foreach ( array ('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit ) {
</span><del>-                if ( !empty( $_POST['hidden_' . $timeunit] ) &amp;&amp; $_POST['hidden_' . $timeunit] != $_POST[$timeunit] ) {
</del><ins>+                if ( !empty( $post_data['hidden_' . $timeunit] ) &amp;&amp; $post_data['hidden_' . $timeunit] != $post_data[$timeunit] ) {
</ins><span class="cx">                         $_POST['edit_date'] = '1';
</span><span class="cx">                         break;
</span><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        if ( !empty ( $_POST['edit_date'] ) ) {
-                $aa = $_POST['aa'];
-                $mm = $_POST['mm'];
-                $jj = $_POST['jj'];
-                $hh = $_POST['hh'];
-                $mn = $_POST['mn'];
-                $ss = $_POST['ss'];
</del><ins>+        if ( !empty ( $post_data['edit_date'] ) ) {
+                $aa = $post_data['aa'];
+                $mm = $post_data['mm'];
+                $jj = $post_data['jj'];
+                $hh = $post_data['hh'];
+                $mn = $post_data['mn'];
+                $ss = $post_data['ss'];
</ins><span class="cx">                 $jj = ($jj &gt; 31 ) ? 31 : $jj;
</span><span class="cx">                 $hh = ($hh &gt; 23 ) ? $hh -24 : $hh;
</span><span class="cx">                 $mn = ($mn &gt; 59 ) ? $mn -60 : $mn;
</span><span class="cx">                 $ss = ($ss &gt; 59 ) ? $ss -60 : $ss;
</span><del>-                $_POST['comment_date'] = &quot;$aa-$mm-$jj $hh:$mn:$ss&quot;;
</del><ins>+                $post_data['comment_date'] = &quot;$aa-$mm-$jj $hh:$mn:$ss&quot;;
</ins><span class="cx">         }
</span><span class="cx"> 
</span><del>-        wp_update_comment( $_POST );
</del><ins>+        wp_update_comment( $post_data );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span></span></pre></div>
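Review bot: the edit_date flag is lost in the edit_comment() hunk. The foreach still executes the unchanged line `$_POST['edit_date'] = '1';`, but the branch below it now tests `$post_data['edit_date']`, and $post_data is a copy taken by wp_unslash( $_POST ) before the loop runs, so a changed date/time is never applied unless the form itself posted edit_date. Change the assignment to `$post_data['edit_date'] = '1';` so the flag and the check refer to the same array.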
<a id="trunkwpadminincludesdashboardphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/dashboard.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/dashboard.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/dashboard.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1093,7 +1093,7 @@
</span><span class="cx">         $widget_options[$widget_id]['number'] = $number;
</span><span class="cx"> 
</span><span class="cx">         if ( 'POST' == $_SERVER['REQUEST_METHOD'] &amp;&amp; isset($_POST['widget-rss'][$number]) ) {
</span><del>-                $_POST['widget-rss'][$number] = stripslashes_deep( $_POST['widget-rss'][$number] );
</del><ins>+                $_POST['widget-rss'][$number] = wp_unslash( $_POST['widget-rss'][$number] );
</ins><span class="cx">                 $widget_options[$widget_id] = wp_widget_rss_process( $_POST['widget-rss'][$number] );
</span><span class="cx">                 // title is optional. If black, fill it if possible
</span><span class="cx">                 if ( !$widget_options[$widget_id]['title'] &amp;&amp; isset($_POST['widget-rss'][$number]['title']) ) {
</span></span></pre></div>
<a id="trunkwpadminincludesdeprecatedphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/deprecated.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/deprecated.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/deprecated.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -472,14 +472,13 @@
</span><span class="cx">         function WP_User_Search ($search_term = '', $page = '', $role = '') {
</span><span class="cx">                 _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
</span><span class="cx"> 
</span><del>-                $this-&gt;search_term = stripslashes( $search_term );
</del><ins>+                $this-&gt;search_term = $search_term;
</ins><span class="cx">                 $this-&gt;raw_page = ( '' == $page ) ? false : (int) $page;
</span><span class="cx">                 $this-&gt;page = (int) ( '' == $page ) ? 1 : $page;
</span><span class="cx">                 $this-&gt;role = $role;
</span><span class="cx"> 
</span><span class="cx">                 $this-&gt;prepare_query();
</span><span class="cx">                 $this-&gt;query();
</span><del>-                $this-&gt;prepare_vars_for_template_usage();
</del><span class="cx">                 $this-&gt;do_paging();
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -550,9 +549,7 @@
</span><span class="cx">          * @since 2.1.0
</span><span class="cx">          * @access public
</span><span class="cx">          */
</span><del>-        function prepare_vars_for_template_usage() {
-                $this-&gt;search_term = stripslashes($this-&gt;search_term); // done with DB, from now on we want slashes gone
-        }
</del><ins>+        function prepare_vars_for_template_usage() {}
</ins><span class="cx"> 
</span><span class="cx">         /**
</span><span class="cx">          * {@internal Missing Short Description}}
</span></span></pre></div>
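Review bot: prepare_vars_for_template_usage() is reduced to an empty body with nothing saying why, while the docblock above it still describes a working method and the constructor in the previous hunk no longer calls it. Add a one-line comment that the method is kept as a no-op for back-compat with code that calls it directly (or mark it with _deprecated_function()), and note in the constructor docblock that $search_term is now expected unslashed, since `$this-&gt;search_term = $search_term;` no longer strips anything.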
<a id="trunkwpadminincludesfilephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/file.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/file.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/file.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -901,13 +901,13 @@
</span><span class="cx">         $credentials = get_option('ftp_credentials', array( 'hostname' =&gt; '', 'username' =&gt; ''));
</span><span class="cx"> 
</span><span class="cx">         // If defined, set it to that, Else, If POST'd, set it to that, If not, Set it to whatever it previously was(saved details in option)
</span><del>-        $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? stripslashes($_POST['hostname']) : $credentials['hostname']);
-        $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? stripslashes($_POST['username']) : $credentials['username']);
-        $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? stripslashes($_POST['password']) : '');
</del><ins>+        $credentials['hostname'] = defined('FTP_HOST') ? FTP_HOST : (!empty($_POST['hostname']) ? wp_unslash( $_POST['hostname'] ) : $credentials['hostname']);
+        $credentials['username'] = defined('FTP_USER') ? FTP_USER : (!empty($_POST['username']) ? wp_unslash( $_POST['username'] ) : $credentials['username']);
+        $credentials['password'] = defined('FTP_PASS') ? FTP_PASS : (!empty($_POST['password']) ? wp_unslash( $_POST['password'] ) : '');
</ins><span class="cx"> 
</span><span class="cx">         // Check to see if we are setting the public/private keys for ssh
</span><del>-        $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? stripslashes($_POST['public_key']) : '');
-        $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? stripslashes($_POST['private_key']) : '');
</del><ins>+        $credentials['public_key'] = defined('FTP_PUBKEY') ? FTP_PUBKEY : (!empty($_POST['public_key']) ? wp_unslash( $_POST['public_key'] ) : '');
+        $credentials['private_key'] = defined('FTP_PRIKEY') ? FTP_PRIKEY : (!empty($_POST['private_key']) ? wp_unslash( $_POST['private_key'] ) : '');
</ins><span class="cx"> 
</span><span class="cx">         //sanitize the hostname, Some people might pass in odd-data:
</span><span class="cx">         $credentials['hostname'] = preg_replace('|\w+://|', '', $credentials['hostname']); //Strip any schemes off
</span><span class="lines">@@ -925,7 +925,7 @@
</span><span class="cx">         else if ( (defined('FTP_SSL') &amp;&amp; FTP_SSL) &amp;&amp; 'ftpext' == $type ) //Only the FTP Extension understands SSL
</span><span class="cx">                 $credentials['connection_type'] = 'ftps';
</span><span class="cx">         else if ( !empty($_POST['connection_type']) )
</span><del>-                $credentials['connection_type'] = stripslashes($_POST['connection_type']);
</del><ins>+                $credentials['connection_type'] = wp_unslash( $_POST['connection_type'] );
</ins><span class="cx">         else if ( !isset($credentials['connection_type']) ) //All else fails (And it's not defaulted to something else saved), Default to FTP
</span><span class="cx">                 $credentials['connection_type'] = 'ftp';
</span><span class="cx"> 
</span><span class="lines">@@ -1050,7 +1050,7 @@
</span><span class="cx"> &lt;?php
</span><span class="cx"> foreach ( (array) $extra_fields as $field ) {
</span><span class="cx">         if ( isset( $_POST[ $field ] ) )
</span><del>-                echo '&lt;input type=&quot;hidden&quot; name=&quot;' . esc_attr( $field ) . '&quot; value=&quot;' . esc_attr( stripslashes( $_POST[ $field ] ) ) . '&quot; /&gt;';
</del><ins>+                echo '&lt;input type=&quot;hidden&quot; name=&quot;' . esc_attr( $field ) . '&quot; value=&quot;' . esc_attr( wp_unslash( $_POST[ $field ] ) ) . '&quot; /&gt;';
</ins><span class="cx"> }
</span><span class="cx"> submit_button( __( 'Proceed' ), 'button', 'upgrade' );
</span><span class="cx"> ?&gt;
</span></span></pre></div>
<a id="trunkwpadminincludesimageeditphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/image-edit.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/image-edit.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/image-edit.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -454,7 +454,7 @@
</span><span class="cx">     if ( is_wp_error( $img ) )
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><del>-        $changes = !empty($_REQUEST['history']) ? json_decode( stripslashes($_REQUEST['history']) ) : null;
</del><ins>+        $changes = !empty($_REQUEST['history']) ? json_decode( wp_unslash( $_REQUEST['history'] ) ) : null;
</ins><span class="cx">         if ( $changes )
</span><span class="cx">                 $img = image_edit_apply_changes( $img, $changes );
</span><span class="cx"> 
</span><span class="lines">@@ -533,7 +533,7 @@
</span><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        if ( !wp_update_attachment_metadata($post_id, $meta) || !update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) {
</del><ins>+        if ( !wp_update_attachment_metadata($post_id, $meta) || !wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes) ) {
</ins><span class="cx">                 $msg-&gt;error = __('Cannot save image metadata.');
</span><span class="cx">                 return $msg;
</span><span class="cx">         }
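Review bot: wp_update_post_meta() is not defined anywhere in the admin files shown, so this hunk depends on a new function added elsewhere in the changeset; confirm it is the unslashed-expecting counterpart of update_post_meta() and that its return value keeps the same semantics, because this condition treats a false return as a failed save and reports "Cannot save image metadata." The same rename at the -699 hunk below has the same dependency.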
</span><span class="lines">@@ -587,7 +587,7 @@
</span><span class="cx">                         return $return;
</span><span class="cx">                 }
</span><span class="cx">         } elseif ( !empty($_REQUEST['history']) ) {
</span><del>-                $changes = json_decode( stripslashes($_REQUEST['history']) );
</del><ins>+                $changes = json_decode( wp_unslash( $_REQUEST['history'] ) );
</ins><span class="cx">                 if ( $changes )
</span><span class="cx">                         $img = image_edit_apply_changes($img, $changes);
</span><span class="cx">         } else {
</span><span class="lines">@@ -699,7 +699,7 @@
</span><span class="cx"> 
</span><span class="cx">         if ( $success ) {
</span><span class="cx">                 wp_update_attachment_metadata( $post_id, $meta );
</span><del>-                update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes);
</del><ins>+                wp_update_post_meta( $post_id, '_wp_attachment_backup_sizes', $backup_sizes);
</ins><span class="cx"> 
</span><span class="cx">                 if ( $target == 'thumbnail' || $target == 'all' || $target == 'full' ) {
</span><span class="cx">                         // Check if it's an image edit from attachment edit screen
</span></span></pre></div>
<a id="trunkwpadminincludesmediaphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/media.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/media.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/media.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -444,6 +444,8 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if ( !empty($_POST['attachments']) ) foreach ( $_POST['attachments'] as $attachment_id =&gt; $attachment ) {
</span><ins>+                $attachment = wp_unslash( $attachment );
+        
</ins><span class="cx">                 $post = $_post = get_post($attachment_id, ARRAY_A);
</span><span class="cx">                 $post_type_object = get_post_type_object( $post[ 'post_type' ] );
</span><span class="cx"> 
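Review bot: the added blank line after `$attachment = wp_unslash( $attachment );` carries trailing whitespace; please strip it. Also note that only the loop copy is unslashed here while `$_POST['attachments']` itself stays slashed, so any later code that indexes the superglobal directly (as the -501 hunk in this file does) has to unslash again; a short comment at the loop head would make that explicit.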
</span><span class="lines">@@ -468,10 +470,9 @@
</span><span class="cx"> 
</span><span class="cx">                 if ( isset($attachment['image_alt']) ) {
</span><span class="cx">                         $image_alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);
</span><del>-                        if ( $image_alt != stripslashes($attachment['image_alt']) ) {
-                                $image_alt = wp_strip_all_tags( stripslashes($attachment['image_alt']), true );
-                                // update_meta expects slashed
-                                update_post_meta( $attachment_id, '_wp_attachment_image_alt', addslashes($image_alt) );
</del><ins>+                        if ( $image_alt != $attachment['image_alt'] ) {
+                                $image_alt = wp_strip_all_tags( $attachment['image_alt'], true );
+                                wp_update_post_meta( $attachment_id, '_wp_attachment_image_alt', $image_alt );
</ins><span class="cx">                         }
</span><span class="cx">                 }
</span><span class="cx"> 
</span><span class="lines">@@ -501,7 +502,7 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if ( isset($send_id) ) {
</span><del>-                $attachment = stripslashes_deep( $_POST['attachments'][$send_id] );
</del><ins>+                $attachment = wp_unslash( $_POST['attachments'][$send_id] );
</ins><span class="cx"> 
</span><span class="cx">                 $html = isset( $attachment['post_title'] ) ? $attachment['post_title'] : '';
</span><span class="cx">                 if ( !empty($attachment['url']) ) {
</span><span class="lines">@@ -546,7 +547,7 @@
</span><span class="cx">                         $src = &quot;http://$src&quot;;
</span><span class="cx"> 
</span><span class="cx">                 if ( isset( $_POST['media_type'] ) &amp;&amp; 'image' != $_POST['media_type'] ) {
</span><del>-                        $title = esc_html( stripslashes( $_POST['title'] ) );
</del><ins>+                        $title = esc_html( wp_unslash( $_POST['title'] ) );
</ins><span class="cx">                         if ( empty( $title ) )
</span><span class="cx">                                 $title = esc_html( basename( $src ) );
</span><span class="cx"> 
</span><span class="lines">@@ -561,9 +562,9 @@
</span><span class="cx">                         $html = apply_filters( $type . '_send_to_editor_url', $html, esc_url_raw( $src ), $title );
</span><span class="cx">                 } else {
</span><span class="cx">                         $align = '';
</span><del>-                        $alt = esc_attr( stripslashes( $_POST['alt'] ) );
</del><ins>+                        $alt = esc_attr( wp_unslash( $_POST['alt'] ) );
</ins><span class="cx">                         if ( isset($_POST['align']) ) {
</span><del>-                                $align = esc_attr( stripslashes( $_POST['align'] ) );
</del><ins>+                                $align = esc_attr( wp_unslash( $_POST['align'] ) );
</ins><span class="cx">                                 $class = &quot; class='align$align'&quot;;
</span><span class="cx">                         }
</span><span class="cx">                         if ( !empty($src) )
</span></span></pre></div>
<a id="trunkwpadminincludesmiscphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/misc.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/misc.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/misc.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -220,7 +220,7 @@
</span><span class="cx">  * @return string
</span><span class="cx">  */
</span><span class="cx"> function url_shorten( $url ) {
</span><del>-        $short_url = str_replace( 'http://', '', stripslashes( $url ));
</del><ins>+        $short_url = str_replace( 'http://', '', $url );
</ins><span class="cx">         $short_url = str_replace( 'www.', '', $short_url );
</span><span class="cx">         $short_url = untrailingslashit( $short_url );
</span><span class="cx">         if ( strlen( $short_url ) &gt; 35 )
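Review bot: url_shorten() now expects an unslashed $url, but the docblock above (which already carries `@return string`) does not say so, and callers that relied on the old stripslashes() behaviour to clean request input will now keep the backslashes in the shortened display string. Add a `@param string $url` line stating the value must be unslashed and check the callers in the same changeset.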
</span><span class="lines">@@ -248,9 +248,9 @@
</span><span class="cx">                         if ( empty( $_GET[$var] ) )
</span><span class="cx">                                 $$var = '';
</span><span class="cx">                         else
</span><del>-                                $$var = $_GET[$var];
</del><ins>+                                $$var = wp_unslash( $_GET[$var] );
</ins><span class="cx">                 } else {
</span><del>-                        $$var = $_POST[$var];
</del><ins>+                        $$var = wp_unslash( $_POST[$var] );
</ins><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx"> }
</span><span class="lines">@@ -323,8 +323,8 @@
</span><span class="cx"> 
</span><span class="cx">                 if ( !$user = wp_get_current_user() )
</span><span class="cx">                         return;
</span><del>-                $option = $_POST['wp_screen_options']['option'];
-                $value = $_POST['wp_screen_options']['value'];
</del><ins>+                $option = wp_unslash( $_POST['wp_screen_options']['option'] );
+                $value = wp_unslash( $_POST['wp_screen_options']['value'] );
</ins><span class="cx"> 
</span><span class="cx">                 if ( $option != sanitize_key( $option ) )
</span><span class="cx">                         return;
</span></span></pre></div>
<a id="trunkwpadminincludesplugininstallphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/plugin-install.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/plugin-install.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/plugin-install.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -116,8 +116,8 @@
</span><span class="cx">  * @since 2.7.0
</span><span class="cx">  */
</span><span class="cx"> function install_search_form( $type_selector = true ) {
</span><del>-        $type = isset($_REQUEST['type']) ? stripslashes( $_REQUEST['type'] ) : 'term';
-        $term = isset($_REQUEST['s']) ? stripslashes( $_REQUEST['s'] ) : '';
</del><ins>+        $type = isset($_REQUEST['type']) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+        $term = isset($_REQUEST['s']) ? wp_unslash( $_REQUEST['s'] ) : '';
</ins><span class="cx"> 
</span><span class="cx">         ?&gt;&lt;form id=&quot;search-plugins&quot; method=&quot;get&quot; action=&quot;&quot;&gt;
</span><span class="cx">                 &lt;input type=&quot;hidden&quot; name=&quot;tab&quot; value=&quot;search&quot; /&gt;
</span><span class="lines">@@ -160,7 +160,7 @@
</span><span class="cx">  *
</span><span class="cx">  */
</span><span class="cx"> function install_plugins_favorites_form() {
</span><del>-        $user = ! empty( $_GET['user'] ) ? stripslashes( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
</del><ins>+        $user = ! empty( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
</ins><span class="cx">         ?&gt;
</span><span class="cx">         &lt;p class=&quot;install-help&quot;&gt;&lt;?php _e( 'If you have marked plugins as favorites on WordPress.org, you can browse them here.' ); ?&gt;&lt;/p&gt;
</span><span class="cx">         &lt;form method=&quot;get&quot; action=&quot;&quot;&gt;
</span><span class="lines">@@ -251,7 +251,7 @@
</span><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx">         if ( isset($_GET['from']) )
</span><del>-                $url .= '&amp;amp;from=' . urlencode(stripslashes($_GET['from']));
</del><ins>+                $url .= '&amp;amp;from=' . urlencode( wp_unslash( $_GET['from'] ) );
</ins><span class="cx"> 
</span><span class="cx">         return compact('status', 'url', 'version');
</span><span class="cx"> }
</span><span class="lines">@@ -264,7 +264,7 @@
</span><span class="cx"> function install_plugin_information() {
</span><span class="cx">         global $tab;
</span><span class="cx"> 
</span><del>-        $api = plugins_api('plugin_information', array('slug' =&gt; stripslashes( $_REQUEST['plugin'] ) ));
</del><ins>+        $api = plugins_api('plugin_information', array('slug' =&gt; wp_unslash( $_REQUEST['plugin'] ) ));
</ins><span class="cx"> 
</span><span class="cx">         if ( is_wp_error($api) )
</span><span class="cx">                 wp_die($api);
</span><span class="lines">@@ -295,7 +295,7 @@
</span><span class="cx">                         $api-&gt;$key = wp_kses( $api-&gt;$key, $plugins_allowedtags );
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        $section = isset($_REQUEST['section']) ? stripslashes( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
</del><ins>+        $section = isset($_REQUEST['section']) ? wp_unslash( $_REQUEST['section'] ) : 'description'; //Default to the Description tab, Do not translate, API returns English.
</ins><span class="cx">         if ( empty($section) || ! isset($api-&gt;sections[ $section ]) )
</span><span class="cx">                 $section = array_shift( $section_titles = array_keys((array)$api-&gt;sections) );
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadminincludespostphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/post.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/post.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/post.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -149,8 +149,8 @@
</span><span class="cx">  */
</span><span class="cx"> function edit_post( $post_data = null ) {
</span><span class="cx"> 
</span><del>-        if ( empty($post_data) )
-                $post_data = &amp;$_POST;
</del><ins>+        if ( empty( $post_data ) )
+                $post_data = wp_unslash( $_POST );
</ins><span class="cx"> 
</span><span class="cx">         // Clear out any data in internal vars.
</span><span class="cx">         unset( $post_data['filter'] );
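Review bot: replacing `$post_data = &amp;$_POST;` with `$post_data = wp_unslash( $_POST );` also drops the by-reference assignment, so edit_post() no longer mutates $_POST; the `unset( $post_data['filter'] )` directly below and every later write previously changed the superglobal and now only touch the local copy. That is probably the intended behaviour, but anything reading $_POST after edit_post() returns should be checked, and the docblock should say that an explicitly passed $post_data is now expected unslashed.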
</span><span class="lines">@@ -228,10 +228,9 @@
</span><span class="cx">         if ( 'attachment' == $post_data['post_type'] ) {
</span><span class="cx">                 if ( isset( $post_data[ '_wp_attachment_image_alt' ] ) ) {
</span><span class="cx">                         $image_alt = get_post_meta( $post_ID, '_wp_attachment_image_alt', true );
</span><del>-                        if ( $image_alt != stripslashes( $post_data['_wp_attachment_image_alt'] ) ) {
-                                $image_alt = wp_strip_all_tags( stripslashes( $post_data['_wp_attachment_image_alt'] ), true );
-                                // update_meta expects slashed
-                                update_post_meta( $post_ID, '_wp_attachment_image_alt', addslashes( $image_alt ) );
</del><ins>+                        if ( $image_alt != $post_data['_wp_attachment_image_alt'] ) {
+                                $image_alt = wp_strip_all_tags( $post_data['_wp_attachment_image_alt'], true );
+                                wp_update_post_meta( $post_ID, '_wp_attachment_image_alt', $image_alt );
</ins><span class="cx">                         }
</span><span class="cx">                 }
</span><span class="cx"> 
</span><span class="lines">@@ -241,7 +240,7 @@
</span><span class="cx"> 
</span><span class="cx">         add_meta( $post_ID );
</span><span class="cx"> 
</span><del>-        update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']-&gt;ID );
</del><ins>+        wp_update_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']-&gt;ID );
</ins><span class="cx"> 
</span><span class="cx">         wp_update_post( $post_data );
</span><span class="cx"> 
</span><span class="lines">@@ -422,15 +421,15 @@
</span><span class="cx"> 
</span><span class="cx">         $post_title = '';
</span><span class="cx">         if ( !empty( $_REQUEST['post_title'] ) )
</span><del>-                $post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
</del><ins>+                $post_title = esc_html( wp_unslash( $_REQUEST['post_title'] ));
</ins><span class="cx"> 
</span><span class="cx">         $post_content = '';
</span><span class="cx">         if ( !empty( $_REQUEST['content'] ) )
</span><del>-                $post_content = esc_html( stripslashes( $_REQUEST['content'] ));
</del><ins>+                $post_content = esc_html( wp_unslash( $_REQUEST['content'] ));
</ins><span class="cx"> 
</span><span class="cx">         $post_excerpt = '';
</span><span class="cx">         if ( !empty( $_REQUEST['excerpt'] ) )
</span><del>-                $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
</del><ins>+                $post_excerpt = esc_html( wp_unslash( $_REQUEST['excerpt'] ));
</ins><span class="cx"> 
</span><span class="cx">         if ( $create_in_db ) {
</span><span class="cx">                 $post_id = wp_insert_post( array( 'post_title' =&gt; __( 'Auto Draft' ), 'post_type' =&gt; $post_type, 'post_status' =&gt; 'auto-draft' ) );
</span><span class="lines">@@ -479,9 +478,9 @@
</span><span class="cx"> function post_exists($title, $content = '', $date = '') {
</span><span class="cx">         global $wpdb;
</span><span class="cx"> 
</span><del>-        $post_title = stripslashes( sanitize_post_field( 'post_title', $title, 0, 'db' ) );
-        $post_content = stripslashes( sanitize_post_field( 'post_content', $content, 0, 'db' ) );
-        $post_date = stripslashes( sanitize_post_field( 'post_date', $date, 0, 'db' ) );
</del><ins>+        $post_title = sanitize_post_field( 'post_title', $title, 0, 'db' );
+        $post_content = sanitize_post_field( 'post_content', $content, 0, 'db' );
+        $post_date = sanitize_post_field( 'post_date', $date, 0, 'db' );
</ins><span class="cx"> 
</span><span class="cx">         $query = &quot;SELECT ID FROM $wpdb-&gt;posts WHERE 1=1&quot;;
</span><span class="cx">         $args = array();
</span><span class="lines">@@ -559,7 +558,7 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // Create the post.
</span><del>-        $post_ID = wp_insert_post( $_POST );
</del><ins>+        $post_ID = wp_insert_post( wp_unslash( $_POST ) );
</ins><span class="cx">         if ( is_wp_error( $post_ID ) )
</span><span class="cx">                 return $post_ID;
</span><span class="cx"> 
</span><span class="lines">@@ -568,7 +567,7 @@
</span><span class="cx"> 
</span><span class="cx">         add_meta( $post_ID );
</span><span class="cx"> 
</span><del>-        add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']-&gt;ID );
</del><ins>+        wp_add_post_meta( $post_ID, '_edit_last', $GLOBALS['current_user']-&gt;ID );
</ins><span class="cx"> 
</span><span class="cx">         // Now that we have an ID we can fix any attachment anchor hrefs
</span><span class="cx">         _fix_attachment_links( $post_ID );
</span><span class="lines">@@ -612,9 +611,9 @@
</span><span class="cx">         global $wpdb;
</span><span class="cx">         $post_ID = (int) $post_ID;
</span><span class="cx"> 
</span><del>-        $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
-        $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
-        $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
</del><ins>+        $metakeyselect = isset($_POST['metakeyselect']) ? wp_unslash( trim( $_POST['metakeyselect'] ) ) : '';
+        $metakeyinput = isset($_POST['metakeyinput']) ? wp_unslash( trim( $_POST['metakeyinput'] ) ) : '';
+        $metavalue = isset($_POST['metavalue']) ? wp_unslash( trim( $_POST['metavalue'] ) ) : '';
</ins><span class="cx">         if ( is_string( $metavalue ) )
</span><span class="cx">                 $metavalue = trim( $metavalue );
</span><span class="cx"> 
</span><span class="lines">@@ -631,9 +630,7 @@
</span><span class="cx">                 if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
</span><span class="cx">                         return false;
</span><span class="cx"> 
</span><del>-                $metakey = esc_sql( $metakey );
-
-                return add_post_meta( $post_ID, $metakey, $metavalue );
</del><ins>+                return wp_add_post_meta( $post_ID, $metakey, $metavalue );
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         return false;
</span><span class="lines">@@ -706,14 +703,11 @@
</span><span class="cx">  * @since 1.2.0
</span><span class="cx">  *
</span><span class="cx">  * @param unknown_type $meta_id
</span><del>- * @param unknown_type $meta_key Expect Slashed
- * @param unknown_type $meta_value Expect Slashed
</del><ins>+ * @param unknown_type $meta_key
+ * @param unknown_type $meta_value
</ins><span class="cx">  * @return unknown
</span><span class="cx">  */
</span><span class="cx"> function update_meta( $meta_id, $meta_key, $meta_value ) {
</span><del>-        $meta_key = stripslashes( $meta_key );
-        $meta_value = stripslashes_deep( $meta_value );
-
</del><span class="cx">         return update_metadata_by_mid( 'post', $meta_id, $meta_value, $meta_key );
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -767,8 +761,6 @@
</span><span class="cx"> 
</span><span class="cx">         if ( $replace ) {
</span><span class="cx">                 $post['post_content'] = $content;
</span><del>-                // Escape data pulled from DB.
-                $post = add_magic_quotes($post);
</del><span class="cx"> 
</span><span class="cx">                 return wp_update_post($post);
</span><span class="cx">         }
</span><span class="lines">@@ -1179,7 +1171,7 @@
</span><span class="cx">         $now = time();
</span><span class="cx">         $lock = &quot;$now:$user_id&quot;;
</span><span class="cx"> 
</span><del>-        update_post_meta( $post-&gt;ID, '_edit_lock', $lock );
</del><ins>+        wp_update_post_meta( $post-&gt;ID, '_edit_lock', $lock );
</ins><span class="cx">         return array( $now, $user_id );
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1230,14 +1222,14 @@
</span><span class="cx"> 
</span><span class="cx">         // Only store one autosave. If there is already an autosave, overwrite it.
</span><span class="cx">         if ( $old_autosave = wp_get_post_autosave( $post_id ) ) {
</span><del>-                $new_autosave = _wp_post_revision_fields( $_POST, true );
</del><ins>+                $new_autosave = _wp_post_revision_fields( wp_unslash( $_POST ), true );
</ins><span class="cx">                 $new_autosave['ID'] = $old_autosave-&gt;ID;
</span><span class="cx">                 $new_autosave['post_author'] = get_current_user_id();
</span><span class="cx">                 return wp_update_post( $new_autosave );
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // _wp_put_post_revision() expects unescaped.
</span><del>-        $_POST = stripslashes_deep($_POST);
</del><ins>+        $_POST = wp_unslash( $_POST );
</ins><span class="cx"> 
</span><span class="cx">         // Otherwise create the new autosave as a special post revision
</span><span class="cx">         return _wp_put_post_revision( $_POST, true );
</span></span></pre></div>
<a id="trunkwpadminincludesschemaphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/schema.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/schema.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/schema.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -505,13 +505,11 @@
</span><span class="cx">                 else
</span><span class="cx">                         $autoload = 'yes';
</span><span class="cx"> 
</span><del>-                $option = $wpdb-&gt;escape($option);
</del><span class="cx">                 if ( is_array($value) )
</span><span class="cx">                         $value = serialize($value);
</span><del>-                $value = $wpdb-&gt;escape($value);
</del><span class="cx">                 if ( !empty($insert) )
</span><span class="cx">                         $insert .= ', ';
</span><del>-                $insert .= &quot;('$option', '$value', '$autoload')&quot;;
</del><ins>+                $insert .= $wpdb-&gt;prepare( &quot;(%s, %s, %s)&quot;, $option, $value, $autoload );
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if ( !empty($insert) )
</span><span class="lines">@@ -921,13 +919,11 @@
</span><span class="cx"> 
</span><span class="cx">         $insert = '';
</span><span class="cx">         foreach ( $sitemeta as $meta_key =&gt; $meta_value ) {
</span><del>-                $meta_key = $wpdb-&gt;escape( $meta_key );
</del><span class="cx">                 if ( is_array( $meta_value ) )
</span><span class="cx">                         $meta_value = serialize( $meta_value );
</span><del>-                $meta_value = $wpdb-&gt;escape( $meta_value );
</del><span class="cx">                 if ( !empty( $insert ) )
</span><span class="cx">                         $insert .= ', ';
</span><del>-                $insert .= &quot;( $network_id, '$meta_key', '$meta_value')&quot;;
</del><ins>+                $insert .= $wpdb-&gt;prepare( &quot;( %d, %s, %s)&quot;, $network_id, $meta_key, $meta_value );
</ins><span class="cx">         }
</span><span class="cx">         $wpdb-&gt;query( &quot;INSERT INTO $wpdb-&gt;sitemeta ( site_id, meta_key, meta_value ) VALUES &quot; . $insert );
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadminincludestaxonomyphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/taxonomy.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/taxonomy.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/taxonomy.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -157,9 +157,6 @@
</span><span class="cx">         // First, get all of the original fields
</span><span class="cx">         $category = get_category($cat_ID, ARRAY_A);
</span><span class="cx"> 
</span><del>-        // Escape data pulled from DB.
-        $category = add_magic_quotes($category);
-
</del><span class="cx">         // Merge old and new fields with new fields overwriting old ones.
</span><span class="cx">         $catarr = array_merge($category, $catarr);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadminincludestemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/template.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/template.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/template.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1331,7 +1331,7 @@
</span><span class="cx">  *
</span><span class="cx">  */
</span><span class="cx"> function _admin_search_query() {
</span><del>-        echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
</del><ins>+        echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span></span></pre></div>
<a id="trunkwpadminincludesthemeinstallphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/theme-install.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/theme-install.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/theme-install.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -50,8 +50,8 @@
</span><span class="cx">  * @since 2.8.0
</span><span class="cx">  */
</span><span class="cx"> function install_theme_search_form( $type_selector = true ) {
</span><del>-        $type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-        $term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
</del><ins>+        $type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+        $term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
</ins><span class="cx">         if ( ! $type_selector )
</span><span class="cx">                 echo '&lt;p class=&quot;install-help&quot;&gt;' . __( 'Search for themes by keyword.' ) . '&lt;/p&gt;';
</span><span class="cx">         ?&gt;
</span><span class="lines">@@ -179,7 +179,7 @@
</span><span class="cx"> function install_theme_information() {
</span><span class="cx">         global $tab, $themes_allowedtags, $wp_list_table;
</span><span class="cx"> 
</span><del>-        $theme = themes_api( 'theme_information', array( 'slug' =&gt; stripslashes( $_REQUEST['theme'] ) ) );
</del><ins>+        $theme = themes_api( 'theme_information', array( 'slug' =&gt; wp_unslash( $_REQUEST['theme'] ) ) );
</ins><span class="cx"> 
</span><span class="cx">         if ( is_wp_error( $theme ) )
</span><span class="cx">                 wp_die( $theme );
</span></span></pre></div>
<a id="trunkwpadminincludesupgradephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/upgrade.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/upgrade.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/upgrade.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -132,7 +132,7 @@
</span><span class="cx">                 $first_post = get_site_option( 'first_post' );
</span><span class="cx"> 
</span><span class="cx">                 if ( empty($first_post) )
</span><del>-                        $first_post = stripslashes( __( 'Welcome to &lt;a href=&quot;SITE_URL&quot;&gt;SITE_NAME&lt;/a&gt;. This is your first post. Edit or delete it, then start blogging!' ) );
</del><ins>+                        $first_post = __( 'Welcome to &lt;a href=&quot;SITE_URL&quot;&gt;SITE_NAME&lt;/a&gt;. This is your first post. Edit or delete it, then start blogging!' );
</ins><span class="cx"> 
</span><span class="cx">                 $first_post = str_replace( &quot;SITE_URL&quot;, esc_url( network_home_url() ), $first_post );
</span><span class="cx">                 $first_post = str_replace( &quot;SITE_NAME&quot;, $current_site-&gt;site_name, $first_post );
</span><span class="lines">@@ -636,23 +636,23 @@
</span><span class="cx">         $users = $wpdb-&gt;get_results(&quot;SELECT * FROM $wpdb-&gt;users&quot;);
</span><span class="cx">         foreach ( $users as $user ) :
</span><span class="cx">                 if ( !empty( $user-&gt;user_firstname ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'first_name', $wpdb-&gt;escape($user-&gt;user_firstname) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'first_name', $user-&gt;user_firstname );
</ins><span class="cx">                 if ( !empty( $user-&gt;user_lastname ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'last_name', $wpdb-&gt;escape($user-&gt;user_lastname) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'last_name', $user-&gt;user_lastname );
</ins><span class="cx">                 if ( !empty( $user-&gt;user_nickname ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'nickname', $wpdb-&gt;escape($user-&gt;user_nickname) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'nickname', $user-&gt;user_nickname );
</ins><span class="cx">                 if ( !empty( $user-&gt;user_level ) )
</span><span class="cx">                         update_user_meta( $user-&gt;ID, $wpdb-&gt;prefix . 'user_level', $user-&gt;user_level );
</span><span class="cx">                 if ( !empty( $user-&gt;user_icq ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'icq', $wpdb-&gt;escape($user-&gt;user_icq) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'icq', $user-&gt;user_icq );
</ins><span class="cx">                 if ( !empty( $user-&gt;user_aim ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'aim', $wpdb-&gt;escape($user-&gt;user_aim) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'aim', $user-&gt;user_aim );
</ins><span class="cx">                 if ( !empty( $user-&gt;user_msn ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'msn', $wpdb-&gt;escape($user-&gt;user_msn) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'msn', $user-&gt;user_msn );
</ins><span class="cx">                 if ( !empty( $user-&gt;user_yim ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'yim', $wpdb-&gt;escape($user-&gt;user_icq) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'yim', $user-&gt;user_icq );
</ins><span class="cx">                 if ( !empty( $user-&gt;user_description ) )
</span><del>-                        update_user_meta( $user-&gt;ID, 'description', $wpdb-&gt;escape($user-&gt;user_description) );
</del><ins>+                        update_user_meta( $user-&gt;ID, 'description', $user-&gt;user_description );
</ins><span class="cx"> 
</span><span class="cx">                 if ( isset( $user-&gt;user_idmode ) ):
</span><span class="cx">                         $idmode = $user-&gt;user_idmode;
</span><span class="lines">@@ -854,7 +854,7 @@
</span><span class="cx">                 foreach ( $link_cats as $category) {
</span><span class="cx">                         $cat_id = (int) $category-&gt;cat_id;
</span><span class="cx">                         $term_id = 0;
</span><del>-                        $name = $wpdb-&gt;escape($category-&gt;cat_name);
</del><ins>+                        $name = $category-&gt;cat_name;
</ins><span class="cx">                         $slug = sanitize_title($name);
</span><span class="cx">                         $term_group = 0;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadminincludesuserphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/includes/user.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/includes/user.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/includes/user.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -34,22 +34,25 @@
</span><span class="cx">                 $update = true;
</span><span class="cx">                 $user-&gt;ID = (int) $user_id;
</span><span class="cx">                 $userdata = get_userdata( $user_id );
</span><del>-                $user-&gt;user_login = $wpdb-&gt;escape( $userdata-&gt;user_login );
</del><ins>+                $user-&gt;user_login = $userdata-&gt;user_login;
</ins><span class="cx">         } else {
</span><span class="cx">                 $update = false;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        if ( !$update &amp;&amp; isset( $_POST['user_login'] ) )
-                $user-&gt;user_login = sanitize_user($_POST['user_login'], true);
</del><ins>+        // get clean data before we get started.
+        $post_data = wp_unslash( $_POST );
</ins><span class="cx"> 
</span><ins>+        if ( !$update &amp;&amp; isset( $post_data['user_login'] ) )
+                $user-&gt;user_login = sanitize_user($post_data['user_login'], true);
+
</ins><span class="cx">         $pass1 = $pass2 = '';
</span><del>-        if ( isset( $_POST['pass1'] ))
-                $pass1 = $_POST['pass1'];
-        if ( isset( $_POST['pass2'] ))
-                $pass2 = $_POST['pass2'];
</del><ins>+        if ( isset( $post_data['pass1'] ))
+                $pass1 = $post_data['pass1'];
+        if ( isset( $post_data['pass2'] ))
+                $pass2 = $post_data['pass2'];
</ins><span class="cx"> 
</span><del>-        if ( isset( $_POST['role'] ) &amp;&amp; current_user_can( 'edit_users' ) ) {
-                $new_role = sanitize_text_field( $_POST['role'] );
</del><ins>+        if ( isset( $post_data['role'] ) &amp;&amp; current_user_can( 'edit_users' ) ) {
+                $new_role = sanitize_text_field( $post_data['role'] );
</ins><span class="cx">                 $potential_role = isset($wp_roles-&gt;role_objects[$new_role]) ? $wp_roles-&gt;role_objects[$new_role] : false;
</span><span class="cx">                 // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
</span><span class="cx">                 // Multisite super admins can freely edit their blog roles -- they possess all caps.
</span><span class="lines">@@ -62,44 +65,44 @@
</span><span class="cx">                         wp_die(__('You can&amp;#8217;t give users that role.'));
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        if ( isset( $_POST['email'] ))
-                $user-&gt;user_email = sanitize_text_field( $_POST['email'] );
-        if ( isset( $_POST['url'] ) ) {
-                if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
</del><ins>+        if ( isset( $post_data['email'] ))
+                $user-&gt;user_email = sanitize_text_field( $post_data['email'] );
+        if ( isset( $post_data['url'] ) ) {
+                if ( empty ( $post_data['url'] ) || $post_data['url'] == 'http://' ) {
</ins><span class="cx">                         $user-&gt;user_url = '';
</span><span class="cx">                 } else {
</span><del>-                        $user-&gt;user_url = esc_url_raw( $_POST['url'] );
</del><ins>+                        $user-&gt;user_url = esc_url_raw( $post_data['url'] );
</ins><span class="cx">                         $protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) );
</span><span class="cx">                         $user-&gt;user_url = preg_match('/^(' . $protocols . '):/is', $user-&gt;user_url) ? $user-&gt;user_url : 'http://'.$user-&gt;user_url;
</span><span class="cx">                 }
</span><span class="cx">         }
</span><del>-        if ( isset( $_POST['first_name'] ) )
-                $user-&gt;first_name = sanitize_text_field( $_POST['first_name'] );
-        if ( isset( $_POST['last_name'] ) )
-                $user-&gt;last_name = sanitize_text_field( $_POST['last_name'] );
-        if ( isset( $_POST['nickname'] ) )
-                $user-&gt;nickname = sanitize_text_field( $_POST['nickname'] );
-        if ( isset( $_POST['display_name'] ) )
-                $user-&gt;display_name = sanitize_text_field( $_POST['display_name'] );
</del><ins>+        if ( isset( $post_data['first_name'] ) )
+                $user-&gt;first_name = sanitize_text_field( $post_data['first_name'] );
+        if ( isset( $post_data['last_name'] ) )
+                $user-&gt;last_name = sanitize_text_field( $post_data['last_name'] );
+        if ( isset( $post_data['nickname'] ) )
+                $user-&gt;nickname = sanitize_text_field( $post_data['nickname'] );
+        if ( isset( $post_data['display_name'] ) )
+                $user-&gt;display_name = sanitize_text_field( $post_data['display_name'] );
</ins><span class="cx"> 
</span><del>-        if ( isset( $_POST['description'] ) )
-                $user-&gt;description = trim( $_POST['description'] );
</del><ins>+        if ( isset( $post_data['description'] ) )
+                $user-&gt;description = trim( $post_data['description'] );
</ins><span class="cx"> 
</span><span class="cx">         foreach ( _wp_get_user_contactmethods( $user ) as $method =&gt; $name ) {
</span><del>-                if ( isset( $_POST[$method] ))
-                        $user-&gt;$method = sanitize_text_field( $_POST[$method] );
</del><ins>+                if ( isset( $post_data[$method] ))
+                        $user-&gt;$method = sanitize_text_field( $post_data[$method] );
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if ( $update ) {
</span><del>-                $user-&gt;rich_editing = isset( $_POST['rich_editing'] ) &amp;&amp; 'false' == $_POST['rich_editing'] ? 'false' : 'true';
-                $user-&gt;admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh';
-                $user-&gt;show_admin_bar_front = isset( $_POST['admin_bar_front'] ) ? 'true' : 'false';
</del><ins>+                $user-&gt;rich_editing = isset( $post_data['rich_editing'] ) &amp;&amp; 'false' == $post_data['rich_editing'] ? 'false' : 'true';
+                $user-&gt;admin_color = isset( $post_data['admin_color'] ) ? sanitize_text_field( $post_data['admin_color'] ) : 'fresh';
+                $user-&gt;show_admin_bar_front = isset( $post_data['admin_bar_front'] ) ? 'true' : 'false';
</ins><span class="cx">         }
</span><span class="cx"> 
</span><del>-        $user-&gt;comment_shortcuts = isset( $_POST['comment_shortcuts'] ) &amp;&amp; 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
</del><ins>+        $user-&gt;comment_shortcuts = isset( $post_data['comment_shortcuts'] ) &amp;&amp; 'true' == $post_data['comment_shortcuts'] ? 'true' : '';
</ins><span class="cx"> 
</span><span class="cx">         $user-&gt;use_ssl = 0;
</span><del>-        if ( !empty($_POST['use_ssl']) )
</del><ins>+        if ( !empty($post_data['use_ssl']) )
</ins><span class="cx">                 $user-&gt;use_ssl = 1;
</span><span class="cx"> 
</span><span class="cx">         $errors = new WP_Error();
</span><span class="lines">@@ -124,7 +127,7 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         /* Check for &quot;\&quot; in password */
</span><del>-        if ( false !== strpos( stripslashes($pass1), &quot;\\&quot; ) )
</del><ins>+        if ( false !== strpos( $pass1, &quot;\\&quot; ) )
</ins><span class="cx">                 $errors-&gt;add( 'pass', __( '&lt;strong&gt;ERROR&lt;/strong&gt;: Passwords may not contain the character &quot;\\&quot;.' ), array( 'form-field' =&gt; 'pass1' ) );
</span><span class="cx"> 
</span><span class="cx">         /* checking the password has been typed twice the same */
</span><span class="lines">@@ -134,7 +137,7 @@
</span><span class="cx">         if ( !empty( $pass1 ) )
</span><span class="cx">                 $user-&gt;user_pass = $pass1;
</span><span class="cx"> 
</span><del>-        if ( !$update &amp;&amp; isset( $_POST['user_login'] ) &amp;&amp; !validate_username( $_POST['user_login'] ) )
</del><ins>+        if ( !$update &amp;&amp; isset( $post_data['user_login'] ) &amp;&amp; !validate_username( $post_data['user_login'] ) )
</ins><span class="cx">                 $errors-&gt;add( 'user_login', __( '&lt;strong&gt;ERROR&lt;/strong&gt;: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
</span><span class="cx"> 
</span><span class="cx">         if ( !$update &amp;&amp; username_exists( $user-&gt;user_login ) )
</span><span class="lines">@@ -159,7 +162,7 @@
</span><span class="cx">                 $user_id = wp_update_user( $user );
</span><span class="cx">         } else {
</span><span class="cx">                 $user_id = wp_insert_user( $user );
</span><del>-                wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' );
</del><ins>+                wp_new_user_notification( $user_id, isset($post_data['send_password']) ? $pass1 : '' );
</ins><span class="cx">         }
</span><span class="cx">         return $user_id;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkwpadmininstallphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/install.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/install.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/install.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -84,10 +84,10 @@
</span><span class="cx">         if ( ! empty( $_POST ) )
</span><span class="cx">                 $blog_public = isset( $_POST['blog_public'] );
</span><span class="cx"> 
</span><del>-        $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-        $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-        $admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
-        $admin_email  = isset( $_POST['admin_email']  ) ? trim( stripslashes( $_POST['admin_email'] ) ) : '';
</del><ins>+        $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+        $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
+        $admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
+        $admin_email  = isset( $_POST['admin_email']  ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : '';
</ins><span class="cx"> 
</span><span class="cx">         if ( ! is_null( $error ) ) {
</span><span class="cx"> ?&gt;
</span><span class="lines">@@ -189,11 +189,11 @@
</span><span class="cx"> 
</span><span class="cx">                 display_header();
</span><span class="cx">                 // Fill in the data we gathered
</span><del>-                $weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-                $user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-                $admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
-                $admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
-                $admin_email  = isset( $_POST['admin_email']  ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
</del><ins>+                $weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+                $user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
+                $admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : '';
+                $admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : '';
+                $admin_email  = isset( $_POST['admin_email']  ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : '';
</ins><span class="cx">                 $public       = isset( $_POST['blog_public']  ) ? (int) $_POST['blog_public'] : 0;
</span><span class="cx">                 // check e-mail address
</span><span class="cx">                 $error = false;
</span></span></pre></div>
<a id="trunkwpadminlinkmanagerphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/link-manager.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/link-manager.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/link-manager.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -31,7 +31,7 @@
</span><span class="cx">                 exit;
</span><span class="cx">         }
</span><span class="cx"> } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
</span><del>-         wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
</del><ins>+         wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
</ins><span class="cx">          exit;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -72,7 +72,7 @@
</span><span class="cx"> &lt;?php screen_icon(); ?&gt;
</span><span class="cx"> &lt;h2&gt;&lt;?php echo esc_html( $title ); ?&gt; &lt;a href=&quot;link-add.php&quot; class=&quot;add-new-h2&quot;&gt;&lt;?php echo esc_html_x('Add New', 'link'); ?&gt;&lt;/a&gt; &lt;?php
</span><span class="cx"> if ( !empty($_REQUEST['s']) )
</span><del>-        printf( '&lt;span class=&quot;subtitle&quot;&gt;' . __('Search results for &amp;#8220;%s&amp;#8221;') . '&lt;/span&gt;', esc_html( stripslashes($_REQUEST['s']) ) ); ?&gt;
</del><ins>+        printf( '&lt;span class=&quot;subtitle&quot;&gt;' . __('Search results for &amp;#8220;%s&amp;#8221;') . '&lt;/span&gt;', esc_html( wp_unslash($_REQUEST['s']) ) ); ?&gt;
</ins><span class="cx"> &lt;/h2&gt;
</span><span class="cx"> 
</span><span class="cx"> &lt;?php
</span></span></pre></div>
<a id="trunkwpadminmediaphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/media.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/media.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/media.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -32,7 +32,7 @@
</span><span class="cx">                 }
</span><span class="cx">                 if ( false !== strpos($location, 'upload.php') ) {
</span><span class="cx">                         $location = remove_query_arg('message', $location);
</span><del>-                        $location = add_query_arg('posted',        $attachment_id, $location);
</del><ins>+                        $location = add_query_arg('posted', $attachment_id, $location);
</ins><span class="cx">                 } elseif ( false !== strpos($location, 'media.php') ) {
</span><span class="cx">                         $location = add_query_arg('message', 'updated', $location);
</span><span class="cx">                 }
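Review bot: whitespace-only change in the add_query_arg() call, unrelated to the slashing work this changeset is about; harmless, but it pads a diff that is already hard to review and could be dropped.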
</span></span></pre></div>
<a id="trunkwpadminnavmenusphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/nav-menus.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/nav-menus.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/nav-menus.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -93,7 +93,7 @@
</span><span class="cx">                                                 if ( ! is_wp_error( $parent_object ) ) {
</span><span class="cx">                                                         $parent_data = (array) $parent_object;
</span><span class="cx">                                                         $menu_item_data['menu_item_parent'] = $parent_data['menu_item_parent'];
</span><del>-                                                        update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</del><ins>+                                                        wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</ins><span class="cx"> 
</span><span class="cx">                                                 }
</span><span class="cx"> 
</span><span class="lines">@@ -103,7 +103,7 @@
</span><span class="cx">                                                 $menu_item_data['menu_order'] = $menu_item_data['menu_order'] + 1;
</span><span class="cx"> 
</span><span class="cx">                                                 $menu_item_data['menu_item_parent'] = $next_item_data['ID'];
</span><del>-                                                update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</del><ins>+                                                wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</ins><span class="cx"> 
</span><span class="cx">                                                 wp_update_post($menu_item_data);
</span><span class="cx">                                                 wp_update_post($next_item_data);
</span><span class="lines">@@ -115,7 +115,7 @@
</span><span class="cx">                                         in_array( $menu_item_data['menu_item_parent'], $orders_to_dbids )
</span><span class="cx">                                 ) {
</span><span class="cx">                                         $menu_item_data['menu_item_parent'] = (int) get_post_meta( $menu_item_data['menu_item_parent'], '_menu_item_menu_item_parent', true);
</span><del>-                                        update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</del><ins>+                                        wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</ins><span class="cx">                                 }
</span><span class="cx">                         }
</span><span class="cx">                 }
</span><span class="lines">@@ -190,7 +190,7 @@
</span><span class="cx">                                                         $menu_item_data['menu_order'] = $menu_item_data['menu_order'] - 1;
</span><span class="cx"> 
</span><span class="cx">                                                         // save changes
</span><del>-                                                        update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</del><ins>+                                                        wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</ins><span class="cx">                                                         wp_update_post($menu_item_data);
</span><span class="cx">                                                         wp_update_post($parent_data);
</span><span class="cx">                                                 }
</span><span class="lines">@@ -205,7 +205,7 @@
</span><span class="cx">                                         ) {
</span><span class="cx">                                                 // just make it a child of the previous; keep the order
</span><span class="cx">                                                 $menu_item_data['menu_item_parent'] = (int) $orders_to_dbids[$dbids_to_orders[$menu_item_id] - 1];
</span><del>-                                                update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</del><ins>+                                                wp_update_post_meta( $menu_item_data['ID'], '_menu_item_menu_item_parent', (int) $menu_item_data['menu_item_parent'] );
</ins><span class="cx">                                                 wp_update_post($menu_item_data);
</span><span class="cx">                                         }
</span><span class="cx">                                 }
</span></span></pre></div>
<a id="trunkwpadminnetworksettingsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/network/settings.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/network/settings.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/network/settings.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -61,7 +61,7 @@
</span><span class="cx">         foreach ( $options as $option_name ) {
</span><span class="cx">                 if ( ! isset($_POST[$option_name]) )
</span><span class="cx">                         continue;
</span><del>-                $value = stripslashes_deep( $_POST[$option_name] );
</del><ins>+                $value = wp_unslash( $_POST[$option_name] );
</ins><span class="cx">                 update_site_option( $option_name, $value );
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -181,7 +181,7 @@
</span><span class="cx">                                 &lt;th scope=&quot;row&quot;&gt;&lt;label for=&quot;welcome_email&quot;&gt;&lt;?php _e( 'Welcome Email' ) ?&gt;&lt;/label&gt;&lt;/th&gt;
</span><span class="cx">                                 &lt;td&gt;
</span><span class="cx">                                         &lt;textarea name=&quot;welcome_email&quot; id=&quot;welcome_email&quot; rows=&quot;5&quot; cols=&quot;45&quot; class=&quot;large-text&quot;&gt;
</span><del>-&lt;?php echo esc_textarea( stripslashes( get_site_option( 'welcome_email' ) ) ) ?&gt;&lt;/textarea&gt;
</del><ins>+&lt;?php echo esc_textarea( get_site_option( 'welcome_email' ) ) ?&gt;&lt;/textarea&gt;
</ins><span class="cx">                                         &lt;br /&gt;
</span><span class="cx">                                         &lt;?php _e( 'The welcome email sent to new site owners.' ) ?&gt;
</span><span class="cx">                                 &lt;/td&gt;
</span><span class="lines">@@ -190,7 +190,7 @@
</span><span class="cx">                                 &lt;th scope=&quot;row&quot;&gt;&lt;label for=&quot;welcome_user_email&quot;&gt;&lt;?php _e( 'Welcome User Email' ) ?&gt;&lt;/label&gt;&lt;/th&gt;
</span><span class="cx">                                 &lt;td&gt;
</span><span class="cx">                                         &lt;textarea name=&quot;welcome_user_email&quot; id=&quot;welcome_user_email&quot; rows=&quot;5&quot; cols=&quot;45&quot; class=&quot;large-text&quot;&gt;
</span><del>-&lt;?php echo esc_textarea( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?&gt;&lt;/textarea&gt;
</del><ins>+&lt;?php echo esc_textarea( get_site_option( 'welcome_user_email' ) ) ?&gt;&lt;/textarea&gt;
</ins><span class="cx">                                         &lt;br /&gt;
</span><span class="cx">                                         &lt;?php _e( 'The welcome email sent to new users.' ) ?&gt;
</span><span class="cx">                                 &lt;/td&gt;
</span><span class="lines">@@ -199,7 +199,7 @@
</span><span class="cx">                                 &lt;th scope=&quot;row&quot;&gt;&lt;label for=&quot;first_post&quot;&gt;&lt;?php _e( 'First Post' ) ?&gt;&lt;/label&gt;&lt;/th&gt;
</span><span class="cx">                                 &lt;td&gt;
</span><span class="cx">                                         &lt;textarea name=&quot;first_post&quot; id=&quot;first_post&quot; rows=&quot;5&quot; cols=&quot;45&quot; class=&quot;large-text&quot;&gt;
</span><del>-&lt;?php echo esc_textarea( stripslashes( get_site_option( 'first_post' ) ) ) ?&gt;&lt;/textarea&gt;
</del><ins>+&lt;?php echo esc_textarea( get_site_option( 'first_post' ) ) ?&gt;&lt;/textarea&gt;
</ins><span class="cx">                                         &lt;br /&gt;
</span><span class="cx">                                         &lt;?php _e( 'The first post on a new site.' ) ?&gt;
</span><span class="cx">                                 &lt;/td&gt;
</span><span class="lines">@@ -208,7 +208,7 @@
</span><span class="cx">                                 &lt;th scope=&quot;row&quot;&gt;&lt;label for=&quot;first_page&quot;&gt;&lt;?php _e( 'First Page' ) ?&gt;&lt;/label&gt;&lt;/th&gt;
</span><span class="cx">                                 &lt;td&gt;
</span><span class="cx">                                         &lt;textarea name=&quot;first_page&quot; id=&quot;first_page&quot; rows=&quot;5&quot; cols=&quot;45&quot; class=&quot;large-text&quot;&gt;
</span><del>-&lt;?php echo esc_textarea( stripslashes( get_site_option('first_page') ) ) ?&gt;&lt;/textarea&gt;
</del><ins>+&lt;?php echo esc_textarea( get_site_option( 'first_page' ) ) ?&gt;&lt;/textarea&gt;
</ins><span class="cx">                                         &lt;br /&gt;
</span><span class="cx">                                         &lt;?php _e( 'The first page on a new site.' ) ?&gt;
</span><span class="cx">                                 &lt;/td&gt;
</span><span class="lines">@@ -217,7 +217,7 @@
</span><span class="cx">                                 &lt;th scope=&quot;row&quot;&gt;&lt;label for=&quot;first_comment&quot;&gt;&lt;?php _e( 'First Comment' ) ?&gt;&lt;/label&gt;&lt;/th&gt;
</span><span class="cx">                                 &lt;td&gt;
</span><span class="cx">                                         &lt;textarea name=&quot;first_comment&quot; id=&quot;first_comment&quot; rows=&quot;5&quot; cols=&quot;45&quot; class=&quot;large-text&quot;&gt;
</span><del>-&lt;?php echo esc_textarea( stripslashes( get_site_option('first_comment') ) ) ?&gt;&lt;/textarea&gt;
</del><ins>+&lt;?php echo esc_textarea( get_site_option( 'first_comment' ) ) ?&gt;&lt;/textarea&gt;
</ins><span class="cx">                                         &lt;br /&gt;
</span><span class="cx">                                         &lt;?php _e( 'The first comment on a new site.' ) ?&gt;
</span><span class="cx">                                 &lt;/td&gt;
</span></span></pre></div>
<a id="trunkwpadminnetworksiteinfophp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/network/site-info.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/network/site-info.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/network/site-info.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -62,7 +62,7 @@
</span><span class="cx">         delete_option( 'rewrite_rules' );
</span><span class="cx"> 
</span><span class="cx">         // update blogs table
</span><del>-        $blog_data = stripslashes_deep( $_POST['blog'] );
</del><ins>+        $blog_data = wp_unslash( $_POST['blog'] );
</ins><span class="cx">         $existing_details = get_blog_details( $id, false );
</span><span class="cx">         $blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' );
</span><span class="cx">         foreach ( $blog_data_checkboxes as $c ) {
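Review bot: $_POST['blog'] is an array and the call being replaced was stripslashes_deep(), so this relies on wp_unslash() recursing into arrays; network/settings.php and options.php make the same assumption where stripslashes_deep() was replaced. If wp_unslash() turns out to be a plain stripslashes() wrapper, slashed values reach the blogs table silently, so a quick check of its definition is worth it.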
</span></span></pre></div>
<a id="trunkwpadminnetworksitenewphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/network/site-new.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/network/site-new.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/network/site-new.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -38,7 +38,7 @@
</span><span class="cx"> 
</span><span class="cx">         if ( ! is_array( $_POST['blog'] ) )
</span><span class="cx">                 wp_die( __( 'Can&amp;#8217;t create an empty site.' ) );
</span><del>-        $blog = $_POST['blog'];
</del><ins>+        $blog = wp_unslash( $_POST['blog'] );
</ins><span class="cx">         $domain = '';
</span><span class="cx">         if ( preg_match( '|^([a-zA-Z0-9-])+$|', $blog['domain'] ) )
</span><span class="cx">                 $domain = strtolower( $blog['domain'] );
</span><span class="lines">@@ -88,7 +88,7 @@
</span><span class="cx">                 $content_mail = sprintf( __( 'New site created by %1$s
</span><span class="cx"> 
</span><span class="cx"> Address: %2$s
</span><del>-Name: %3$s' ), $current_user-&gt;user_login , get_site_url( $id ), stripslashes( $title ) );
</del><ins>+Name: %3$s' ), $current_user-&gt;user_login , get_site_url( $id ), $title );
</ins><span class="cx">                 wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site-&gt;site_name ), $content_mail, 'From: &quot;Site Admin&quot; &lt;' . get_site_option( 'admin_email' ) . '&gt;' );
</span><span class="cx">                 wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' =&gt; 1 ) );
</span><span class="cx">                 wp_redirect( add_query_arg( array( 'update' =&gt; 'added', 'id' =&gt; $id ), 'site-new.php' ) );
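Review bot: with $blog unslashed in the hunk above, $title (assuming it is derived from $blog['title']) no longer needs stripslashes() here, and wpmu_welcome_notification() on the following line, which previously received the slashed $title while the mail body got the stripped one, now gets the same unslashed value. That inconsistency is fixed as a side effect and deserves a mention in the commit message.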
</span></span></pre></div>
<a id="trunkwpadminnetworksitesettingsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/network/site-settings.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/network/site-settings.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/network/site-settings.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -53,12 +53,14 @@
</span><span class="cx">         $count = count( $_POST['option'] );
</span><span class="cx">         $skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form.
</span><span class="cx">         foreach ( (array) $_POST['option'] as $key =&gt; $val ) {
</span><ins>+                $key = wp_unslash( $key );
+                $val = wp_unslash( $val );
</ins><span class="cx">                 if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) )
</span><span class="cx">                         continue; // Avoids &quot;0 is a protected WP option and may not be modified&quot; error when edit blog options
</span><span class="cx">                 if ( $c == $count )
</span><del>-                        update_option( $key, stripslashes( $val ) );
</del><ins>+                        update_option( $key, $val );
</ins><span class="cx">                 else
</span><del>-                        update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet
</del><ins>+                        update_option( $key, $val, false ); // no need to refresh blog details yet
</ins><span class="cx">                 $c++;
</span><span class="cx">         }
</span><span class="cx"> 
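Review bot: the '$key === 0' guard on the line after the new unslash is a strict comparison against an integer, so it only survives if wp_unslash() returns non-string keys untouched; if wp_unslash() stringifies its argument the way stripslashes() does, the integer key 0 becomes the string '0', the guard never matches, and the '0 is a protected WP option' error the comment warns about comes back. add_magic_quotes() slashes values, not keys, so the simplest fix is to drop the '$key = wp_unslash( $key );' line and unslash only $val, or at least move the === 0 check above it.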
</span></span></pre></div>
<a id="trunkwpadminnetworksitesphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/network/sites.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/network/sites.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/network/sites.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -79,7 +79,7 @@
</span><span class="cx">                                         &lt;input type=&quot;hidden&quot; name=&quot;id&quot; value=&quot;&lt;?php echo esc_attr( $id ); ?&gt;&quot; /&gt;
</span><span class="cx">                                         &lt;input type=&quot;hidden&quot; name=&quot;_wp_http_referer&quot; value=&quot;&lt;?php echo esc_attr( wp_get_referer() ); ?&gt;&quot; /&gt;
</span><span class="cx">                                         &lt;?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?&gt;
</span><del>-                                        &lt;p&gt;&lt;?php echo esc_html( stripslashes( $_GET['msg'] ) ); ?&gt;&lt;/p&gt;
</del><ins>+                                        &lt;p&gt;&lt;?php echo esc_html( wp_unslash( $_GET['msg'] ) ); ?&gt;&lt;/p&gt;
</ins><span class="cx">                                         &lt;?php submit_button( __('Confirm'), 'button' ); ?&gt;
</span><span class="cx">                                 &lt;/form&gt;
</span><span class="cx">                         &lt;/body&gt;
</span></span></pre></div>
<a id="trunkwpadminnetworkphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/network.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/network.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/network.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -520,7 +520,7 @@
</span><span class="cx">         $base              = parse_url( trailingslashit( get_option( 'home' ) ), PHP_URL_PATH );
</span><span class="cx">         $subdomain_install = allow_subdomain_install() ? !empty( $_POST['subdomain_install'] ) : false;
</span><span class="cx">         if ( ! network_domain_check() ) {
</span><del>-                $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), stripslashes( $_POST['sitename'] ), $base, $subdomain_install );
</del><ins>+                $result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), wp_unslash( $_POST['sitename'] ), $base, $subdomain_install );
</ins><span class="cx">                 if ( is_wp_error( $result ) ) {
</span><span class="cx">                         if ( 1 == count( $result-&gt;get_error_codes() ) &amp;&amp; 'no_wildcard_dns' == $result-&gt;get_error_code() )
</span><span class="cx">                                 network_step2( $result );
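Review bot: $_POST['sitename'] is now unslashed but $_POST['email'] on the same line is still passed slashed into sanitize_email(); the result is the same in practice because sanitize_email() strips backslashes, but for consistency with the rest of the changeset it should read sanitize_email( wp_unslash( $_POST['email'] ) ).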
</span></span></pre></div>
<a id="trunkwpadminoptionsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/options.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/options.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/options.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -120,16 +120,16 @@
</span><span class="cx">         if ( 'options' == $option_page ) {
</span><span class="cx">                 if ( is_multisite() &amp;&amp; ! is_super_admin() )
</span><span class="cx">                         wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) );
</span><del>-                $options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) );
</del><ins>+                $options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) );
</ins><span class="cx">         } else {
</span><span class="cx">                 $options = $whitelist_options[ $option_page ];
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // Handle custom date/time formats
</span><span class="cx">         if ( 'general' == $option_page ) {
</span><del>-                if ( !empty($_POST['date_format']) &amp;&amp; isset($_POST['date_format_custom']) &amp;&amp; '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) )
</del><ins>+                if ( !empty($_POST['date_format']) &amp;&amp; isset($_POST['date_format_custom']) &amp;&amp; '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) )
</ins><span class="cx">                         $_POST['date_format'] = $_POST['date_format_custom'];
</span><del>-                if ( !empty($_POST['time_format']) &amp;&amp; isset($_POST['time_format_custom']) &amp;&amp; '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) )
</del><ins>+                if ( !empty($_POST['time_format']) &amp;&amp; isset($_POST['time_format_custom']) &amp;&amp; '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) )
</ins><span class="cx">                         $_POST['time_format'] = $_POST['time_format_custom'];
</span><span class="cx">                 // Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
</span><span class="cx">                 if ( !empty($_POST['timezone_string']) &amp;&amp; preg_match('/^UTC[+-]/', $_POST['timezone_string']) ) {
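Review bot: the two 'custom' comparisons unslash $_POST['date_format'] and $_POST['time_format'] only for the test and then copy the still-slashed _custom value back into $_POST; that is only correct because the generic loop in the hunk below unslashes every option value before update_option(), so a one-line comment here saying the value is deliberately left slashed would stop the next reader from 'fixing' it into a double unslash. The timezone_string preg_match on the following line runs on the raw slashed value, which is safe since the pattern only inspects the UTC prefix.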
</span><span class="lines">@@ -150,7 +150,7 @@
</span><span class="cx">                                 $value = $_POST[ $option ];
</span><span class="cx">                                 if ( ! is_array( $value ) )
</span><span class="cx">                                         $value = trim( $value );
</span><del>-                                $value = stripslashes_deep( $value );
</del><ins>+                                $value = wp_unslash( $value );
</ins><span class="cx">                         }
</span><span class="cx">                         update_option( $option, $value );
</span><span class="cx">                 }
</span></span></pre></div>
<a id="trunkwpadminplugineditorphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/plugin-editor.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/plugin-editor.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/plugin-editor.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx">         wp_die( __('There are no plugins installed on this site.') );
</span><span class="cx"> 
</span><span class="cx"> if ( isset($_REQUEST['file']) )
</span><del>-        $plugin = stripslashes($_REQUEST['file']);
</del><ins>+        $plugin = wp_unslash($_REQUEST['file']);
</ins><span class="cx"> 
</span><span class="cx"> if ( empty($plugin) ) {
</span><span class="cx">         $plugin = array_keys($plugins);
</span><span class="lines">@@ -40,7 +40,7 @@
</span><span class="cx"> if ( empty($file) )
</span><span class="cx">         $file = $plugin_files[0];
</span><span class="cx"> else
</span><del>-        $file = stripslashes($file);
</del><ins>+        $file = wp_unslash($file);
</ins><span class="cx"> 
</span><span class="cx"> $file = validate_file_to_edit($file, $plugin_files);
</span><span class="cx"> $real_file = WP_PLUGIN_DIR . '/' . $file;
</span><span class="lines">@@ -52,7 +52,7 @@
</span><span class="cx"> 
</span><span class="cx">         check_admin_referer('edit-plugin_' . $file);
</span><span class="cx"> 
</span><del>-        $newcontent = stripslashes($_POST['newcontent']);
</del><ins>+        $newcontent = wp_unslash( $_POST['newcontent'] );
</ins><span class="cx">         if ( is_writeable($real_file) ) {
</span><span class="cx">                 $f = fopen($real_file, 'w+');
</span><span class="cx">                 fwrite($f, $newcontent);
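Review bot: $newcontent is PHP source that goes straight to fwrite() with no syntax check in between, so it must be unslashed exactly once; a second unslash anywhere upstream would strip every escaped quote and backslash in the plugin file and leave it uncompilable. Worth a comment on this line, and worth confirming that nothing else in this changeset now unslashes $_POST globally.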
</span></span></pre></div>
<a id="trunkwpadminpressthisphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/press-this.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/press-this.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/press-this.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -91,11 +91,11 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> // Set Variables
</span><del>-$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
</del><ins>+$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
</ins><span class="cx"> 
</span><span class="cx"> $selection = '';
</span><span class="cx"> if ( !empty($_GET['s']) ) {
</span><del>-        $selection = str_replace('&amp;apos;', &quot;'&quot;, stripslashes($_GET['s']));
</del><ins>+        $selection = str_replace('&amp;apos;', &quot;'&quot;, wp_unslash($_GET['s']));
</ins><span class="cx">         $selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) );
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpadminsetupconfigphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/setup-config.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/setup-config.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/setup-config.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -164,7 +164,7 @@
</span><span class="cx"> 
</span><span class="cx">         case 2:
</span><span class="cx">         foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key )
</span><del>-                $$key = trim( stripslashes( $_POST[ $key ] ) );
</del><ins>+                $$key = trim( wp_unslash( $_POST[ $key ] ) );
</ins><span class="cx"> 
</span><span class="cx">         $tryagain_link = '&lt;/p&gt;&lt;p class=&quot;step&quot;&gt;&lt;a href=&quot;setup-config.php?step=1&quot; onclick=&quot;javascript:history.go(-1);return false;&quot; class=&quot;button button-large&quot;&gt;' . __( 'Try again' ) . '&lt;/a&gt;';
</span><span class="cx"> 
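Review bot: trim() is applied to the database password along with the host and prefix, so a DB password with leading or trailing whitespace is silently altered; that is pre-existing behaviour rather than something this hunk introduces, but now that $pwd is the genuine unslashed password the step that writes it into wp-config.php must escape quotes and backslashes itself, and that step is not visible here.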
</span></span></pre></div>
<a id="trunkwpadminthemeeditorphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/theme-editor.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/theme-editor.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/theme-editor.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -68,7 +68,7 @@
</span><span class="cx">         $relative_file = 'style.css';
</span><span class="cx">         $file = $allowed_files['style.css'];
</span><span class="cx"> } else {
</span><del>-        $relative_file = stripslashes( $file );
</del><ins>+        $relative_file = wp_unslash( $file );
</ins><span class="cx">         $file = $theme-&gt;get_stylesheet_directory() . '/' . $relative_file;
</span><span class="cx"> }
</span><span class="cx"> 
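Review bot: the unslashed $relative_file is concatenated straight onto the stylesheet directory, and the $allowed_files whitelist is only consulted in the if branch above; confirm the validation of $relative_file against $allowed_files happens after this unslash rather than on the slashed $file, otherwise the string that is validated and the path that is actually opened can differ when the input contains a backslash.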
</span><span class="lines">@@ -78,7 +78,7 @@
</span><span class="cx"> switch( $action ) {
</span><span class="cx"> case 'update':
</span><span class="cx">         check_admin_referer( 'edit-theme_' . $file . $stylesheet );
</span><del>-        $newcontent = stripslashes( $_POST['newcontent'] );
</del><ins>+        $newcontent = wp_unslash( $_POST['newcontent'] );
</ins><span class="cx">         $location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&amp;theme=' . urlencode( $stylesheet ) . '&amp;scrollto=' . $scrollto;
</span><span class="cx">         if ( is_writeable( $file ) ) {
</span><span class="cx">                 //is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable
</span></span></pre></div>
<a id="trunkwpadminupdatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/update.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/update.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/update.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -26,7 +26,7 @@
</span><span class="cx">                 check_admin_referer( 'bulk-update-plugins' );
</span><span class="cx"> 
</span><span class="cx">                 if ( isset( $_GET['plugins'] ) )
</span><del>-                        $plugins = explode( ',', stripslashes($_GET['plugins']) );
</del><ins>+                        $plugins = explode( ',', wp_unslash($_GET['plugins']) );
</ins><span class="cx">                 elseif ( isset( $_POST['checked'] ) )
</span><span class="cx">                         $plugins = (array) $_POST['checked'];
</span><span class="cx">                 else
</span><span class="lines">@@ -109,7 +109,7 @@
</span><span class="cx">                 $nonce = 'install-plugin_' . $plugin;
</span><span class="cx">                 $url = 'update.php?action=install-plugin&amp;plugin=' . $plugin;
</span><span class="cx">                 if ( isset($_GET['from']) )
</span><del>-                        $url .= '&amp;from=' . urlencode(stripslashes($_GET['from']));
</del><ins>+                        $url .= '&amp;from=' . urlencode( wp_unslash( $_GET['from'] ) );
</ins><span class="cx"> 
</span><span class="cx">                 $type = 'web'; //Install plugin type, From Web or an Upload.
</span><span class="cx"> 
</span><span class="lines">@@ -173,7 +173,7 @@
</span><span class="cx">                 check_admin_referer( 'bulk-update-themes' );
</span><span class="cx"> 
</span><span class="cx">                 if ( isset( $_GET['themes'] ) )
</span><del>-                        $themes = explode( ',', stripslashes($_GET['themes']) );
</del><ins>+                        $themes = explode( ',', wp_unslash( $_GET['themes'] ) );
</ins><span class="cx">                 elseif ( isset( $_POST['checked'] ) )
</span><span class="cx">                         $themes = (array) $_POST['checked'];
</span><span class="cx">                 else
</span></span></pre></div>
<a id="trunkwpadminupgradephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/upgrade.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/upgrade.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/upgrade.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -77,7 +77,7 @@
</span><span class="cx"> &lt;?php else :
</span><span class="cx"> switch ( $step ) :
</span><span class="cx">         case 0:
</span><del>-                $goback = stripslashes( wp_get_referer() );
</del><ins>+                $goback = wp_get_referer();
</ins><span class="cx">                 $goback = esc_url_raw( $goback );
</span><span class="cx">                 $goback = urlencode( $goback );
</span><span class="cx"> ?&gt;
</span><span class="lines">@@ -90,7 +90,7 @@
</span><span class="cx">         case 1:
</span><span class="cx">                 wp_upgrade();
</span><span class="cx"> 
</span><del>-                        $backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
</del><ins>+                        $backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
</ins><span class="cx">                         $backto = esc_url( $backto );
</span><span class="cx">                         $backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/');
</span><span class="cx"> ?&gt;
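Review bot: wp_unslash() is applied after urldecode() on $_GET['backto'], which reverses the order in which the value was transformed: PHP URL-decodes the query string first and slashes are added afterwards, so the slashes belong to the raw value, not to its decoded form. Unslashing first, wp_unslash( $_GET['backto'] ), and only then decoding keeps the two operations symmetric. The extra urldecode() of a value PHP has already decoded is pre-existing but deserves a comment. esc_url() and wp_validate_redirect() on the following lines still bound the final destination, so the ordering affects correctness rather than the redirect guard.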
</span></span></pre></div>
<a id="trunkwpadminuploadphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/upload.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/upload.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/upload.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -132,7 +132,7 @@
</span><span class="cx">         wp_redirect( $location );
</span><span class="cx">         exit;
</span><span class="cx"> } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
</span><del>-         wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
</del><ins>+         wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
</ins><span class="cx">          exit;
</span><span class="cx"> }
</span><span class="cx"> 
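Review bot: the unslash change itself is correct, but the redirect target is built from $_SERVER['REQUEST_URI'] and handed to wp_redirect() rather than wp_safe_redirect(), so nothing here constrains the destination to the site's own host; wp_safe_redirect() would make this line independent of how the web server populates REQUEST_URI. The users.php hunks in this changeset carry the same pattern.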
</span></span></pre></div>
<a id="trunkwpadminusereditphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/user-edit.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/user-edit.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/user-edit.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -54,7 +54,7 @@
</span><span class="cx">     '&lt;p&gt;' . __('&lt;a href=&quot;http://wordpress.org/support/&quot; target=&quot;_blank&quot;&gt;Support Forums&lt;/a&gt;') . '&lt;/p&gt;'
</span><span class="cx"> );
</span><span class="cx"> 
</span><del>-$wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer));
</del><ins>+$wp_http_referer = remove_query_arg(array('update', 'delete_count'), wp_unslash( $wp_http_referer ) );
</ins><span class="cx"> 
</span><span class="cx"> $user_can_edit = current_user_can( 'edit_posts' ) || current_user_can( 'edit_pages' );
</span><span class="cx"> 
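Review bot: wp_unslash() is applied here to $wp_http_referer, a plain variable whose assignment is outside this hunk, not to a superglobal. If that assignment is ever switched to an already-unslashed source, this line becomes a double unslash that silently strips legitimate backslashes from the referer. Moving the wp_unslash() to the point of assignment, or adding a comment that the variable is expected to hold raw request data, would keep the contract visible.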
</span></span></pre></div>
<a id="trunkwpadminusernewphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/user-new.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/user-new.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/user-new.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -112,15 +112,15 @@
</span><span class="cx">                 }
</span><span class="cx">         } else {
</span><span class="cx">                 // Adding a new user to this blog
</span><del>-                $user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] );
</del><ins>+                $user_details = wpmu_validate_user_signup( wp_unslash( $_REQUEST[ 'user_login' ] ), wp_unslash( $_REQUEST[ 'email' ] ) );
</ins><span class="cx">                 if ( is_wp_error( $user_details[ 'errors' ] ) &amp;&amp; !empty( $user_details[ 'errors' ]-&gt;errors ) ) {
</span><span class="cx">                         $add_user_errors = $user_details[ 'errors' ];
</span><span class="cx">                 } else {
</span><del>-                        $new_user_login = apply_filters('pre_user_login', sanitize_user(stripslashes($_REQUEST['user_login']), true));
</del><ins>+                        $new_user_login = apply_filters('pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) );
</ins><span class="cx">                         if ( isset( $_POST[ 'noconfirmation' ] ) &amp;&amp; is_super_admin() ) {
</span><span class="cx">                                 add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
</span><span class="cx">                         }
</span><del>-                        wpmu_signup_user( $new_user_login, $_REQUEST[ 'email' ], array( 'add_to_blog' =&gt; $wpdb-&gt;blogid, 'new_role' =&gt; $_REQUEST[ 'role' ] ) );
</del><ins>+                        wpmu_signup_user( $new_user_login, wp_unslash( $_REQUEST[ 'email' ] ), array( 'add_to_blog' =&gt; $wpdb-&gt;blogid, 'new_role' =&gt; $_REQUEST[ 'role' ] ) );
</ins><span class="cx">                         if ( isset( $_POST[ 'noconfirmation' ] ) &amp;&amp; is_super_admin() ) {
</span><span class="cx">                                 $key = $wpdb-&gt;get_var( $wpdb-&gt;prepare( &quot;SELECT activation_key FROM {$wpdb-&gt;signups} WHERE user_login = %s AND user_email = %s&quot;, $new_user_login, $_REQUEST[ 'email' ] ) );
</span><span class="cx">                                 wpmu_activate_signup( $key );
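Review bot: the email is unslashed for wpmu_validate_user_signup() and wpmu_signup_user(), but the $wpdb-&gt;prepare() lookup of activation_key a few lines later still passes the raw $_REQUEST['email']. An address containing a character the slashing touches would be stored in unslashed form and looked up in slashed form, so $key comes back empty and wpmu_activate_signup() runs with a null key. Assign wp_unslash( $_REQUEST['email'] ) once to a local and use it in all three places. $_REQUEST['role'] in the 'new_role' argument is also left as-is, which only holds if role slugs never contain slashable characters.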
</span><span class="lines">@@ -309,7 +309,7 @@
</span><span class="cx">         $var = &quot;new_user_$var&quot;;
</span><span class="cx">         if( isset( $_POST['createuser'] ) ) {
</span><span class="cx">                 if ( ! isset($$var) )
</span><del>-                        $$var = isset( $_POST[$post_field] ) ? stripslashes( $_POST[$post_field] ) : '';
</del><ins>+                        $$var = isset( $_POST[$post_field] ) ? wp_unslash( $_POST[$post_field] ) : '';
</ins><span class="cx">         } else {
</span><span class="cx">                 $$var = false;
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkwpadminusersphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/users.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/users.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-admin/users.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -64,9 +64,9 @@
</span><span class="cx"> );
</span><span class="cx"> 
</span><span class="cx"> if ( empty($_REQUEST) ) {
</span><del>-        $referer = '&lt;input type=&quot;hidden&quot; name=&quot;wp_http_referer&quot; value=&quot;'. esc_attr(stripslashes($_SERVER['REQUEST_URI'])) . '&quot; /&gt;';
</del><ins>+        $referer = '&lt;input type=&quot;hidden&quot; name=&quot;wp_http_referer&quot; value=&quot;'. esc_attr( wp_unslash( $_SERVER['REQUEST_URI'] ) ) . '&quot; /&gt;';
</ins><span class="cx"> } elseif ( isset($_REQUEST['wp_http_referer']) ) {
</span><del>-        $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer']));
</del><ins>+        $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), wp_unslash( $_REQUEST['wp_http_referer'] ) );
</ins><span class="cx">         $referer = '&lt;input type=&quot;hidden&quot; name=&quot;wp_http_referer&quot; value=&quot;' . esc_attr($redirect) . '&quot; /&gt;';
</span><span class="cx"> } else {
</span><span class="cx">         $redirect = 'users.php';
</span><span class="lines">@@ -357,7 +357,7 @@
</span><span class="cx"> default:
</span><span class="cx"> 
</span><span class="cx">         if ( !empty($_GET['_wp_http_referer']) ) {
</span><del>-                wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI'])));
</del><ins>+                wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce'), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
</ins><span class="cx">                 exit;
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -381,7 +381,7 @@
</span><span class="cx">                 case 'add':
</span><span class="cx">                         if ( isset( $_GET['id'] ) &amp;&amp; ( $user_id = $_GET['id'] ) &amp;&amp; current_user_can( 'edit_user', $user_id ) ) {
</span><span class="cx">                                 $messages[] = '&lt;div id=&quot;message&quot; class=&quot;updated&quot;&gt;&lt;p&gt;' . sprintf( __( 'New user created. &lt;a href=&quot;%s&quot;&gt;Edit user&lt;/a&gt;' ),
</span><del>-                                        esc_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ),
</del><ins>+                                        esc_url( add_query_arg( 'wp_http_referer', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ),
</ins><span class="cx">                                                 self_admin_url( 'user-edit.php?user_id=' . $user_id ) ) ) ) . '&lt;/p&gt;&lt;/div&gt;';
</span><span class="cx">                         } else {
</span><span class="cx">                                 $messages[] = '&lt;div id=&quot;message&quot; class=&quot;updated&quot;&gt;&lt;p&gt;' . __( 'New user created.' ) . '&lt;/p&gt;&lt;/div&gt;';
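Review bot: $user_id is taken from $_GET['id'] with no integer cast before it reaches current_user_can( 'edit_user', $user_id ) and the user-edit.php URL; the wp_unslash() change on the REQUEST_URI line is fine, but ( $user_id = (int) $_GET['id'] ) would match how IDs are normalized elsewhere and keep the capability check and the generated link on the same value.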
</span></span></pre></div>
<a id="trunkwpcommentspostphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-comments-post.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-comments-post.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-comments-post.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -17,8 +17,10 @@
</span><span class="cx"> 
</span><span class="cx"> nocache_headers();
</span><span class="cx"> 
</span><del>-$comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0;
</del><ins>+$post_data = wp_unslash( $_POST );
</ins><span class="cx"> 
</span><ins>+$comment_post_ID = isset($post_data['comment_post_ID']) ? (int) $post_data['comment_post_ID'] : 0;
+
</ins><span class="cx"> $post = get_post($comment_post_ID);
</span><span class="cx"> 
</span><span class="cx"> if ( empty($post-&gt;comment_status) ) {
</span><span class="lines">@@ -47,21 +49,21 @@
</span><span class="cx">         do_action('pre_comment_on_post', $comment_post_ID);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-$comment_author       = ( isset($_POST['author']) )  ? trim(strip_tags($_POST['author'])) : null;
-$comment_author_email = ( isset($_POST['email']) )   ? trim($_POST['email']) : null;
-$comment_author_url   = ( isset($_POST['url']) )     ? trim($_POST['url']) : null;
-$comment_content      = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
</del><ins>+$comment_author       = ( isset( $post_data['author'] ) )  ? trim( strip_tags( $post_data['author'] ) ) : null;
+$comment_author_email = ( isset( $post_data['email'] ) )   ? trim( $post_data['email'] ) : null;
+$comment_author_url   = ( isset( $post_data['url'] ) )     ? trim( $post_data['url'] ) : null;
+$comment_content      = ( isset( $post_data['comment'] ) ) ? trim( $post_data['comment'] ) : null;
</ins><span class="cx"> 
</span><span class="cx"> // If the user is logged in
</span><span class="cx"> $user = wp_get_current_user();
</span><span class="cx"> if ( $user-&gt;exists() ) {
</span><span class="cx">         if ( empty( $user-&gt;display_name ) )
</span><del>-                $user-&gt;display_name=$user-&gt;user_login;
-        $comment_author       = $wpdb-&gt;escape($user-&gt;display_name);
-        $comment_author_email = $wpdb-&gt;escape($user-&gt;user_email);
-        $comment_author_url   = $wpdb-&gt;escape($user-&gt;user_url);
</del><ins>+                $user-&gt;display_name = $user-&gt;user_login;
+        $comment_author       = $user-&gt;display_name;
+        $comment_author_email = $user-&gt;user_email;
+        $comment_author_url   = $user-&gt;user_url;
</ins><span class="cx">         if ( current_user_can('unfiltered_html') ) {
</span><del>-                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
</del><ins>+                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $post_data['_wp_unfiltered_html_comment'] ) {
</ins><span class="cx">                         kses_remove_filters(); // start with a clean slate
</span><span class="cx">                         kses_init_filters(); // set up the filters
</span><span class="cx">                 }
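Review bot: $post_data['_wp_unfiltered_html_comment'] is read without an isset() guard and compared with the loose != operator, so when the field is absent this raises an undefined-index notice and compares the nonce against null. This is a one-for-one rewrite of the old $_POST access, so the issue is pre-existing, but since the line is being touched, guard it with isset() and use !==. Dropping the $wpdb-&gt;escape() calls on the logged-in user's display name, email and URL is consistent with the changeset's aim, provided the comment-insertion path that receives $commentdata now expects unslashed data.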
</span><span class="lines">@@ -83,7 +85,7 @@
</span><span class="cx"> if ( '' == $comment_content )
</span><span class="cx">         wp_die( __('&lt;strong&gt;ERROR&lt;/strong&gt;: please type a comment.') );
</span><span class="cx"> 
</span><del>-$comment_parent = isset($_POST['comment_parent']) ? absint($_POST['comment_parent']) : 0;
</del><ins>+$comment_parent = isset($post_data['comment_parent']) ? absint($post_data['comment_parent']) : 0;
</ins><span class="cx"> 
</span><span class="cx"> $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'comment_parent', 'user_ID');
</span><span class="cx"> 
</span><span class="lines">@@ -92,7 +94,7 @@
</span><span class="cx"> $comment = get_comment($comment_id);
</span><span class="cx"> do_action('set_comment_cookies', $comment, $user);
</span><span class="cx"> 
</span><del>-$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id;
</del><ins>+$location = empty($post_data['redirect_to']) ? get_comment_link($comment_id) : $post_data['redirect_to'] . '#comment-' . $comment_id;
</ins><span class="cx"> $location = apply_filters('comment_post_redirect', $location, $comment);
</span><span class="cx"> 
</span><span class="cx"> wp_safe_redirect( $location );
</span></span></pre></div>
<a id="trunkwpincludesclasswpcustomizemanagerphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/class-wp-customize-manager.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/class-wp-customize-manager.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/class-wp-customize-manager.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -310,7 +310,7 @@
</span><span class="cx">         public function post_value( $setting ) {
</span><span class="cx">                 if ( ! isset( $this-&gt;_post_values ) ) {
</span><span class="cx">                         if ( isset( $_POST['customized'] ) )
</span><del>-                                $this-&gt;_post_values = json_decode( stripslashes( $_POST['customized'] ), true );
</del><ins>+                                $this-&gt;_post_values = json_decode( wp_unslash( $_POST['customized'] ), true );
</ins><span class="cx">                         else
</span><span class="cx">                                 $this-&gt;_post_values = false;
</span><span class="cx">                 }
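Review bot: json_decode() returns null for a malformed 'customized' payload, and because the cache check is ! isset( $this-&gt;_post_values ), a null result never counts as cached, so the payload is unslashed and decoded again on every post_value() call. Treating a failed decode like the else branch ($this-&gt;_post_values = false) closes that gap; the switch to wp_unslash() itself is fine.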
</span></span></pre></div>
<a id="trunkwpincludesclasswpcustomizesettingphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/class-wp-customize-setting.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/class-wp-customize-setting.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/class-wp-customize-setting.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -144,7 +144,7 @@
</span><span class="cx">          * @return mixed Null if an input isn't valid, otherwise the sanitized value.
</span><span class="cx">          */
</span><span class="cx">         public function sanitize( $value ) {
</span><del>-                $value = stripslashes_deep( $value );
</del><ins>+                $value = wp_unslash( $value );
</ins><span class="cx">                 return apply_filters( &quot;customize_sanitize_{$this-&gt;id}&quot;, $value, $this );
</span><span class="cx">         }
</span><span class="cx"> 
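Review bot: sanitize() now unslashes its argument, while post_value() in the class-wp-customize-manager.php hunk above already unslashes $_POST['customized'] before json_decode(). If values decoded there are passed into sanitize(), they are unslashed twice and any legitimate backslash in a setting value (a Windows path, a regular expression) is lost. Pick one layer: either sanitize() receives raw slashed input and keeps this call, or it drops the wp_unslash() and documents that callers pass unslashed values, which is what the changeset title implies.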
</span></span></pre></div>
<a id="trunkwpincludesclasswpxmlrpcserverphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/class-wp-xmlrpc-server.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/class-wp-xmlrpc-server.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/class-wp-xmlrpc-server.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -280,17 +280,15 @@
</span><span class="cx">                                 $meta['id'] = (int) $meta['id'];
</span><span class="cx">                                 $pmeta = get_metadata_by_mid( 'post', $meta['id'] );
</span><span class="cx">                                 if ( isset($meta['key']) ) {
</span><del>-                                        $meta['key'] = stripslashes( $meta['key'] );
</del><span class="cx">                                         if ( $meta['key'] != $pmeta-&gt;meta_key )
</span><span class="cx">                                                 continue;
</span><del>-                                        $meta['value'] = stripslashes_deep( $meta['value'] );
</del><span class="cx">                                         if ( current_user_can( 'edit_post_meta', $post_id, $meta['key'] ) )
</span><span class="cx">                                                 update_metadata_by_mid( 'post', $meta['id'], $meta['value'] );
</span><span class="cx">                                 } elseif ( current_user_can( 'delete_post_meta', $post_id, $pmeta-&gt;meta_key ) ) {
</span><span class="cx">                                         delete_metadata_by_mid( 'post', $meta['id'] );
</span><span class="cx">                                 }
</span><del>-                        } elseif ( current_user_can( 'add_post_meta', $post_id, stripslashes( $meta['key'] ) ) ) {
-                                add_post_meta( $post_id, $meta['key'], $meta['value'] );
</del><ins>+                        } elseif ( current_user_can( 'add_post_meta', $post_id, $meta['key'] ) ) {
+                                wp_add_post_meta( $post_id, $meta['key'], $meta['value'] );
</ins><span class="cx">                         }
</span><span class="cx">                 }
</span><span class="cx">         }
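Review bot: add_post_meta() is replaced by wp_add_post_meta() on the same lines that stop unslashing $meta['key'] and $meta['value'], but that function is not defined anywhere in the visible diff; its definition and the reason a new name is needed (presumably a variant that expects unslashed arguments, per the changeset title) belong in the commit message. Removing stripslashes() on the key before the current_user_can() checks does mean the capability check and the stored key are now compared on the same unslashed value, which is an improvement over the old code.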
</span><span class="lines">@@ -462,8 +460,6 @@
</span><span class="cx">                         return $this-&gt;blogger_getUsersBlogs( $args );
</span><span class="cx">                 }
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $username = $args[0];
</span><span class="cx">                 $password = $args[1];
</span><span class="cx"> 
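Review bot: this is the first of many identical removals of $this-&gt;escape( $args ) in this file. Each one is only correct if every downstream consumer of $args (the login check and the wp_* functions that receive $username, $password and the content structs) now expects unslashed input, which is the changeset's stated contract but is not visible in these hunks. One round-trip test through a create and an edit method with a username, password and title containing both a quote and a backslash would verify the whole file at once, rather than re-reading each method separately.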
</span><span class="lines">@@ -955,8 +951,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username       = $args[1];
</span><span class="cx">                 $password       = $args[2];
</span><span class="lines">@@ -1239,8 +1233,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 5 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username       = $args[1];
</span><span class="cx">                 $password       = $args[2];
</span><span class="lines">@@ -1274,7 +1266,6 @@
</span><span class="cx">                 else
</span><span class="cx">                         $post['post_date_gmt'] = $this-&gt;_convert_date( $post['post_date_gmt'] );
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $post );
</del><span class="cx">                 $merged_content_struct = array_merge( $post, $content_struct );
</span><span class="cx"> 
</span><span class="cx">                 $retval = $this-&gt;_insert_post( $user, $merged_content_struct );
</span><span class="lines">@@ -1301,8 +1292,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id    = (int) $args[0];
</span><span class="cx">                 $username   = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -1377,8 +1366,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id            = (int) $args[0];
</span><span class="cx">                 $username           = $args[1];
</span><span class="cx">                 $password           = $args[2];
</span><span class="lines">@@ -1434,8 +1421,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 3 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id    = (int) $args[0];
</span><span class="cx">                 $username   = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -1529,8 +1514,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id            = (int) $args[0];
</span><span class="cx">                 $username           = $args[1];
</span><span class="cx">                 $password           = $args[2];
</span><span class="lines">@@ -1616,8 +1599,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 5 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id            = (int) $args[0];
</span><span class="cx">                 $username           = $args[1];
</span><span class="cx">                 $password           = $args[2];
</span><span class="lines">@@ -1708,8 +1689,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 5 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id            = (int) $args[0];
</span><span class="cx">                 $username           = $args[1];
</span><span class="cx">                 $password           = $args[2];
</span><span class="lines">@@ -1775,8 +1754,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 5 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id            = (int) $args[0];
</span><span class="cx">                 $username           = $args[1];
</span><span class="cx">                 $password           = $args[2];
</span><span class="lines">@@ -1828,8 +1805,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username       = $args[1];
</span><span class="cx">                 $password       = $args[2];
</span><span class="lines">@@ -1903,8 +1878,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username       = $args[1];
</span><span class="cx">                 $password       = $args[2];
</span><span class="lines">@@ -1947,8 +1920,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 3 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id            = (int) $args[0];
</span><span class="cx">                 $username           = $args[1];
</span><span class="cx">                 $password           = $args[2];
</span><span class="lines">@@ -2016,8 +1987,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id    = (int) $args[0];
</span><span class="cx">                 $username   = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -2069,8 +2038,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 3 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id    = (int) $args[0];
</span><span class="cx">                 $username   = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -2137,8 +2104,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 3 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id    = (int) $args[0];
</span><span class="cx">                 $username   = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -2184,8 +2149,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username       = $args[1];
</span><span class="cx">                 $password       = $args[2];
</span><span class="lines">@@ -2249,8 +2212,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getPage($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $page_id        = (int) $args[1];
</span><span class="cx">                 $username        = $args[2];
</span><span class="lines">@@ -2292,8 +2253,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getPages($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2336,9 +2295,8 @@
</span><span class="cx">          * @return unknown
</span><span class="cx">          */
</span><span class="cx">         function wp_newPage($args) {
</span><del>-                // Items not escaped here will be escaped in newPost.
-                $username        = $this-&gt;escape($args[1]);
-                $password        = $this-&gt;escape($args[2]);
</del><ins>+                $username        = $args[1];
+                $password        = $args[2];
</ins><span class="cx">                 $page                = $args[3];
</span><span class="cx">                 $publish        = $args[4];
</span><span class="cx"> 
</span><span class="lines">@@ -2363,8 +2321,6 @@
</span><span class="cx">          * @return bool True, if success.
</span><span class="cx">          */
</span><span class="cx">         function wp_deletePage($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2404,11 +2360,10 @@
</span><span class="cx">          * @return unknown
</span><span class="cx">          */
</span><span class="cx">         function wp_editPage($args) {
</span><del>-                // Items not escaped here will be escaped in editPost.
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><del>-                $page_id        = (int) $this-&gt;escape($args[1]);
-                $username        = $this-&gt;escape($args[2]);
-                $password        = $this-&gt;escape($args[3]);
</del><ins>+                $page_id        = (int) $args[1];
+                $username        = $args[2];
+                $password        = $args[3];
</ins><span class="cx">                 $content        = $args[4];
</span><span class="cx">                 $publish        = $args[5];
</span><span class="cx"> 
</span><span class="lines">@@ -2453,8 +2408,6 @@
</span><span class="cx">         function wp_getPageList($args) {
</span><span class="cx">                 global $wpdb;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id                                = (int) $args[0];
</span><span class="cx">                 $username                                = $args[1];
</span><span class="cx">                 $password                                = $args[2];
</span><span class="lines">@@ -2503,9 +2456,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getAuthors($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2539,8 +2489,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getTags( $args ) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id                = (int) $args[0];
</span><span class="cx">                 $username                = $args[1];
</span><span class="cx">                 $password                = $args[2];
</span><span class="lines">@@ -2580,8 +2528,6 @@
</span><span class="cx">          * @return int Category ID.
</span><span class="cx">          */
</span><span class="cx">         function wp_newCategory($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id                                = (int) $args[0];
</span><span class="cx">                 $username                                = $args[1];
</span><span class="cx">                 $password                                = $args[2];
</span><span class="lines">@@ -2641,8 +2587,6 @@
</span><span class="cx">          * @return mixed See {@link wp_delete_term()} for return info.
</span><span class="cx">          */
</span><span class="cx">         function wp_deleteCategory($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id                = (int) $args[0];
</span><span class="cx">                 $username                = $args[1];
</span><span class="cx">                 $password                = $args[2];
</span><span class="lines">@@ -2673,8 +2617,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_suggestCategories($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id                                = (int) $args[0];
</span><span class="cx">                 $username                                = $args[1];
</span><span class="cx">                 $password                                = $args[2];
</span><span class="lines">@@ -2710,8 +2652,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getComment($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2751,8 +2691,6 @@
</span><span class="cx">          * @return array. Contains a collection of comments. See {@link wp_xmlrpc_server::wp_getComment()} for a description of each item contents
</span><span class="cx">          */
</span><span class="cx">         function wp_getComments($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2811,8 +2749,6 @@
</span><span class="cx">          * @return mixed {@link wp_delete_comment()}
</span><span class="cx">          */
</span><span class="cx">         function wp_deleteComment($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2865,8 +2801,6 @@
</span><span class="cx">          * @return bool True, on success.
</span><span class="cx">          */
</span><span class="cx">         function wp_editComment($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2942,8 +2876,6 @@
</span><span class="cx">         function wp_newComment($args) {
</span><span class="cx">                 global $wpdb;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -2978,9 +2910,9 @@
</span><span class="cx">                 $comment['comment_post_ID'] = $post_id;
</span><span class="cx"> 
</span><span class="cx">                 if ( $logged_in ) {
</span><del>-                        $comment['comment_author'] = $wpdb-&gt;escape( $user-&gt;display_name );
-                        $comment['comment_author_email'] = $wpdb-&gt;escape( $user-&gt;user_email );
-                        $comment['comment_author_url'] = $wpdb-&gt;escape( $user-&gt;user_url );
</del><ins>+                        $comment['comment_author'] = $user-&gt;display_name;
+                        $comment['comment_author_email'] = $user-&gt;user_email;
+                        $comment['comment_author_url'] = $user-&gt;user_url;
</ins><span class="cx">                         $comment['user_ID'] = $user-&gt;ID;
</span><span class="cx">                 } else {
</span><span class="cx">                         $comment['comment_author'] = '';
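Review bot: `$user-&gt;display_name`, `$user-&gt;user_email` and `$user-&gt;user_url` now go into `$comment` without `$wpdb-&gt;escape()`, which is correct only if the function that consumes `$comment` further down (not visible in this hunk) was converted to expect unslashed input in the same changeset; if it still feeds a slash-expecting insert path, a display name containing a single quote will be truncated or fail on insert. Worth a short comment on the `if ( $logged_in )` block stating that `$comment` is built unslashed, since the `else` branch assigns literals and gives no hint either way.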
</span><span class="lines">@@ -3027,8 +2959,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getCommentStatusList($args) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3053,8 +2983,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getCommentCount( $args ) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3086,8 +3014,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getPostStatusList( $args ) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3112,8 +3038,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getPageStatusList( $args ) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3138,8 +3062,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getPageTemplates( $args ) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3165,8 +3087,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function wp_getOptions( $args ) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3215,8 +3135,6 @@
</span><span class="cx">          * @return unknown
</span><span class="cx">          */
</span><span class="cx">         function wp_setOptions( $args ) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3264,8 +3182,6 @@
</span><span class="cx">          *  - 'metadata'
</span><span class="cx">          */
</span><span class="cx">         function wp_getMediaItem($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id                = (int) $args[0];
</span><span class="cx">                 $username                = $args[1];
</span><span class="cx">                 $password                = $args[2];
</span><span class="lines">@@ -3309,8 +3225,6 @@
</span><span class="cx">          * @return array. Contains a collection of media items. See {@link wp_xmlrpc_server::wp_getMediaItem()} for a description of each item contents
</span><span class="cx">          */
</span><span class="cx">         function wp_getMediaLibrary($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username        = $args[1];
</span><span class="cx">                 $password        = $args[2];
</span><span class="lines">@@ -3351,8 +3265,6 @@
</span><span class="cx">           * @return array
</span><span class="cx">           */
</span><span class="cx">         function wp_getPostFormats( $args ) {
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id = (int) $args[0];
</span><span class="cx">                 $username = $args[1];
</span><span class="cx">                 $password = $args[2];
</span><span class="lines">@@ -3411,8 +3323,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id        = (int) $args[0];
</span><span class="cx">                 $username       = $args[1];
</span><span class="cx">                 $password       = $args[2];
</span><span class="lines">@@ -3457,8 +3367,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 3 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id            = (int) $args[0];
</span><span class="cx">                 $username           = $args[1];
</span><span class="cx">                 $password           = $args[2];
</span><span class="lines">@@ -3511,8 +3419,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 4 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id    = (int) $args[0];
</span><span class="cx">                 $username   = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -3577,8 +3483,6 @@
</span><span class="cx">                 if ( ! $this-&gt;minimum_args( $args, 3 ) )
</span><span class="cx">                         return $this-&gt;error;
</span><span class="cx"> 
</span><del>-                $this-&gt;escape( $args );
-
</del><span class="cx">                 $blog_id     = (int) $args[0];
</span><span class="cx">                 $username    = $args[1];
</span><span class="cx">                 $password    = $args[2];
</span><span class="lines">@@ -3628,8 +3532,6 @@
</span><span class="cx">                 if ( is_multisite() )
</span><span class="cx">                         return $this-&gt;_multisite_getUsersBlogs($args);
</span><span class="cx"> 
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $username = $args[1];
</span><span class="cx">                 $password  = $args[2];
</span><span class="cx"> 
</span><span class="lines">@@ -3691,9 +3593,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function blogger_getUserInfo($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $username = $args[1];
</span><span class="cx">                 $password  = $args[2];
</span><span class="cx"> 
</span><span class="lines">@@ -3725,9 +3624,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function blogger_getPost($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID    = (int) $args[1];
</span><span class="cx">                 $username = $args[2];
</span><span class="cx">                 $password  = $args[3];
</span><span class="lines">@@ -3746,9 +3642,9 @@
</span><span class="cx"> 
</span><span class="cx">                 $categories = implode(',', wp_get_post_categories($post_ID));
</span><span class="cx"> 
</span><del>-                $content  = '&lt;title&gt;'.stripslashes($post_data['post_title']).'&lt;/title&gt;';
</del><ins>+                $content  = '&lt;title&gt;'.$post_data['post_title'].'&lt;/title&gt;';
</ins><span class="cx">                 $content .= '&lt;category&gt;'.$categories.'&lt;/category&gt;';
</span><del>-                $content .= stripslashes($post_data['post_content']);
</del><ins>+                $content .= $post_data['post_content'];
</ins><span class="cx"> 
</span><span class="cx">                 $struct = array(
</span><span class="cx">                         'userid'      =&gt; (string) $post_data['post_author'],
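Review bot: dropping `stripslashes()` around `$post_data['post_title']` and `$post_data['post_content']` assumes `$post_data` is fetched unslashed above this hunk; the strips were here precisely because the fetch used to return slashed rows, so verify that fetch was changed too, otherwise titles and bodies containing quotes or backslashes will reach XML-RPC clients with doubled backslashes. The identical change in the `blogger_getRecentPosts` hunk below (`$entry['post_title']`, `$entry['post_content']`) needs the same check.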
</span><span class="lines">@@ -3769,9 +3665,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function blogger_getRecentPosts($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 // $args[0] = appkey - ignored
</span><span class="cx">                 $blog_ID    = (int) $args[1]; /* though we don't use it yet */
</span><span class="cx">                 $username = $args[2];
</span><span class="lines">@@ -3800,9 +3693,9 @@
</span><span class="cx">                         $post_date  = $this-&gt;_convert_date( $entry['post_date'] );
</span><span class="cx">                         $categories = implode(',', wp_get_post_categories($entry['ID']));
</span><span class="cx"> 
</span><del>-                        $content  = '&lt;title&gt;'.stripslashes($entry['post_title']).'&lt;/title&gt;';
</del><ins>+                        $content  = '&lt;title&gt;'.$entry['post_title'].'&lt;/title&gt;';
</ins><span class="cx">                         $content .= '&lt;category&gt;'.$categories.'&lt;/category&gt;';
</span><del>-                        $content .= stripslashes($entry['post_content']);
</del><ins>+                        $content .= $entry['post_content'];
</ins><span class="cx"> 
</span><span class="cx">                         $struct[] = array(
</span><span class="cx">                                 'userid'      =&gt; (string) $entry['post_author'],
</span><span class="lines">@@ -3850,9 +3743,6 @@
</span><span class="cx">          * @return int
</span><span class="cx">          */
</span><span class="cx">         function blogger_newPost($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_ID    = (int) $args[1]; /* though we don't use it yet */
</span><span class="cx">                 $username = $args[2];
</span><span class="cx">                 $password  = $args[3];
</span><span class="lines">@@ -3904,9 +3794,6 @@
</span><span class="cx">          * @return bool true when done.
</span><span class="cx">          */
</span><span class="cx">         function blogger_editPost($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID     = (int) $args[1];
</span><span class="cx">                 $username  = $args[2];
</span><span class="cx">                 $password   = $args[3];
</span><span class="lines">@@ -3923,8 +3810,6 @@
</span><span class="cx">                 if ( !$actual_post || $actual_post['post_type'] != 'post' )
</span><span class="cx">                         return new IXR_Error(404, __('Sorry, no such post.'));
</span><span class="cx"> 
</span><del>-                $this-&gt;escape($actual_post);
-
</del><span class="cx">                 if ( !current_user_can('edit_post', $post_ID) )
</span><span class="cx">                         return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.'));
</span><span class="cx"> 
</span><span class="lines">@@ -3960,8 +3845,6 @@
</span><span class="cx">          * @return bool True when post is deleted.
</span><span class="cx">          */
</span><span class="cx">         function blogger_deletePost($args) {
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID     = (int) $args[1];
</span><span class="cx">                 $username  = $args[2];
</span><span class="cx">                 $password   = $args[3];
</span><span class="lines">@@ -4030,13 +3913,11 @@
</span><span class="cx">          * @return int
</span><span class="cx">          */
</span><span class="cx">         function mw_newPost($args) {
</span><del>-                $this-&gt;escape($args);
-
-                $blog_ID     = (int) $args[0];
-                $username  = $args[1];
-                $password   = $args[2];
</del><ins>+                $blog_ID        = (int) $args[0];
+                $username       = $args[1];
+                $password       = $args[2];
</ins><span class="cx">                 $content_struct = $args[3];
</span><del>-                $publish     = isset( $args[4] ) ? $args[4] : 0;
</del><ins>+                $publish        = isset( $args[4] ) ? $args[4] : 0;
</ins><span class="cx"> 
</span><span class="cx">                 if ( !$user = $this-&gt;login($username, $password) )
</span><span class="cx">                         return $this-&gt;error;
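Review bot: four of the changed lines here (`$blog_ID`, `$username`, `$password`, `$publish`) are whitespace realignment only; the single functional change in the hunk is the removed `$this-&gt;escape($args)`. Keeping alignment-only edits out of a behavior-changing commit would leave `blame` on those argument lines pointing at the logic change rather than the reindent, and makes the hunk easier to audit for what actually stopped being escaped.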
</span><span class="lines">@@ -4316,7 +4197,7 @@
</span><span class="cx">                                 }
</span><span class="cx">                         }
</span><span class="cx">                         if (!$found)
</span><del>-                                add_post_meta( $post_ID, 'enclosure', $encstring );
</del><ins>+                                wp_add_post_meta( $post_ID, 'enclosure', $encstring );
</ins><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx"> 
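Review bot: `wp_add_post_meta( $post_ID, 'enclosure', $encstring )` replaces `add_post_meta()`, but nothing in this hunk or elsewhere in the visible diff defines `wp_add_post_meta()`. If it is a new unslashed-argument counterpart introduced in this changeset, say so in a comment at the call site; if not, this is a fatal call to an undefined function on the enclosure path every time a new post carries an enclosure. This is also the only XML-RPC call site in the diff switched to a `wp_`-prefixed variant, so confirm the other meta calls in this method did not need the same treatment.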
</span><span class="lines">@@ -4350,9 +4231,6 @@
</span><span class="cx">          * @return bool True on success.
</span><span class="cx">          */
</span><span class="cx">         function mw_editPost($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID        = (int) $args[0];
</span><span class="cx">                 $username       = $args[1];
</span><span class="cx">                 $password       = $args[2];
</span><span class="lines">@@ -4391,7 +4269,6 @@
</span><span class="cx">                         }
</span><span class="cx">                 }
</span><span class="cx"> 
</span><del>-                $this-&gt;escape($postdata);
</del><span class="cx">                 extract($postdata, EXTR_SKIP);
</span><span class="cx"> 
</span><span class="cx">                 // Let WordPress manage slug if none was provided.
</span><span class="lines">@@ -4619,9 +4496,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function mw_getPost($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -4743,9 +4617,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function mw_getRecentPosts($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -4858,9 +4729,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function mw_getCategories($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -4907,10 +4775,10 @@
</span><span class="cx">         function mw_newMediaObject($args) {
</span><span class="cx">                 global $wpdb;
</span><span class="cx"> 
</span><del>-                $blog_ID     = (int) $args[0];
-                $username  = $wpdb-&gt;escape($args[1]);
-                $password   = $wpdb-&gt;escape($args[2]);
-                $data        = $args[3];
</del><ins>+                $blog_ID   = (int) $args[0];
+                $username  = $args[1];
+                $password  = $args[2];
+                $data      = $args[3];
</ins><span class="cx"> 
</span><span class="cx">                 $name = sanitize_file_name( $data['name'] );
</span><span class="cx">                 $type = $data['type'];
</span><span class="lines">@@ -4997,9 +4865,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function mt_getRecentPostTitles($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -5057,9 +4922,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function mt_getCategoryList($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $blog_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -5095,9 +4957,6 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function mt_getPostCategories($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -5138,9 +4997,6 @@
</span><span class="cx">          * @return bool True on success.
</span><span class="cx">          */
</span><span class="cx">         function mt_setPostCategories($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -5250,9 +5106,6 @@
</span><span class="cx">          * @return int
</span><span class="cx">          */
</span><span class="cx">         function mt_publishPost($args) {
</span><del>-
-                $this-&gt;escape($args);
-
</del><span class="cx">                 $post_ID     = (int) $args[0];
</span><span class="cx">                 $username  = $args[1];
</span><span class="cx">                 $password   = $args[2];
</span><span class="lines">@@ -5274,7 +5127,6 @@
</span><span class="cx">                 // retain old cats
</span><span class="cx">                 $cats = wp_get_post_categories($post_ID);
</span><span class="cx">                 $postdata['post_category'] = $cats;
</span><del>-                $this-&gt;escape($postdata);
</del><span class="cx"> 
</span><span class="cx">                 $result = wp_update_post($postdata);
</span><span class="cx"> 
</span><span class="lines">@@ -5298,8 +5150,6 @@
</span><span class="cx"> 
</span><span class="cx">                 do_action('xmlrpc_call', 'pingback.ping');
</span><span class="cx"> 
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $pagelinkedfrom = $args[0];
</span><span class="cx">                 $pagelinkedto   = $args[1];
</span><span class="cx"> 
</span><span class="lines">@@ -5435,15 +5285,15 @@
</span><span class="cx">                 $pagelinkedfrom = str_replace('&amp;', '&amp;amp;', $pagelinkedfrom);
</span><span class="cx"> 
</span><span class="cx">                 $context = '[...] ' . esc_html( $excerpt ) . ' [...]';
</span><del>-                $pagelinkedfrom = $wpdb-&gt;escape( $pagelinkedfrom );
</del><ins>+                $pagelinkedfrom = $pagelinkedfrom;
</ins><span class="cx"> 
</span><span class="cx">                 $comment_post_ID = (int) $post_ID;
</span><span class="cx">                 $comment_author = $title;
</span><span class="cx">                 $comment_author_email = '';
</span><del>-                $this-&gt;escape($comment_author);
</del><ins>+                $comment_author;
</ins><span class="cx">                 $comment_author_url = $pagelinkedfrom;
</span><span class="cx">                 $comment_content = $context;
</span><del>-                $this-&gt;escape($comment_content);
</del><ins>+                $comment_content;
</ins><span class="cx">                 $comment_type = 'pingback';
</span><span class="cx"> 
</span><span class="cx">                 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_url', 'comment_author_email', 'comment_content', 'comment_type');
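Review bot: the three replacement lines `$pagelinkedfrom = $pagelinkedfrom;`, `$comment_author;` and `$comment_content;` are leftovers of a mechanical substitution: a self-assignment and two bare expression statements that do nothing. Delete them outright rather than leaving dead statements that read as though some processing still happens here; `$comment_author_url = $pagelinkedfrom;` and the `compact(...)` call below already pick up the unescaped values as intended.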
</span><span class="lines">@@ -5465,13 +5315,10 @@
</span><span class="cx">          * @return array
</span><span class="cx">          */
</span><span class="cx">         function pingback_extensions_getPingbacks($args) {
</span><del>-
</del><span class="cx">                 global $wpdb;
</span><span class="cx"> 
</span><span class="cx">                 do_action('xmlrpc_call', 'pingback.extensions.getPingbacks');
</span><span class="cx"> 
</span><del>-                $this-&gt;escape($args);
-
</del><span class="cx">                 $url = $args;
</span><span class="cx"> 
</span><span class="cx">                 $post_ID = url_to_postid($url);
</span></span></pre></div>
<a id="trunkwpincludesclasswpphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/class-wp.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/class-wp.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/class-wp.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -142,15 +142,15 @@
</span><span class="cx">                         $this-&gt;did_permalink = true;
</span><span class="cx"> 
</span><span class="cx">                         if ( isset($_SERVER['PATH_INFO']) )
</span><del>-                                $pathinfo = $_SERVER['PATH_INFO'];
</del><ins>+                                $pathinfo = wp_unslash( $_SERVER['PATH_INFO'] );
</ins><span class="cx">                         else
</span><span class="cx">                                 $pathinfo = '';
</span><span class="cx">                         $pathinfo_array = explode('?', $pathinfo);
</span><span class="cx">                         $pathinfo = str_replace(&quot;%&quot;, &quot;%25&quot;, $pathinfo_array[0]);
</span><del>-                        $req_uri = $_SERVER['REQUEST_URI'];
</del><ins>+                        $req_uri = wp_unslash( $_SERVER['REQUEST_URI'] );
</ins><span class="cx">                         $req_uri_array = explode('?', $req_uri);
</span><span class="cx">                         $req_uri = $req_uri_array[0];
</span><del>-                        $self = $_SERVER['PHP_SELF'];
</del><ins>+                        $self = wp_unslash( $_SERVER['PHP_SELF'] );
</ins><span class="cx">                         $home_path = parse_url(home_url());
</span><span class="cx">                         if ( isset($home_path['path']) )
</span><span class="cx">                                 $home_path = $home_path['path'];
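Review bot: wrapping `$_SERVER['PATH_INFO']`, `$_SERVER['REQUEST_URI']` and `$_SERVER['PHP_SELF']` in `wp_unslash()` only makes a difference because WordPress itself adds slashes to `$_SERVER` on load (PHP's magic quotes never touched `$_SERVER`); a one-line comment saying so would stop a reader who knows PHP but not the WordPress convention from treating these calls as no-ops and removing them. The `%` to `%25` replacement on the following context line now runs on the unslashed path, which is the right order.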
</span><span class="lines">@@ -255,9 +255,9 @@
</span><span class="cx">                         if ( isset( $this-&gt;extra_query_vars[$wpvar] ) )
</span><span class="cx">                                 $this-&gt;query_vars[$wpvar] = $this-&gt;extra_query_vars[$wpvar];
</span><span class="cx">                         elseif ( isset( $_POST[$wpvar] ) )
</span><del>-                                $this-&gt;query_vars[$wpvar] = $_POST[$wpvar];
</del><ins>+                                $this-&gt;query_vars[$wpvar] = wp_unslash( $_POST[$wpvar] );
</ins><span class="cx">                         elseif ( isset( $_GET[$wpvar] ) )
</span><del>-                                $this-&gt;query_vars[$wpvar] = $_GET[$wpvar];
</del><ins>+                                $this-&gt;query_vars[$wpvar] = wp_unslash( $_GET[$wpvar] );
</ins><span class="cx">                         elseif ( isset( $perma_query_vars[$wpvar] ) )
</span><span class="cx">                                 $this-&gt;query_vars[$wpvar] = $perma_query_vars[$wpvar];
</span><span class="cx"> 
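Review bot: `$_POST[$wpvar]` and `$_GET[$wpvar]` are now unslashed before landing in `$this-&gt;query_vars`, while the `extra_query_vars` and `perma_query_vars` branches on the adjacent lines are untouched; that is consistent only if those two sources are already unslashed (the permalink vars derive from `$req_uri`, which the earlier hunk unslashes, so that one is fine). Add a comment stating that every branch of this chain is expected to yield unslashed data, because any downstream consumer that still calls `stripslashes()` on a query var will now eat legitimate backslashes.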
</span><span class="lines">@@ -356,7 +356,7 @@
</span><span class="cx"> 
</span><span class="cx">                         // Support for Conditional GET
</span><span class="cx">                         if (isset($_SERVER['HTTP_IF_NONE_MATCH']))
</span><del>-                                $client_etag = stripslashes(stripslashes($_SERVER['HTTP_IF_NONE_MATCH']));
</del><ins>+                                $client_etag = stripslashes( wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) ); // Retain extra strip. See #2597
</ins><span class="cx">                         else $client_etag = false;
</span><span class="cx"> 
</span><span class="cx">                         $client_last_modified = empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? '' : trim($_SERVER['HTTP_IF_MODIFIED_SINCE']);
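Review bot: `HTTP_IF_NONE_MATCH` gets `stripslashes( wp_unslash( ... ) )` with the `#2597` comment explaining the retained extra strip, but `HTTP_IF_MODIFIED_SINCE` on the context line just below is still read raw via `trim($_SERVER['HTTP_IF_MODIFIED_SINCE'])`. A date string will rarely contain a backslash, so this is harmless in practice, but given the stated goal of the changeset it should be `trim( wp_unslash( ... ) )` as well, otherwise the next slashing audit of this file has to guess whether the omission was deliberate.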
</span></span></pre></div>
<a id="trunkwpincludescommentphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/comment.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/comment.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/comment.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -633,22 +633,22 @@
</span><span class="cx">  */
</span><span class="cx"> function sanitize_comment_cookies() {
</span><span class="cx">         if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
</span><del>-                $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
-                $comment_author = stripslashes($comment_author);
</del><ins>+                $comment_author = wp_unslash( $_COOKIE['comment_author_'.COOKIEHASH] );
+                $comment_author = apply_filters('pre_comment_author_name', $comment_author);
</ins><span class="cx">                 $comment_author = esc_attr($comment_author);
</span><span class="cx">                 $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
</span><del>-                $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
-                $comment_author_email = stripslashes($comment_author_email);
</del><ins>+                $comment_author_email = wp_unslash( $_COOKIE['comment_author_email_'.COOKIEHASH] );
+                $comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email);
</ins><span class="cx">                 $comment_author_email = esc_attr($comment_author_email);
</span><span class="cx">                 $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
</span><del>-                $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
-                $comment_author_url = stripslashes($comment_author_url);
</del><ins>+                $comment_author_url = wp_unslash( $_COOKIE['comment_author_url_'.COOKIEHASH] );
+                $comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url);
</ins><span class="cx">                 $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
</span><span class="cx">         }
</span><span class="cx"> }
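Review bot: the reorder is right (the pre_comment_author_* filters now see unslashed input), but the function still writes the unslashed, esc_attr()'d value back into $_COOKIE, so any later code that reads $_COOKIE['comment_author_'.COOKIEHASH] and applies wp_unslash() per the new convention will strip a second time. Either stop mutating the superglobal or add a docblock line stating that these three cookie entries are unslashed in place. Separately, the URL branch still stores its value without esc_attr() while the name and email branches apply it; that asymmetry predates this change but is worth a follow-up.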
</span><span class="lines">@@ -670,11 +670,10 @@
</span><span class="cx">         extract($commentdata, EXTR_SKIP);
</span><span class="cx"> 
</span><span class="cx">         // Simple duplicate check
</span><del>-        // expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
-        $dupe = &quot;SELECT comment_ID FROM $wpdb-&gt;comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' &quot;;
</del><ins>+        $dupe = $wpdb-&gt;prepare( &quot;SELECT comment_ID FROM $wpdb-&gt;comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s &quot;, $comment_post_ID, $comment_parent, $comment_author );
</ins><span class="cx">         if ( $comment_author_email )
</span><del>-                $dupe .= &quot;OR comment_author_email = '$comment_author_email' &quot;;
-        $dupe .= &quot;) AND comment_content = '$comment_content' LIMIT 1&quot;;
</del><ins>+                $dupe .= $wpdb-&gt;prepare( &quot;OR comment_author_email = %s &quot;, $comment_author_email );
+        $dupe .= $wpdb-&gt;prepare( &quot;) AND comment_content = %s LIMIT 1&quot;, $comment_content );
</ins><span class="cx">         if ( $wpdb-&gt;get_var($dupe) ) {
</span><span class="cx">                 do_action( 'comment_duplicate_trigger', $commentdata );
</span><span class="cx">                 if ( defined('DOING_AJAX') )
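Review bot: comment_parent is bound with %s while comment_post_ID on the same line uses %d; both are integer ID columns, so use %d for comment_parent as well, which makes prepare() cast the value instead of quoting it. The three prepare() fragments are concatenated into one statement, which works, but the closing fragment `) AND comment_content = %s LIMIT 1` relies on the preceding fragments ending in a space; keep those trailing spaces in the literals when this is edited again.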
</span><span class="lines">@@ -1262,7 +1261,7 @@
</span><span class="cx">  */
</span><span class="cx"> function wp_insert_comment($commentdata) {
</span><span class="cx">         global $wpdb;
</span><del>-        extract(stripslashes_deep($commentdata), EXTR_SKIP);
</del><ins>+        extract($commentdata, EXTR_SKIP);
</ins><span class="cx"> 
</span><span class="cx">         if ( ! isset($comment_author_IP) )
</span><span class="cx">                 $comment_author_IP = '';
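Review bot: dropping stripslashes_deep() changes the public contract of wp_insert_comment(): callers that still pass slashed $commentdata, which is what the old behaviour required, will now store literal backslashes. The visible docblock tail (` */` just above the function) gives no hint of this; add a docblock line stating that $commentdata must be unslashed so the change is discoverable.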
</span><span class="lines">@@ -1491,9 +1490,6 @@
</span><span class="cx">         // First, get all of the original fields
</span><span class="cx">         $comment = get_comment($commentarr['comment_ID'], ARRAY_A);
</span><span class="cx"> 
</span><del>-        // Escape data pulled from DB.
-        $comment = esc_sql($comment);
-
</del><span class="cx">         $old_status = $comment['comment_approved'];
</span><span class="cx"> 
</span><span class="cx">         // Merge old and new fields with new fields overwriting old ones.
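Review bot: removing esc_sql() on the row loaded from get_comment() is only correct if the write further down in wp_update_comment() goes through $wpdb-&gt;update() or prepare(); that call is outside this hunk, so please confirm it in the same review rather than relying on the later extract() change alone.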
</span><span class="lines">@@ -1502,7 +1498,7 @@
</span><span class="cx">         $commentarr = wp_filter_comment( $commentarr );
</span><span class="cx"> 
</span><span class="cx">         // Now extract the merged array.
</span><del>-        extract(stripslashes_deep($commentarr), EXTR_SKIP);
</del><ins>+        extract($commentarr, EXTR_SKIP);
</ins><span class="cx"> 
</span><span class="cx">         $comment_content = apply_filters('comment_save_pre', $comment_content);
</span><span class="cx"> 
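Review bot: after this change apply_filters('comment_save_pre', $comment_content) receives unslashed content where it previously received the slashed form. Core's kses callbacks are updated in this commit, but third-party callbacks on comment_save_pre that call stripslashes() themselves will now remove legitimate backslashes. Mention this in the developer notes alongside the kses callback rename.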
</span></span></pre></div>
<a id="trunkwpincludescronphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/cron.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/cron.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/cron.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -230,7 +230,7 @@
</span><span class="cx">                 set_transient( 'doing_cron', $doing_wp_cron );
</span><span class="cx"> 
</span><span class="cx">                 ob_start();
</span><del>-                wp_redirect( add_query_arg('doing_wp_cron', $doing_wp_cron, stripslashes($_SERVER['REQUEST_URI'])) );
</del><ins>+                wp_redirect( add_query_arg( 'doing_wp_cron', $doing_wp_cron, wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
</ins><span class="cx">                 echo ' ';
</span><span class="cx"> 
</span><span class="cx">                 // flush any buffers and send the headers
</span></span></pre></div>
<a id="trunkwpincludesdefaultfiltersphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/default-filters.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/default-filters.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/default-filters.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -14,8 +14,8 @@
</span><span class="cx"> 
</span><span class="cx"> // Strip, trim, kses, special chars for string saves
</span><span class="cx"> foreach ( array( 'pre_term_name', 'pre_comment_author_name', 'pre_link_name', 'pre_link_target', 'pre_link_rel', 'pre_user_display_name', 'pre_user_first_name', 'pre_user_last_name', 'pre_user_nickname' ) as $filter ) {
</span><del>-        add_filter( $filter, 'sanitize_text_field'  );
-        add_filter( $filter, 'wp_filter_kses'       );
</del><ins>+        add_filter( $filter, 'sanitize_text_field' );
+        add_filter( $filter, 'wp_kses_data' );
</ins><span class="cx">         add_filter( $filter, '_wp_specialchars', 30 );
</span><span class="cx"> }
</span><span class="cx"> 
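Review bot: swapping the registered callback from wp_filter_kses to wp_kses_data on these hooks silently breaks any existing remove_filter( 'pre_comment_author_name', 'wp_filter_kses' ) (or the other hooks in this loop) in plugins, because remove_filter() matches on the callback name and the old name is no longer attached. If wp_filter_kses() is kept for compatibility, document the rename prominently; the same applies to the two later hunks in this file and to kses_init_filters().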
</span><span class="lines">@@ -31,7 +31,7 @@
</span><span class="cx"> 
</span><span class="cx"> // Kses only for textarea saves
</span><span class="cx"> foreach ( array( 'pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description' ) as $filter ) {
</span><del>-        add_filter( $filter, 'wp_filter_kses' );
</del><ins>+        add_filter( $filter, 'wp_kses_data' );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> // Kses only for textarea admin displays
</span><span class="lines">@@ -46,7 +46,7 @@
</span><span class="cx"> foreach ( array( 'pre_comment_author_email', 'pre_user_email' ) as $filter ) {
</span><span class="cx">         add_filter( $filter, 'trim'           );
</span><span class="cx">         add_filter( $filter, 'sanitize_email' );
</span><del>-        add_filter( $filter, 'wp_filter_kses' );
</del><ins>+        add_filter( $filter, 'wp_kses_data' );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> // Email admin display
</span></span></pre></div>
<a id="trunkwpincludesdefaultwidgetsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/default-widgets.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/default-widgets.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/default-widgets.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -412,7 +412,7 @@
</span><span class="cx">                 if ( current_user_can('unfiltered_html') )
</span><span class="cx">                         $instance['text'] =  $new_instance['text'];
</span><span class="cx">                 else
</span><del>-                        $instance['text'] = stripslashes( wp_filter_post_kses( addslashes($new_instance['text']) ) ); // wp_filter_post_kses() expects slashed
</del><ins>+                        $instance['text'] = wp_kses_post( $new_instance['text'] );
</ins><span class="cx">                 $instance['filter'] = isset($new_instance['filter']);
</span><span class="cx">                 return $instance;
</span><span class="cx">         }
</span><span class="lines">@@ -1056,8 +1056,8 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         function update( $new_instance, $old_instance ) {
</span><del>-                $instance['title'] = strip_tags(stripslashes($new_instance['title']));
-                $instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
</del><ins>+                $instance['title'] = strip_tags( $new_instance['title'] );
+                $instance['taxonomy'] =  $new_instance['taxonomy'];
</ins><span class="cx">                 return $instance;
</span><span class="cx">         }
</span><span class="cx"> 
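Review bot: style: the new line `$instance['taxonomy'] =  $new_instance['taxonomy'];` has a double space after `=`; collapse it. The title still goes through strip_tags() while the taxonomy value is stored verbatim, as before, so the hunk is otherwise a pure unslash removal.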
</span><span class="lines">@@ -1118,7 +1118,7 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         function update( $new_instance, $old_instance ) {
</span><del>-                $instance['title'] = strip_tags( stripslashes($new_instance['title']) );
</del><ins>+                $instance['title'] = strip_tags( $new_instance['title'] );
</ins><span class="cx">                 $instance['nav_menu'] = (int) $new_instance['nav_menu'];
</span><span class="cx">                 return $instance;
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkwpincludesdeprecatedphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/deprecated.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/deprecated.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/deprecated.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -2383,7 +2383,7 @@
</span><span class="cx"> 
</span><span class="cx">         /** @todo Might need fix because usermeta data is assumed to be already escaped */
</span><span class="cx">         if ( is_string($meta_value) )
</span><del>-                $meta_value = stripslashes($meta_value);
</del><ins>+                $meta_value = $meta_value;
</ins><span class="cx">         $meta_value = maybe_serialize($meta_value);
</span><span class="cx"> 
</span><span class="cx">         if (empty($meta_value)) {
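Review bot: `$meta_value = $meta_value;` is a no-op self-assignment; remove it together with the now-empty `if ( is_string($meta_value) )` guard rather than leaving dead code. The @todo comment above it ("usermeta data is assumed to be already escaped") no longer describes the situation after this change and should be dropped or reworded.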
</span></span></pre></div>
<a id="trunkwpincludesfeedphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/feed.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/feed.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/feed.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -488,7 +488,7 @@
</span><span class="cx">  */
</span><span class="cx"> function self_link() {
</span><span class="cx">         $host = @parse_url(home_url());
</span><del>-        echo esc_url( set_url_scheme( 'http://' . $host['host'] . stripslashes($_SERVER['REQUEST_URI']) ) );
</del><ins>+        echo esc_url( set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span></span></pre></div>
<a id="trunkwpincludesformattingphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/formatting.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/formatting.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/formatting.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1716,10 +1716,7 @@
</span><span class="cx">  * @return string Converted content.
</span><span class="cx">  */
</span><span class="cx"> function wp_rel_nofollow( $text ) {
</span><del>-        // This is a pre save filter, so text is already escaped.
-        $text = stripslashes($text);
</del><span class="cx">         $text = preg_replace_callback('|&lt;a (.+?)&gt;|i', 'wp_rel_nofollow_callback', $text);
</span><del>-        $text = esc_sql($text);
</del><span class="cx">         return $text;
</span><span class="cx"> }
</span><span class="cx"> 
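Review bot: with both the stripslashes() and the esc_sql() gone, wp_rel_nofollow() now takes and returns plain (unslashed) text, but the remaining docblock (`@return string Converted content.`) does not say so. Since the removed comment documented it as a pre-save filter operating on escaped text, and plugins call it directly, add one docblock line stating the new expectation.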
</span><span class="lines">@@ -3342,3 +3339,53 @@
</span><span class="cx">         $urls_to_ping = implode( &quot;\n&quot;, $urls_to_ping );
</span><span class="cx">         return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
</span><span class="cx"> }
</span><ins>+
+/**
+ * Conditionally add slashes to a string or array of strings. When GPCS
+ * slashing is turned on, slashes are added. When GPCS slashing is turned off,
+ * slashes are not added.
+ *
+ * This should be used when preparing data for core API that deal directly with GPCS data.
+ * Outside of unit tests, this should be rare. At a future date GPCS will no longer
+ * be slashed and this function will noop. Do not use it in situations where adding slashes
+ * is always required regardless of whether GPCS is slashed.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to slash.
+ * @return string|array Slashed $value
+ */
+function wp_slash( $value ) {
+        if ( is_array( $value ) ) { 
+                foreach ( $value as $k =&gt; $v ) {
+                        if ( is_array( $v ) ) {
+                                $value[$k] = wp_slash( $v );
+                        } else {
+                                $value[$k] = addslashes( $v );
+                        }
+                }
+        } else {
+                $value = addslashes( $value ); 
+        } 
+
+        return $value; 
+}
+
+/**
+ * Conditionally removes slashes from a string or array of strings. When GPCS
+ * slashing is turned on, slashes are stripped. When GPCS slashing is turned off,
+ * slashes are not stripped.
+ *
+ * This should be used for GPCS data before passing it along to core API. At a future
+ * date GPCS will no longer be slashed and this function will noop. Do not use it
+ * in situations where slash stripping is always required regardless of whether GPCS
+ * is slashed.
+ *
+ * @since 3.6.0
+ *
+ * @param string|array $value String or array of strings to unslash.
+ * @return string|array Unslashed $value
+ */
+function wp_unslash( $value ) {
+        return stripslashes_deep( $value ); 
+}
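Review bot: the docblocks for wp_slash() and wp_unslash() say slashes are added or stripped conditionally depending on whether GPCS slashing is on, but both bodies are unconditional: wp_slash() always calls addslashes() and wp_unslash() always calls stripslashes_deep(). Either document that GPCS slashing is currently always on (and that the conditional is the planned future behaviour), or add the actual condition. Two smaller points: wp_slash() walks arrays itself while wp_unslash() delegates to stripslashes_deep(), and the else branch of wp_slash() hands any non-array value, objects and integers included, straight to addslashes(), so confirm the pair really mirror each other on such values; and several added lines carry trailing whitespace (`{ `, `); `, `} `, `; `).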
</ins></span></pre></div>
<a id="trunkwpincludesfunctionsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/functions.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/functions.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/functions.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -468,7 +468,7 @@
</span><span class="cx">                                 }
</span><span class="cx"> 
</span><span class="cx">                                 if ( in_array( substr( $type, 0, strpos( $type, &quot;/&quot; ) ), $allowed_types ) ) {
</span><del>-                                        add_post_meta( $post_ID, 'enclosure', &quot;$url\n$len\n$mime\n&quot; );
</del><ins>+                                        wp_add_post_meta( $post_ID, 'enclosure', &quot;$url\n$len\n$mime\n&quot; );
</ins><span class="cx">                                 }
</span><span class="cx">                         }
</span><span class="cx">                 }
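Review bot: the call is switched to wp_add_post_meta(), a name whose definition is not in any file shown here; confirm it lands in the same commit (otherwise do_enclose() fatals) and, if the new function is a wrapper that accepts unslashed input, say so in its docblock so readers know when to use it instead of add_post_meta().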
</span><span class="lines">@@ -1256,9 +1256,9 @@
</span><span class="cx">  * @return string Original referer field.
</span><span class="cx">  */
</span><span class="cx"> function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) {
</span><del>-        $jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : $_SERVER['REQUEST_URI'];
</del><ins>+        $jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : wp_unslash( $_SERVER['REQUEST_URI'] );
</ins><span class="cx">         $ref = ( wp_get_original_referer() ) ? wp_get_original_referer() : $jump_back_to;
</span><del>-        $orig_referer_field = '&lt;input type=&quot;hidden&quot; name=&quot;_wp_original_http_referer&quot; value=&quot;' . esc_attr( stripslashes( $ref ) ) . '&quot; /&gt;';
</del><ins>+        $orig_referer_field = '&lt;input type=&quot;hidden&quot; name=&quot;_wp_original_http_referer&quot; value=&quot;' . esc_attr( $ref ) . '&quot; /&gt;';
</ins><span class="cx">         if ( $echo )
</span><span class="cx">                 echo $orig_referer_field;
</span><span class="cx">         return $orig_referer_field;
</span><span class="lines">@@ -1277,11 +1277,11 @@
</span><span class="cx"> function wp_get_referer() {
</span><span class="cx">         $ref = false;
</span><span class="cx">         if ( ! empty( $_REQUEST['_wp_http_referer'] ) )
</span><del>-                $ref = $_REQUEST['_wp_http_referer'];
</del><ins>+                $ref = wp_unslash( $_REQUEST['_wp_http_referer'] );
</ins><span class="cx">         else if ( ! empty( $_SERVER['HTTP_REFERER'] ) )
</span><del>-                $ref = $_SERVER['HTTP_REFERER'];
</del><ins>+                $ref = wp_unslash( $_SERVER['HTTP_REFERER'] );
</ins><span class="cx"> 
</span><del>-        if ( $ref &amp;&amp; $ref !== $_SERVER['REQUEST_URI'] )
</del><ins>+        if ( $ref &amp;&amp; $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
</ins><span class="cx">                 return $ref;
</span><span class="cx">         return false;
</span><span class="cx"> }
</span><span class="lines">@@ -1297,7 +1297,7 @@
</span><span class="cx">  */
</span><span class="cx"> function wp_get_original_referer() {
</span><span class="cx">         if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
</span><del>-                return $_REQUEST['_wp_original_http_referer'];
</del><ins>+                return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
</ins><span class="cx">         return false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -3879,4 +3879,4 @@
</span><span class="cx">  */
</span><span class="cx"> function wp_checkdate( $month, $day, $year, $source_date ) {
</span><span class="cx">         return apply_filters( 'wp_checkdate', checkdate( $month, $day, $year ), $source_date );
</span><del>-}
</del><ins>+}
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="trunkwpincludesksesphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/kses.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/kses.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/kses.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1326,18 +1326,18 @@
</span><span class="cx">  */
</span><span class="cx"> function kses_init_filters() {
</span><span class="cx">         // Normal filtering
</span><del>-        add_filter('title_save_pre', 'wp_filter_kses');
</del><ins>+        add_filter('title_save_pre', 'wp_kses_data');
</ins><span class="cx"> 
</span><span class="cx">         // Comment filtering
</span><span class="cx">         if ( current_user_can( 'unfiltered_html' ) )
</span><del>-                add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
</del><ins>+                add_filter( 'pre_comment_content', 'wp_kses_post' );
</ins><span class="cx">         else
</span><del>-                add_filter( 'pre_comment_content', 'wp_filter_kses' );
</del><ins>+                add_filter( 'pre_comment_content', 'wp_kses_data' );
</ins><span class="cx"> 
</span><span class="cx">         // Post filtering
</span><del>-        add_filter('content_save_pre', 'wp_filter_post_kses');
-        add_filter('excerpt_save_pre', 'wp_filter_post_kses');
-        add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
</del><ins>+        add_filter('content_save_pre', 'wp_kses_post');
+        add_filter('excerpt_save_pre', 'wp_kses_post');
+        add_filter('content_filtered_save_pre', 'wp_kses_post');
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
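Review bot: renaming the registered callbacks from wp_filter_post_kses/wp_filter_kses to wp_kses_post/wp_kses_data breaks the common plugin idiom remove_filter( 'content_save_pre', 'wp_filter_post_kses' ) used to let trusted roles save unfiltered markup; those calls will now fail silently and the filter stays active. Document the rename in the release notes and point plugin authors at kses_remove_filters() (next hunk) as the supported way to detach these.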
</span><span class="lines">@@ -1354,16 +1354,16 @@
</span><span class="cx">  */
</span><span class="cx"> function kses_remove_filters() {
</span><span class="cx">         // Normal filtering
</span><del>-        remove_filter('title_save_pre', 'wp_filter_kses');
</del><ins>+        remove_filter('title_save_pre', 'wp_kses_data');
</ins><span class="cx"> 
</span><span class="cx">         // Comment filtering
</span><del>-        remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
-        remove_filter( 'pre_comment_content', 'wp_filter_kses' );
</del><ins>+        remove_filter( 'pre_comment_content', 'wp_kses_post' );
+        remove_filter( 'pre_comment_content', 'wp_kses_data' );
</ins><span class="cx"> 
</span><span class="cx">         // Post filtering
</span><del>-        remove_filter('content_save_pre', 'wp_filter_post_kses');
-        remove_filter('excerpt_save_pre', 'wp_filter_post_kses');
-        remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
</del><ins>+        remove_filter('content_save_pre', 'wp_kses_post');
+        remove_filter('excerpt_save_pre', 'wp_kses_post');
+        remove_filter('content_filtered_save_pre', 'wp_kses_post');
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span></span></pre></div>
<a id="trunkwpincludeslinktemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/link-template.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/link-template.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/link-template.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -746,7 +746,7 @@
</span><span class="cx">         if ( empty($query) )
</span><span class="cx">                 $search = get_search_query( false );
</span><span class="cx">         else
</span><del>-                $search = stripslashes($query);
</del><ins>+                $search = $query;
</ins><span class="cx"> 
</span><span class="cx">         $permastruct = $wp_rewrite-&gt;get_search_permastruct();
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpincludesmetaphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/meta.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/meta.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/meta.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -42,9 +42,6 @@
</span><span class="cx"> 
</span><span class="cx">         $column = esc_sql($meta_type . '_id');
</span><span class="cx"> 
</span><del>-        // expected_slashed ($meta_key)
-        $meta_key = stripslashes($meta_key);
-        $meta_value = stripslashes_deep($meta_value);
</del><span class="cx">         $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
</span><span class="cx"> 
</span><span class="cx">         $check = apply_filters( &quot;add_{$meta_type}_metadata&quot;, null, $object_id, $meta_key, $meta_value, $unique );
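Review bot: removing the expected_slashed annotation and the stripslashes() calls changes what add_metadata(), update_metadata() and delete_metadata() accept, but none of the three hunks in this file touches the functions' docblocks. Add a line to each stating that $meta_key and $meta_value are expected unslashed; otherwise plugins passing slashed values under the old contract will persist backslashes.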
</span><span class="lines">@@ -113,10 +110,7 @@
</span><span class="cx">         $column = esc_sql($meta_type . '_id');
</span><span class="cx">         $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
</span><span class="cx"> 
</span><del>-        // expected_slashed ($meta_key)
-        $meta_key = stripslashes($meta_key);
</del><span class="cx">         $passed_value = $meta_value;
</span><del>-        $meta_value = stripslashes_deep($meta_value);
</del><span class="cx">         $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
</span><span class="cx"> 
</span><span class="cx">         $check = apply_filters( &quot;update_{$meta_type}_metadata&quot;, null, $object_id, $meta_key, $meta_value, $prev_value );
</span><span class="lines">@@ -195,9 +189,6 @@
</span><span class="cx"> 
</span><span class="cx">         $type_column = esc_sql($meta_type . '_id');
</span><span class="cx">         $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
</span><del>-        // expected_slashed ($meta_key)
-        $meta_key = stripslashes($meta_key);
-        $meta_value = stripslashes_deep($meta_value);
</del><span class="cx"> 
</span><span class="cx">         $check = apply_filters( &quot;delete_{$meta_type}_metadata&quot;, null, $object_id, $meta_key, $meta_value, $delete_all );
</span><span class="cx">         if ( null !== $check )
</span></span></pre></div>
<a id="trunkwpincludesmsfilesphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/ms-files.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/ms-files.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/ms-files.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -58,7 +58,7 @@
</span><span class="cx"> header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' );
</span><span class="cx"> 
</span><span class="cx"> // Support for Conditional GET
</span><del>-$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
</del><ins>+$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? wp_unslash( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false;
</ins><span class="cx"> 
</span><span class="cx"> if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
</span><span class="cx">         $_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
</span></span></pre></div>
<a id="trunkwpincludesmsfunctionsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/ms-functions.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/ms-functions.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/ms-functions.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -279,9 +279,6 @@
</span><span class="cx">  * @return int The ID of the newly created blog
</span><span class="cx">  */
</span><span class="cx"> function create_empty_blog( $domain, $path, $weblog_title, $site_id = 1 ) {
</span><del>-        $domain                        = addslashes( $domain );
-        $weblog_title        = addslashes( $weblog_title );
-
</del><span class="cx">         if ( empty($path) )
</span><span class="cx">                 $path = '/';
</span><span class="cx"> 
</span><span class="lines">@@ -582,7 +579,7 @@
</span><span class="cx"> 
</span><span class="cx">         $blogname = apply_filters( 'newblogname', $blogname );
</span><span class="cx"> 
</span><del>-        $blog_title = stripslashes(  $blog_title );
</del><ins>+        $blog_title = $blog_title;
</ins><span class="cx"> 
</span><span class="cx">         if ( empty( $blog_title ) )
</span><span class="cx">                 $errors-&gt;add('blog_title', __( 'Please enter a site title.' ) );
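Review bot: `$blog_title = $blog_title;` is a no-op self-assignment; delete the line instead of keeping a placeholder for the removed stripslashes().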
</span><span class="lines">@@ -635,10 +632,7 @@
</span><span class="cx">         global $wpdb;
</span><span class="cx"> 
</span><span class="cx">         $key = substr( md5( time() . rand() . $domain ), 0, 16 );
</span><del>-        $meta = serialize($meta);
-        $domain = $wpdb-&gt;escape($domain);
-        $path = $wpdb-&gt;escape($path);
-        $title = $wpdb-&gt;escape($title);
</del><ins>+        $meta = serialize( $meta );
</ins><span class="cx"> 
</span><span class="cx">         $wpdb-&gt;insert( $wpdb-&gt;signups, array(
</span><span class="cx">                 'domain' =&gt; $domain,
</span><span class="lines">@@ -651,7 +645,7 @@
</span><span class="cx">                 'meta' =&gt; $meta
</span><span class="cx">         ) );
</span><span class="cx"> 
</span><del>-        wpmu_signup_blog_notification($domain, $path, $title, $user, $user_email, $key, $meta);
</del><ins>+        wpmu_signup_blog_notification( $domain, $path, $title, $user, $user_email, $key, $meta );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span><span class="lines">@@ -841,8 +835,8 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         $meta = maybe_unserialize($signup-&gt;meta);
</span><del>-        $user_login = $wpdb-&gt;escape($signup-&gt;user_login);
-        $user_email = $wpdb-&gt;escape($signup-&gt;user_email);
</del><ins>+        $user_login = $signup-&gt;user_login;
+        $user_email = $signup-&gt;user_email;
</ins><span class="cx">         $password = wp_generate_password( 12, false );
</span><span class="cx"> 
</span><span class="cx">         $user_id = username_exists($user_login);
</span><span class="lines">@@ -1159,7 +1153,7 @@
</span><span class="cx">         else
</span><span class="cx">                 update_option( 'upload_path', get_blog_option( $current_site-&gt;blog_id, 'upload_path' ) );
</span><span class="cx"> 
</span><del>-        update_option( 'blogname', stripslashes( $blog_title ) );
</del><ins>+        update_option( 'blogname', $blog_title );
</ins><span class="cx">         update_option( 'admin_email', '' );
</span><span class="cx"> 
</span><span class="cx">         // remove all perms
</span><span class="lines">@@ -1216,9 +1210,9 @@
</span><span class="cx">         if ( !apply_filters('wpmu_welcome_notification', $blog_id, $user_id, $password, $title, $meta) )
</span><span class="cx">                 return false;
</span><span class="cx"> 
</span><del>-        $welcome_email = stripslashes( get_site_option( 'welcome_email' ) );
</del><ins>+        $welcome_email = get_site_option( 'welcome_email' );
</ins><span class="cx">         if ( $welcome_email == false )
</span><del>-                $welcome_email = stripslashes( __( 'Dear User,
</del><ins>+                $welcome_email = __( 'Dear User,
</ins><span class="cx"> 
</span><span class="cx"> Your new SITE_NAME site has been successfully set up at:
</span><span class="cx"> BLOG_URL
</span><span class="lines">@@ -1230,7 +1224,7 @@
</span><span class="cx"> 
</span><span class="cx"> We hope you enjoy your new site. Thanks!
</span><span class="cx"> 
</span><del>---The Team @ SITE_NAME' ) );
</del><ins>+--The Team @ SITE_NAME' );
</ins><span class="cx"> 
</span><span class="cx">         $url = get_blogaddress_by_id($blog_id);
</span><span class="cx">         $user = get_userdata( $user_id );
</span><span class="lines">@@ -1254,7 +1248,7 @@
</span><span class="cx">         if ( empty( $current_site-&gt;site_name ) )
</span><span class="cx">                 $current_site-&gt;site_name = 'WordPress';
</span><span class="cx"> 
</span><del>-        $subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site-&gt;site_name, stripslashes( $title ) ) );
</del><ins>+        $subject = apply_filters( 'update_welcome_subject', sprintf(__('New %1$s Site: %2$s'), $current_site-&gt;site_name, $title ) );
</ins><span class="cx">         wp_mail($user-&gt;user_email, $subject, $message, $message_headers);
</span><span class="cx">         return true;
</span><span class="cx"> }
</span><span class="lines">@@ -1509,7 +1503,7 @@
</span><span class="cx"> function wpmu_log_new_registrations( $blog_id, $user_id ) {
</span><span class="cx">         global $wpdb;
</span><span class="cx">         $user = get_userdata( (int) $user_id );
</span><del>-        $wpdb-&gt;insert( $wpdb-&gt;registration_log, array('email' =&gt; $user-&gt;user_email, 'IP' =&gt; preg_replace( '/[^0-9., ]/', '',$_SERVER['REMOTE_ADDR'] ), 'blog_id' =&gt; $blog_id, 'date_registered' =&gt; current_time('mysql')) );
</del><ins>+        $wpdb-&gt;insert( $wpdb-&gt;registration_log, array('email' =&gt; $user-&gt;user_email, 'IP' =&gt; preg_replace( '/[^0-9., ]/', '', wp_unslash( $_SERVER['REMOTE_ADDR'] ) ), 'blog_id' =&gt; $blog_id, 'date_registered' =&gt; current_time('mysql')) );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span></span></pre></div>
<a id="trunkwpincludesnavmenuphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/nav-menu.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/nav-menu.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/nav-menu.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -369,20 +369,20 @@
</span><span class="cx"> 
</span><span class="cx">         $menu_item_db_id = (int) $menu_item_db_id;
</span><span class="cx"> 
</span><del>-        update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) );
-        update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) );
-        update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) );
-        update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) );
-        update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) );
</del><ins>+        wp_update_post_meta( $menu_item_db_id, '_menu_item_type', sanitize_key($args['menu-item-type']) );
+        wp_update_post_meta( $menu_item_db_id, '_menu_item_menu_item_parent', strval( (int) $args['menu-item-parent-id'] ) );
+        wp_update_post_meta( $menu_item_db_id, '_menu_item_object_id', strval( (int) $args['menu-item-object-id'] ) );
+        wp_update_post_meta( $menu_item_db_id, '_menu_item_object', sanitize_key($args['menu-item-object']) );
+        wp_update_post_meta( $menu_item_db_id, '_menu_item_target', sanitize_key($args['menu-item-target']) );
</ins><span class="cx"> 
</span><span class="cx">         $args['menu-item-classes'] = array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-classes'] ) );
</span><span class="cx">         $args['menu-item-xfn'] = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $args['menu-item-xfn'] ) ) );
</span><del>-        update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] );
-        update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
-        update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) );
</del><ins>+        wp_update_post_meta( $menu_item_db_id, '_menu_item_classes', $args['menu-item-classes'] );
+        wp_update_post_meta( $menu_item_db_id, '_menu_item_xfn', $args['menu-item-xfn'] );
+        wp_update_post_meta( $menu_item_db_id, '_menu_item_url', esc_url_raw($args['menu-item-url']) );
</ins><span class="cx"> 
</span><span class="cx">         if ( 0 == $menu_id )
</span><del>-                update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );
</del><ins>+                wp_update_post_meta( $menu_item_db_id, '_menu_item_orphaned', (string) time() );
</ins><span class="cx">         elseif ( get_post_meta( $menu_item_db_id, '_menu_item_orphaned' ) )
</span><span class="cx">                 delete_post_meta( $menu_item_db_id, '_menu_item_orphaned' );
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpincludespluggablephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/pluggable.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/pluggable.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/pluggable.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -782,7 +782,7 @@
</span><span class="cx">         // The cookie is no good so force login
</span><span class="cx">         nocache_headers();
</span><span class="cx"> 
</span><del>-        $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) &amp;&amp; wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
</del><ins>+        $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) &amp;&amp; wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] ) );
</ins><span class="cx"> 
</span><span class="cx">         $login_url = wp_login_url($redirect, true);
</span><span class="cx"> 
</span><span class="lines">@@ -1197,8 +1197,8 @@
</span><span class="cx"> function wp_new_user_notification($user_id, $plaintext_pass = '') {
</span><span class="cx">         $user = get_userdata( $user_id );
</span><span class="cx"> 
</span><del>-        $user_login = stripslashes($user-&gt;user_login);
-        $user_email = stripslashes($user-&gt;user_email);
</del><ins>+        $user_login = $user-&gt;user_login;
+        $user_email = $user-&gt;user_email;
</ins><span class="cx"> 
</span><span class="cx">         // The blogname option is escaped with esc_html on the way into the database in sanitize_option
</span><span class="cx">         // we want to reverse this for the plain text arena of emails.
</span></span></pre></div>
<a id="trunkwpincludesposttemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/post-template.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/post-template.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/post-template.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -583,7 +583,7 @@
</span><span class="cx">                 $wp_hasher = new PasswordHash(8, true);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        $hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
</del><ins>+        $hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
</ins><span class="cx"> 
</span><span class="cx">         return ! $wp_hasher-&gt;CheckPassword( $post-&gt;post_password, $hash );
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkwpincludespostphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/post.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/post.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/post.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1742,17 +1742,41 @@
</span><span class="cx">  * @link http://codex.wordpress.org/Function_Reference/add_post_meta
</span><span class="cx">  *
</span><span class="cx">  * @param int $post_id Post ID.
</span><del>- * @param string $meta_key Metadata name.
- * @param mixed $meta_value Metadata value.
</del><ins>+ * @param string $meta_key Metadata name (expected slashed).
+ * @param mixed $meta_value Metadata value (expected slashed).
</ins><span class="cx">  * @param bool $unique Optional, default is false. Whether the same key should not be added.
</span><span class="cx">  * @return bool False for failure. True for success.
</span><span class="cx">  */
</span><del>-function add_post_meta($post_id, $meta_key, $meta_value, $unique = false) {
</del><ins>+function add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) {
+        //_deprecated_function( __FUNCTION__, '3.6', 'wp_add_post_meta() (expects unslashed data)' );
+
+        // expected slashed
+        $meta_key = stripslashes( $meta_key );
+        $meta_value = stripslashes_deep( $meta_value );
+
+        return wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique );
+}
+
+/**
+ * Add meta data field to a post.
+ *
+ * Post meta data is called &quot;Custom Fields&quot; on the Administration Screen.
+ *
+ * @since 3.6.0
+ * @link http://codex.wordpress.org/Function_Reference/wp_add_post_meta
+ *
+ * @param int $post_id Post ID.
+ * @param string $meta_key Metadata name (clean, slashes already stripped).
+ * @param mixed $meta_value Metadata value (clean, slashes already stripped).
+ * @param bool $unique Optional, default is false. Whether the same key should not be added.
+ * @return bool False for failure. True for success.
+ */
+function wp_add_post_meta( $post_id, $meta_key, $meta_value, $unique = false ) {
</ins><span class="cx">         // make sure meta is added to the post, not a revision
</span><del>-        if ( $the_post = wp_is_post_revision($post_id) )
</del><ins>+        if ( $the_post = wp_is_post_revision( $post_id ) )
</ins><span class="cx">                 $post_id = $the_post;
</span><span class="cx"> 
</span><del>-        return add_metadata('post', $post_id, $meta_key, $meta_value, $unique);
</del><ins>+        return add_metadata( 'post', $post_id, $meta_key, $meta_value, $unique );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span><span class="lines">@@ -1809,17 +1833,45 @@
</span><span class="cx">  * @link http://codex.wordpress.org/Function_Reference/update_post_meta
</span><span class="cx">  *
</span><span class="cx">  * @param int $post_id Post ID.
</span><del>- * @param string $meta_key Metadata key.
- * @param mixed $meta_value Metadata value.
</del><ins>+ * @param string $meta_key Metadata key (expected slashed).
+ * @param mixed $meta_value Metadata value (expected slashed).
</ins><span class="cx">  * @param mixed $prev_value Optional. Previous value to check before removing.
</span><span class="cx">  * @return bool False on failure, true if success.
</span><span class="cx">  */
</span><del>-function update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '') {
</del><ins>+function update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) {
+        //_deprecated_function( __FUNCTION__, '3.6', 'wp_update_post_meta() (expects unslashed data)' );
+
+        // expected slashed
+        $meta_key = stripslashes( $meta_key );
+        $meta_value = stripslashes_deep( $meta_value );
+
+        return wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value );
+}
+
+/**
+ * Update post meta field based on post ID.
+ *
+ * Use the $prev_value parameter to differentiate between meta fields with the
+ * same key and post ID.
+ *
+ * If the meta field for the post does not exist, it will be added.
+ *
+ * @since 3.6.0
+ * @uses $wpdb
+ * @link http://codex.wordpress.org/Function_Reference/wp_update_post_meta
+ *
+ * @param int $post_id Post ID.
+ * @param string $meta_key Metadata key (clean, slashes already stripped).
+ * @param mixed $meta_value Metadata value (clean, slashes already stripped).
+ * @param mixed $prev_value Optional. Previous value to check before removing.
+ * @return bool False on failure, true if success.
+ */
+function wp_update_post_meta( $post_id, $meta_key, $meta_value, $prev_value = '' ) {
</ins><span class="cx">         // make sure meta is added to the post, not a revision
</span><del>-        if ( $the_post = wp_is_post_revision($post_id) )
</del><ins>+        if ( $the_post = wp_is_post_revision( $post_id ) )
</ins><span class="cx">                 $post_id = $the_post;
</span><span class="cx"> 
</span><del>-        return update_metadata('post', $post_id, $meta_key, $meta_value, $prev_value);
</del><ins>+        return update_metadata( 'post', $post_id, $meta_key, $meta_value, $prev_value );
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> /**
</span><span class="lines">@@ -2406,8 +2458,8 @@
</span><span class="cx"> 
</span><span class="cx">         do_action('wp_trash_post', $post_id);
</span><span class="cx"> 
</span><del>-        add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']);
-        add_post_meta($post_id,'_wp_trash_meta_time', time());
</del><ins>+        wp_add_post_meta($post_id,'_wp_trash_meta_status', $post['post_status']);
+        wp_add_post_meta($post_id,'_wp_trash_meta_time', time());
</ins><span class="cx"> 
</span><span class="cx">         $post['post_status'] = 'trash';
</span><span class="cx">         wp_insert_post($post);
</span><span class="lines">@@ -2483,7 +2535,7 @@
</span><span class="cx">         $statuses = array();
</span><span class="cx">         foreach ( $comments as $comment )
</span><span class="cx">                 $statuses[$comment-&gt;comment_ID] = $comment-&gt;comment_approved;
</span><del>-        add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses);
</del><ins>+        wp_add_post_meta($post_id, '_wp_trash_meta_comments_status', $statuses);
</ins><span class="cx"> 
</span><span class="cx">         // Set status for all comments to post-trashed
</span><span class="cx">         $result = $wpdb-&gt;update($wpdb-&gt;comments, array('comment_approved' =&gt; 'post-trashed'), array('comment_post_ID' =&gt; $post_id));
</span><span class="lines">@@ -2859,10 +2911,8 @@
</span><span class="cx"> 
</span><span class="cx">         $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent);
</span><span class="cx"> 
</span><del>-        // expected_slashed (everything!)
</del><span class="cx">         $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) );
</span><span class="cx">         $data = apply_filters('wp_insert_post_data', $data, $postarr);
</span><del>-        $data = stripslashes_deep( $data );
</del><span class="cx">         $where = array( 'ID' =&gt; $post_ID );
</span><span class="cx"> 
</span><span class="cx">         if ( $update ) {
</span><span class="lines">@@ -2875,7 +2925,7 @@
</span><span class="cx">                 }
</span><span class="cx">         } else {
</span><span class="cx">                 if ( isset($post_mime_type) )
</span><del>-                        $data['post_mime_type'] = stripslashes( $post_mime_type ); // This isn't in the update
</del><ins>+                        $data['post_mime_type'] = $post_mime_type; // This isn't in the update
</ins><span class="cx">                 // If there is a suggested ID, use it if not already present
</span><span class="cx">                 if ( !empty($import_id) ) {
</span><span class="cx">                         $import_id = (int) $import_id;
</span><span class="lines">@@ -2936,7 +2986,7 @@
</span><span class="cx">                         else
</span><span class="cx">                                 return 0;
</span><span class="cx">                 }
</span><del>-                update_post_meta($post_ID, '_wp_page_template',  $page_template);
</del><ins>+                wp_update_post_meta($post_ID, '_wp_page_template',  $page_template);
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         wp_transition_post_status($data['post_status'], $previous_status, $post);
</span><span class="lines">@@ -2969,15 +3019,11 @@
</span><span class="cx">         if ( is_object($postarr) ) {
</span><span class="cx">                 // non-escaped post was passed
</span><span class="cx">                 $postarr = get_object_vars($postarr);
</span><del>-                $postarr = add_magic_quotes($postarr);
</del><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // First, get all of the original fields
</span><span class="cx">         $post = get_post($postarr['ID'], ARRAY_A);
</span><span class="cx"> 
</span><del>-        // Escape data pulled from DB.
-        $post = add_magic_quotes($post);
-
</del><span class="cx">         // Passed post category list overwrites existing category list if not empty.
</span><span class="cx">         if ( isset($postarr['post_category']) &amp;&amp; is_array($postarr['post_category'])
</span><span class="cx">                          &amp;&amp; 0 != count($postarr['post_category']) )
</span><span class="lines">@@ -3392,7 +3438,7 @@
</span><span class="cx">                 $trackback_urls = explode(',', $tb_list);
</span><span class="cx">                 foreach( (array) $trackback_urls as $tb_url) {
</span><span class="cx">                         $tb_url = trim($tb_url);
</span><del>-                        trackback($tb_url, stripslashes($post_title), $excerpt, $post_id);
</del><ins>+                        trackback($tb_url, $post_title, $excerpt, $post_id);
</ins><span class="cx">                 }
</span><span class="cx">         }
</span><span class="cx"> }
</span><span class="lines">@@ -3735,9 +3781,6 @@
</span><span class="cx">         if ( ! empty( $meta_key ) || ! empty( $meta_value ) ) {
</span><span class="cx">                 $join = &quot; LEFT JOIN $wpdb-&gt;postmeta ON ( $wpdb-&gt;posts.ID = $wpdb-&gt;postmeta.post_id )&quot;;
</span><span class="cx"> 
</span><del>-                // meta_key and meta_value might be slashed
-                $meta_key = stripslashes($meta_key);
-                $meta_value = stripslashes($meta_value);
</del><span class="cx">                 if ( ! empty( $meta_key ) )
</span><span class="cx">                         $where .= $wpdb-&gt;prepare(&quot; AND $wpdb-&gt;postmeta.meta_key = %s&quot;, $meta_key);
</span><span class="cx">                 if ( ! empty( $meta_value ) )
</span><span class="lines">@@ -3962,7 +4005,6 @@
</span><span class="cx">         else
</span><span class="cx">                 $post_name = sanitize_title($post_name);
</span><span class="cx"> 
</span><del>-        // expected_slashed ($post_name)
</del><span class="cx">         $post_name = wp_unique_post_slug($post_name, $post_ID, $post_status, $post_type, $post_parent);
</span><span class="cx"> 
</span><span class="cx">         if ( empty($post_date) )
</span><span class="lines">@@ -4005,9 +4047,7 @@
</span><span class="cx">         if ( ! isset($pinged) )
</span><span class="cx">                 $pinged = '';
</span><span class="cx"> 
</span><del>-        // expected_slashed (everything!)
</del><span class="cx">         $data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid' ) );
</span><del>-        $data = stripslashes_deep( $data );
</del><span class="cx"> 
</span><span class="cx">         if ( $update ) {
</span><span class="cx">                 $wpdb-&gt;update( $wpdb-&gt;posts, $data, array( 'ID' =&gt; $post_ID ) );
</span><span class="lines">@@ -4052,7 +4092,7 @@
</span><span class="cx">         clean_post_cache( $post_ID );
</span><span class="cx"> 
</span><span class="cx">         if ( ! empty( $context ) )
</span><del>-                add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
</del><ins>+                wp_add_post_meta( $post_ID, '_wp_attachment_context', $context, true );
</ins><span class="cx"> 
</span><span class="cx">         if ( $update) {
</span><span class="cx">                 do_action('edit_attachment', $post_ID);
</span><span class="lines">@@ -4439,7 +4479,7 @@
</span><span class="cx"> 
</span><span class="cx">         // if we haven't added this old slug before, add it now
</span><span class="cx">         if ( !empty( $post_before-&gt;post_name ) &amp;&amp; !in_array($post_before-&gt;post_name, $old_slugs) )
</span><del>-                add_post_meta($post_id, '_wp_old_slug', $post_before-&gt;post_name);
</del><ins>+                wp_add_post_meta($post_id, '_wp_old_slug', $post_before-&gt;post_name);
</ins><span class="cx"> 
</span><span class="cx">         // if the new slug was used previously, delete it from the list
</span><span class="cx">         if ( in_array($post-&gt;post_name, $old_slugs) )
</span><span class="lines">@@ -4856,8 +4896,8 @@
</span><span class="cx">                 return;
</span><span class="cx"> 
</span><span class="cx">         if ( get_option('default_pingback_flag') )
</span><del>-                add_post_meta( $post_id, '_pingme', '1' );
-        add_post_meta( $post_id, '_encloseme', '1' );
</del><ins>+                wp_add_post_meta( $post_id, '_pingme', '1' );
+        wp_add_post_meta( $post_id, '_encloseme', '1' );
</ins><span class="cx"> 
</span><span class="cx">         wp_schedule_single_event(time(), 'do_pings');
</span><span class="cx"> }
</span><span class="lines">@@ -5097,7 +5137,6 @@
</span><span class="cx">                 return new WP_Error( 'post_type', __( 'Cannot create a revision of a revision' ) );
</span><span class="cx"> 
</span><span class="cx">         $post = _wp_post_revision_fields( $post, $autosave );
</span><del>-        $post = add_magic_quotes($post); //since data is from db
</del><span class="cx"> 
</span><span class="cx">         $revision_id = wp_insert_post( $post );
</span><span class="cx">         if ( is_wp_error($revision_id) )
</span><span class="lines">@@ -5176,8 +5215,6 @@
</span><span class="cx"> 
</span><span class="cx">         $update['ID'] = $revision['post_parent'];
</span><span class="cx"> 
</span><del>-        $update = add_magic_quotes( $update ); //since data is from db
-
</del><span class="cx">         $post_id = wp_update_post( $update );
</span><span class="cx">         if ( is_wp_error( $post_id ) )
</span><span class="cx">                 return $post_id;
</span><span class="lines">@@ -5399,7 +5436,7 @@
</span><span class="cx">         $thumbnail_id = absint( $thumbnail_id );
</span><span class="cx">         if ( $post &amp;&amp; $thumbnail_id &amp;&amp; get_post( $thumbnail_id ) ) {
</span><span class="cx">                 if ( $thumbnail_html = wp_get_attachment_image( $thumbnail_id, 'thumbnail' ) )
</span><del>-                        return update_post_meta( $post-&gt;ID, '_thumbnail_id', $thumbnail_id );
</del><ins>+                        return wp_update_post_meta( $post-&gt;ID, '_thumbnail_id', $thumbnail_id );
</ins><span class="cx">                 else
</span><span class="cx">                         return delete_post_meta( $post-&gt;ID, '_thumbnail_id' );
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkwpincludesqueryphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/query.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/query.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/query.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1733,7 +1733,6 @@
</span><span class="cx">                 // Category stuff
</span><span class="cx">                 if ( !empty($q['cat']) &amp;&amp; '0' != $q['cat'] &amp;&amp; !$this-&gt;is_singular &amp;&amp; $this-&gt;query_vars_changed ) {
</span><span class="cx">                         $q['cat'] = ''.urldecode($q['cat']).'';
</span><del>-                        $q['cat'] = addslashes_gpc($q['cat']);
</del><span class="cx">                         $cat_array = preg_split('/[,\s]+/', $q['cat']);
</span><span class="cx">                         $q['cat'] = '';
</span><span class="cx">                         $req_cats = array();
</span><span class="lines">@@ -2180,8 +2179,6 @@
</span><span class="cx"> 
</span><span class="cx">                 // If a search pattern is specified, load the posts that match
</span><span class="cx">                 if ( !empty($q['s']) ) {
</span><del>-                        // added slashes screw with quote grouping when done early, so done later
-                        $q['s'] = stripslashes($q['s']);
</del><span class="cx">                         if ( empty( $_GET['s'] ) &amp;&amp; $this-&gt;is_main_query() )
</span><span class="cx">                                 $q['s'] = urldecode($q['s']);
</span><span class="cx">                         if ( !empty($q['sentence']) ) {
</span><span class="lines">@@ -2290,7 +2287,6 @@
</span><span class="cx">                         $whichauthor = '';
</span><span class="cx">                 } else {
</span><span class="cx">                         $q['author'] = (string)urldecode($q['author']);
</span><del>-                        $q['author'] = addslashes_gpc($q['author']);
</del><span class="cx">                         if ( strpos($q['author'], '-') !== false ) {
</span><span class="cx">                                 $eq = '!=';
</span><span class="cx">                                 $andor = 'AND';
</span><span class="lines">@@ -2352,7 +2348,6 @@
</span><span class="cx">                                 $allowed_keys[] = 'meta_value_num';
</span><span class="cx">                         }
</span><span class="cx">                         $q['orderby'] = urldecode($q['orderby']);
</span><del>-                        $q['orderby'] = addslashes_gpc($q['orderby']);
</del><span class="cx"> 
</span><span class="cx">                         $orderby_array = array();
</span><span class="cx">                         foreach ( explode( ' ', $q['orderby'] ) as $i =&gt; $orderby ) {
</span></span></pre></div>
<a id="trunkwpincludestaxonomyphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/taxonomy.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/taxonomy.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/taxonomy.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -953,8 +953,6 @@
</span><span class="cx">                 if ( empty($value) )
</span><span class="cx">                         return false;
</span><span class="cx">         } else if ( 'name' == $field ) {
</span><del>-                // Assume already escaped
-                $value = stripslashes($value);
</del><span class="cx">                 $field = 't.name';
</span><span class="cx">         } else {
</span><span class="cx">                 $term = get_term( (int) $value, $taxonomy, $output, $filter);
</span><span class="lines">@@ -1494,7 +1492,7 @@
</span><span class="cx">                         return $wpdb-&gt;get_var( $wpdb-&gt;prepare( $select . $where, $term ) );
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        $term = trim( stripslashes( $term ) );
</del><ins>+        $term = trim( $term );
</ins><span class="cx"> 
</span><span class="cx">         if ( '' === $slug = sanitize_title($term) )
</span><span class="cx">                 return 0;
</span><span class="lines">@@ -2056,10 +2054,6 @@
</span><span class="cx">         $args = sanitize_term($args, $taxonomy, 'db');
</span><span class="cx">         extract($args, EXTR_SKIP);
</span><span class="cx"> 
</span><del>-        // expected_slashed ($name)
-        $name = stripslashes($name);
-        $description = stripslashes($description);
-
</del><span class="cx">         if ( empty($slug) )
</span><span class="cx">                 $slug = sanitize_title($name);
</span><span class="cx"> 
</span><span class="lines">@@ -2439,9 +2433,6 @@
</span><span class="cx">         if ( is_wp_error( $term ) )
</span><span class="cx">                 return $term;
</span><span class="cx"> 
</span><del>-        // Escape data pulled from DB.
-        $term = add_magic_quotes($term);
-
</del><span class="cx">         // Merge old and new args with new args overwriting old ones.
</span><span class="cx">         $args = array_merge($term, $args);
</span><span class="cx"> 
</span><span class="lines">@@ -2450,10 +2441,6 @@
</span><span class="cx">         $args = sanitize_term($args, $taxonomy, 'db');
</span><span class="cx">         extract($args, EXTR_SKIP);
</span><span class="cx"> 
</span><del>-        // expected_slashed ($name)
-        $name = stripslashes($name);
-        $description = stripslashes($description);
-
</del><span class="cx">         if ( '' == trim($name) )
</span><span class="cx">                 return new WP_Error('empty_term_name', __('A name is required for this term'));
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkwpincludesuserphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/user.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/user.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/user.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -1390,7 +1390,6 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' );
</span><del>-        $data = stripslashes_deep( $data );
</del><span class="cx"> 
</span><span class="cx">         if ( $update ) {
</span><span class="cx">                 $wpdb-&gt;update( $wpdb-&gt;users, $data, compact( 'ID' ) );
</span><span class="lines">@@ -1462,9 +1461,6 @@
</span><span class="cx">                 $user[ $key ] = get_user_meta( $ID, $key, true );
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        // Escape data pulled from DB.
-        $user = add_magic_quotes( $user );
-
</del><span class="cx">         // If password is changing, hash it now.
</span><span class="cx">         if ( ! empty($userdata['user_pass']) ) {
</span><span class="cx">                 $plaintext_pass = $userdata['user_pass'];
</span><span class="lines">@@ -1504,8 +1500,8 @@
</span><span class="cx">  * @return int The new user's ID.
</span><span class="cx">  */
</span><span class="cx"> function wp_create_user($username, $password, $email = '') {
</span><del>-        $user_login = esc_sql( $username );
-        $user_email = esc_sql( $email    );
</del><ins>+        $user_login = $username;
+        $user_email = $email;
</ins><span class="cx">         $user_pass = $password;
</span><span class="cx"> 
</span><span class="cx">         $userdata = compact('user_login', 'user_email', 'user_pass');
</span></span></pre></div>
<a id="trunkwpincludeswidgetsphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/widgets.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/widgets.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-includes/widgets.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -224,7 +224,7 @@
</span><span class="cx">                         }
</span><span class="cx"> 
</span><span class="cx">                         foreach ( $settings as $number =&gt; $new_instance ) {
</span><del>-                                $new_instance = stripslashes_deep($new_instance);
</del><ins>+                                $new_instance = wp_unslash($new_instance);
</ins><span class="cx">                                 $this-&gt;_set($number);
</span><span class="cx"> 
</span><span class="cx">                                 $old_instance = isset($all_instances[$number]) ? $all_instances[$number] : array();
</span></span></pre></div>
<a id="trunkwploginphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-login.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-login.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-login.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -396,7 +396,7 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // 10 days
</span><del>-        setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher-&gt;HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
</del><ins>+        setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher-&gt;HashPassword( wp_unslash( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
</ins><span class="cx"> 
</span><span class="cx">         wp_safe_redirect( wp_get_referer() );
</span><span class="cx">         exit();
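Review bot: the post-password cookie value is now HashPassword( wp_unslash( $_POST['post_password'] ) ), so whatever later checks this cookie against the post's stored password must hash the same unslashed form, otherwise passwords containing quotes or backslashes will never match. Unrelated to the slashing change but visible on the same line: setcookie() is called with only name, value, expiry and COOKIEPATH, leaving the secure and httponly flags at their defaults for a cookie that carries a password hash.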
</span><span class="lines">@@ -431,7 +431,7 @@
</span><span class="cx">         do_action('lost_password');
</span><span class="cx">         login_header(__('Lost Password'), '&lt;p class=&quot;message&quot;&gt;' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '&lt;/p&gt;', $errors);
</span><span class="cx"> 
</span><del>-        $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : '';
</del><ins>+        $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
</ins><span class="cx"> 
</span><span class="cx"> ?&gt;
</span><span class="cx"> 
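Review bot: $user_login on the lost-password screen is now raw, unslashed request input; the hunk does not show where it is echoed into the form, so check that the output site applies esc_attr() (the register form further down in this file does) rather than relying on the slashes that used to be present.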
</span><span class="lines">@@ -530,8 +530,8 @@
</span><span class="cx">         $user_login = '';
</span><span class="cx">         $user_email = '';
</span><span class="cx">         if ( $http_post ) {
</span><del>-                $user_login = $_POST['user_login'];
-                $user_email = $_POST['user_email'];
</del><ins>+                $user_login = wp_unslash( $_POST['user_login'] );
+                $user_email = wp_unslash( $_POST['user_email'] );
</ins><span class="cx">                 $errors = register_new_user($user_login, $user_email);
</span><span class="cx">                 if ( !is_wp_error($errors) ) {
</span><span class="cx">                         $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : 'wp-login.php?checkemail=registered';
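Review bot: in the unchanged context line right after the change, $redirect_to is still taken straight from $_POST['redirect_to'] without wp_unslash(), which is inconsistent with the goal of this changeset; either unslash it here as well or leave a comment saying why it is exempt, so the next person does not have to guess whether it was missed.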
</span><span class="lines">@@ -547,11 +547,11 @@
</span><span class="cx"> &lt;form name=&quot;registerform&quot; id=&quot;registerform&quot; action=&quot;&lt;?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?&gt;&quot; method=&quot;post&quot;&gt;
</span><span class="cx">         &lt;p&gt;
</span><span class="cx">                 &lt;label for=&quot;user_login&quot;&gt;&lt;?php _e('Username') ?&gt;&lt;br /&gt;
</span><del>-                &lt;input type=&quot;text&quot; name=&quot;user_login&quot; id=&quot;user_login&quot; class=&quot;input&quot; value=&quot;&lt;?php echo esc_attr(stripslashes($user_login)); ?&gt;&quot; size=&quot;20&quot; /&gt;&lt;/label&gt;
</del><ins>+                &lt;input type=&quot;text&quot; name=&quot;user_login&quot; id=&quot;user_login&quot; class=&quot;input&quot; value=&quot;&lt;?php echo esc_attr( $user_login ); ?&gt;&quot; size=&quot;20&quot; /&gt;&lt;/label&gt;
</ins><span class="cx">         &lt;/p&gt;
</span><span class="cx">         &lt;p&gt;
</span><span class="cx">                 &lt;label for=&quot;user_email&quot;&gt;&lt;?php _e('E-mail') ?&gt;&lt;br /&gt;
</span><del>-                &lt;input type=&quot;text&quot; name=&quot;user_email&quot; id=&quot;user_email&quot; class=&quot;input&quot; value=&quot;&lt;?php echo esc_attr(stripslashes($user_email)); ?&gt;&quot; size=&quot;25&quot; /&gt;&lt;/label&gt;
</del><ins>+                &lt;input type=&quot;text&quot; name=&quot;user_email&quot; id=&quot;user_email&quot; class=&quot;input&quot; value=&quot;&lt;?php echo esc_attr( $user_email ); ?&gt;&quot; size=&quot;25&quot; /&gt;&lt;/label&gt;
</ins><span class="cx">         &lt;/p&gt;
</span><span class="cx"> &lt;?php do_action('register_form'); ?&gt;
</span><span class="cx">         &lt;p id=&quot;reg_passmail&quot;&gt;&lt;?php _e('A password will be e-mailed to you.') ?&gt;&lt;/p&gt;
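Review bot: removing stripslashes() from the esc_attr() calls for the user_login and user_email fields depends on the earlier hunk in this file that unslashes $_POST['user_login'] and $_POST['user_email'] at assignment; the two hunks must land together, otherwise slashed values are rendered with literal backslashes. With that dependency in place the shape is right: unslash once at input, escape once at output.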
</span><span class="lines">@@ -673,7 +673,7 @@
</span><span class="cx">         login_header(__('Log In'), '', $errors);
</span><span class="cx"> 
</span><span class="cx">         if ( isset($_POST['log']) )
</span><del>-                $user_login = ( 'incorrect_password' == $errors-&gt;get_error_code() || 'empty_password' == $errors-&gt;get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : '';
</del><ins>+                $user_login = ( 'incorrect_password' == $errors-&gt;get_error_code() || 'empty_password' == $errors-&gt;get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : '';
</ins><span class="cx">         $rememberme = ! empty( $_POST['rememberme'] );
</span><span class="cx"> ?&gt;
</span><span class="cx"> 
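Review bot: esc_attr( wp_unslash( $_POST['log'] ) ) escapes at assignment rather than where $user_login is echoed into the form, so the variable holds an HTML-escaped string and any later non-HTML use of it would double-escape; the cleaner shape, matching the register form hunk above, is $user_login = wp_unslash( $_POST['log'] ) here and esc_attr( $user_login ) at the point it is printed.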
</span></span></pre></div>
<a id="trunkwpmailphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-mail.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-mail.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-mail.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -202,7 +202,6 @@
</span><span class="cx">         $post_category = array(get_option('default_email_category'));
</span><span class="cx"> 
</span><span class="cx">         $post_data = compact('post_content','post_title','post_date','post_date_gmt','post_author','post_category', 'post_status');
</span><del>-        $post_data = add_magic_quotes($post_data);
</del><span class="cx"> 
</span><span class="cx">         $post_ID = wp_insert_post($post_data);
</span><span class="cx">         if ( is_wp_error( $post_ID ) )
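Review bot: dropping add_magic_quotes() before wp_insert_post() is correct only under the new contract that wp_insert_post() expects unslashed data, which is what the changeset title states; since $post_data here is assembled from parsed mail rather than from $_POST, it was never slashed by PHP, so nothing else in this file needs a matching wp_unslash().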
</span></span></pre></div>
<a id="trunkwptrackbackphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-trackback.php (23415 => 23416)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-trackback.php        2013-02-14 16:45:43 UTC (rev 23415)
+++ trunk/wp-trackback.php        2013-02-14 22:51:06 UTC (rev 23416)
</span><span class="lines">@@ -45,9 +45,9 @@
</span><span class="cx"> $charset = isset($_POST['charset']) ? $_POST['charset'] : '';
</span><span class="cx"> 
</span><span class="cx"> // These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
</span><del>-$title     = isset($_POST['title'])     ? stripslashes($_POST['title'])      : '';
-$excerpt   = isset($_POST['excerpt'])   ? stripslashes($_POST['excerpt'])    : '';
-$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name'])  : '';
</del><ins>+$title     = isset($_POST['title'])     ? wp_unslash( $_POST['title'] )      : '';
+$excerpt   = isset($_POST['excerpt'])   ? wp_unslash( $_POST['excerpt'] )    : '';
+$blog_name = isset($_POST['blog_name']) ? wp_unslash( $_POST['blog_name'] )  : '';
</ins><span class="cx"> 
</span><span class="cx"> if ($charset)
</span><span class="cx">         $charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
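Review bot: the comment on the line above the change, "These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()", is now stale, because the escaping it refers to is removed further down in this file; the reason for unslashing is now simply that these are raw POST values and downstream code expects unslashed strings, and the comment should say so. Also note $charset on the first context line is still read from $_POST without wp_unslash(); the str_replace()/strtoupper() normalisation below makes that harmless, but a word in the comment would save the next reader the question.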
</span><span class="lines">@@ -64,11 +64,6 @@
</span><span class="cx">         $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-// Now that mb_convert_encoding() has been given a swing, we need to escape these three
-$title     = $wpdb-&gt;escape($title);
-$excerpt   = $wpdb-&gt;escape($excerpt);
-$blog_name = $wpdb-&gt;escape($blog_name);
-
</del><span class="cx"> if ( is_single() || is_page() )
</span><span class="cx">         $tb_id = $posts[0]-&gt;ID;
</span><span class="cx"> 
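Review bot: with the $wpdb-&gt;escape() calls removed, $title, $excerpt and $blog_name reach whatever inserts the trackback comment as raw strings straight out of mb_convert_encoding(); that consumer is not in this hunk, so confirm it escapes or uses $wpdb-&gt;prepare() itself before this goes in. The comment in the earlier hunk of this file that explains the unslashing in terms of this escaping step should be updated in the same commit, since this is the code it pointed at.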
</span></span></pre>
</div>
</div>

</body>
</html>