Use wp_unslash() instead of stripslashes() and stripslashes_deep(). U…

…se wp_slash() instead of add_magic_quotes().

git-svn-id: http://core.svn.wordpress.org/trunk@23567 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/edit-comments.php

@@ -20,8 +20,8 @@
 	check_admin_referer( 'bulk-comments' );
 
 	if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
-		$comment_status = $_REQUEST['comment_status'];
-		$delete_time = $_REQUEST['pagegen_timestamp'];
+		$comment_status = wp_unslash( $_REQUEST['comment_status'] );
+		$delete_time = wp_unslash ( $_REQUEST['pagegen_timestamp'] );
 		$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
 		$doaction = 'delete';
 	} elseif ( isset( $_REQUEST['delete_comments'] ) ) {

wp-admin/includes/template.php

@@ -1333,7 +1333,7 @@ function _draft_or_post_title( $post = 0 ) {
  *
  */
 function _admin_search_query() {
-	echo isset($_REQUEST['s']) ? esc_attr( stripslashes( $_REQUEST['s'] ) ) : '';
+	echo isset($_REQUEST['s']) ? esc_attr( wp_unslash( $_REQUEST['s'] ) ) : '';
 }
 
 /**

wp-admin/includes/theme-install.php

@@ -50,8 +50,8 @@ function install_themes_feature_list() {
  * @since 2.8.0
  */
 function install_theme_search_form( $type_selector = true ) {
-	$type = isset( $_REQUEST['type'] ) ? stripslashes( $_REQUEST['type'] ) : 'term';
-	$term = isset( $_REQUEST['s'] ) ? stripslashes( $_REQUEST['s'] ) : '';
+	$type = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : 'term';
+	$term = isset( $_REQUEST['s'] ) ? wp_unslash( $_REQUEST['s'] ) : '';
 	if ( ! $type_selector )
 		echo '<p class="install-help">' . __( 'Search for themes by keyword.' ) . '</p>';
 	?>
@@ -179,7 +179,7 @@ function display_themes() {
 function install_theme_information() {
 	global $tab, $themes_allowedtags, $wp_list_table;
 
-	$theme = themes_api( 'theme_information', array( 'slug' => stripslashes( $_REQUEST['theme'] ) ) );
+	$theme = themes_api( 'theme_information', array( 'slug' => wp_unslash( $_REQUEST['theme'] ) ) );
 
 	if ( is_wp_error( $theme ) )
 		wp_die( $theme );

wp-admin/includes/upgrade.php

@@ -132,7 +132,7 @@ function wp_install_defaults($user_id) {
 		$first_post = get_site_option( 'first_post' );
 
 		if ( empty($first_post) )
-			$first_post = stripslashes( __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' ) );
+			$first_post = __( 'Welcome to <a href="SITE_URL">SITE_NAME</a>. This is your first post. Edit or delete it, then start blogging!' );
 
 		$first_post = str_replace( "SITE_URL", esc_url( network_home_url() ), $first_post );
 		$first_post = str_replace( "SITE_NAME", $current_site->site_name, $first_post );
@@ -636,23 +636,23 @@ function upgrade_160() {
 	$users = $wpdb->get_results("SELECT * FROM $wpdb->users");
 	foreach ( $users as $user ) :
 		if ( !empty( $user->user_firstname ) )
-			update_user_meta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) );
+			update_user_meta( $user->ID, 'first_name', wp_slash($user->user_firstname) );
 		if ( !empty( $user->user_lastname ) )
-			update_user_meta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) );
+			update_user_meta( $user->ID, 'last_name', wp_slash($user->user_lastname) );
 		if ( !empty( $user->user_nickname ) )
-			update_user_meta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) );
+			update_user_meta( $user->ID, 'nickname', wp_slash($user->user_nickname) );
 		if ( !empty( $user->user_level ) )
 			update_user_meta( $user->ID, $wpdb->prefix . 'user_level', $user->user_level );
 		if ( !empty( $user->user_icq ) )
-			update_user_meta( $user->ID, 'icq', $wpdb->escape($user->user_icq) );
+			update_user_meta( $user->ID, 'icq', wp_slash($user->user_icq) );
 		if ( !empty( $user->user_aim ) )
-			update_user_meta( $user->ID, 'aim', $wpdb->escape($user->user_aim) );
+			update_user_meta( $user->ID, 'aim', wp_slash($user->user_aim) );
 		if ( !empty( $user->user_msn ) )
-			update_user_meta( $user->ID, 'msn', $wpdb->escape($user->user_msn) );
+			update_user_meta( $user->ID, 'msn', wp_slash($user->user_msn) );
 		if ( !empty( $user->user_yim ) )
-			update_user_meta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );
+			update_user_meta( $user->ID, 'yim', wp_slash($user->user_icq) );
 		if ( !empty( $user->user_description ) )
-			update_user_meta( $user->ID, 'description', $wpdb->escape($user->user_description) );
+			update_user_meta( $user->ID, 'description', wp_slash($user->user_description) );
 
 		if ( isset( $user->user_idmode ) ):
 			$idmode = $user->user_idmode;
@@ -854,7 +854,7 @@ function upgrade_230() {
 		foreach ( $link_cats as $category) {
 			$cat_id = (int) $category->cat_id;
 			$term_id = 0;
-			$name = $wpdb->escape($category->cat_name);
+			$name = wp_slash($category->cat_name);
 			$slug = sanitize_title($name);
 			$term_group = 0;
 

wp-admin/includes/user.php

@@ -34,7 +34,7 @@ function edit_user( $user_id = 0 ) {
 		$update = true;
 		$user->ID = (int) $user_id;
 		$userdata = get_userdata( $user_id );
-		$user->user_login = $wpdb->escape( $userdata->user_login );
+		$user->user_login = wp_slash( $userdata->user_login );
 	} else {
 		$update = false;
 	}

wp-admin/install.php

@@ -84,10 +84,10 @@ function display_setup_form( $error = null ) {
 	if ( ! empty( $_POST ) )
 		$blog_public = isset( $_POST['blog_public'] );
 
-	$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-	$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-	$admin_password = isset($_POST['admin_password']) ? trim( stripslashes( $_POST['admin_password'] ) ) : '';
-	$admin_email  = isset( $_POST['admin_email']  ) ? trim( stripslashes( $_POST['admin_email'] ) ) : '';
+	$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+	$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
+	$admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
+	$admin_email  = isset( $_POST['admin_email']  ) ? trim( wp_unslash( $_POST['admin_email'] ) ) : '';
 
 	if ( ! is_null( $error ) ) {
 ?>
@@ -189,11 +189,11 @@ function display_setup_form( $error = null ) {
 
 		display_header();
 		// Fill in the data we gathered
-		$weblog_title = isset( $_POST['weblog_title'] ) ? trim( stripslashes( $_POST['weblog_title'] ) ) : '';
-		$user_name = isset($_POST['user_name']) ? trim( stripslashes( $_POST['user_name'] ) ) : 'admin';
-		$admin_password = isset($_POST['admin_password']) ? $_POST['admin_password'] : '';
-		$admin_password_check = isset($_POST['admin_password2']) ? $_POST['admin_password2'] : '';
-		$admin_email  = isset( $_POST['admin_email']  ) ?trim( stripslashes( $_POST['admin_email'] ) ) : '';
+		$weblog_title = isset( $_POST['weblog_title'] ) ? trim( wp_unslash( $_POST['weblog_title'] ) ) : '';
+		$user_name = isset($_POST['user_name']) ? trim( wp_unslash( $_POST['user_name'] ) ) : 'admin';
+		$admin_password = isset($_POST['admin_password']) ? wp_unslash( $_POST['admin_password'] ) : '';
+		$admin_password_check = isset($_POST['admin_password2']) ? wp_unslash( $_POST['admin_password2'] ) : '';
+		$admin_email  = isset( $_POST['admin_email']  ) ?trim( wp_unslash( $_POST['admin_email'] ) ) : '';
 		$public       = isset( $_POST['blog_public']  ) ? (int) $_POST['blog_public'] : 0;
 		// check e-mail address
 		$error = false;

wp-admin/link-manager.php

@@ -31,7 +31,7 @@
 		exit;
 	}
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 	 exit;
 }
 
@@ -72,7 +72,7 @@
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title ); ?> <a href="link-add.php" class="add-new-h2"><?php echo esc_html_x('Add New', 'link'); ?></a> <?php
 if ( !empty($_REQUEST['s']) )
-	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_REQUEST['s']) ) ); ?>
+	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( wp_unslash($_REQUEST['s']) ) ); ?>
 </h2>
 
 <?php

wp-admin/network.php

@@ -520,7 +520,7 @@ function network_step2( $errors = false ) {
 	$base              = parse_url( trailingslashit( get_option( 'home' ) ), PHP_URL_PATH );
 	$subdomain_install = allow_subdomain_install() ? !empty( $_POST['subdomain_install'] ) : false;
 	if ( ! network_domain_check() ) {
-		$result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), stripslashes( $_POST['sitename'] ), $base, $subdomain_install );
+		$result = populate_network( 1, get_clean_basedomain(), sanitize_email( $_POST['email'] ), wp_unslash( $_POST['sitename'] ), $base, $subdomain_install );
 		if ( is_wp_error( $result ) ) {
 			if ( 1 == count( $result->get_error_codes() ) && 'no_wildcard_dns' == $result->get_error_code() )
 				network_step2( $result );

wp-admin/network/site-info.php

@@ -62,7 +62,7 @@
 	delete_option( 'rewrite_rules' );
 
 	// update blogs table
-	$blog_data = stripslashes_deep( $_POST['blog'] );
+	$blog_data = wp_unslash( $_POST['blog'] );
 	$existing_details = get_blog_details( $id, false );
 	$blog_data_checkboxes = array( 'public', 'archived', 'spam', 'mature', 'deleted' );
 	foreach ( $blog_data_checkboxes as $c ) {

wp-admin/network/site-new.php

@@ -88,7 +88,7 @@
 		$content_mail = sprintf( __( 'New site created by %1$s
 
 Address: %2$s
-Name: %3$s' ), $current_user->user_login , get_site_url( $id ), stripslashes( $title ) );
+Name: %3$s' ), $current_user->user_login , get_site_url( $id ), wp_unslash( $title ) );
 		wp_mail( get_site_option('admin_email'), sprintf( __( '[%s] New Site Created' ), $current_site->site_name ), $content_mail, 'From: "Site Admin" <' . get_site_option( 'admin_email' ) . '>' );
 		wpmu_welcome_notification( $id, $user_id, $password, $title, array( 'public' => 1 ) );
 		wp_redirect( add_query_arg( array( 'update' => 'added', 'id' => $id ), 'site-new.php' ) );

wp-admin/network/site-settings.php

@@ -53,12 +53,14 @@
 	$count = count( $_POST['option'] );
 	$skip_options = array( 'allowedthemes' ); // Don't update these options since they are handled elsewhere in the form.
 	foreach ( (array) $_POST['option'] as $key => $val ) {
+		$key = wp_unslash( $key );
+		$val = wp_unslash( $val );
 		if ( $key === 0 || is_array( $val ) || in_array($key, $skip_options) )
 			continue; // Avoids "0 is a protected WP option and may not be modified" error when edit blog options
 		if ( $c == $count )
-			update_option( $key, stripslashes( $val ) );
+			update_option( $key, $val );
 		else
-			update_option( $key, stripslashes( $val ), false ); // no need to refresh blog details yet
+			update_option( $key, $val, false ); // no need to refresh blog details yet
 		$c++;
 	}
 

wp-admin/network/sites.php

@@ -79,7 +79,7 @@
 					<input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>" />
 					<input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
 					<?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?>
-					<p><?php echo esc_html( stripslashes( $_GET['msg'] ) ); ?></p>
+					<p><?php echo esc_html( wp_unslash( $_GET['msg'] ) ); ?></p>
 					<?php submit_button( __('Confirm'), 'button' ); ?>
 				</form>
 			</body>

wp-admin/options-head.php

@@ -2,8 +2,7 @@
 /**
  * WordPress Options Header.
  *
- * Resets variables: 'action', 'standalone', and 'option_group_id'. Displays
- * updated message, if updated variable is part of the URL query.
+ * Displays updated message, if updated variable is part of the URL query.
  *
  * @package WordPress
  * @subpackage Administration

wp-admin/options.php

@@ -120,16 +120,16 @@
 	if ( 'options' == $option_page ) {
 		if ( is_multisite() && ! is_super_admin() )
 			wp_die( __( 'You do not have sufficient permissions to modify unregistered settings for this site.' ) );
-		$options = explode( ',', stripslashes( $_POST[ 'page_options' ] ) );
+		$options = explode( ',', wp_unslash( $_POST[ 'page_options' ] ) );
 	} else {
 		$options = $whitelist_options[ $option_page ];
 	}
 
 	// Handle custom date/time formats
 	if ( 'general' == $option_page ) {
-		if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['date_format'] ) )
+		if ( !empty($_POST['date_format']) && isset($_POST['date_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['date_format'] ) )
 			$_POST['date_format'] = $_POST['date_format_custom'];
-		if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == stripslashes( $_POST['time_format'] ) )
+		if ( !empty($_POST['time_format']) && isset($_POST['time_format_custom']) && '\c\u\s\t\o\m' == wp_unslash( $_POST['time_format'] ) )
 			$_POST['time_format'] = $_POST['time_format_custom'];
 		// Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
 		if ( !empty($_POST['timezone_string']) && preg_match('/^UTC[+-]/', $_POST['timezone_string']) ) {
@@ -150,7 +150,7 @@
 				$value = $_POST[ $option ];
 				if ( ! is_array( $value ) )
 					$value = trim( $value );
-				$value = stripslashes_deep( $value );
+				$value = wp_unslash( $value );
 			}
 			update_option( $option, $value );
 		}

wp-admin/plugin-editor.php

@@ -28,7 +28,7 @@
 	wp_die( __('There are no plugins installed on this site.') );
 
 if ( isset($_REQUEST['file']) )
-	$plugin = stripslashes($_REQUEST['file']);
+	$plugin = wp_unslash($_REQUEST['file']);
 
 if ( empty($plugin) ) {
 	$plugin = array_keys($plugins);
@@ -39,8 +39,6 @@
 
 if ( empty($file) )
 	$file = $plugin_files[0];
-else
-	$file = stripslashes($file);
 
 $file = validate_file_to_edit($file, $plugin_files);
 $real_file = WP_PLUGIN_DIR . '/' . $file;
@@ -52,7 +50,7 @@
 
 	check_admin_referer('edit-plugin_' . $file);
 
-	$newcontent = stripslashes($_POST['newcontent']);
+	$newcontent = wp_unslash( $_POST['newcontent'] );
 	if ( is_writeable($real_file) ) {
 		$f = fopen($real_file, 'w+');
 		fwrite($f, $newcontent);

wp-admin/press-this.php

@@ -91,11 +91,11 @@ function press_it() {
 }
 
 // Set Variables
-$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
+$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( wp_unslash( $_GET['t'] ) , ENT_QUOTES) ) ) : '';
 
 $selection = '';
 if ( !empty($_GET['s']) ) {
-	$selection = str_replace(''', "'", stripslashes($_GET['s']));
+	$selection = str_replace(''', "'", wp_unslash($_GET['s']));
 	$selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) );
 }
 

wp-admin/setup-config.php

@@ -164,7 +164,7 @@ function setup_config_display_header() {
 
 	case 2:
 	foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key )
-		$$key = trim( stripslashes( $_POST[ $key ] ) );
+		$$key = trim( wp_unslash( $_POST[ $key ] ) );
 
 	$tryagain_link = '</p><p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button button-large">' . __( 'Try again' ) . '</a>';
 

wp-admin/theme-editor.php

@@ -68,7 +68,7 @@
 	$relative_file = 'style.css';
 	$file = $allowed_files['style.css'];
 } else {
-	$relative_file = stripslashes( $file );
+	$relative_file = wp_unslash( $file );
 	$file = $theme->get_stylesheet_directory() . '/' . $relative_file;
 }
 
@@ -78,7 +78,7 @@
 switch( $action ) {
 case 'update':
 	check_admin_referer( 'edit-theme_' . $file . $stylesheet );
-	$newcontent = stripslashes( $_POST['newcontent'] );
+	$newcontent = wp_unslash( $_POST['newcontent'] );
 	$location = 'theme-editor.php?file=' . urlencode( $relative_file ) . '&theme=' . urlencode( $stylesheet ) . '&scrollto=' . $scrollto;
 	if ( is_writeable( $file ) ) {
 		//is_writable() not always reliable, check return value. see comments @ http://uk.php.net/is_writable

wp-admin/upgrade.php

@@ -77,7 +77,7 @@
 <?php else :
 switch ( $step ) :
 	case 0:
-		$goback = stripslashes( wp_get_referer() );
+		$goback = wp_unslash( wp_get_referer() );
 		$goback = esc_url_raw( $goback );
 		$goback = urlencode( $goback );
 ?>
@@ -90,7 +90,7 @@
 	case 1:
 		wp_upgrade();
 
-			$backto = !empty($_GET['backto']) ? stripslashes( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
+			$backto = !empty($_GET['backto']) ? wp_unslash( urldecode( $_GET['backto'] ) ) : __get_option( 'home' ) . '/';
 			$backto = esc_url( $backto );
 			$backto = wp_validate_redirect($backto, __get_option( 'home' ) . '/');
 ?>

wp-admin/upload.php

@@ -132,7 +132,7 @@
 	wp_redirect( $location );
 	exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
-	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
+	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
 	 exit;
 }