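 /**
  * Normalize Elementor post meta on import.
  *
  * `_elementor_data` is a JSON blob that may contain backslashes; `add_post_meta`
  * unslashes its value, so the value is pre-slashed with `wp_slash` to keep the
  * stored JSON identical to the imported one. Only the first `_elementor_data`
  * entry is touched; entries without a `key` are ignored.
  *
  * The element is written back by index instead of through a `foreach (... as &$meta)`
  * reference: the original left the reference alive inside the returned array, which
  * is the classic PHP dangling-reference bug.
  *
  * @param array $post_meta List of `array('key' => ..., 'value' => ...)` entries.
  *
  * @return array The same list with the `_elementor_data` value slashed.
  */
 public static function on_wp_import_post_meta($post_meta)
 {
     foreach ($post_meta as $index => $meta) {
         if (isset($meta['key']) && '_elementor_data' === $meta['key']) {
             $post_meta[$index]['value'] = wp_slash($meta['value']);
             break;
         }
     }
     return $post_meta;
 }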
 /**
  * Sideload the remote images referenced by the Press This markup into the media
  * library and point the markup at the local copies.
  *
  * Only runs when the content contains `<img>` tags and the user has the
  * `upload_files` capability. Every tag whose double-quoted `src` (the Press This JS
  * emits double quotes only) ends in a jpg/jpeg/jpe/gif/png extension is handed to
  * `media_sideload_image`; on failure the original tag is left in place.
  * NOTE(review): `media_sideload_image` fetches a user-supplied URL — any URL
  * restriction is assumed to live inside that function, not here; confirm.
  *
  * @since 4.2.0
  * @access public
  *
  * @param int    $post_id Post ID the sideloaded images are attached to.
  * @param string $content Optional. Current expected markup for Press This. Expects slashed. Default empty.
  * @return string Slashed markup with the image URLs swapped where the sideload succeeded.
  */
 public function side_load_images($post_id, $content = '')
 {
     $markup = wp_unslash($content);
     if (!preg_match_all('/<img [^>]+>/', $markup, $found) || !current_user_can('upload_files')) {
         // Expected slashed on the way out.
         return wp_slash($markup);
     }
     foreach ((array) $found[0] as $img_tag) {
         // This is inserted from our JS so HTML attributes should always be in double quotes.
         if (!preg_match('/src="([^"]+)"/', $img_tag, $src_match)) {
             continue;
         }
         $remote_src = $src_match[1];
         // A src without a usable file extension makes the WP upload fail; skip it.
         if (!preg_match('/[^\\?]+\\.(?:jpe?g|jpe|gif|png)(?:\\?|$)/i', $remote_src)) {
             continue;
         }
         $local_src = media_sideload_image($remote_src, $post_id, null, 'src');
         if (is_wp_error($local_src)) {
             continue;
         }
         // Swap the URL inside the tag first, then the tag inside the markup, so
         // plain links to the original image elsewhere in the content survive.
         $local_tag = str_replace($remote_src, $local_src, $img_tag);
         $markup = str_replace($img_tag, $local_tag, $markup);
     }
     // Expected slashed
     return wp_slash($markup);
 }
 /**
  * Update the client's post and/or its meta.
  *
  * `name` maps to `post_title` and `description` to `post_content`; the post
  * fields are slashed because `wp_update_post` expects slashed input, and the
  * cached post object is reloaded after a successful write. Each `meta` entry is
  * written with `update_post_meta` unless it already holds that value
  * (`update_post_meta` reports "nothing changed" as a failure, so unchanged keys
  * are skipped first). NOTE(review): meta keys come straight from
  * `$params['meta']` with no allow-list in this method; confirm the caller
  * restricts which keys a client may set.
  *
  * @param array $params Parameters to update.
  * @return bool|WP_Error True on success, error object otherwise.
  */
 public function update($params)
 {
     $post_id = $this->post->ID;
     $fields = array();
     foreach (array('name' => 'post_title', 'description' => 'post_content') as $param => $column) {
         if (isset($params[$param])) {
             $fields[$column] = $params[$param];
         }
     }
     if (!empty($fields)) {
         $fields['ID'] = $post_id;
         $saved = wp_update_post(wp_slash($fields), true);
         if (is_wp_error($saved)) {
             return $saved;
         }
         // Reload the post property so later reads see the new values.
         $this->post = get_post($post_id);
     }
     if (empty($params['meta'])) {
         return true;
     }
     foreach ($params['meta'] as $meta_key => $meta_value) {
         if (get_post_meta($post_id, $meta_key, true) === $meta_value) {
             continue;
         }
         if (!update_post_meta($post_id, $meta_key, wp_slash($meta_value))) {
             return new WP_Error('rest_client_update_meta_failed', __('Could not update client metadata.', 'rest_oauth'));
         }
     }
     return true;
 }
 /**
  * Persist the editor data for a post, either as published content or as a draft.
  *
  * `$GLOBALS['post']` is temporarily swapped to the target post so widgets can rely
  * on `get_the_ID()` and other post data while the editor data is built, then put
  * back exactly as found (or unset if there was none). The JSON is slashed because
  * `update_post_meta` unslashes its value.
  *
  * @since 1.0.0
  * @param int    $post_id
  * @param array  $posted
  * @param string $revision One of the REVISION_* constants; REVISION_PUBLISH by default.
  *
  * @return void
  */
 public function save_editor($post_id, $posted, $revision = self::REVISION_PUBLISH)
 {
     $had_global_post = isset($GLOBALS['post']);
     $previous_post = $had_global_post ? $GLOBALS['post'] : null;
     $GLOBALS['post'] = get_post($post_id);
     $encoded = wp_slash(wp_json_encode($this->_get_editor_data($posted)));
     if (self::REVISION_PUBLISH === $revision) {
         $this->remove_draft($post_id);
         update_post_meta($post_id, '_elementor_data', $encoded);
         $this->_save_plain_text($post_id);
     } else {
         update_post_meta($post_id, '_elementor_draft_data', $encoded);
     }
     update_post_meta($post_id, '_elementor_version', self::DB_VERSION);
     // Restore the global post
     if ($had_global_post) {
         $GLOBALS['post'] = $previous_post;
     } else {
         unset($GLOBALS['post']);
     }
 }
 /**
  * Encode Page Builder section meta as slashed JSON for `update_post_meta`.
  *
  * JSON is used instead of letting WordPress `serialize` the array because the
  * serialized form has been seen to fail to unserialize with UTF-8 content on
  * some hosts. The result is slashed since `update_post_meta` unslashes its
  * value. Non-array input is returned slashed as-is. NOTE(review): `json_encode`
  * returns `false` on invalid UTF-8, which would be stored as an empty string —
  * confirm `sanitize_meta_data` guarantees valid UTF-8.
  *
  * @since  1.2.5
  *
  * @param mixed $meta Array of section meta, or a scalar.
  * @return string
  */
 public static function encode_pb_section_metadata($meta)
 {
     if (is_array($meta)) {
         $clean = self::sanitize_meta_data($meta);
         return wp_slash(json_encode($clean));
     }
     return wp_slash($meta);
 }
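 /**
  * Strip `[embed]...[/embed]` wrappers around a `[simple-links]` shortcode before
  * the post is saved, so the embed never reaches the database.
  *
  * Runs on slashed post data: the content is unslashed for the regex and
  * re-slashed afterwards. Data without a string `post_content` is returned
  * untouched (the original raised an undefined-index notice), and a PCRE failure
  * (`preg_replace` returning null) keeps the original content instead of
  * replacing the whole post body with an empty string.
  *
  * @param array $post_data wp_slashed array of post data.
  *
  * @return array
  */
 public function strip_embed_wraps_upon_save($post_data)
 {
     if (!is_array($post_data) || !isset($post_data['post_content']) || !is_string($post_data['post_content'])) {
         return $post_data;
     }
     $content = wp_unslash($post_data['post_content']);
     $stripped = preg_replace("/\\[embed\\](\\[simple-links([^\\]]*)\\])\\[\\/embed\\]/", "\$1", $content);
     if (null === $stripped) {
         // PCRE error (e.g. backtrack limit hit): leave the content as it was.
         return $post_data;
     }
     $post_data['post_content'] = wp_slash($stripped);
     return $post_data;
 }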
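/**
 * If a JSON blob of navigation menu data is in POST data, expand it and inject
 * it into `$_POST` to avoid PHP `max_input_vars` limitations. See #14134.
 *
 * `$_POST['nav-menu-data']` is expected to be a JSON list of `{name, value}`
 * objects mirroring form fields. Bracketed names (`menu-item-db-id[3][4][5]`)
 * are expanded into nested arrays and merged into `$_POST` with
 * `array_replace_recursive`; each leaf value is slashed like ordinary POST data.
 * Because this runs on the raw request, entries that are not objects with a
 * string `name` and a `value`, and names with an empty base key, are skipped
 * instead of producing notices or a `$_POST['']` entry.
 *
 * @ignore
 * @since 4.5.3
 * @access private
 */
function _wp_expand_nav_menu_post_data()
{
    if (!isset($_POST['nav-menu-data'])) {
        return;
    }
    $data = json_decode(stripslashes($_POST['nav-menu-data']));
    if (empty($data) || (!is_array($data) && !is_object($data))) {
        return;
    }
    foreach ($data as $post_input_data) {
        if (!is_object($post_input_data) || !isset($post_input_data->name) || !is_string($post_input_data->name) || !property_exists($post_input_data, 'value')) {
            continue;
        }
        // For input names that are arrays (e.g. `menu-item-db-id[3][4][5]`),
        // derive the array path keys via regex and set the value in $_POST.
        preg_match('#([^\\[]*)(\\[(.+)\\])?#', $post_input_data->name, $matches);
        if ('' === $matches[1]) {
            continue;
        }
        $array_bits = array($matches[1]);
        if (isset($matches[3])) {
            $array_bits = array_merge($array_bits, explode('][', $matches[3]));
        }
        // Build the new array value from leaf to trunk.
        $new_post_data = array();
        for ($i = count($array_bits) - 1; $i >= 0; $i--) {
            if ($i === count($array_bits) - 1) {
                $new_post_data[$array_bits[$i]] = wp_slash($post_input_data->value);
            } else {
                $new_post_data = array($array_bits[$i] => $new_post_data);
            }
        }
        $_POST = array_replace_recursive($_POST, $new_post_data);
    }
}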
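/**
 * Save keychain details from the post edit screen meta box.
 *
 * Bails on autosave, on a missing/invalid nonce, for any post type other than
 * `orbis_keychain`, and for users without `edit_post` on this post. The URL and
 * e-mail are validated by `filter_input_array`; a value that fails validation
 * (or is empty) deletes the corresponding meta instead of storing it. Values are
 * slashed before `update_post_meta`, which unslashes them again.
 *
 * The password comparison is done on the unslashed POST value: the stored meta
 * is unslashed, so comparing it with the slashed value (as before) flagged every
 * password containing a quote or backslash as "changed" and fired the update
 * action on each save. The comparison is also strict, so PHP's numeric-string
 * rules (`'1e3' == '1000'`) cannot mask a real change.
 *
 * The password itself is stored in plain text in post meta
 * (`_orbis_keychain_password`, FILTER_UNSAFE_RAW) and passed to the
 * `orbis_keychain_password_update` action in the clear — that is the existing
 * design of this meta box and is not changed here.
 *
 * @param int     $post_id
 * @param WP_Post $post
 */
function orbis_save_keychain_details($post_id, $post)
{
    // Doing autosave
    if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
        return;
    }
    // Verify nonce
    $nonce = filter_input(INPUT_POST, 'orbis_keychain_details_meta_box_nonce', FILTER_SANITIZE_STRING);
    if (!wp_verify_nonce($nonce, 'orbis_save_keychain_details')) {
        return;
    }
    // Check permissions
    if (!('orbis_keychain' === $post->post_type && current_user_can('edit_post', $post_id))) {
        return;
    }
    // FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; kept here unchanged, but
    // expect to replace it together with the nonce filter above.
    $definition = array('_orbis_keychain_url' => FILTER_VALIDATE_URL, '_orbis_keychain_email' => FILTER_VALIDATE_EMAIL, '_orbis_keychain_username' => FILTER_SANITIZE_STRING, '_orbis_keychain_password' => FILTER_UNSAFE_RAW);
    $raw = filter_input_array(INPUT_POST, $definition);
    if (!is_array($raw)) {
        // No POST body (filter_input_array returns null/false): nothing to save.
        return;
    }
    // Password: compare unslashed values, see the docblock.
    $password_old = get_post_meta($post_id, '_orbis_keychain_password', true);
    $password_new = $raw['_orbis_keychain_password'];
    $data = wp_slash($raw);
    foreach ($data as $key => $value) {
        if (empty($value)) {
            delete_post_meta($post_id, $key);
        } else {
            update_post_meta($post_id, $key, $value);
        }
    }
    // Action: only for published keychains whose password actually changed.
    if ('publish' === $post->post_status && !empty($password_old) && (string) $password_old !== (string) $password_new) {
        // @see https://github.com/woothemes/woocommerce/blob/v2.1.4/includes/class-wc-order.php#L1274
        do_action('orbis_keychain_password_update', $post_id, $password_old, $password_new);
    }
}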
 /**
  * Append a history entry for the current post.
  *
  * The entry is stored as one `add_post_meta` row under `self::HISTORY_KEY`,
  * JSON-encoded and slashed (post meta is unslashed on write). The `checksum`
  * is an identifier only: a `uniqid` suffix on the first 8 hex chars of an
  * unkeyed md5 over the entry. Anyone who can write the meta can recompute it,
  * so it offers no tamper evidence.
  *
  * @param string $message
  * @param array $data
  */
 public function add_entry($message, array $data = array())
 {
     $when = current_time('mysql');
     $digest = substr(hash('md5', $when . $message . serialize($data)), 0, 8);
     $entry = array(
         'datetime' => $when,
         'message' => $message,
         'data' => $data,
         'checksum' => uniqid($digest . '_'),
     );
     add_post_meta($this->post_id, self::HISTORY_KEY, wp_slash(json_encode($entry)));
 }
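 /**
  * A slashed meta key must resolve to the same row for add, update and get.
  *
  * `add_metadata`/`update_metadata` expect slashed input, so `foo\foo` is passed
  * through `wp_slash`; `get_metadata` takes the raw key. The update must hit the
  * row created by the add, i.e. read back `baz`, not `bar`. The unused
  * `global $wpdb` import was dropped.
  *
  * @ticket 35795
  */
 public function test_slashed_key_for_existing_metadata()
 {
     $key = 'foo\\foo';
     add_metadata('post', 123, wp_slash($key), 'bar');
     update_metadata('post', 123, wp_slash($key), 'baz');
     $this->assertSame('baz', get_metadata('post', 123, $key, true));
 }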
 /**
  * Store a single attribute as post meta on this object's post.
  *
  * String values are slashed first because `update_post_meta` unslashes its
  * input (otherwise a literal backslash or quote would be lost). Any other
  * value — including an array of strings — is passed through unchanged, so
  * slashes inside nested strings are presumably still stripped on save
  * (TODO confirm with callers before widening this to arrays).
  *
  * @param string $key   Meta key.
  * @param mixed  $value Meta value.
  * @return $this
  */
 public function setAttribute($key, $value)
 {
     // fix double quote slash
     $stored = is_string($value) ? wp_slash($value) : $value;
     update_post_meta($this->getId(), $key, $stored);
     return $this;
 }
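 /**
  * Fix importing Builder contents using WP_Import.
  *
  * `update_post_meta` strips slashes from its value, which would corrupt the
  * builder data, so the value is re-slashed before saving. Only this plugin's
  * `$this->meta_key` is handled; every other key is ignored. The key comparison
  * is strict (both sides cast to string) so a numeric-looking key cannot match
  * by PHP's loose string-to-number rules.
  *
  * @param int    $post_id Imported post ID.
  * @param string $key     Meta key being imported.
  * @param mixed  $value   Meta value.
  */
 function import_post_meta($post_id, $key, $value)
 {
     if ((string) $key !== (string) $this->meta_key) {
         return;
     }
     /* slashes are removed by update_post_meta, add them to protect the data */
     update_post_meta($post_id, $this->meta_key, wp_slash($value));
 }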
 /**
  * Update a WP User Option for the current user through the User Options API.
  *
  * Returns false without writing when nobody is logged in (there is no option
  * to update). The value is slashed before the call because WP unslashes it.
  * The fourth argument of `update_user_option` is passed as `false`, unchanged.
  *
  * @since 1.0.0
  *
  * @param string $option_name Name of the WP User Option.
  * @param string $new_value   New value of the WP User Option (not slashed).
  * @return bool True on success, false on failure.
  */
 protected function _update_option($option_name, $new_value)
 {
     if (!is_user_logged_in()) {
         // Non-logged-in user can never have a saved option value to be updated.
         return false;
     }
     $user_id = get_current_user_id();
     return update_user_option($user_id, $option_name, wp_slash($new_value), false);
 }
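 /**
  * Render the duplicate / delete / preview action links for a slider row.
  *
  * All three hrefs are now built with `add_query_arg` + `esc_url`, so the `page`
  * value taken from the request and the slider ID cannot break out of the `href`
  * attribute — the previous string-built `?page=%s` put `$_REQUEST['page']` into
  * the page unescaped (a reflected XSS sink). The delete confirmation text goes
  * through `esc_js`: `wp_slash` only backslashes quotes and is not an escaper for
  * a JS string inside an HTML attribute. The ID handed to the inline preview call
  * is cast to int (slider IDs are assumed to be numeric table keys).
  * Duplicate and delete remain plain links without a nonce; whether the action
  * handler verifies one is outside this method — NOTE(review): confirm.
  *
  * @param array $item Row data; `ID` is the slider ID.
  * @return string HTML for the action buttons.
  */
 function column_action($item)
 {
     $paged = (int) $this->get_pagenum();
     $page = isset($_REQUEST['page']) ? $_REQUEST['page'] : '';
     $slider_id = (int) $item['ID'];
     $link_args = array('page' => $page, 'slider_id' => $slider_id);
     if ($paged > 1) {
         $link_args['paged'] = $paged;
     }
     $buttons = '';
     if (current_user_can('duplicate_masterslider') || apply_filters('masterslider_admin_display_duplicate_btn', 0)) {
         $url = esc_url(add_query_arg(array_merge($link_args, array('action' => 'duplicate'))));
         $buttons .= sprintf('<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="%s"><span></span>%s</a>', $url, __('duplicate'));
     }
     if (current_user_can('delete_masterslider') || apply_filters('masterslider_admin_display_delete_btn', 0)) {
         $url = esc_url(add_query_arg(array_merge($link_args, array('action' => 'delete'))));
         $message = apply_filters('masterslider_admin_delete_btn_alert_message', __('Are you sure you want to delete this slider?', 'master-slider'));
         $buttons .= sprintf('<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="%s" onClick="return confirm(\'%s\');" ><span></span>%s</a>', $url, esc_js($message), __('delete'));
     }
     $url = esc_url(add_query_arg(array('page' => $page, 'action' => 'preview', 'slider_id' => $slider_id)));
     $buttons .= sprintf('<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="%s" onClick="lunchMastersliderPreviewBySliderID(%d);return false;" ><span></span>%s</a>', $url, $slider_id, __('preview'));
     return $buttons;
 }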
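 /**
  * Render the duplicate / delete / preview action links for a slider row.
  *
  * The hrefs are built with `add_query_arg` + `esc_url`, so `page` and the
  * slider ID cannot break out of the attribute. The delete confirmation text is
  * escaped with `esc_js` instead of `wp_slash`: `wp_slash` only backslashes
  * quotes and is not a JS-string escaper for an `onClick` attribute. The ID
  * passed to the inline preview call is cast to int (slider IDs are assumed to
  * be numeric table keys), `$_GET['page']` is read with `isset`, and the unused
  * `$paged_arg` local is gone. Duplicate and delete links carry no nonce;
  * whether the handler checks one is outside this method — NOTE(review): confirm.
  *
  * @param array $item Row data; `ID` is the slider ID.
  * @return string HTML for the action buttons.
  */
 function column_action($item)
 {
     $paged = $this->get_pagenum();
     $page = isset($_GET['page']) ? $_GET['page'] : '';
     $slider_id = (int) $item['ID'];
     $buttons = '';
     if (current_user_can('duplicate_masterslider') || apply_filters('masterslider_admin_display_duplicate_btn', 0)) {
         $url = esc_url(add_query_arg(array('page' => $page, 'action' => 'duplicate', 'slider_id' => $slider_id, 'paged' => $paged)));
         $buttons .= sprintf('<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="%s"><span></span>%s</a>', $url, __('duplicate', MSWP_TEXT_DOMAIN));
     }
     if (current_user_can('delete_masterslider') || apply_filters('masterslider_admin_display_delete_btn', 0)) {
         $url = esc_url(add_query_arg(array('page' => $page, 'action' => 'delete', 'slider_id' => $slider_id, 'paged' => $paged)));
         $message = apply_filters('masterslider_admin_delete_btn_alert_message', __('Are you sure you want to delete this slider?', MSWP_TEXT_DOMAIN));
         $buttons .= sprintf('<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="%s" onClick="return confirm(\'%s\');" ><span></span>%s</a>', $url, esc_js($message), __('delete', MSWP_TEXT_DOMAIN));
     }
     $url = esc_url(add_query_arg(array('page' => $page, 'action' => 'preview', 'slider_id' => $slider_id)));
     $buttons .= sprintf('<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="%s" onClick="lunchMastersliderPreviewBySliderID(%d);return false;" ><span></span>%s</a>', $url, $slider_id, __('preview', MSWP_TEXT_DOMAIN));
     return $buttons;
 }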
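 /**
  * Add slashes to a string or array of strings.
  *
  * This should be used when preparing data for core API that expects slashed data.
  * This should not be used to escape data going directly into an SQL query.
  *
  * Arrays are slashed recursively. Values that are not strings (ints, floats,
  * bools, null) are returned untouched: running them through `addslashes`, as the
  * previous version did, coerced them to strings (null and false became ``),
  * silently changing the stored type, and `addslashes(null)` is deprecated as of
  * PHP 8.1.
  *
  * @since 3.6.0
  *
  * @param string|array $value String or array of strings to slash.
  * @return string|array Slashed $value
  */
 function wp_slash($value)
 {
     if (is_array($value)) {
         foreach ($value as $k => $v) {
             $value[$k] = wp_slash($v);
         }
         return $value;
     }
     if (is_string($value)) {
         return addslashes($value);
     }
     return $value;
 }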
/**
 * Record a rating for a post as a comment of type EXTRA_RATING_COMMENT_TYPE.
 *
 * A user who has already rated the post (per `extra_get_user_post_rating`) gets
 * an empty array and nothing is written. Otherwise the absolute value of the
 * rating becomes the comment content; no upper bound is applied here, so range
 * validation has to happen in the caller — NOTE(review): confirm, since an
 * out-of-range value would feed straight into `extra_set_post_rating_average`.
 * Logged-in users are attached by ID with their (slashed) display name, and the
 * rating notification is suppressed via the `extra_rating_notify_intercept` filter.
 *
 * @param int       $post_id Post being rated.
 * @param int|float $rating  Rating value.
 * @return array Empty if the user already rated; otherwise `rating` and the new `average`.
 */
function extra_add_post_rating($post_id, $rating)
{
    if (extra_get_user_post_rating($post_id)) {
        return array();
    }
    $comment = array(
        'comment_type' => EXTRA_RATING_COMMENT_TYPE,
        'comment_author' => '',
        'comment_author_url' => '',
        'comment_author_email' => '',
        'comment_post_ID' => absint($post_id),
        'comment_content' => abs(floatval($rating)),
    );
    $current_user = wp_get_current_user();
    if ($current_user->exists()) {
        $comment['comment_author'] = wp_slash($current_user->display_name);
        $comment['user_ID'] = $current_user->ID;
    }
    // prevent notifications
    add_filter('extra_rating_notify_intercept', '__return_zero');
    wp_new_comment($comment);
    $average = extra_set_post_rating_average($post_id);
    return array('rating' => $rating, 'average' => $average);
}
	/**
	 * Test the WP_Customize_Manager::post_value() method
	 *
	 * `$_POST['customized']` is seeded with slashed JSON, the shape WordPress sees
	 * after slashing the superglobals. A setting present in that JSON must be
	 * returned by post_value() while value() still yields the default (nothing is
	 * previewed); a setting absent from it must fall back to the supplied default.
	 *
	 * @ticket 30988
	 */
	function test_post_value() {
		$customized = array( 'foo' => 'OOF' );
		$_POST['customized'] = wp_slash( wp_json_encode( $customized ) );

		$manager = $this->instantiate();

		$manager->add_setting( 'foo', array( 'default' => 'foo_default' ) );
		$foo = $manager->get_setting( 'foo' );
		$this->assertEquals( 'foo_default', $foo->value(), 'Expected non-previewed setting to return default when value() method called.' );
		$this->assertEquals( 'OOF', $manager->post_value( $foo, 'post_value_foo_default' ), 'Expected post_value($foo_setting) to return value supplied in $_POST[customized][foo]' );

		$manager->add_setting( 'bar', array( 'default' => 'bar_default' ) );
		$bar = $manager->get_setting( 'bar' );
		$this->assertEquals( 'post_value_bar_default', $manager->post_value( $bar, 'post_value_bar_default' ), 'Expected post_value($bar_setting, $default) to return $default since no value supplied in $_POST[customized][bar]' );
	}
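/**
 * AJAX handler: save a form from the builder.
 *
 * Requires a valid `wpforms-builder` nonce and the capability from the
 * `wpforms_manage_cap` filter (`manage_options` by default). `$_POST['data']` is
 * a JSON list of `{name, value}` objects in the same shape as WordPress's
 * nav-menu payload; bracketed names are expanded into nested arrays and merged
 * with `array_replace_recursive`, each leaf slashed like ordinary POST data.
 * Entries that are not objects with a string `name` and a `value`, or whose
 * base key is empty, are skipped instead of raising notices. `id`,
 * `settings.form_title` and `settings.form_desc` are read defensively so a
 * payload missing them cannot trigger undefined-index notices before
 * `wpforms()->form->update` rejects it.
 *
 * @since 1.0.0
 */
function wpforms_save_form()
{
    // Run a security check
    check_ajax_referer('wpforms-builder', 'nonce');
    // Check for permissions
    if (!current_user_can(apply_filters('wpforms_manage_cap', 'manage_options'))) {
        die(__('You do no have permission.', 'wpforms'));
    }
    // Check for form data
    if (empty($_POST['data'])) {
        die(__('No data provided', 'wpforms'));
    }
    $form_post = json_decode(stripslashes($_POST['data']));
    $data = array();
    if (!empty($form_post) && (is_array($form_post) || is_object($form_post))) {
        foreach ($form_post as $post_input_data) {
            if (!is_object($post_input_data) || !isset($post_input_data->name) || !is_string($post_input_data->name) || !property_exists($post_input_data, 'value')) {
                continue;
            }
            // For input names that are arrays (e.g. `menu-item-db-id[3][4][5]`),
            // derive the array path keys via regex and set the value in $data.
            preg_match('#([^\\[]*)(\\[(.+)\\])?#', $post_input_data->name, $matches);
            if ('' === $matches[1]) {
                continue;
            }
            $array_bits = array($matches[1]);
            if (isset($matches[3])) {
                $array_bits = array_merge($array_bits, explode('][', $matches[3]));
            }
            // Build the new array value from leaf to trunk.
            $new_post_data = array();
            for ($i = count($array_bits) - 1; $i >= 0; $i--) {
                if ($i === count($array_bits) - 1) {
                    $new_post_data[$array_bits[$i]] = wp_slash($post_input_data->value);
                } else {
                    $new_post_data = array($array_bits[$i] => $new_post_data);
                }
            }
            $data = array_replace_recursive($data, $new_post_data);
        }
    }
    $form_id = wpforms()->form->update(isset($data['id']) ? $data['id'] : null, $data);
    do_action('wpforms_builder_save_form', $form_id, $data);
    if (!$form_id) {
        die(__('An error occured and the form could not be saved', 'wpforms'));
    }
    $settings = isset($data['settings']) && is_array($data['settings']) ? $data['settings'] : array();
    wp_send_json_success(array(
        'form_name' => esc_html(isset($settings['form_title']) ? $settings['form_title'] : ''),
        'form_desc' => isset($settings['form_desc']) ? $settings['form_desc'] : '',
        'redirect' => admin_url('admin.php?page=wpforms-overview'),
    ));
}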
/**
 * Helper function to update post meta data.
 *
 * Each key in `$data` is written with `update_post_meta`; keys whose value is
 * null or the empty string are deleted instead. The whole array is slashed
 * first because post meta values are passed through `stripslashes()` on store,
 * which would otherwise eat escape characters in values such as JSON.
 *
 * @see http://codex.wordpress.org/Function_Reference/update_post_meta
 *
 * @param int $post_id
 * @param array $data
 */
function pronamic_pay_update_post_meta_data($post_id, array $data)
{
    foreach (wp_slash($data) as $meta_key => $meta_value) {
        $is_blank = !isset($meta_value) || '' === $meta_value;
        if ($is_blank) {
            delete_post_meta($post_id, $meta_key);
            continue;
        }
        update_post_meta($post_id, $meta_key, $meta_value);
    }
}
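/**
 * Update a post with new post data.
 *
 * `$postarr` is expected slashed; an object is treated as an unslashed post and
 * slashed here. The stored row is fetched, slashed, and merged underneath
 * `$postarr` so unspecified fields keep their stored values. A non-empty
 * `post_category` in `$postarr` overrides the stored list. Drafts, pending and
 * auto-draft posts with an unset `post_date_gmt` get their date cleared to
 * "now" unless `edit_date` was given. Attachments go to `wp_insert_attachment`,
 * everything else to `wp_insert_post`.
 *
 * A missing or empty `ID` is now rejected up front ("Invalid post ID") instead
 * of being handed to `get_post`. NOTE(review): `get_post` with an empty ID is
 * documented to fall back to the current global post, which would make an
 * ID-less call silently update the wrong row — not visible here, confirm.
 *
 * @param array|object $postarr  Optional. Post data. Arrays are expected to be escaped, objects are not.
 * @param bool         $wp_error Optional. Allow return of WP_Error on failure. Default false.
 * @return int|WP_Error The post ID on success; 0, or a WP_Error when `$wp_error` is set, on failure.
 */
function wp_update_post($postarr = array(), $wp_error = false)
{
    if (is_object($postarr)) {
        // Non-escaped post was passed.
        $postarr = get_object_vars($postarr);
        $postarr = wp_slash($postarr);
    }
    // First, get all of the original fields.
    $post = empty($postarr['ID']) ? null : get_post($postarr['ID'], ARRAY_A);
    if (is_null($post)) {
        if ($wp_error) {
            return new WP_Error('invalid_post', __('Invalid post ID.'));
        }
        return 0;
    }
    // Escape data pulled from DB.
    $post = wp_slash($post);
    // Passed post category list overwrites existing category list if not empty.
    if (isset($postarr['post_category']) && is_array($postarr['post_category']) && 0 != count($postarr['post_category'])) {
        $post_cats = $postarr['post_category'];
    } else {
        $post_cats = $post['post_category'];
    }
    // Drafts shouldn't be assigned a date unless explicitly done so by the user.
    $clear_date = isset($post['post_status'])
        && in_array($post['post_status'], array('draft', 'pending', 'auto-draft'), true)
        && empty($postarr['edit_date'])
        && '0000-00-00 00:00:00' == $post['post_date_gmt'];
    // Merge old and new fields with new fields overwriting old ones.
    $postarr = array_merge($post, $postarr);
    $postarr['post_category'] = $post_cats;
    if ($clear_date) {
        $postarr['post_date'] = current_time('mysql');
        $postarr['post_date_gmt'] = '';
    }
    if ('attachment' == $postarr['post_type']) {
        return wp_insert_attachment($postarr);
    }
    return wp_insert_post($postarr, $wp_error);
}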
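 /**
  * Filter input and return sanitized output.
  *
  * Input is unslashed first (`stripslashes_deep`), then:
  *  - empty values, ints and floats are returned as-is;
  *  - objects and arrays are sanitized recursively (keys included), objects being
  *    rebuilt as `stdClass`;
  *  - when `$params['type']` is a `$wpdb->prepare` format containing `%`, the
  *    unslashed input is run through `$wpdb->prepare` with that format. This
  *    branch previously passed the still-empty `$output` accumulator instead of
  *    `$input`, so the placeholder never received the value being sanitized;
  *  - otherwise the value is slashed with `wp_slash`.
  *
  * @param mixed $input  The string, array, or object to sanitize
  * @param array $params Additional options (`nested`, `type`); a non-array is
  *                      taken as the `type` value.
  *
  * @return array|mixed|object|string|void
  *
  * @since 1.1.10
  */
 public static function sanitize($input, $params = array())
 {
     $input = stripslashes_deep($input);
     if ('' === $input || is_int($input) || is_float($input) || empty($input)) {
         return $input;
     }
     $defaults = array('nested' => false, 'type' => null);
     if (!is_array($params)) {
         $defaults['type'] = $params;
         $params = $defaults;
     } else {
         $params = array_merge($defaults, (array) $params);
     }
     if (is_object($input) || is_array($input)) {
         $nested_params = $params;
         $nested_params['nested'] = true;
         $output = array();
         $members = is_object($input) ? get_object_vars($input) : $input;
         foreach ($members as $key => $val) {
             $output[self::sanitize($key)] = self::sanitize($val, $nested_params);
         }
         return is_object($input) ? (object) $output : $output;
     }
     if (!empty($params['type']) && false !== strpos($params['type'], '%')) {
         /**
          * @var $wpdb wpdb
          */
         global $wpdb;
         return $wpdb->prepare($params['type'], $input);
     }
     return wp_slash($input);
 }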
 /**
  * Autosave endpoint: store the submitted title/content/excerpt for a post.
  *
  * After switching to the requested blog and validating the user, the caller
  * must hold `edit_post` on the target post. An unlocked draft or auto-draft
  * owned by the current user is overwritten in place via `edit_post`; anything
  * else goes into a per-user autosave via `wp_create_post_autosave`, and the
  * preview URL gets `preview_id` plus a `post_preview_{ID}` nonce. Both core
  * functions expect slashed input, so `$post_data` is slashed once up front.
  * NOTE(review): `title`/`content`/`excerpt` are read from `$input` without
  * `isset`; presumably the endpoint schema guarantees them — confirm.
  *
  * @param string $path    Endpoint path (unused).
  * @param int    $blog_id Blog ID.
  * @param int    $post_id Post ID.
  * @return array|WP_Error Autosave ID, post ID, modified date and preview URL, or an error.
  */
 function callback($path = '', $blog_id = 0, $post_id = 0)
 {
     $blog_id = $this->api->switch_to_blog_and_validate_user($this->api->get_blog_id($blog_id));
     if (is_wp_error($blog_id)) {
         return $blog_id;
     }
     $args = $this->query_args();
     $input = $this->input(false);
     if (!is_array($input) || !$input) {
         return new WP_Error('invalid_input', 'Invalid request input', 400);
     }
     $post = get_post($post_id);
     if (!$post || is_wp_error($post)) {
         return new WP_Error('unknown_post', 'Unknown post', 404);
     }
     if (!current_user_can('edit_post', $post->ID)) {
         return new WP_Error('unauthorized', 'User cannot edit post', 403);
     }
     $post_data = wp_slash(array(
         'post_ID' => $post_id,
         'post_title' => $input['title'],
         'post_content' => $input['content'],
         'post_excerpt' => $input['excerpt'],
     ));
     $preview_url = add_query_arg('preview', 'true', get_permalink($post->ID));
     $is_own_unlocked_draft = !wp_check_post_lock($post->ID)
         && get_current_user_id() == $post->post_author
         && in_array($post->post_status, array('auto-draft', 'draft'), true);
     if ($is_own_unlocked_draft) {
         // Drafts and auto-drafts are just overwritten by autosave for the same user if the post is not locked
         $auto_ID = edit_post($post_data);
     } else {
         // Non drafts or other users drafts are not overwritten. The autosave is stored in a special post revision for each user.
         $auto_ID = wp_create_post_autosave($post_data);
         $nonce = wp_create_nonce('post_preview_' . $post->ID);
         $preview_url = add_query_arg(array('preview_id' => $auto_ID, 'preview_nonce' => $nonce), $preview_url);
     }
     $updated_post = get_post($auto_ID);
     if (!$updated_post || !$updated_post->ID || !$updated_post->post_modified) {
         return new WP_Error('autosave_error', __('Autosave encountered an unexpected error', 'jetpack'), 500);
     }
     return array('ID' => $auto_ID, 'post_ID' => $post->ID, 'modified' => $this->format_date($updated_post->post_modified), 'preview_URL' => $preview_url);
 }
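 /**
  * Compute the theme template files a content template may be previewed with,
  * and make sure the stored choice for the requested template is one of them.
  *
  * For every usage of the content template, the matching pattern's template
  * hierarchy (`single-%NAME%.php`, `single.php`, ...) is resolved against the
  * theme's PHP files; the first file that exists wins. The result is cached in
  * `$this->allowed_templates`.
  *
  * When `ct_id` is in the query string and the stored `template_path` for that
  * post is not in the allowed set, the first allowed template is written back
  * as the new choice. Changes from the original: `ct_id` is checked with `isset`
  * and cast to int *before* it is used (it was read unguarded first), a post
  * type / taxonomy that is no longer registered is skipped instead of
  * dereferencing null, and the unused `$stored` read is gone. NOTE(review):
  * this still writes post meta during a read, keyed by a GET parameter; a
  * capability check on `ct_id` is assumed to happen in the caller — confirm.
  *
  * @return array List of `array('slug', 'domain', 'form-option-label', 'path')`.
  */
 public function getFrontendTemplates()
 {
     if ($this->allowed_templates !== null) {
         return $this->allowed_templates;
     }
     $content_template_usages = $this->getUsages();
     $theme_template_files = (array) wp_get_theme()->get_files('php', 1, true);
     $wpv_options_patterns = array(
         'views_template_for_' => array('label' => __('Single page', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => array('single-%NAME%.php', 'single.php', 'singular.php', 'index.php')),
         'views_template_archive_for_' => array('label' => __('Post archive', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => array('archive-%NAME%.php', 'archive.php', 'index.php')),
         'views_template_loop_' => array('label' => __('Taxonomy archive', 'wpv-views'), 'domain' => 'taxonomy', 'template_hierarchy' => array('taxonomy-%NAME%.php', 'taxonomy.php', 'archive.php', 'index.php')),
         'view_loop_preview_post_type_' => array('label' => __('View loop', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => array('single-%NAME%.php', 'single.php', 'singular.php', 'index.php')),
         'view_wpa_loop_preview_post_type_' => array('label' => __('WordPress Archive loop', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => array('archive-%NAME%.php', 'archive.php', 'index.php')),
         'view_wpa_loop_preview_taxonomy_' => array('label' => __('WordPress Archive loop', 'wpv-views'), 'domain' => 'taxonomy', 'template_hierarchy' => array('taxonomy-%NAME%.php', 'taxonomy.php', 'archive.php', 'index.php')),
     );
     $this->allowed_templates = array();
     foreach ($content_template_usages as $usage => $ct_id) {
         foreach ($wpv_options_patterns as $pattern => $settings) {
             if (strpos($usage, $pattern) === false) {
                 continue;
             }
             $type_name = str_replace($pattern, '', $usage);
             $type_object = $settings['domain'] == 'post' ? get_post_type_object($type_name) : get_taxonomy($type_name);
             if (!$type_object) {
                 // Unregistered post type / taxonomy: nothing to preview with.
                 continue;
             }
             foreach ($settings['template_hierarchy'] as $template_file) {
                 $template_file = str_replace('%NAME%', $type_object->name, $template_file);
                 if (array_key_exists($template_file, $theme_template_files)) {
                     $this->allowed_templates[] = array('slug' => $type_object->name, 'domain' => $settings['domain'], 'form-option-label' => $settings['label'] . ' ' . $type_object->labels->name, 'path' => $theme_template_files[$template_file]);
                     break;
                 }
             }
         }
     }
     // Make sure that the stored template path is in the allowed ones, or force it otherwise
     $allowed_paths = wp_list_pluck($this->allowed_templates, 'path');
     $requested_ct_id = isset($_GET['ct_id']) ? (int) $_GET['ct_id'] : 0;
     if ($requested_ct_id > 0 && !empty($allowed_paths)) {
         $option_name = $this->manager->getActiveEditor()->getOptionName();
         $current_template = get_post_meta($requested_ct_id, $option_name, true);
         if (!isset($current_template['template_path']) || !in_array($current_template['template_path'], $allowed_paths, true)) {
             $first_allowed_template = reset($this->allowed_templates);
             $settings_to_store = array('template_path' => wp_slash($first_allowed_template['path']), 'preview_domain' => $first_allowed_template['domain'], 'preview_slug' => $first_allowed_template['slug']);
             update_post_meta($requested_ct_id, $option_name, $settings_to_store);
         }
     }
     return $this->allowed_templates;
 }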
 /**
  * Header values must come back unslashed from the served request.
  *
  * WordPress slashes the superglobals at bootstrap, so the test seeds
  * `$_SERVER['HTTP_X_MY_HEADER']` with a `wp_slash`ed value and expects the
  * original string back from `get_header()`.
  */
 public function test_serve_request_headers_are_unslashed()
 {
     $raw_value = 'data\\with\\slashes';
     $route_args = array('methods' => WP_REST_Server::READABLE, 'callback' => '__return_false', 'args' => array('data' => array()));
     $this->server->register_route('test', '/test', array($route_args));
     // WordPress internally will slash the superglobals on bootstrap
     $_SERVER['HTTP_X_MY_HEADER'] = wp_slash($raw_value);
     $this->server->serve_request('/test/' . $raw_value);
     $this->assertEquals($raw_value, $this->server->last_request->get_header('x_my_header'));
 }
/**
 * A simpler way of inserting a user into the database.
 *
 * Creates a new user with just the username, password, and email. For more
 * complex user creation use {@see wp_insert_user()} to specify more information.
 *
 * The login and e-mail are slashed because `wp_insert_user` expects slashed
 * input; the password is handed over untouched (not slashed here).
 *
 * @since 2.0.0
 * @see wp_insert_user() More complete way to create a new user
 *
 * @param string $username The user's username.
 * @param string $password The user's password.
 * @param string $email    Optional. The user's email. Default empty.
 * @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not
 *                      be created.
 */
function wp_create_user($username, $password, $email = '')
{
    return wp_insert_user(array(
        'user_login' => wp_slash($username),
        'user_email' => wp_slash($email),
        'user_pass' => $password,
    ));
}
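 /**
  * Slash a string or an array of strings for a core API that expects slashed data.
  *
  * Strings go through `wp_slash`; arrays are walked recursively, slashing string
  * leaves and leaving objects untouched. `$data` is modified in place *and*
  * returned for both scalars and arrays. Previously a scalar was only returned
  * (the by-reference argument was left untouched) while an array was only
  * modified in place (nothing was returned), so callers got a different contract
  * depending on the type they passed. The recursive walk no longer uses a
  * `foreach` reference, so no dangling reference is left in the array.
  *
  * @since 1.5.2
  *
  * @param string|array $data Escape single string or array of strings.
  * @return string|array Type matches $data and sanitized for the database.
  */
 public function escape(&$data)
 {
     if (!is_array($data)) {
         $data = wp_slash($data);
         return $data;
     }
     foreach ($data as $key => $value) {
         if (is_array($value)) {
             $this->escape($data[$key]);
         } elseif (!is_object($value)) {
             $data[$key] = wp_slash($value);
         }
     }
     return $data;
 }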
/**
 * Ajax handler for updating attachment attributes.
 *
 * Requires `id` and `changes` in the request, an `update-post_{id}` nonce and
 * `edit_post` on the attachment, which must be of type `attachment`. Parent,
 * title, caption and description are copied into the post row as-is (request
 * data is already slashed, which is what `wp_update_post` expects); `status` is
 * honoured only when MEDIA_TRASH is on. `alt` is unslashed, compared with the
 * stored value, tag-stripped and re-slashed for `update_post_meta`. For audio
 * attachments the ID3 keys from `wp_get_attachment_id3_keys` are sanitized into
 * the attachment metadata. A `trash` status (with MEDIA_TRASH) deletes the post
 * instead of updating it.
 *
 * @since 3.5.0
 */
function wp_ajax_save_attachment()
{
    if (!isset($_REQUEST['id']) || !isset($_REQUEST['changes'])) {
        wp_send_json_error();
    }
    $id = absint($_REQUEST['id']);
    if (!$id) {
        wp_send_json_error();
    }
    check_ajax_referer('update-post_' . $id, 'nonce');
    if (!current_user_can('edit_post', $id)) {
        wp_send_json_error();
    }
    $changes = $_REQUEST['changes'];
    $post = get_post($id, ARRAY_A);
    if ('attachment' != $post['post_type']) {
        wp_send_json_error();
    }
    // Plain field copies: request key => post column.
    $field_map = array('parent' => 'post_parent', 'title' => 'post_title', 'caption' => 'post_excerpt', 'description' => 'post_content');
    foreach ($field_map as $change_key => $column) {
        if (isset($changes[$change_key])) {
            $post[$column] = $changes[$change_key];
        }
    }
    $status_change = MEDIA_TRASH && isset($changes['status']);
    if ($status_change) {
        $post['post_status'] = $changes['status'];
    }
    if (isset($changes['alt'])) {
        $alt = wp_unslash($changes['alt']);
        if ($alt != get_post_meta($id, '_wp_attachment_image_alt', true)) {
            // Alt text is plain text: strip markup, then re-slash for the meta API.
            update_post_meta($id, '_wp_attachment_image_alt', wp_slash(wp_strip_all_tags($alt, true)));
        }
    }
    if (wp_attachment_is('audio', $post['ID'])) {
        $id3data = wp_get_attachment_metadata($post['ID']);
        $changed = !is_array($id3data);
        if ($changed) {
            $id3data = array();
        }
        foreach (wp_get_attachment_id3_keys((object) $post, 'edit') as $key => $label) {
            if (!isset($changes[$key])) {
                continue;
            }
            $changed = true;
            $id3data[$key] = sanitize_text_field(wp_unslash($changes[$key]));
        }
        if ($changed) {
            wp_update_attachment_metadata($id, $id3data);
        }
    }
    if ($status_change && 'trash' === $changes['status']) {
        wp_delete_post($id);
    } else {
        wp_update_post($post);
    }
    wp_send_json_success();
}
     */
    do_action('pre_comment_on_post', $comment_post_ID);
}
// Pull the submitted author fields out of the raw POST. Only `author` has tags
// stripped at this point; e-mail, URL and the comment body are merely trimmed and
// still carry the slashes WordPress adds to the superglobals at bootstrap.
// NOTE(review): the remaining validation of these values is assumed to happen in
// the code that follows this excerpt — confirm.
$comment_author = isset($_POST['author']) ? trim(strip_tags($_POST['author'])) : null;
$comment_author_email = isset($_POST['email']) ? trim($_POST['email']) : null;
$comment_author_url = isset($_POST['url']) ? trim($_POST['url']) : null;
$comment_content = isset($_POST['comment']) ? trim($_POST['comment']) : null;
// If the user is logged in
$user = wp_get_current_user();
if ($user->exists()) {
    if (empty($user->display_name)) {
        $user->display_name = $user->user_login;
    }
    // A logged-in user cannot spoof the author fields: they are replaced with the
    // account's values, slashed to match the shape of the POST data above.
    $comment_author = wp_slash($user->display_name);
    $comment_author_email = wp_slash($user->user_email);
    $comment_author_url = wp_slash($user->user_url);
    if (current_user_can('unfiltered_html')) {
        // Even a user allowed to post raw HTML only gets it with a valid
        // `unfiltered-html-comment_{post}` nonce; otherwise the kses filters are
        // reinstated so this comment is sanitized like everyone else's.
        if (!isset($_POST['_wp_unfiltered_html_comment']) || !wp_verify_nonce($_POST['_wp_unfiltered_html_comment'], 'unfiltered-html-comment_' . $comment_post_ID)) {
            kses_remove_filters();
            // start with a clean slate
            kses_init_filters();
            // set up the filters
        }
    }
} else {
    // Anonymous commenters are rejected when registration is required or the
    // post is private (`$status` is set earlier, outside this excerpt).
    if (get_option('comment_registration') || 'private' == $status) {
        wp_die(__('Sorry, you must be logged in to post a comment.'), 403);
    }
}
$comment_type = '';
if (get_option('require_name_email') && !$user->exists()) {
 /**
  * Store the menu export record as user meta for the current user.
  *
  * `update_metadata` unslashes its value, so the export is slashed first to
  * keep any backslashes in it intact.
  *
  * @param array $export
  * @return bool
  */
 function set_exported_menu($export)
 {
     $current_user_id = wp_get_current_user()->ID;
     return update_metadata('user', $current_user_id, 'custom_menu_export', wp_slash($export));
 }