 function test_wp_kses_bad_protocol()
 {
     // Protocol-smuggling variants: mixed case, entity-encoded colons,
     // embedded tabs/newlines, leading whitespace and nested/duplicated
     // schemes. The array index selects, in the switch below, the expected
     // output for the few inputs that are not reduced to the bare payload.
     // NOTE(review): some literals here and in $safe look HTML-decoded by the
     // extraction (an entity collapsed to '&' or "'"); they are kept exactly
     // as shown -- compare with the upstream test file before relying on them.
     $bad = array('dummy:alert(1)', 'javascript:alert(1)', 'JaVaScRiPt:alert(1)', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript&#0000058alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', 'javascript:alert(1);', '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29', 'jav	ascript:alert(1);', 'jav	ascript:alert(1);', 'jav
ascript:alert(1);', 'jav
ascript:alert(1);', '   javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript&#0000058javascript:alert(1);', 'javascript:javascript:alert(1);', 'javascript:javascript&#0000058alert(1);', 'javascript&#0000058alert(1)//?:', 'feed:javascript:alert(1)', 'feed:javascript:feed:javascript:feed:javascript:alert(1)');
     foreach ($bad as $k => $x) {
         // Entities are normalized first, as wp_kses() does, so an encoded
         // colon cannot hide the scheme from the protocol check.
         $result = wp_kses_bad_protocol(wp_kses_normalize_entities($x), wp_allowed_protocols());
         // An empty result or the bare payload means the scheme was stripped;
         // anything else must match one of the known-acceptable forms below.
         if (!empty($result) && $result != 'alert(1);' && $result != 'alert(1)') {
             switch ($k) {
                 case 6:
                     // Expected to come back unchanged.
                     $this->assertEquals('javascript&#0000058alert(1);', $result);
                     break;
                 case 12:
                     // NOTE(review): str_replace('&', '&', $x) is a no-op as shown;
                     // the original likely replaced an '&amp;' entity -- confirm.
                     $this->assertEquals(str_replace('&', '&', $x), $result);
                     break;
                 case 22:
                     // Only the leading 'javascript:' scheme is expected to be removed.
                     $this->assertEquals('javascript&#0000058alert(1);', $result);
                     break;
                 case 23:
                     // Expected to come back unchanged.
                     $this->assertEquals('javascript&#0000058alert(1)//?:', $result);
                     break;
                 case 24:
                     // 'feed' is an allowed scheme; the nested 'javascript:' must be stripped.
                     $this->assertEquals('feed:alert(1)', $result);
                     break;
                 default:
                     $this->fail("wp_kses_bad_protocol failed on {$x}. Result: {$result}");
             }
         }
     }
     // URLs on an allowed scheme (including a custom 'dummy') must pass through
     // unchanged, or normalize to 'http://example.org/'. Several entries look
     // identical here, presumably decoded by the extraction.
     $safe = array('dummy:alert(1)', 'HTTP://example.org/', 'http://example.org/', 'http://example.org/', 'http://example.org/', 'https://example.org', 'http://example.org/wp-admin/post.php?post=2&action=edit', 'http://example.org/index.php?test='blah'');
     foreach ($safe as $x) {
         $result = wp_kses_bad_protocol(wp_kses_normalize_entities($x), array('http', 'https', 'dummy'));
         if ($result != $x && $result != 'http://example.org/') {
             $this->fail("wp_kses_bad_protocol incorrectly blocked {$x}");
         }
     }
 }
 /**
  * Returns the site's allowed link protocols minus the blacklisted ones.
  *
  * The result is memoized in self::$allowed_protocols, so the filtering
  * happens once per request.
  *
  * @return array Allowed protocols, as returned by wp_allowed_protocols() with blacklisted keys removed.
  */
 private static function get_allowed_protocols()
 {
     if (!isset(self::$allowed_protocols)) {
         // NOTE(review): array_diff_key() matches on KEYS. If wp_allowed_protocols()
         // returns a plain list of scheme names (integer keys), nothing is removed
         // here -- confirm the shapes returned by get_blacklisted_protocols() and
         // wp_allowed_protocols().
         $denied = array_fill_keys(self::get_blacklisted_protocols(), false);
         self::$allowed_protocols = array_diff_key(wp_allowed_protocols(), $denied);
     }
     return self::$allowed_protocols;
 }
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed element names, attribute names and attribute values, plus
 * sane HTML entities, survive in $string. Slashes added by PHP's magic quotes
 * must be removed before calling this function.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This
 * covers the common link protocols; 'javascript' is deliberately absent and
 * should not be allowed for untrusted users.
 *
 * @since 1.0.0
 *
 * @param string $string Content to filter through kses
 * @param array $allowed_html List of allowed HTML elements
 * @param array $allowed_protocols Optional. Allowed protocol in links.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array())
{
    // Fall back to the site-wide protocol list when the caller supplied none.
    $allowed_protocols = $allowed_protocols ?: wp_allowed_protocols();
    // Lower-case the allowed-element table once so lookups are case-insensitive.
    $allowed_html_fixed = wp_kses_array_lc($allowed_html);
    // Pre-clean the input before any tag or attribute decision is made.
    $string = wp_kses_no_null($string);
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);
    // WP changed the order of these funcs and added args to wp_kses_hook
    $string = wp_kses_hook($string, $allowed_html_fixed, $allowed_protocols);
    return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols);
}
 /**
  * esc_url() must honour the default protocol list and any explicit allow-list.
  */
 function test_protocol()
 {
     // Default list: http passes, an unknown scheme is rejected outright.
     $this->assertEquals('http://example.com', esc_url('http://example.com'));
     $this->assertEquals('', esc_url('nasty://example.com/'));
     // An explicit allow-list overrides the default; non-matching URLs are dropped.
     $https_only = array('https');
     $this->assertEquals('', esc_url('example.com', $https_only));
     $this->assertEquals('', esc_url('http://example.com', $https_only));
     $this->assertEquals('https://example.com', esc_url('https://example.com', array('http', 'https')));
     // Every default protocol must survive both the implicit and an explicit allow-list.
     foreach (wp_allowed_protocols() as $protocol) {
         $url = sprintf('%s://example.com', $protocol);
         $this->assertEquals($url, esc_url($url), $protocol);
         $this->assertEquals($url, esc_url($url, array($protocol)), $protocol);
     }
     // data: is not a default protocol and is rejected.
     $this->assertTrue(!in_array('data', wp_allowed_protocols(), true));
     $this->assertEquals('', esc_url('data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'));
     // A custom scheme is accepted only when the caller allows it.
     $this->assertTrue(!in_array('foo', wp_allowed_protocols(), true));
     $this->assertEquals('foo://example.com', esc_url('foo://example.com', array('foo')));
 }
 /**
  * Cleans a URL for output, following the shape of WordPress' esc_url():
  * drops disallowed bytes, removes encoded line breaks, supplies a scheme
  * when none is present, optionally entity-encodes for display, and returns
  * '' when the scheme is not in the allowed list.
  *
  * @param string     $url       The URL to clean.
  * @param array|null $protocols Allowed schemes; null falls back to wp_allowed_protocols().
  * @param string     $_context  'display' applies the entity/percent replacements below; any other value skips them.
  * @return string The cleaned URL (after the 'clean_url' filter), or '' when the scheme is rejected.
  */
 function nextgen_esc_url($url, $protocols = null, $_context = 'display')
 {
     $original_url = $url;
     if ('' == $url) {
         return $url;
     }
     // Remove every byte outside the URL-safe set; bytes 0x80-0xff are kept.
     $url = preg_replace('|[^a-z0-9 \\-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
     // Remove percent-encoded CR/LF in either case. _deep_replace presumably
     // repeats until none remain so nested encodings do not survive -- confirm.
     $strip = array('%0d', '%0a', '%0D', '%0A');
     $url = _deep_replace($strip, $url);
     // Presumably repairs a scheme separator that arrived as ';//' -- confirm.
     $url = str_replace(';//', '://', $url);
     /* If the URL doesn't appear to contain a scheme, we
      * presume it needs http:// appended (unless a relative
      * link starting with /, # or ? or a php file).
      */
     // NOTE(review): $url[0] is read without checking that the filtering above
     // left anything; confirm the upstream behaviour for input stripped to ''.
     if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
         $url = 'http://' . $url;
     }
     // Replace ampersands and single quotes only when displaying.
     if ('display' == $_context) {
         $url = wp_kses_normalize_entities($url);
         // NOTE(review): the replacement strings on the next two lines look
         // HTML-decoded by the extraction (an '&' -> '&' no-op and an
         // unterminated "'" literal); compare with the upstream source.
         $url = str_replace('&', '&', $url);
         $url = str_replace("'", ''', $url);
         $url = str_replace('%', '%25', $url);
         $url = str_replace(' ', '%20', $url);
     }
     // Relative URLs carry no scheme to check.
     if ('/' === $url[0]) {
         $good_protocol_url = $url;
     } else {
         if (!is_array($protocols)) {
             $protocols = wp_allowed_protocols();
         }
         // Reject the URL when the protocol filter changed anything other than letter case.
         $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
         if (strtolower($good_protocol_url) != strtolower($url)) {
             return '';
         }
     }
     return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
 }
 /**
  * Save section data
  *
  * Reads the account fields from $_POST, sanitizes them onto $user and
  * records validation problems on $this->errors. A login or nickname
  * problem short-circuits the save and returns the error object.
  *
  * @since 0.2.0
  *
  * @param WP_User $user
  * @return WP_Error|void The error object when validation fails; nothing otherwise.
  */
 public function save($user = null)
 {
     // User Login
     if (isset($_POST['user_login'])) {
         // Set the login
         $login = sanitize_user($_POST['user_login'], true);
         $user->user_login = $login;
         // Invalid login
         if (!validate_username($login)) {
             $this->errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
         }
         // Login already exists
         if (username_exists($login)) {
             $this->errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
         }
         // Checking that username has been typed
         if (empty($login)) {
             $this->errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
         }
         // Return if errored
         if ($this->errors->get_error_code()) {
             return $this->errors;
         }
     }
     // First / Last: plain text, empty when the field is absent.
     foreach (array('first_name', 'last_name') as $name_field) {
         $user->{$name_field} = isset($_POST[$name_field]) ? sanitize_text_field($_POST[$name_field]) : '';
     }
     // Nickname
     if (isset($_POST['nickname'])) {
         // Set the nick
         $user->nickname = sanitize_text_field($_POST['nickname']);
         // Nickname was empty
         if (empty($user->nickname)) {
             $this->errors->add('nickname', __('<strong>ERROR</strong>: Please enter a nickname.'));
             return $this->errors;
         }
     }
     // Display
     $user->display_name = isset($_POST['display_name']) ? sanitize_text_field($_POST['display_name']) : '';
     // Description
     $user->description = isset($_POST['description']) ? trim($_POST['description']) : '';
     // Website
     if (isset($_POST['url'])) {
         $raw_url = $_POST['url'];
         // Emptying URL: blank, or just a bare scheme name.
         if (empty($raw_url) || in_array($raw_url, wp_allowed_protocols(), true)) {
             $user->user_url = '';
         } else {
             // Validate: keep the URL if it already starts with an allowed scheme, otherwise assume http.
             $clean_url = esc_url_raw($raw_url);
             $scheme_pattern = '/^(' . implode('|', array_map('preg_quote', wp_allowed_protocols())) . '):/is';
             $user->user_url = preg_match($scheme_pattern, $clean_url) ? $clean_url : 'http://' . $clean_url;
         }
     }
     // Contact methods: every posted key the site defines is taken as plain text.
     foreach (array_keys(wp_get_user_contact_methods($user)) as $method) {
         if (isset($_POST[$method])) {
             $user->{$method} = sanitize_text_field($_POST[$method]);
         }
     }
     // Allow third party plugins to save data in this section
     parent::save($user);
 }
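 /**
  * Sanitize the field choices property.
  *
  * Normalizes each choice in place: 'isSelected' to bool, 'price' to a
  * formatted money string, 'text' through the field's kses handling, and
  * 'value' through a kses pass that strips scripts without entity-encoding.
  *
  * @param array|null $choices The field choices property. When null, $this->choices is sanitized in place.
  *
  * @return array|null The sanitized choices; non-array input is returned untouched.
  */
 public function sanitize_settings_choices($choices = null)
 {
     if (is_null($choices)) {
         // Bind to the property so the by-reference loop below updates it in place.
         $choices =& $this->choices;
     }
     if (!is_array($choices)) {
         return $choices;
     }
     foreach ($choices as &$choice) {
         if (isset($choice['isSelected'])) {
             $choice['isSelected'] = (bool) $choice['isSelected'];
         }
         // !empty() already implies isset(); '' and '0' count as "no price".
         if (!empty($choice['price'])) {
             $price_number = GFCommon::to_number($choice['price']);
             $choice['price'] = GFCommon::to_money($price_number);
         }
         if (isset($choice['text'])) {
             $choice['text'] = $this->maybe_wp_kses($choice['text']);
         }
         if (isset($choice['value'])) {
             // Strip scripts but don't encode
             $allowed_protocols = wp_allowed_protocols();
             $choice['value'] = wp_kses_no_null($choice['value'], array('slash_zero' => 'keep'));
             $choice['value'] = wp_kses_hook($choice['value'], 'post', $allowed_protocols);
             $choice['value'] = wp_kses_split($choice['value'], 'post', $allowed_protocols);
         }
     }
     // Drop the reference left behind by the by-reference foreach so $choice
     // no longer aliases the last element.
     unset($choice);
     return $choices;
 }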
 /**
  * The default protocol list must keep the schemes added for contact links.
  */
 function test_allowed_protocols()
 {
     $expected = array('skype', 'tel', 'mailto');
     foreach ($expected as $protocol) {
         $this->assertContains($protocol, wp_allowed_protocols(), sprintf('%s should be also allowed protocol', $protocol));
     }
 }
/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * Unlike esc_attr(), this keeps the attribute when its value can be made
 * safe: the value is entity-escaped, URI-bearing attributes additionally go
 * through the bad-protocol filter, and the result is checked against the
 * 'post' allowed-HTML table for $element. Surrounding whitespace is kept.
 *
 * @since 4.2.3
 *
 * @param string $string The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute, or '' when the value's quoting is unbalanced.
 */
function wp_kses_one_attr($string, $element)
{
    // Attribute names whose value is a URI and therefore needs a scheme check.
    $uri_attributes = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\\s*$/', $string, $matches);
    $trail = $matches[0];
    $lead_length = strlen($lead);
    $string = empty($trail) ? substr($string, $lead_length) : substr($string, $lead_length, -strlen($trail));
    // Parse attribute name and value from input.
    $split = preg_split('/\\s*=\\s*/', $string, 2);
    $name = $split[0];
    if (count($split) != 2) {
        // Value-less attribute.
        $value = '';
        $vless = 'y';
    } else {
        $value = $split[1];
        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        $quote = ('' == $value) ? '' : $value[0];
        if ('"' == $quote || "'" == $quote) {
            // An opening quote without its matching closing quote is rejected.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            $quote = '"';
        }
        // Sanitize quotes, angle braces, and entities.
        $value = esc_attr($value);
        // Sanitize URI values.
        if (in_array(strtolower($name), $uri_attributes)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }
        $string = $name . '=' . $quote . $value . $quote;
        $vless = 'n';
    }
    // Sanitize attribute by name.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);
    // Restore whitespace.
    return $lead . $string . $trail;
}
 /**
  * Sanitizes a submitted value before it is saved as part of an entry.
  *
  * Field types override this for type-specific handling. The base version
  * strips any tags the 'gform_allowable_tags' filter does not allow, then runs
  * the value through the kses pipeline with the 'post' ruleset so scripts and
  * disallowed markup are removed without entity-encoding the output.
  *
  * @param string $value The field value to be processed.
  * @param int $form_id The ID of the form currently being processed.
  *
  * @return string The sanitized value; '' when an array was given.
  */
 public function sanitize_entry_value($value, $form_id)
 {
     // A multi-valued submission is not a single entry value; store nothing.
     if (is_array($value)) {
         return '';
     }
     //allow HTML for certain field types
     $allowable_tags = gf_apply_filters(array('gform_allowable_tags', $form_id), $this->allow_html(), $this, $form_id);
     // true means "any HTML"; anything else is the tag list strip_tags() may keep.
     if (true !== $allowable_tags) {
         $value = strip_tags($value, $allowable_tags);
     }
     // kses pass with the 'post' ruleset, without encoding the result.
     $protocols = wp_allowed_protocols();
     $value = wp_kses_no_null($value, array('slash_zero' => 'keep'));
     $value = wp_kses_hook($value, 'post', $protocols);
     return wp_kses_split($value, 'post', $protocols);
 }
 /**
  * data: URIs can embed markup and script, so they must never be in the default list.
  *
  * @ticket 19354
  */
 function test_data_is_not_an_allowed_protocol()
 {
     $protocols = wp_allowed_protocols();
     $this->assertNotContains('data', $protocols);
 }
 /**
  * Sanitizes a submitted value before it is saved as part of an entry.
  *
  * Field types override this for type-specific handling. The base version
  * can be bypassed entirely through the 'gform_sanitize_entry_value' filter;
  * otherwise it strips tags not allowed by 'gform_allowable_tags' and runs
  * the value through the kses pipeline with the 'post' ruleset so scripts
  * and disallowed markup are removed without entity-encoding the output.
  *
  * @param string $value The field value to be processed.
  * @param int $form_id The ID of the form currently being processed.
  *
  * @return string The sanitized value; '' when an array was given.
  */
 public function sanitize_entry_value($value, $form_id)
 {
     // A multi-valued submission is not a single entry value; store nothing.
     if (is_array($value)) {
         return '';
     }
     /**
      * Provisional filter - may be subject to change or removal.
      *
      * @param bool
      * @param int $form_id
      * @param GF_Field $this
      */
     $sanitize = apply_filters('gform_sanitize_entry_value', true, $form_id, $this);
     if (!$sanitize) {
         // Caller opted out: the raw value is stored as submitted.
         return $value;
     }
     //allow HTML for certain field types
     $allowable_tags = gf_apply_filters(array('gform_allowable_tags', $form_id), $this->allow_html(), $this, $form_id);
     // true means "any HTML"; anything else is the tag list strip_tags() may keep.
     if (true !== $allowable_tags) {
         $value = strip_tags($value, $allowable_tags);
     }
     // kses pass with the 'post' ruleset, without encoding the result.
     $protocols = wp_allowed_protocols();
     $value = wp_kses_no_null($value, array('slash_zero' => 'keep'));
     $value = wp_kses_hook($value, 'post', $protocols);
     return wp_kses_split($value, 'post', $protocols);
 }
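/**
 * Creates or updates a user from the profile form submitted in $_POST.
 *
 * Mirrors WordPress' edit_user(): builds a user object from the posted
 * fields, validates login/password/e-mail, lets plugins add their own
 * errors, then inserts or updates the user. Non-privileged users who change
 * their e-mail address keep the old address until they confirm the new one
 * through a link sent by e-mail.
 *
 * @param int $user_id Optional. ID of the user being edited; 0 creates a new user.
 * @return int|string|WP_Error The $user_id passed in, the string 'verify_new_email'
 *                             when a confirmation mail was sent, or a WP_Error on
 *                             validation failure.
 */
function ipin_edit_user($user_id = 0)
{
    global $wp_roles, $wpdb;
    $user = new stdClass();
    // Only populated for an existing user; read it only when $update is true.
    $userdata = null;
    if ($user_id) {
        $update = true;
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        $user->user_login = wp_slash($userdata->user_login);
    } else {
        $update = false;
    }
    // The login can only be chosen when creating a user.
    if (!$update && isset($_POST['user_login'])) {
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }
    $pass1 = $pass2 = '';
    if (isset($_POST['pass1'])) {
        $pass1 = $_POST['pass1'];
    }
    if (isset($_POST['pass2'])) {
        $pass2 = $_POST['pass2'];
    }
    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        // (Parentheses only make the &&/|| grouping explicit; precedence is unchanged.)
        if ((is_multisite() && current_user_can('manage_sites')) || $user_id != get_current_user_id() || ($potential_role && $potential_role->has_cap('edit_users'))) {
            $user->role = $new_role;
        }
        // If the new role isn't editable by the logged-in user die with error
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            wp_die(__('You can&#8217;t give users that role.', 'ipin'));
        }
    }
    //edited: store the original email so it can be restored while a change awaits verification
    $original_user_email = $update ? $userdata->user_email : '';
    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field($_POST['email']);
    }
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prefix http:// unless the URL already starts with an allowed scheme.
            $protocols = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }
    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        $user->description = trim($_POST['description']);
    }
    // Contact methods: every posted key the site defines is taken as plain text.
    foreach (wp_get_user_contact_methods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }
    // Editor preferences are only touched for existing users.
    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }
    $errors = new WP_Error();
    /* checking that username has been typed */
    if ($user->user_login == '') {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.', 'ipin'));
    }
    /* checking the password has been typed twice */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));
    if ($update) {
        if (empty($pass1) && !empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.', 'ipin'), array('form-field' => 'pass1'));
        } elseif (!empty($pass1) && empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.', 'ipin'), array('form-field' => 'pass2'));
        }
        //edited: added to check password length
        if (!empty($pass1) && !empty($pass2)) {
            // strlen() counts bytes, so a multibyte password can pass this minimum with fewer characters.
            if (strlen($pass1) < 6) {
                // The message goes through __() with the 'ipin' domain like the other errors;
                // the original passed 'ipin' as the error data instead.
                $errors->add('password_too_short', __('<strong>ERROR</strong>: Passwords must be at least 6 characters long', 'ipin'), array('form-field' => 'pass1'));
            }
        }
    } else {
        if (empty($pass1)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.', 'ipin'), array('form-field' => 'pass1'));
        } elseif (empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.', 'ipin'), array('form-field' => 'pass2'));
        }
    }
    /* Check for "\" in password */
    if (false !== strpos(wp_unslash($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".', 'ipin'), array('form-field' => 'pass1'));
    }
    /* checking the password has been typed twice the same */
    if ($pass1 != $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.', 'ipin'), array('form-field' => 'pass1'));
    }
    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }
    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.', 'ipin'));
    }
    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.', 'ipin'));
    }
    /* checking e-mail address */
    $verify_new_email = $user_id;
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an email address.', 'ipin'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address isn&#8217;t correct.', 'ipin'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.', 'ipin'), array('form-field' => 'email'));
        //edited: requires email verification if email is changed. Only meaningful for an
        //existing user ($userdata is unset otherwise), and compares the sanitized value
        //that is actually about to be saved.
    } elseif ($update && $userdata->user_email !== $user->user_email && !current_user_can('administrator') && !current_user_can('editor')) {
        // Keep the old address on the account; the new one waits in meta until confirmed.
        update_user_meta($user_id, '_new_email', $user->user_email);
        // NOTE(review): the key is stored in clear in user meta; the verify endpoint
        // (not shown here) should compare it with hash_equals().
        $new_email_key = wp_generate_password(20, false);
        update_user_meta($user_id, '_new_email_key', $new_email_key);
        $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
        // Start the message fresh; the original appended to an undefined variable.
        $message = __('Please click the link to verify your email:', 'ipin') . "\r\n";
        $message .= home_url('/settings/');
        $message .= sprintf('?email=verify&login=%s&key=%s', rawurlencode($user->user_login), $new_email_key);
        wp_mail($user->user_email, sprintf(__('[%s] Email Verification', 'ipin'), $blogname), $message);
        $user->user_email = $original_user_email;
        $verify_new_email = 'verify_new_email';
    }
    // Allow plugins to return their own errors.
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));
    if ($errors->get_error_codes()) {
        return $errors;
    }
    if ($update) {
        $user_id = wp_update_user($user);
    } else {
        $user_id = wp_insert_user($user);
        // NOTE(review): the second argument of wp_new_user_notification() is deprecated
        // upstream (since 4.3.1) and no longer mails the password; confirm the WordPress
        // version this targets before relying on it.
        wp_new_user_notification($user_id, isset($_POST['send_password']) ? wp_unslash($pass1) : '');
    }
    // This is the caller's $user_id (or the verification marker), not the id
    // returned by wp_insert_user()/wp_update_user().
    return $verify_new_email;
}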
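 /**
  * Escapes the given string for the KSES filter with the criteria of allowing/disallowing tags and the protocol.
  * 
  * @remark           Attributes are not supported at this moment.
  * @param            string           $sString                    The HTML fragment to filter.
  * @param            array            $aAllowedTags                e.g. array( 'noscript', 'style', )
  * @param            array            $aDisallowedTags            e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' )
  * @param            array            $aAllowedProtocols           Allowed link schemes; empty means wp_allowed_protocols().
  * @return           string           The filtered fragment.
  * @since            2.0.0
  */
 public static function escapeKSESFilter($sString, $aAllowedTags = array(), $aDisallowedTags = array(), $aAllowedProtocols = array())
 {
     // Start from an empty table so an empty $aAllowedTags does not leave this undefined.
     $aFormatAllowedTags = array();
     foreach ($aAllowedTags as $sTag) {
         // No attributes are allowed on the extra tags (see @remark).
         $aFormatAllowedTags[$sTag] = array();
     }
     // the first parameter takes over the second.
     $aAllowedHTMLTags = AmazonAutoLinks_Utility::uniteArrays($aFormatAllowedTags, $GLOBALS['allowedposttags']);
     foreach ($aDisallowedTags as $sTag) {
         // unset() on a missing key is a no-op, so no isset() guard is needed.
         unset($aAllowedHTMLTags[$sTag]);
     }
     if (empty($aAllowedProtocols)) {
         $aAllowedProtocols = wp_allowed_protocols();
     }
     // Same pipeline as wp_kses(): drop NULs and JS entities, normalize entities,
     // then filter tags. The addslashes()/stripslashes() round-trips the original
     // applied before and after were identity operations and have been removed.
     $sString = wp_kses_no_null($sString);
     $sString = wp_kses_js_entities($sString);
     $sString = wp_kses_normalize_entities($sString);
     $sString = wp_kses_hook($sString, $aAllowedHTMLTags, $aAllowedProtocols);
     // WP changed the order of these funcs and added args to wp_kses_hook
     return wp_kses_split($sString, $aAllowedHTMLTags, $aAllowedProtocols);
 }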
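/**
 * Edit user settings based on contents of $_POST
 *
 * Largely based on the edit_user() function, this function only throws errors
 * when the user has posted invalid data, vs. when the mock user object does not
 * contain it.
 *
 * @since 0.1.0
 *
 * @param int $user_id Optional. User ID.
 * @return int|WP_Error|null User id of the updated user, a WP_Error on invalid
 *                           input, or null when no user ID was given.
 */
function wp_user_profiles_edit_user($user_id = 0)
{
    // Bail if no user ID
    if (empty($user_id)) {
        return;
    }
    // Setup the user being saved
    $user = new stdClass();
    $user->ID = (int) $user_id;
    $userdata = get_userdata($user_id);
    // Setup the user login
    if (isset($_POST['user_login'])) {
        $user->user_login = sanitize_user($_POST['user_login'], true);
    } else {
        $user->user_login = wp_slash($userdata->user_login);
    }
    // Password changes
    $pass1 = isset($_POST['pass1']) ? $_POST['pass1'] : '';
    $pass2 = isset($_POST['pass2']) ? $_POST['pass2'] : '';
    // Role changes
    if (isset($_POST['role']) && current_user_can('edit_users')) {
        // New roles, keyed by blog ID. Anything other than an array is ignored
        // instead of being handed to foreach.
        $new_roles = is_array($_POST['role']) ? $_POST['role'] : array();
        // Loop through new roles
        foreach ($new_roles as $blog_id => $new_role) {
            // Switch to the blog (the key comes from the request, so force an int)
            switch_to_blog((int) $blog_id);
            // Only apply the role when the logged-in user may assign it on this
            // blog; anything else is skipped silently.
            // NOTE(review): the edit_users check above ran on the current blog only;
            // confirm get_editable_roles() re-evaluates the editor's capabilities
            // for the switched blog.
            $editable_roles = get_editable_roles();
            if (!empty($new_role) && !empty($editable_roles[$new_role])) {
                $update_role = get_userdata($user_id);
                $update_role->set_role($new_role);
            }
            // Switch back
            restore_current_blog();
        }
    }
    // Email
    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field(wp_unslash($_POST['email']));
    }
    // Website
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prefix http:// unless the URL already starts with an allowed scheme.
            $protocols = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }
    // First
    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    // Last
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    // Nick
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    // Display
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    // Description
    if (isset($_POST['description'])) {
        $user->description = trim($_POST['description']);
    }
    // Contact methods
    foreach (wp_get_user_contact_methods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }
    // Options
    $user->rich_editing = isset($_POST['rich_editing']) && 'false' === $_POST['rich_editing'] ? 'false' : 'true';
    $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
    $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' === $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }
    // Error checking
    $errors = new WP_Error();
    // Checking that username has been typed
    if (isset($_POST['user_login']) && empty($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }
    // Checking that nickname has been typed
    if (isset($_POST['nickname']) && empty($user->nickname)) {
        $errors->add('nickname', __('<strong>ERROR</strong>: Please enter a nickname.'));
    }
    /**
     * Fires before the password and confirm password fields are checked for congruity.
     *
     * @since 1.5.1
     *
     * @param string $user_login The username.
     * @param string &$pass1     The password, passed by reference.
     * @param string &$pass2     The confirmed password, passed by reference.
     */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));
    // Check for "\" in password
    if (false !== strpos(wp_unslash($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }
    // Checking the password has been typed twice the same
    if ($pass1 !== $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in both password fields.'), array('form-field' => 'pass1'));
    }
    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }
    if (isset($_POST['user_login'])) {
        if (!validate_username($_POST['user_login'])) {
            $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
        }
        // Already inside the isset() branch, so no second check is needed.
        if (username_exists($user->user_login)) {
            $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
        }
    }
    // Checking email address
    if (isset($_POST['email'])) {
        if (empty($user->user_email)) {
            $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an email address.'), array('form-field' => 'email'));
        } elseif (!is_email($user->user_email)) {
            $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address is not correct.'), array('form-field' => 'email'));
        } elseif (($owner_id = email_exists($user->user_email)) && $owner_id !== $user->ID) {
            $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already in use.'), array('form-field' => 'email'));
        }
    }
    /**
     * Fires before user profile update errors are returned.
     *
     * @since 2.8.0
     *
     * @param WP_Error &$errors WP_Error object, passed by reference.
     * @param bool     $update  Whether this is a user update.
     * @param WP_User  &$user   WP_User object, passed by reference.
     */
    do_action_ref_array('user_profile_update_errors', array(&$errors, true, &$user));
    // Return errors if there are any
    if ($errors->get_error_codes()) {
        return $errors;
    }
    // Maybe save user status
    if (!empty($_POST['user_status'])) {
        wp_user_profiles_update_user_status($user, sanitize_key($_POST['user_status']));
    }
    return wp_update_user($user);
}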
 /**
  * Widget save callback: builds the instance to store from the submitted form values.
  *
  * title has tags stripped and size is coerced with absint(); content, style and target
  * are stored as submitted. The social links are rebuilt from the parallel social_icon /
  * social_url arrays, each URL passed through esc_url() with the default scheme list
  * plus 'skype'.
  *
  * NOTE(review): the loop stops one row short of the last social_icon entry
  * (count() - 1) — confirm the final row is an intentionally skipped template row.
  *
  * @param array $new_instance Values just submitted from the widget form.
  * @param array $old_instance Previously stored values; used as the starting point.
  * @return array The instance to store.
  */
 function update($new_instance, $old_instance)
 {
     $instance = $old_instance;
     $instance['title'] = strip_tags($new_instance['title']);
     $instance['content'] = $new_instance['content'];
     $instance['style'] = $new_instance['style'];
     $instance['size'] = absint($new_instance['size']);
     $instance['target'] = $new_instance['target'];
     $instance['social'] = array();
     if (!empty($new_instance['social_icon'])) {
         // allow skype call protocol on top of the default scheme list
         $schemes = wp_allowed_protocols();
         $schemes[] = 'skype';
         $rows = count($new_instance['social_icon']) - 1;
         for ($row = 0; $row < $rows; $row++) {
             $instance['social'][] = array(
                 'icon' => $new_instance['social_icon'][$row],
                 'url' => esc_url($new_instance['social_url'][$row], $schemes),
             );
         }
     }
     return $instance;
 }
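 /**
  * Runs a string through the kses pipeline wp_filter_post_kses() uses, with the post tag
  * whitelist widened by $arrAllowedTags and narrowed by $arrDisallowedTags.
  *
  * The string must be unslashed, as for wp_kses(). The addslashes()/stripslashes()
  * round-trips the earlier version wrapped around the pipeline are gone: for every
  * input stripslashes(addslashes($s)) === $s, so they never changed the result.
  *
  * @param string $strString            Content to filter.
  * @param array  $arrAllowedTags       e.g. array( 'noscript' => array(), 'style' => array() );
  *                                     merged over the global $allowedposttags (caller wins).
  * @param array  $arrDisallowedTags    e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' );
  *                                     removed from the merged whitelist.
  * @param array  $arrAllowedProtocols  URL schemes accepted in attributes; wp_allowed_protocols()
  *                                     when empty.
  * @return string The filtered content.
  */
 function EscapeAndFilterPostKSES($strString, $arrAllowedTags = array(), $arrDisallowedTags = array(), $arrAllowedProtocols = array())
 {
     global $allowedposttags;
     // UniteArraysRecursive: the first parameter takes over the second, so a caller's
     // per-tag attribute list wins over the default post whitelist.
     $arrAllowedHTML = $this->oUtil->UniteArraysRecursive($arrAllowedTags, $allowedposttags);
     foreach ($arrDisallowedTags as $strTag) {
         if (isset($arrAllowedHTML[$strTag])) {
             unset($arrAllowedHTML[$strTag]);
         }
     }
     if (empty($arrAllowedProtocols)) {
         $arrAllowedProtocols = wp_allowed_protocols();
     }
     // Same stage order as wp_kses(): NUL removal, JS entity removal, entity
     // normalisation, then the hook stage, which must run before the split.
     $strString = wp_kses_no_null($strString);
     $strString = wp_kses_js_entities($strString);
     $strString = wp_kses_normalize_entities($strString);
     // WP changed the order of these funcs and added args to wp_kses_hook
     $strString = wp_kses_hook($strString, $arrAllowedHTML, $arrAllowedProtocols);
     return wp_kses_split($strString, $arrAllowedHTML, $arrAllowedProtocols);
 }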
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed element names, attribute names and attribute values, plus sane
 * HTML entities, survive in $string. Remove any slashes from PHP's magic quotes
 * before calling this function.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This
 * covers all common link protocols, except for 'javascript' which should not
 * be allowed for untrusted users.
 *
 * Stages, in order: wp_kses_no_null() with 'slash_zero' => 'keep',
 * wp_kses_js_entities(), wp_kses_normalize_entities(), wp_kses_hook(), and
 * finally wp_kses_split() against $allowed_html and the protocol list.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses
 * @param array  $allowed_html      List of allowed HTML elements
 * @param array  $allowed_protocols Optional. Allowed protocol in links.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
	$protocols = empty( $allowed_protocols ) ? wp_allowed_protocols() : $allowed_protocols;
	$filtered = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
	foreach ( array( 'wp_kses_js_entities', 'wp_kses_normalize_entities' ) as $stage ) {
		$filtered = $stage( $filtered );
	}
	// The hook stage runs before the split (WP changed the order of these funcs
	// and added args to wp_kses_hook).
	$filtered = wp_kses_hook( $filtered, $allowed_html, $protocols );
	return wp_kses_split( $filtered, $allowed_html, $protocols );
}
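/**
 * Shortcode handler that wraps its content in a styled box.
 *
 * Attributes: type (default 'normal'), size, style, border and icon (all default
 * ''). icon may be 'none' to suppress the icon, or a URL used as the box's
 * background image. The content is expanded with do_shortcode() and then passed
 * through wp_kses() with the 'post' whitelist plus <input type|name|value>, and
 * with 'skype' added to the accepted URL schemes.
 *
 * @param array       $atts    Raw shortcode attributes.
 * @param string|null $content Shortcode content.
 * @return string The box markup.
 */
function woo_shortcode_box($atts, $content = null)
{
    // Read the attributes explicitly instead of extract()-ing them into locals, so only
    // the five known keys can ever become variables in this scope.
    $defaults = array('type' => 'normal', 'size' => '', 'style' => '', 'border' => '', 'icon' => '');
    $atts = shortcode_atts($defaults, $atts);
    $type = $atts['type'];
    $size = $atts['size'];
    $style = $atts['style'];
    $border = $atts['border'];
    $icon = $atts['icon'];
    // "Toggle in a box" fix: the box content may carry the toggle's <input>.
    $allowed_tags = wp_kses_allowed_html('post');
    $allowed_tags['input'] = array('type' => true, 'name' => true, 'value' => true);
    $allowed_protocols = wp_allowed_protocols();
    $allowed_protocols[] = 'skype';
    $class = '';
    $custom = '';
    if ($icon === 'none') {
        $class = 'no-icon';
        $custom = ' style="padding-left:15px;background-image:none;"';
    } elseif ($icon) {
        // Any other non-empty value is an icon URL: esc_url() restricts the scheme (default
        // list, not the widened one) and esc_attr() makes it safe inside the style attribute.
        $class = 'custom-icon';
        $custom = ' style="padding-left:50px;background-image:url( ' . esc_attr(esc_url($icon)) . ' ); background-repeat:no-repeat; background-position:20px 45%;"';
    }
    $classes = implode(' ', array_map('esc_attr', array($class, $type, $size, $style, $border)));
    $inner = wp_kses(do_shortcode(woo_remove_wpautop($content)), $allowed_tags, $allowed_protocols);
    return '<div class="woo-sc-box ' . $classes . '"' . $custom . '>' . $inner . '</div>';
}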
/**
 * Edit user settings based on contents of $_POST
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 *
 * Builds a stdClass from the submitted fields, collects validation failures in a
 * WP_Error, and only if none were recorded calls wp_update_user() (when $user_id is
 * given) or wp_insert_user() followed by wp_new_user_notification().
 *
 * Input handling as written here: most text fields go through sanitize_text_field(),
 * the description is only trim()'d, and the two password fields are kept as submitted.
 * A role change requires current_user_can('edit_users') and a role listed by
 * get_editable_roles(); an uneditable role ends the request with wp_die().
 *
 * @since 2.0
 *
 * @global WP_Roles $wp_roles
 * @global wpdb     $wpdb
 *
 * @param int $user_id Optional. User ID. 0 (the default) creates a new user.
 * @return int|WP_Error user id of the updated (or inserted) user, or the WP_Error holding
 *                      every validation failure; its 'form-field' data names the offending
 *                      field where one applies.
 */
function edit_user($user_id = 0)
{
    global $wp_roles, $wpdb;
    $user = new stdClass();
    if ($user_id) {
        $update = true;
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        // NOTE(review): $wpdb->escape() is deprecated in later WordPress releases — confirm
        // the WordPress version this copy targets.
        $user->user_login = $wpdb->escape($userdata->user_login);
    } else {
        $update = false;
    }
    // The login is taken from the form only for a new user; an existing login is never changed here.
    if (!$update && isset($_POST['user_login'])) {
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }
    // Both password fields default to '' so the empty()/!= checks below are well defined.
    $pass1 = $pass2 = '';
    if (isset($_POST['pass1'])) {
        $pass1 = $_POST['pass1'];
    }
    if (isset($_POST['pass2'])) {
        $pass2 = $_POST['pass2'];
    }
    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        // Reads as: (multisite && manage_sites) || (editing another user) || (new role keeps edit_users).
        if (is_multisite() && current_user_can('manage_sites') || $user_id != get_current_user_id() || $potential_role && $potential_role->has_cap('edit_users')) {
            $user->role = $new_role;
        }
        // If the new role isn't editable by the logged-in user die with error
        // (checked after the assignment above, but wp_die() ends the request before any save).
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            wp_die(__('You can&#8217;t give users that role.'));
        }
    }
    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field($_POST['email']);
    }
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // A URL that does not start with an allowed scheme gets http:// prepended rather than
            // rejected. preg_quote() is called without the '/' delimiter argument, which only
            // matters if a filtered-in scheme name contained '/'.
            $protocols = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }
    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        // Only trimmed at this layer; no sanitize_text_field() on the description.
        $user->description = trim($_POST['description']);
    }
    // Contact-method fields are posted under their method key and sanitized like the other text fields.
    foreach (_wp_get_user_contactmethods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }
    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }
    $errors = new WP_Error();
    /* checking that username has been typed */
    // Loose '' comparison: a user_login that was never assigned (null) is reported as missing too.
    if ($user->user_login == '') {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }
    /* checking the password has been typed twice */
    // Plugins may rewrite $pass1/$pass2 here (by reference) before the checks below run.
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));
    if ($update) {
        if (empty($pass1) && !empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass1'));
        } elseif (!empty($pass1) && empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass2'));
        }
    } else {
        if (empty($pass1)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.'), array('form-field' => 'pass1'));
        } elseif (empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.'), array('form-field' => 'pass2'));
        }
    }
    /* Check for "\" in password */
    // The check runs on the unslashed value; the slashed $pass1 is what user_pass receives below.
    if (false !== strpos(stripslashes($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }
    /* checking the password has been typed twice the same */
    if ($pass1 != $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.'), array('form-field' => 'pass1'));
    }
    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }
    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
    }
    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
    }
    /* checking e-mail address */
    // email_exists() returns the owning user's ID; a match is only an error when it is another user.
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an e-mail address.'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The e-mail address isn&#8217;t correct.'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
    }
    // Allow plugins to return their own errors.
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));
    if ($errors->get_error_codes()) {
        return $errors;
    }
    if ($update) {
        $user_id = wp_update_user($user);
    } else {
        $user_id = wp_insert_user($user);
        // When the form set send_password, the plaintext password is handed to the notification path.
        wp_new_user_notification($user_id, isset($_POST['send_password']) ? $pass1 : '');
    }
    return $user_id;
}
 /**
  * Every default protocol's example URL must pass esc_url() unchanged, both when that
  * single scheme is the whitelist and when the full wp_allowed_protocols() list is.
  *
  * @depends test_allowed_protocol_has_an_example
  * @dataProvider data_example_urls
  *
  * @param string $protocol The scheme.
  * @param string $url      Example URL using that scheme.
  */
 function test_allowed_protocols($protocol, $url)
 {
     foreach (array($protocol, wp_allowed_protocols()) as $whitelist) {
         $this->assertEquals($url, esc_url($url, $whitelist));
     }
 }
/**
 * Edit user settings based on contents of $_POST
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 *
 * Builds a stdClass from the submitted fields, collects validation failures in a
 * WP_Error, and only if none were recorded calls wp_update_user() (when $user_id is
 * given) or wp_insert_user() followed by the 'edit_user_created_user' action.
 *
 * Input handling as written here: most text fields go through sanitize_text_field()
 * (only the email is additionally wp_unslash()'d), the description is only trim()'d,
 * and the two password fields are kept as submitted. A role change requires
 * current_user_can('edit_users') and a role listed by get_editable_roles(); an
 * uneditable role ends the request with wp_die().
 *
 * @since 2.0.0
 *
 * @param int $user_id Optional. User ID. 0 (the default) creates a new user.
 * @return int|WP_Error user id of the updated (or inserted) user, or the WP_Error holding
 *                      every validation failure; its 'form-field' data names the offending
 *                      field where one applies.
 */
function edit_user($user_id = 0)
{
    $wp_roles = wp_roles();
    $user = new stdClass();
    if ($user_id) {
        $update = true;
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        // Slashed to match the form data the rest of this function works with.
        $user->user_login = wp_slash($userdata->user_login);
    } else {
        $update = false;
    }
    // The login is taken from the form only for a new user; an existing login is never changed here.
    if (!$update && isset($_POST['user_login'])) {
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }
    // Both password fields default to '' so the empty()/!= checks below are well defined.
    $pass1 = $pass2 = '';
    if (isset($_POST['pass1'])) {
        $pass1 = $_POST['pass1'];
    }
    if (isset($_POST['pass2'])) {
        $pass2 = $_POST['pass2'];
    }
    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        // Reads as: (multisite && manage_sites) || (editing another user) || (new role keeps edit_users).
        if (is_multisite() && current_user_can('manage_sites') || $user_id != get_current_user_id() || $potential_role && $potential_role->has_cap('edit_users')) {
            $user->role = $new_role;
        }
        // If the new role isn't editable by the logged-in user die with error
        // (checked after the assignment above, but wp_die() ends the request before any save).
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            wp_die(__('You can&#8217;t give users that role.'));
        }
    }
    if (isset($_POST['email'])) {
        // NOTE(review): the email is wp_unslash()'d before sanitizing but the other text fields
        // below are not — confirm whether that asymmetry is intended.
        $user->user_email = sanitize_text_field(wp_unslash($_POST['email']));
    }
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // A URL that does not start with an allowed scheme gets http:// prepended rather than
            // rejected. preg_quote() is called without the '/' delimiter argument, which only
            // matters if a filtered-in scheme name contained '/'.
            $protocols = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }
    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        // Only trimmed at this layer; no sanitize_text_field() on the description.
        $user->description = trim($_POST['description']);
    }
    // Contact-method fields are posted under their method key and sanitized like the other text fields.
    foreach (wp_get_user_contact_methods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }
    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }
    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }
    $errors = new WP_Error();
    /* checking that username has been typed */
    // Loose '' comparison: a user_login that was never assigned (null) is reported as missing too.
    if ($user->user_login == '') {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }
    /* checking that nickname has been typed */
    // The nickname is only required when editing an existing user.
    if ($update && empty($user->nickname)) {
        $errors->add('nickname', __('<strong>ERROR</strong>: Please enter a nickname.'));
    }
    /* checking the password has been typed twice */
    /**
     * Fires before the password and confirm password fields are checked for congruity.
     *
     * @since 1.5.1
     *
     * @param string $user_login The username.
     * @param string &$pass1     The password, passed by reference.
     * @param string &$pass2     The confirmed password, passed by reference.
     */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));
    /* Check for "\" in password */
    // The check runs on the unslashed value; the slashed $pass1 is what user_pass receives below.
    if (false !== strpos(wp_unslash($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }
    /* checking the password has been typed twice the same */
    if ($pass1 != $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in both password fields.'), array('form-field' => 'pass1'));
    }
    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }
    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
    }
    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
    }
    /** This filter is documented in wp-includes/user.php */
    $illegal_logins = (array) apply_filters('illegal_user_logins', array());
    // Case-insensitive (ASCII strtolower) match against the filtered blocklist; applies on update too.
    if (in_array(strtolower($user->user_login), array_map('strtolower', $illegal_logins))) {
        $errors->add('illegal_user_login', __('<strong>ERROR</strong>: Sorry, that username is not allowed.'));
    }
    /* checking email address */
    // email_exists() returns the owning user's ID; a match is only an error when it is another user.
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an email address.'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address isn&#8217;t correct.'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
    }
    /**
     * Fires before user profile update errors are returned.
     *
     * @since 2.8.0
     *
     * @param WP_Error &$errors WP_Error object, passed by reference.
     * @param bool     $update  Whether this is a user update.
     * @param WP_User  &$user   WP_User object, passed by reference.
     */
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));
    if ($errors->get_error_codes()) {
        return $errors;
    }
    if ($update) {
        $user_id = wp_update_user($user);
    } else {
        $user_id = wp_insert_user($user);
        /**
         * Fires after a new user has been created.
         *
         * @since 4.4.0
         *
         * @param int $user_id ID of the newly created user.
         */
        do_action('edit_user_created_user', $user_id);
    }
    return $user_id;
}
 /**
  * Checks and cleans a URL. This function is from WordPress.
  *
  * Characters outside the URL-safe set are removed, encoded CR/LF sequences are
  * stripped, and ';//' is normalised to '://'. In the default 'display' context
  * ampersands and single quotes are entity-encoded as well. A relative URL
  * (leading '/') is accepted as is; anything else must come back unchanged from
  * wp_kses_bad_protocol() — compared case-insensitively — or '' is returned. The
  * 'clean_url' filter is applied to the result.
  *
  * @since 2.8.0
  * @uses wp_kses_bad_protocol() To only permit protocols in the URL set
  *		via $protocols or the common ones set in the function.
  *
  * @param string $url The URL to be cleaned.
  * @param array $protocols Optional. An array of acceptable protocols.
  *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
  * @param string $_context Private. Use esc_url_raw() for database usage.
  * @return string The cleaned $url after the 'clean_url' filter is applied.
  */
 public function esc_url($url, $protocols = null, $_context = 'display')
 {
     $original_url = $url;
     // Drop every byte outside the URL-safe set, then the encoded CR/LF forms.
     $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
     $url = _deep_replace(array('%0d', '%0a', '%0D', '%0A'), $url);
     $url = str_replace(';//', '://', $url);
     // Replace ampersands and single quotes only when displaying.
     if ('display' == $_context) {
         $url = wp_kses_normalize_entities($url);
         $url = str_replace(array('&amp;', '\''), array('&#038;', '&#039;'), $url);
     }
     $is_relative = !empty($url[0]) && '/' === $url[0];
     if ($is_relative) {
         $good_protocol_url = $url;
     } else {
         $accepted = is_array($protocols) ? $protocols : wp_allowed_protocols();
         $good_protocol_url = wp_kses_bad_protocol($url, $accepted);
         // Any rewrite other than a change of case means the scheme was not accepted.
         if (strtolower($good_protocol_url) != strtolower($url)) {
             return '';
         }
     }
     /**
      * Filter a string cleaned and escaped for output as a URL.
      *
      * @since 2.3.0
      *
      * @param string $good_protocol_url The cleaned URL to be returned.
      * @param string $original_url      The URL prior to cleaning.
      * @param string $_context          If 'display', replace ampersands and single quotes only.
      */
     return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
 }
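/**
 * Callback to add a base url to relative links in passed content.
 *
 * A URL that already starts with a scheme listed by wp_allowed_protocols() is
 * left untouched; anything else (relative, scheme-less, or an unlisted scheme)
 * is resolved against the global base with WP_Http::make_absolute_url().
 *
 * @since 2.7.0
 * @access private
 *
 * @global string $_links_add_base
 *
 * @param array $m The preg match: 1 = attribute name, 2 = quotation mark, 3 = URL.
 * @return string The processed link, as `name=<quote>url<quote>`.
 */
function _links_add_base($m)
{
    global $_links_add_base;
    $url = $m[3];
    // Strict in_array(): the scheme is matched as an exact string against the list.
    $has_allowed_scheme = preg_match('#^(\\w{1,20}):#', $url, $protocol)
        && in_array($protocol[1], wp_allowed_protocols(), true);
    if (!$has_allowed_scheme) {
        $url = WP_Http::make_absolute_url($url, $_links_add_base);
    }
    return $m[1] . '=' . $m[2] . $url . $m[2];
}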
 /**
  * Strip scripts and some HTML tags.
  *
  * Array values are not filtered but replaced by ''. Scalars are first reduced to
  * the form's allowable tags with strip_tags() (skipped when get_allowable_tags()
  * returns true), then run through wp_kses_no_null() with 'slash_zero' => 'keep',
  * wp_kses_hook() and wp_kses_split() against the 'post' context and the default
  * protocol list.
  *
  * NOTE(review): unlike wp_kses(), this path does not call wp_kses_js_entities() or
  * wp_kses_normalize_entities() before the split — confirm that is intended.
  *
  * @param string $value The field value to be processed.
  * @param int $form_id The ID of the form currently being processed.
  *
  * @return string
  */
 public function sanitize_entry_value($value, $form_id)
 {
     if (is_array($value)) {
         return '';
     }
     $allowable_tags = $this->get_allowable_tags($form_id);
     $filtered = ($allowable_tags === true) ? $value : strip_tags($value, $allowable_tags);
     $protocols = wp_allowed_protocols();
     $filtered = wp_kses_no_null($filtered, array('slash_zero' => 'keep'));
     $filtered = wp_kses_hook($filtered, 'post', $protocols);
     return wp_kses_split($filtered, 'post', $protocols);
 }
/**
 * A special URL escaping function that handles additional protocols.
 *
 * A value of the form `post: <id>` is first turned into that post's permalink;
 * the result is then passed to esc_url_raw() with the default protocol list
 * plus 'skype'.
 *
 * @param string $url The URL (or `post: <id>` reference) to escape.
 *
 * @return string
 */
function sow_esc_url_raw($url)
{
    $matched = array();
    // Convert the special post URL into a permalink
    if (preg_match('/^post: *([0-9]+)/', $url, $matched)) {
        $url = get_the_permalink(intval($matched[1]));
    }
    $accepted = wp_allowed_protocols();
    $accepted[] = 'skype';
    return esc_url_raw($url, $accepted);
}
 /**
  * AJAX hook for the inline link editor on Tools -> Broken Links.
  *
  * Reads link_id, new_url and optionally new_text from $_POST, validates them, and
  * hands the edit to blcLink::edit(). Every outcome is written as a JSON object via
  * die(); an 'error' key marks a failure.
  *
  * Checks before any change: the 'edit_others_posts' capability and the 'blc_edit'
  * nonce; link_id numeric and new_url non-empty; parse_url() accepting new_url;
  * and, for users without 'unfiltered_html', new_url surviving
  * wp_kses_bad_protocol() unchanged (new_text likewise goes through
  * wp_filter_post_kses()).
  *
  * @return void
  */
 function ajax_edit()
 {
     // Capability and nonce are checked together; check_ajax_referer() is told not to die so
     // the failure can be reported as JSON like every other error here.
     if (!current_user_can('edit_others_posts') || !check_ajax_referer('blc_edit', false, false)) {
         die(json_encode(array('error' => __("You're not allowed to do that!", 'broken-link-checker'))));
     }
     if (empty($_POST['link_id']) || empty($_POST['new_url']) || !is_numeric($_POST['link_id'])) {
         die(json_encode(array('error' => __("Error : link_id or new_url not specified", 'broken-link-checker'))));
     }
     //Load the link
     $link = new blcLink(intval($_POST['link_id']));
     if (!$link->valid()) {
         die(json_encode(array('error' => sprintf(__("Oops, I can't find the link %d", 'broken-link-checker'), intval($_POST['link_id'])))));
     }
     //Validate the new URL.
     // Form data arrives slashed. parse_url() serves only as a well-formedness check (the '@'
     // silences its notices); its result is otherwise discarded.
     $new_url = stripslashes($_POST['new_url']);
     $parsed = @parse_url($new_url);
     if (!$parsed) {
         die(json_encode(array('error' => __("Oops, the new URL is invalid!", 'broken-link-checker'))));
     }
     if (!current_user_can('unfiltered_html')) {
         //Disallow potentially dangerous URLs like "javascript:...".
         // Any rewrite by wp_kses_bad_protocol() rejects the URL. Users holding
         // 'unfiltered_html' skip this check entirely.
         $protocols = wp_allowed_protocols();
         $good_protocol_url = wp_kses_bad_protocol($new_url, $protocols);
         if ($new_url != $good_protocol_url) {
             die(json_encode(array('error' => __("Oops, the new URL is invalid!", 'broken-link-checker'))));
         }
     }
     // new_text is optional: absent, non-string or '' all collapse to null (presumably
     // "keep the existing text" — blcLink::edit() decides).
     $new_text = isset($_POST['new_text']) && is_string($_POST['new_text']) ? stripslashes($_POST['new_text']) : null;
     if ($new_text === '') {
         $new_text = null;
     }
     // empty() also treats the string '0' as empty, so that one value is not kses-filtered.
     if (!empty($new_text) && !current_user_can('unfiltered_html')) {
         $new_text = stripslashes(wp_filter_post_kses(addslashes($new_text)));
         //wp_filter_post_kses expects slashed data.
     }
     $rez = $link->edit($new_url, $new_text);
     if ($rez === false) {
         die(json_encode(array('error' => __("An unexpected error occurred!", 'broken-link-checker'))));
     } else {
         $new_link = $rez['new_link'];
         /** @var blcLink $new_link */
         $new_status = $new_link->analyse_status();
         $ui_link_text = null;
         // The editable link text is read back from the first instance, only when text was changed.
         if (isset($new_text)) {
             $instances = $new_link->get_instances();
             if (!empty($instances)) {
                 $first_instance = reset($instances);
                 $ui_link_text = $first_instance->ui_get_link_text();
             }
         }
         $response = array('new_link_id' => $rez['new_link_id'], 'cnt_okay' => $rez['cnt_okay'], 'cnt_error' => $rez['cnt_error'], 'status_text' => $new_status['text'], 'status_code' => $new_status['code'], 'http_code' => empty($new_link->http_code) ? '' : $new_link->http_code, 'redirect_count' => $new_link->redirect_count, 'url' => $new_link->url, 'escaped_url' => esc_url_raw($new_link->url), 'final_url' => $new_link->final_url, 'link_text' => isset($new_text) ? $new_text : null, 'ui_link_text' => isset($new_text) ? $ui_link_text : null, 'errors' => array());
         //url, status text, status code, link text, editable link text
         foreach ($rez['errors'] as $error) {
             /** @var $error WP_Error */
             array_push($response['errors'], implode(', ', $error->get_error_messages()));
         }
         // NOTE(review): json_encode() returns false on failure (e.g. invalid UTF-8 in the link
         // text), which die() would print as an empty body — confirm the client copes with that.
         die(json_encode($response));
     }
 }
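/**
 * Callback to add a base url to relative links in passed content.
 *
 * A URL that already starts with a scheme listed by wp_allowed_protocols() is
 * left untouched; anything else (relative, scheme-less, or an unlisted scheme)
 * is joined onto the global base with path_join().
 *
 * @since 2.7.0
 * @access private
 *
 * @global string $_links_add_base
 *
 * @param array $m The preg match: 1 = attribute name, 2 = quotation mark, 3 = URL.
 * @return string The processed link, as `name=<quote>url<quote>`.
 */
function _links_add_base($m)
{
    global $_links_add_base;
    $url = $m[3];
    // Strict in_array(): the scheme is matched as an exact string against the list.
    $has_allowed_scheme = preg_match('#^(\\w{1,20}):#', $url, $protocol)
        && in_array($protocol[1], wp_allowed_protocols(), true);
    if (!$has_allowed_scheme) {
        $url = path_join($_links_add_base, $url);
    }
    return $m[1] . '=' . $m[2] . $url . $m[2];
}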
/**
 * Cleans a URL for output, rejecting it when its scheme is not allowed.
 *
 * The steps run in a fixed order and each one feeds the next: spaces become
 * `%20`, characters outside the allowed set are stripped, encoded CR/LF are
 * removed (except for mailto: links), `;//` is repaired to `://`, `http://`
 * is prepended when no scheme or relative marker is present, `&`/`'` are
 * entity-encoded for the display context, `[`/`]` are percent-encoded in the
 * part after the authority, and finally the URL is dropped (returns '') if
 * wp_kses_bad_protocol() would change it.
 *
 * @param string     $url       The URL to be cleaned.
 * @param array|null $protocols Optional. Allowed schemes; anything that is not an array falls back to wp_allowed_protocols().
 * @param string     $_context  Private. 'display' (default) entity-encodes `&` and `'`; any other value leaves them as-is.
 * @return string The cleaned URL, '' when nothing is left after stripping, or '' when the scheme is not allowed.
 */
function esc_url($url, $protocols = null, $_context = 'display')
{
    $original_url = $url;
    // Loose comparison: null (and, depending on PHP version, other "empty"
    // scalars) also take this early return and are handed back unchanged.
    if ('' == $url) {
        return $url;
    }
    $url = str_replace(' ', '%20', $url);
    // Whitelist of URL characters; everything else (including control
    // characters and raw < > " ) is removed rather than encoded.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\[\\]\\x80-\\xff]|i', '', $url);
    if ('' === $url) {
        return $url;
    }
    // Encoded line breaks are stripped (header-injection style payloads);
    // mailto: links are exempt, matched case-insensitively at offset 0.
    if (0 !== stripos($url, 'mailto:')) {
        $strip = array('%0d', '%0a', '%0D', '%0A');
        $url = _deep_replace($strip, $url);
    }
    $url = str_replace(';//', '://', $url);
    /* If the URL doesn't appear to contain a scheme, we
     * presume it needs http:// prepended (unless a relative
     * link starting with /, # or ? or a php file).
     */
    // $url[0] is safe here: the '' === $url check above guarantees a non-empty string.
    if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
        $url = 'http://' . $url;
    }
    // Replace ampersands and single quotes only when displaying.
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        $url = str_replace('&amp;', '&#038;', $url);
        $url = str_replace("'", '&#039;', $url);
    }
    // Square brackets (e.g. IPv6 hosts, array-style query keys) are left raw
    // in the scheme/authority part and percent-encoded in the remainder.
    if (false !== strpos($url, '[') || false !== strpos($url, ']')) {
        $parsed = wp_parse_url($url);
        // $front is rebuilt as scheme://user:pass@host:port from the parsed
        // pieces; only the components that are set are appended.
        $front = '';
        if (isset($parsed['scheme'])) {
            $front .= $parsed['scheme'] . '://';
        } elseif ('/' === $url[0]) {
            $front .= '//';
        }
        if (isset($parsed['user'])) {
            $front .= $parsed['user'];
        }
        if (isset($parsed['pass'])) {
            $front .= ':' . $parsed['pass'];
        }
        if (isset($parsed['user']) || isset($parsed['pass'])) {
            $front .= '@';
        }
        if (isset($parsed['host'])) {
            $front .= $parsed['host'];
        }
        if (isset($parsed['port'])) {
            $front .= ':' . $parsed['port'];
        }
        // NOTE(review): str_replace removes every occurrence of $front, not
        // only the leading one, and the final replacement below likewise
        // substitutes all occurrences of $end_dirty within $url.
        $end_dirty = str_replace($front, '', $url);
        $end_clean = str_replace(array('[', ']'), array('%5B', '%5D'), $end_dirty);
        $url = str_replace($end_dirty, $end_clean, $url);
    }
    // Root-relative URLs carry no scheme, so the protocol check is skipped.
    if ('/' === $url[0]) {
        $good_protocol_url = $url;
    } else {
        if (!is_array($protocols)) {
            $protocols = wp_allowed_protocols();
        }
        // If wp_kses_bad_protocol() alters the URL (case-insensitive, loose
        // string comparison), the scheme was not allowed: reject outright
        // rather than return a partially stripped URL.
        $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
        if (strtolower($good_protocol_url) != strtolower($url)) {
            return '';
        }
    }
    // Filters receive the original input alongside the cleaned URL and
    // may further alter the result.
    return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}