/**
 * Sanitises a fragment of XML code.
 *
 * Applies the same three pre-processing passes wp_kses() uses (null-byte
 * removal, JavaScript-entity removal, entity normalisation) and then hands
 * every tag-like span to self::kses_split(), which decides what is kept.
 *
 * The pattern matches either a '<' followed by everything up to the next
 * '>' (or the end of the input, for an unterminated tag) or a stray '>'.
 *
 * @since 1.4
 *
 * @param string $xml
 * @return string
 */
public static function ksesXML($xml) {
    $prepared = wp_kses_no_null($xml);
    $prepared = wp_kses_js_entities($prepared);
    $prepared = wp_kses_normalize_entities($prepared);

    $tag_pattern = '%(<[^>]*(>|$)|>)%';
    $splitter = array('self', 'kses_split');

    return preg_replace_callback($tag_pattern, $splitter, $prepared);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * $string is normalised first — null bytes removed, JavaScript entities
 * removed, HTML entities normalised, then passed through wp_kses_hook() —
 * and afterwards split into tags by wp_kses_split(), which keeps only what
 * $allowed_html permits and only link schemes present in $allowed_protocols.
 * Slashes added by PHP's magic quotes must be stripped before calling.
 *
 * 'javascript' is deliberately absent from the default protocol list.
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      Allowed elements, each mapped to its allowed attributes.
 * @param array  $allowed_protocols Optional. Allowed URL schemes in links.
 * @return string Filtered content.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto')) {
    // Normalisation passes, in the order they have to run.
    $passes = array('wp_kses_no_null', 'wp_kses_js_entities', 'wp_kses_normalize_entities', 'wp_kses_hook');
    foreach ($passes as $pass) {
        $string = $pass($string);
    }

    // The allow-list keys are lowercased (wp_kses_array_lc) before matching.
    return wp_kses_split($string, wp_kses_array_lc($allowed_html), $allowed_protocols);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed HTML element names, attribute names and attribute values,
 * plus sane HTML entities, survive in $string. Remove any slashes added by
 * PHP's magic quotes before calling this function.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'ftps', 'mailto',
 * 'news', 'irc', 'gopher', 'nntp', 'feed' and 'telnet'. That covers the common
 * link schemes except 'javascript', which must not be allowed for untrusted
 * users.
 *
 * In this variant the allow-list is lowercased *before* wp_kses_hook() runs and
 * is passed to the hook together with the protocols (WordPress changed the
 * order of these calls and added arguments to wp_kses_hook).
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      List of allowed HTML elements.
 * @param array  $allowed_protocols Optional. Allowed protocols in links.
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet')) {
    $normalisers = array('wp_kses_no_null', 'wp_kses_js_entities', 'wp_kses_normalize_entities');
    foreach ($normalisers as $normaliser) {
        $string = $normaliser($string);
    }

    $allowed_html_lc = wp_kses_array_lc($allowed_html);
    $hooked = wp_kses_hook($string, $allowed_html_lc, $allowed_protocols);

    return wp_kses_split($hooked, $allowed_html_lc, $allowed_protocols);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed HTML element names, attribute names and attribute values,
 * plus sane HTML entities, survive in $string. Remove any slashes added by
 * PHP's magic quotes before calling this function.
 *
 * When $allowed_protocols is empty the global $allowedprotocols list is used
 * (documented upstream as 'http', 'https', 'ftp', 'mailto', 'news', 'irc',
 * 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn' — the common link
 * schemes except 'javascript', which must not be allowed for untrusted users).
 *
 * Unlike the other variants, this one applies no wp_kses_hook() and does not
 * lowercase $allowed_html: the allow-list keys are used exactly as given.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      List of allowed HTML elements.
 * @param array  $allowed_protocols Optional. Allowed protocols in links; falls back to the global list.
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array()) {
    global $allowedprotocols;

    $protocols = empty($allowed_protocols) ? $allowedprotocols : $allowed_protocols;

    $clean = wp_kses_no_null($string);
    $clean = wp_kses_js_entities($clean);
    $clean = wp_kses_normalize_entities($clean);

    return wp_kses_split($clean, $allowed_html, $protocols);
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Makes sure that only the allowed HTML element names, attribute names and
 * attribute values, plus sane HTML entities, occur in $string. Remove any
 * slashes from PHP's magic quotes before calling this function.
 *
 * The input is normalised (null bytes, JavaScript entities, entity
 * normalisation, wp_kses_hook()) and then split into tags that
 * wp_kses_split() keeps or strips against the lowercased allow-list.
 *
 * @param string $string            Content to filter.
 * @param array  $allowed_html      Allowed elements and their attributes.
 * @param array  $allowed_protocols Optional. Allowed URL schemes ('javascript' is not among the defaults).
 * @return string Filtered content.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'feed', 'gopher', 'mailto')) {
    $prepared = wp_kses_hook(wp_kses_normalize_entities(wp_kses_js_entities(wp_kses_no_null($string))));
    $allowed_html_lc = wp_kses_array_lc($allowed_html);

    return wp_kses_split($prepared, $allowed_html_lc, $allowed_protocols);
}
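/**
 * Checks and cleans a URL (NextGEN Gallery's variant of esc_url()).
 *
 * Strips characters that cannot appear in a URL, removes encoded CR/LF
 * sequences, prepends "http://" to scheme-less absolute URLs, HTML-encodes
 * the result for display and rejects any URL whose scheme is not in
 * $protocols. The 'clean_url' filter is applied to the returned URL.
 *
 * Changes in this revision:
 *  - The '&' and "'" replacement targets had been decoded on this page to a
 *    bare '&' and "'" (the latter is not valid PHP); they are restored to the
 *    numeric entities '&#038;' and '&#039;' — confirm against the plugin source.
 *  - A URL that is empty after stripping is now rejected with '' instead of
 *    reading $url[0] on an empty string and turning it into "http://".
 *
 * NOTE(review): the '%' -> '%25' step (not present in core esc_url()) also
 * rewrites already-encoded sequences, e.g. '%20' becomes '%2520'; it is kept
 * because callers expect it, but check how image URLs reach this function.
 *
 * @param string $url       The URL to be cleaned.
 * @param array  $protocols Optional. Acceptable protocols; defaults to wp_allowed_protocols().
 * @param string $_context  Private. 'display' (default) entity-encodes the result.
 * @return string The cleaned URL after the 'clean_url' filter, or '' if rejected.
 */
function nextgen_esc_url($url, $protocols = null, $_context = 'display') {
    $original_url = $url;
    if ('' == $url) {
        return $url;
    }

    // Drop every byte that cannot legitimately appear in a URL (a literal
    // space is allowed here and encoded as %20 further down).
    $url = preg_replace('|[^a-z0-9 \\-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);

    // Remove encoded CR/LF so the result can never carry a line break into a
    // header or attribute that later consumes it.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = _deep_replace($strip, $url);
    $url = str_replace(';//', '://', $url);

    // Everything may have been stripped: reject rather than index $url[0] on ''.
    if ('' === $url) {
        return '';
    }

    /* If the URL doesn't appear to contain a scheme, we
     * presume it needs http:// appended (unless a relative
     * link starting with /, # or ? or a php file). */
    if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?')) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
        $url = 'http://' . $url;
    }

    // Replace ampersands and single quotes only when displaying.
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        $url = str_replace('&', '&#038;', $url);
        $url = str_replace("'", '&#039;', $url);
        // NOTE(review): double-encodes sequences that are already percent-encoded.
        $url = str_replace('%', '%25', $url);
        $url = str_replace(' ', '%20', $url);
    }

    if ('/' === $url[0]) {
        $good_protocol_url = $url;
    } else {
        if (!is_array($protocols)) {
            $protocols = wp_allowed_protocols();
        }
        // wp_kses_bad_protocol() alters the URL when its scheme is not on the
        // allow-list; any difference therefore means "reject the whole URL".
        $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
        if (strtolower($good_protocol_url) != strtolower($url)) {
            return '';
        }
    }

    return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}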
/**
 * Renders the preformatted-text shortcode: a collapsible <pre> block with an
 * open/close label link and a jQuery initialiser for it.
 *
 * Returns null (no output) when the content is empty or 'open_default' is not
 * a boolean-like value. The content goes through htmlspecialchars() and
 * nl2br() before it is placed inside <pre>; both labels go through esc_html().
 *
 * NOTE(review): the preg_replace() step maps '[' and ']' onto themselves as
 * shown on this page, which is a no-op; the replacement array was presumably
 * '&#91;' / '&#93;' (to stop nested shortcode parsing) and was decoded by the
 * page rendering — confirm against the plugin source.
 * NOTE(review): $attribute['css_class'] reaches the class attribute through
 * PBHelper::createClassAttribute(); whether that escapes is not visible here.
 *
 * @param array|string $attribute Raw shortcode attributes.
 * @param string       $content   Shortcode body.
 * @param string       $tag       Shortcode tag name.
 * @return string|null
 */
function processShortcodePreformattedText($attribute, $content, $tag) {
    $attribute = $this->processAttribute($tag, $attribute);
    $validator = new PBValidation();

    if ($validator->isEmpty($content) || !$validator->isBool($attribute['open_default'])) {
        return null;
    }

    $classes = array('pb-preformatted-text');
    if ($attribute['open_default'] == 1) {
        $classes[] = 'pb-preformatted-text-visible';
    }
    $classes[] = $attribute['css_class'];

    $id = PBHelper::createId('pb_preformatted_text');

    $escaped = htmlspecialchars($content);
    $escaped = preg_replace(array('/\\[/', '/\\]/'), array('[', ']'), $escaped);
    $body = nl2br(trim($escaped));

    // %1$s is used twice: once as the element id and once in the initialiser.
    $template = ' <div id="%1$s"%2$s> <a href="#"> <span class="pb-preformatted-text-label-open">%3$s</span> <span class="pb-preformatted-text-label-close">%4$s</span> </a> <pre>%5$s</pre> </div> <div class="pb-script-tag"> <script type="text/javascript"> jQuery(document).ready(function($) { $("#%1$s").PBPreformattedText(); }); </script> </div> ';
    $html = sprintf(
        $template,
        $id,
        PBHelper::createClassAttribute($classes),
        esc_html($attribute['label_open']),
        esc_html($attribute['label_close']),
        wp_kses_normalize_entities($body)
    );

    return PBHelper::formatHTML($html);
}
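/**
 * Handle import/export for categories & listings (AJAX handler).
 *
 * Tasks (from $_REQUEST['task']):
 *  - 'export_posts' / 'export_cats': write a CSV for the post type given in
 *    $_REQUEST['_pt'] into the import/export directory; when $_REQUEST['_st']
 *    is present only the progress percentage of the running export is returned.
 *  - 'prepare_import': validate the uploaded CSV named in $_POST['_file'] and
 *    report its data-row count.
 *  - 'import_cat' / 'import_post': import $_POST['limit'] rows starting after
 *    $_POST['processed'], creating, updating or skipping ($_REQUEST['_ch'])
 *    existing records.
 *
 * Access control: the caller needs the 'manage_options' capability and a valid
 * 'geodir_import_export_nonce' nonce; otherwise an empty JSON object is sent.
 *
 * Changes in this revision:
 *  - '_pt' is validated against geodir_get_posttypes() before it is used to
 *    build file names inside the import/export directory. Previously a value
 *    such as "../x" made $wp_filesystem->delete() / move() act on a *.csv path
 *    outside that directory (admin + nonce were still required).
 *  - The uploaded CSV name is reduced with basename() after normalising
 *    backslashes, instead of taking the last '/'-separated segment.
 *  - count() was applied to an integer record count and the progress value was
 *    ceil(ratio) * 100, i.e. only ever 0 or 100; both are fixed.
 *  - Attachment rows are written with $wpdb->prepare(); the previous code
 *    interpolated CSV-derived file names into SQL and relied on addslashes_gpc().
 *  - The "skip if image already exists" check compared a base name with the
 *    stored 'subdir/name' path and so never matched; base names are compared.
 *  - Redundant second utf8_encode() passes over already-converted term data
 *    were removed (they double-encoded non-ASCII names).
 *  - The export paging loops ran one page past the end and wrote an empty batch.
 *  - The import loop no longer spins up to an arbitrarily large 'limit' once
 *    the last row has been reached; WPML language is restored for skipped rows.
 *
 * Deliberately unchanged: error_reporting(0), and the utf8_encode() pass over
 * every CSV cell, which assumes Latin-1 input and garbles CSVs that are already
 * UTF-8 — TODO confirm the expected file encoding.
 *
 * @since 1.4.6
 * @package GeoDirectory
 *
 * @global object $wpdb WordPress Database object.
 * @global string $plugin_prefix Geodirectory plugin table prefix.
 * @global object $current_user Current user object.
 * @global null|object $wp_filesystem WP_Filesystem object.
 * @return string Json data.
 */
function geodir_ajax_import_export() {
    global $wpdb, $plugin_prefix, $current_user, $wp_filesystem;

    // Imports can run long; raise the limits best-effort (original behaviour).
    @ini_set('max_input_time', 3000);
    @ini_set('max_execution_time', 3000);
    @ini_set('memory_limit', '256M');
    error_reporting(0);

    $json = array();

    // Authorisation first, then the CSRF token; both failures reply with "{}"
    // (wp_send_json() terminates the request).
    if (!current_user_can('manage_options')) {
        wp_send_json($json);
    }

    $task = isset($_REQUEST['task']) ? $_REQUEST['task'] : NULL;
    $nonce = isset($_REQUEST['_nonce']) ? $_REQUEST['_nonce'] : NULL;
    if (!wp_verify_nonce($nonce, 'geodir_import_export_nonce')) {
        wp_send_json($json);
    }

    $post_type = isset($_REQUEST['_pt']) ? $_REQUEST['_pt'] : NULL;
    $post_types = geodir_get_posttypes();

    $wp_filesystem = geodir_init_filesystem();
    if (!$wp_filesystem) {
        $json['error'] = __('Fail, something wrong to create csv file.', GEODIRECTORY_TEXTDOMAIN);
        wp_send_json($json);
        exit;
    }

    $cs_file_dir_missing = false;
    $csv_file_dir = geodir_path_import_export(false);
    if (!$wp_filesystem->is_dir($csv_file_dir)) {
        $cs_file_dir_missing = true;
        $wp_filesystem->mkdir($csv_file_dir, FS_CHMOD_DIR);
    }
    unset($cs_file_dir_missing);

    switch ($task) {
        case 'export_posts':
        case 'export_cats':
            // '_pt' becomes part of a file name inside $csv_file_dir: accept only
            // a registered GeoDirectory post type.
            if (!in_array($post_type, $post_types, true)) {
                $json['error'] = __('Invalid post type.', GEODIRECTORY_TEXTDOMAIN);
                wp_send_json($json);
            }

            // WPML: export every language, restoring the active one before replying.
            $is_wpml = geodir_is_wpml();
            if ($is_wpml) {
                global $sitepress;
                $active_lang = ICL_LANGUAGE_CODE;
                $sitepress->switch_lang('all', true);
            }

            if ($task == 'export_posts') {
                if ($post_type == 'gd_event') {
                    add_filter('geodir_imex_export_posts_query', 'geodir_imex_get_events_query', 10, 2);
                }
                $file_stem = $post_type . '_';
                $records_count = geodir_get_posts_count($post_type);
                $per_page = 100;
            } else {
                $file_stem = $post_type . 'category_';
                $records_count = geodir_get_terms_count($post_type);
                $per_page = 50;
            }

            $file_name = $file_stem . date('j_n_y');
            $file_url = geodir_path_import_export() . '/' . $file_name . '.csv';
            $file_path = $csv_file_dir . '/' . $file_name . '.csv';
            // Rows accumulate in a per-request temp file keyed by the (verified)
            // nonce and are moved into place at the end; '_st' polls read only
            // the temp file's line count.
            $file_path_temp = $csv_file_dir . '/' . $file_stem . $nonce . '.csv';

            if (isset($_REQUEST['_st'])) {
                $line_count = (int) geodir_import_export_line_count($file_path_temp);
                $percentage = 0;
                if ((int) $records_count > 0 && $line_count > 0) {
                    $percentage = (int) min(ceil($line_count / (int) $records_count * 100), 100);
                }
                $json['percentage'] = $percentage;
            } else {
                if ($wp_filesystem->exists($file_path)) {
                    $wp_filesystem->delete($file_path);
                }

                if ((int) $records_count <= 0) {
                    $json['error'] = __('No records to export.', GEODIRECTORY_TEXTDOMAIN);
                } else {
                    $records = $task == 'export_posts' ? geodir_imex_get_posts($post_type) : geodir_imex_get_terms($post_type);
                    if (empty($records)) {
                        $json['error'] = __('No records to export.', GEODIRECTORY_TEXTDOMAIN);
                    } else {
                        $total_pages = (int) ceil(count($records) / $per_page);
                        for ($page = 0; $page < $total_pages; $page++) {
                            $batch = array_slice($records, $page * $per_page, $per_page);
                            // The first batch truncates the temp file, later ones append.
                            geodir_save_csv_data($file_path_temp, $batch, $page == 0);
                        }
                        if ($wp_filesystem->exists($file_path_temp)) {
                            $wp_filesystem->move($file_path_temp, $file_path, true);
                        }
                        if ($wp_filesystem->exists($file_path)) {
                            $json['total'] = $records_count;
                            $json['csv_file'] = $file_url;
                        } else {
                            $json['error'] = __('Fail, something wrong to create csv file.', GEODIRECTORY_TEXTDOMAIN);
                        }
                    }
                }
            }

            if ($is_wpml) {
                $sitepress->switch_lang($active_lang, true);
            }
            wp_send_json($json);
            break;

        case 'prepare_import':
        case 'import_cat':
        case 'import_post':
            $is_wpml = geodir_is_wpml();
            if ($is_wpml) {
                global $sitepress;
                $active_lang = ICL_LANGUAGE_CODE;
            }

            ini_set('auto_detect_line_endings', true);

            $uploads = wp_upload_dir();
            $uploads_dir = $uploads['path'];
            $uploads_subdir = $uploads['subdir'];

            $csv_file = isset($_POST['_file']) ? $_POST['_file'] : NULL;
            $import_choice = isset($_REQUEST['_ch']) ? $_REQUEST['_ch'] : 'skip';

            // Only the base name is trusted: the CSV must live in this user's own
            // temp upload folder. Backslashes are normalised first so a
            // Windows-style path cannot slip past basename().
            $csv_filename = basename(str_replace('\\', '/', (string) $csv_file));
            $target_path = $uploads_dir . '/temp_' . $current_user->data->ID . '/' . $csv_filename;

            $json['file'] = $csv_file;
            $json['error'] = __('The uploaded file is not a valid csv file. Please try again.', GEODIRECTORY_TEXTDOMAIN);

            if (!$csv_file || !$wp_filesystem->is_file($target_path) || !$wp_filesystem->exists($target_path)) {
                wp_send_json($json);
            }
            // Both the extension and the sniffed type have to say CSV.
            $wp_filetype = wp_check_filetype_and_ext($target_path, $csv_filename);
            if (empty($wp_filetype) || !isset($wp_filetype['ext']) || strtolower($wp_filetype['ext']) != 'csv') {
                wp_send_json($json);
            }

            $json['error'] = NULL;
            $file = _geodir_ajax_import_export_read_csv($target_path);
            // Row 0 is the header; everything after it is data.
            $json['rows'] = count($file) > 1 ? count($file) - 1 : 0;
            if ($json['rows'] <= 0) {
                $json['error'] = __('No data found in csv file.', GEODIRECTORY_TEXTDOMAIN);
            }
            if ($task == 'prepare_import' || !empty($json['error'])) {
                wp_send_json($json);
            }

            $total = $json['rows'];
            $limit = isset($_POST['limit']) ? (int) $_POST['limit'] : 1;
            $processed = isset($_POST['processed']) ? (int) $_POST['processed'] : 0;
            // Never iterate past the last data row however large 'limit' is; the
            // reply still reports the requested limit as 'processed'.
            $rows_this_batch = min($limit, $total - $processed);

            $created = 0;
            $updated = 0;
            $skipped = 0;
            $invalid = 0;
            $invalid_addr = 0;
            $images = 0;

            $columns = isset($file[0]) ? $file[0] : NULL;
            if (empty($columns) || $columns[0] == '') {
                $json['error'] = CSV_INVAILD_FILE;
                wp_send_json($json);
            }
            $column_count = count($columns);

            if ($task == 'import_cat') {
                for ($i = 1; $i <= $rows_this_batch; $i++) {
                    $index = $processed + $i;
                    if (!isset($file[$index])) {
                        continue;
                    }
                    // Cells are trimmed and converted Latin-1 -> UTF-8 (original
                    // behaviour); short rows are padded so every column has a cell.
                    $row = array_map('utf8_encode', array_map('trim', $file[$index]));
                    $row = array_pad($row, $column_count, '');

                    $cat_id = 0;
                    $cat_name = '';
                    $cat_slug = '';
                    $cat_posttype = '';
                    $cat_parent = '';
                    $cat_description = '';
                    $cat_top_description = '';
                    $cat_image = '';
                    $cat_icon = '';
                    $cat_language = '';

                    foreach ($columns as $c => $column) {
                        $cell = $row[$c];
                        switch ($column) {
                            case 'cat_id':
                                $cat_id = (int) $cell;
                                break;
                            case 'cat_name':
                                $cat_name = $cell;
                                break;
                            case 'cat_slug':
                                $cat_slug = $cell;
                                break;
                            case 'cat_posttype':
                                $cat_posttype = $cell;
                                break;
                            case 'cat_parent':
                                $cat_parent = trim($cell);
                                break;
                            case 'cat_description':
                                $cat_description = $cell;
                                break;
                            case 'cat_top_description':
                                $cat_top_description = $cell;
                                break;
                            case 'cat_image':
                                $cat_image = $cell;
                                break;
                            case 'cat_icon':
                                $cat_icon = $cell;
                                break;
                            case 'cat_language':
                                if ($is_wpml) {
                                    $cat_language = strtolower(trim($cell));
                                }
                                break;
                        }
                    }

                    // A name and a registered post type are mandatory.
                    if ($cat_name == '' || !in_array($cat_posttype, $post_types)) {
                        $invalid++;
                        continue;
                    }

                    if ($is_wpml && $cat_language != '') {
                        $sitepress->switch_lang($cat_language, true);
                    }

                    // The cells are already UTF-8 here, so no second utf8_encode()
                    // pass (it would double-encode non-ASCII names).
                    $taxonomy = $cat_posttype . 'category';
                    $term_data = array(
                        'name' => $cat_name,
                        'slug' => $cat_slug,
                        'description' => $cat_description,
                        'top_description' => $cat_top_description,
                        // Only the file name is kept; images are expected in the uploads folder.
                        'image' => $cat_image != '' ? basename($cat_image) : '',
                        'icon' => $cat_icon != '' ? basename($cat_icon) : '',
                        'taxonomy' => $taxonomy,
                    );

                    // Parent: look it up by name, then slug, then id; create it if absent.
                    $term_parent_id = 0;
                    if ($cat_parent != '') {
                        $term_parent = get_term_by('name', $cat_parent, $taxonomy);
                        if (!$term_parent) {
                            $term_parent = get_term_by('slug', $cat_parent, $taxonomy);
                        }
                        if (!$term_parent) {
                            $term_parent = get_term_by('id', $cat_parent, $taxonomy);
                        }
                        if (!$term_parent) {
                            $term_parent_data = array('name' => $cat_parent, 'taxonomy' => $taxonomy);
                            $term_parent_id = (int) geodir_imex_insert_term($taxonomy, $term_parent_data);
                        } elseif (!is_wp_error($term_parent)) {
                            $term_parent_id = (int) $term_parent->term_id;
                        }
                    }
                    $term_data['parent'] = $term_parent_id;

                    // Existing term: matched by id first, then by slug.
                    $existing = NULL;
                    if ($import_choice == 'update' || $import_choice == 'skip') {
                        if ($cat_id > 0 && ($term = (array) term_exists($cat_id, $taxonomy))) {
                            $existing = $term;
                        } elseif ($term_data['slug'] != '' && ($term = (array) term_exists($term_data['slug'], $taxonomy))) {
                            $existing = $term;
                        }
                    }

                    $term_id = NULL;
                    if ($import_choice == 'update') {
                        if ($existing) {
                            $term_data['term_id'] = $existing['term_id'];
                            $term_id = geodir_imex_update_term($taxonomy, $term_data);
                        } else {
                            $term_id = geodir_imex_insert_term($taxonomy, $term_data);
                        }
                        if (!$term_id) {
                            $invalid++;
                        } elseif ($existing) {
                            $updated++;
                        } else {
                            $created++;
                        }
                    } elseif ($import_choice == 'skip') {
                        if ($existing) {
                            $skipped++;
                        } elseif ($term_id = geodir_imex_insert_term($taxonomy, $term_data)) {
                            $created++;
                        } else {
                            $invalid++;
                        }
                    } else {
                        // Unknown '_ch' value: nothing is written.
                        $invalid++;
                    }

                    if ($term_id) {
                        if (isset($term_data['top_description'])) {
                            update_tax_meta($term_id, 'ct_cat_top_desc', $term_data['top_description'], $cat_posttype);
                        }

                        // Image / icon meta is only rewritten when the file name changed.
                        $attachment_changed = false;
                        if ($term_data['image'] != '') {
                            $current_image = geodir_get_default_catimage($term_id, $cat_posttype);
                            $current_image = !empty($current_image) && isset($current_image['src']) ? $current_image['src'] : '';
                            if (basename($current_image) != $term_data['image']) {
                                $attachment_changed = true;
                                update_tax_meta($term_id, 'ct_cat_default_img', array('id' => 'image', 'src' => $uploads['url'] . '/' . $term_data['image']), $cat_posttype);
                            }
                        }
                        if ($term_data['icon'] != '') {
                            $current_icon = get_tax_meta($term_id, 'ct_cat_icon', false, $cat_posttype);
                            $current_icon = !empty($current_icon) && isset($current_icon['src']) ? $current_icon['src'] : '';
                            if (basename($current_icon) != $term_data['icon']) {
                                $attachment_changed = true;
                                update_tax_meta($term_id, 'ct_cat_icon', array('id' => 'icon', 'src' => $uploads['url'] . '/' . $term_data['icon']), $cat_posttype);
                            }
                        }
                        if ($attachment_changed) {
                            $images++;
                        }
                    }

                    if ($is_wpml && $cat_language != '') {
                        $sitepress->switch_lang($active_lang, true);
                    }
                }

                wp_send_json(array(
                    'processed' => $limit,
                    'created' => $created,
                    'updated' => $updated,
                    'skipped' => $skipped,
                    'invalid' => $invalid,
                    'images' => $images,
                ));
            } elseif ($task == 'import_post') {
                $wp_post_statuses = get_post_statuses(); // All of the WordPress supported post statuses.
                $default_status = 'publish';
                $current_date = date_i18n('Y-m-d', time());

                for ($i = 1; $i <= $rows_this_batch; $i++) {
                    $index = $processed + $i;
                    if (!isset($file[$index])) {
                        continue;
                    }
                    // trim, Latin-1 -> UTF-8, then slashes added because
                    // wp_insert_post()/wp_update_post() expect slashed input.
                    $row = array_map('addslashes_gpc', array_map('utf8_encode', array_map('trim', $file[$index])));
                    $row = array_pad($row, $column_count, '');

                    $gd_post = array();
                    $post_id = '';
                    $post_title = '';
                    $post_author = '';
                    $post_content = '';
                    $post_category_arr = array();
                    $post_tags = array();
                    $post_type = '';
                    $post_status = '';
                    $is_featured = NULL;
                    $post_address = '';
                    $post_city = '';
                    $post_region = '';
                    $post_country = '';
                    $post_zip = '';
                    $post_latitude = '';
                    $post_longitude = '';
                    $post_images = array();
                    $expire_date = 'Never';
                    $language = '';
                    $original_post_id = '';

                    foreach ($columns as $c => $column) {
                        $cell = $row[$c];
                        // Every column is also kept verbatim for geodir_save_post_info().
                        $gd_post[$column] = $cell;
                        switch ($column) {
                            case 'post_id':
                                $post_id = $cell;
                                break;
                            case 'post_title':
                                $post_title = $cell;
                                break;
                            case 'post_author':
                                $post_author = $cell;
                                break;
                            case 'post_content':
                                $post_content = $cell;
                                break;
                            case 'post_category':
                                if ($cell != '') {
                                    $post_category_arr = explode(',', $cell);
                                }
                                break;
                            case 'post_tags':
                                if ($cell != '') {
                                    $post_tags = explode(',', $cell);
                                }
                                break;
                            case 'post_type':
                                $post_type = $cell;
                                break;
                            case 'post_status':
                                $post_status = sanitize_key($cell);
                                break;
                            case 'is_featured':
                                $is_featured = (int) $cell;
                                break;
                            case 'post_address':
                                $post_address = $cell;
                                break;
                            case 'post_city':
                                $post_city = $cell;
                                break;
                            case 'post_region':
                                $post_region = $cell;
                                break;
                            case 'post_country':
                                $post_country = $cell;
                                break;
                            case 'post_zip':
                                $post_zip = $cell;
                                break;
                            case 'post_latitude':
                                $post_latitude = $cell;
                                break;
                            case 'post_longitude':
                                $post_longitude = $cell;
                                break;
                            case 'IMAGE':
                                if (!empty($cell) && $cell != '') {
                                    $post_images[] = $cell;
                                }
                                break;
                            case 'alive_days':
                                if ((int) $cell > 0) {
                                    $expire_date = date_i18n('Y-m-d', strtotime($current_date . '+' . (int) $cell . ' days'));
                                }
                                break;
                            case 'expire_date':
                                if ($cell != '' && strtolower($cell) != 'never') {
                                    // Accept d/m/Y style dates by normalising the separator;
                                    // $gd_post keeps the raw cell, as before.
                                    $normalised_date = str_replace('/', '-', $cell);
                                    $expire_date = date_i18n('Y-m-d', strtotime($normalised_date));
                                }
                                break;
                            case 'language':
                                if ($is_wpml) {
                                    $language = strtolower(trim($cell));
                                }
                                break;
                            case 'original_post_id':
                                if ($is_wpml) {
                                    $original_post_id = (int) $cell;
                                }
                                break;
                        }
                    }

                    if ($is_wpml && $language != '') {
                        $sitepress->switch_lang($language, true);
                    }

                    $gd_post['IMAGE'] = $post_images;

                    // Unknown or empty statuses fall back to 'publish'.
                    $post_status = !empty($post_status) ? sanitize_key($post_status) : $default_status;
                    if (!empty($wp_post_statuses) && !isset($wp_post_statuses[$post_status])) {
                        $post_status = $default_status;
                    }

                    $valid = true;
                    if ($post_title == '' || !in_array($post_type, $post_types)) {
                        $invalid++;
                        $valid = false;
                    }

                    $location_allowed = !(function_exists('geodir_cpt_no_location') && geodir_cpt_no_location($post_type));
                    $location_result = NULL;
                    if ($location_allowed) {
                        $location_result = geodir_get_default_location();
                        if ($post_address == '' || $post_city == '' || $post_region == '' || $post_country == '' || $post_latitude == '' || $post_longitude == '') {
                            $invalid_addr++;
                            $valid = false;
                        } elseif (!empty($location_result) && $location_result->location_id == 0) {
                            // With a zero default location id the row must match the default location.
                            if (strtolower($post_city) != strtolower($location_result->city) || strtolower($post_region) != strtolower($location_result->region) || strtolower($post_country) != strtolower($location_result->country)) {
                                $invalid_addr++;
                                $valid = false;
                            } elseif (!function_exists('geodir_location_plugin_activated')) {
                                // Set the default location when location manager not activated.
                                $gd_post['post_locations'] = '[' . $location_result->city_slug . '],[' . $location_result->region_slug . '],[' . $location_result->country_slug . ']';
                            }
                        }
                    }

                    if (!$valid) {
                        // Restore the language even for rejected rows.
                        if ($is_wpml && $language != '') {
                            $sitepress->switch_lang($active_lang, true);
                        }
                        continue;
                    }

                    $cat_taxonomy = $post_type . 'category';
                    $tags_taxonomy = $post_type . '_tags';

                    // Resolve category names/slugs to term ids, creating missing terms.
                    $post_category = array();
                    foreach ($post_category_arr as $value) {
                        $category_name = wp_kses_normalize_entities(trim($value));
                        if ($category_name == '') {
                            continue;
                        }
                        $term_category = get_term_by('name', $category_name, $cat_taxonomy);
                        if (!$term_category) {
                            $term_category = get_term_by('slug', $category_name, $cat_taxonomy);
                        }
                        if (!$term_category) {
                            $term_id = geodir_imex_insert_term($cat_taxonomy, array('name' => $category_name, 'taxonomy' => $cat_taxonomy));
                            $term_category = $term_id ? get_term($term_id, $cat_taxonomy) : array();
                        }
                        if (!empty($term_category) && !is_wp_error($term_category)) {
                            $post_category[] = intval($term_category->term_id);
                        }
                    }

                    $save_post = array(
                        'post_title' => $post_title,
                        'post_content' => $post_content,
                        'post_type' => $post_type,
                        'post_author' => $post_author,
                        'post_status' => $post_status,
                        'post_category' => $post_category,
                        'post_tags' => $post_tags,
                    );

                    $saved_post_id = NULL;
                    if ($import_choice == 'update') {
                        if ($post_id > 0 && get_post($post_id)) {
                            $save_post['ID'] = $post_id;
                            if (wp_update_post($save_post)) {
                                $saved_post_id = $post_id;
                                $updated++;
                            }
                        } elseif ($saved_post_id = wp_insert_post($save_post)) {
                            $created++;
                        }
                        if (empty($saved_post_id)) {
                            $invalid++;
                        }
                    } elseif ($import_choice == 'skip') {
                        if ($post_id > 0 && get_post($post_id)) {
                            $skipped++;
                        } elseif ($saved_post_id = wp_insert_post($save_post)) {
                            $created++;
                        } else {
                            $invalid++;
                        }
                    } else {
                        // Unknown '_ch' value: nothing is written.
                        $invalid++;
                    }

                    if ((int) $saved_post_id > 0) {
                        if ($is_wpml && $original_post_id > 0 && $language != '') {
                            // Attach this row as a translation of the original listing.
                            $wpml_post_type = 'post_' . $post_type;
                            $source_language = geodir_get_language_for_element($original_post_id, $wpml_post_type);
                            if ($source_language == '') {
                                $source_language = $sitepress->get_default_language();
                            }
                            $trid = $sitepress->get_element_trid($original_post_id, $wpml_post_type);
                            $sitepress->set_element_language_details($saved_post_id, $wpml_post_type, $trid, $language, $source_language);
                        }

                        $gd_post_info = geodir_get_post_info($saved_post_id);
                        $gd_post['post_id'] = $saved_post_id;
                        $gd_post['ID'] = $saved_post_id;
                        $gd_post['post_tags'] = $post_tags;
                        $gd_post['post_title'] = $post_title;
                        $gd_post['post_status'] = $post_status;
                        $gd_post['submit_time'] = time();
                        $gd_post['submit_ip'] = $_SERVER['REMOTE_ADDR'];

                        // Post location: a new location row is only added when the
                        // default location carries a non-zero id.
                        $post_location_id = 0;
                        if ($location_allowed && !empty($location_result) && $location_result->location_id > 0) {
                            $post_location_info = array('city' => $post_city, 'region' => $post_region, 'country' => $post_country, 'geo_lat' => $post_latitude, 'geo_lng' => $post_longitude);
                            if ($location_id = (int) geodir_add_new_location($post_location_info)) {
                                $post_location_id = $location_id;
                            }
                        }
                        $gd_post['post_location_id'] = $post_location_id;

                        // Price package: CSV value, else the listing's current package,
                        // else the post type's default package.
                        $package_id = !empty($gd_post['package_id']) ? (int) $gd_post['package_id'] : 0;
                        if (!$package_id && !empty($gd_post_info) && isset($gd_post_info->package_id) && $gd_post_info->package_id) {
                            $package_id = $gd_post_info->package_id;
                        }
                        $package_info = array();
                        if ($package_id && function_exists('geodir_get_package_info_by_id')) {
                            $package_info = (array) geodir_get_package_info_by_id($package_id);
                            // A package that belongs to another post type is ignored.
                            if (empty($package_info) || !isset($package_info['post_type']) || $package_info['post_type'] != $post_type) {
                                $package_info = array();
                            }
                        }
                        if (empty($package_info)) {
                            $package_info = (array) geodir_post_package_info(array(), '', $post_type);
                        }
                        if (!empty($package_info)) {
                            $package_id = $package_info['pid'];
                            if (isset($gd_post['alive_days']) || isset($gd_post['expire_date'])) {
                                // An expiry given in the CSV wins over the package duration.
                                $gd_post['expire_date'] = $expire_date;
                            } elseif (isset($package_info['days']) && (int) $package_info['days'] > 0) {
                                $gd_post['alive_days'] = (int) $package_info['days'];
                                $gd_post['expire_date'] = date_i18n('Y-m-d', strtotime($current_date . '+' . (int) $package_info['days'] . ' days'));
                            } else {
                                $gd_post['expire_date'] = 'Never';
                            }
                            $gd_post['package_id'] = $package_id;
                        }

                        // $post_type passed in_array() against geodir_get_posttypes() above,
                        // so the detail table name built from it is trusted.
                        $table = $plugin_prefix . $post_type . '_detail';
                        if ($post_type == 'gd_event') {
                            $gd_post = geodir_imex_process_event_data($gd_post);
                        }
                        unset($gd_post['post_id']);

                        // Franchise add-on fields.
                        if (is_plugin_active('geodir_franchise/geodir_franchise.php') && geodir_franchise_enabled($post_type)) {
                            if (isset($gd_post['gd_is_franchise']) && (int) $gd_post['gd_is_franchise'] == 1) {
                                $gd_franchise_lock = array();
                                if (isset($gd_post['gd_franchise_lock'])) {
                                    $gd_franchise_lock = explode(',', trim(str_replace(' ', '', $gd_post['gd_franchise_lock'])));
                                }
                                update_post_meta($saved_post_id, 'gd_is_franchise', 1);
                                update_post_meta($saved_post_id, 'gd_franchise_lock', $gd_franchise_lock);
                            } elseif (isset($gd_post['franchise']) && (int) $gd_post['franchise'] > 0 && geodir_franchise_check((int) $gd_post['franchise'])) {
                                geodir_save_post_meta($saved_post_id, 'franchise', (int) $gd_post['franchise']);
                            }
                        }

                        if (!empty($save_post['post_category']) && is_array($save_post['post_category'])) {
                            $save_post['post_category'] = array_unique(array_map('intval', $save_post['post_category']));
                            $gd_post[$cat_taxonomy] = $save_post['post_category'];
                        }

                        // Save post info
                        geodir_save_post_info($saved_post_id, $gd_post);

                        // post taxonomies
                        if (!empty($save_post['post_category'])) {
                            wp_set_object_terms($saved_post_id, $save_post['post_category'], $cat_taxonomy);
                            $post_default_category = isset($save_post['post_default_category']) ? $save_post['post_default_category'] : '';
                            $post_category_str = isset($save_post['post_category_str']) ? $save_post['post_category_str'] : '';
                            geodir_set_postcat_structure($saved_post_id, $cat_taxonomy, $post_default_category, $post_category_str);
                        }
                        if (!empty($save_post['post_tags'])) {
                            wp_set_object_terms($saved_post_id, $save_post['post_tags'], $tags_taxonomy);
                        }

                        // Post images
                        if (!empty($post_images) && _geodir_ajax_import_export_sync_images($saved_post_id, $post_images, $uploads_subdir, $table)) {
                            $images++;
                        }

                        /** This action is documented in geodirectory-functions/post-functions.php */
                        do_action('geodir_after_save_listing', $saved_post_id, $gd_post);

                        if (isset($is_featured)) {
                            geodir_save_post_meta($saved_post_id, 'is_featured', $is_featured);
                        }
                        if (isset($gd_post['expire_date'])) {
                            geodir_save_post_meta($saved_post_id, 'expire_date', $gd_post['expire_date']);
                        }
                    }

                    if ($is_wpml && $language != '') {
                        $sitepress->switch_lang($active_lang, true);
                    }
                }

                wp_send_json(array(
                    'processed' => $limit,
                    'created' => $created,
                    'updated' => $updated,
                    'skipped' => $skipped,
                    'invalid' => $invalid,
                    'invalid_addr' => $invalid_addr,
                    'images' => $images,
                ));
            }
            break;
    }

    echo '0';
    wp_die();
}

/**
 * Reads every non-empty record of a CSV file into a list of rows.
 *
 * @param string $path Absolute path of the CSV (already verified to be a CSV).
 * @return array List of rows, each a list of string cells; empty if the file cannot be opened.
 */
function _geodir_ajax_import_export_read_csv($path) {
    $rows = array();
    $handle = fopen($path, "r");
    if ($handle === FALSE) {
        return $rows;
    }
    while (($data = fgetcsv($handle, 100000, ",")) !== FALSE) {
        if (!empty($data)) {
            $rows[] = $data;
        }
    }
    fclose($handle);
    return $rows;
}

/**
 * Synchronises the attachment rows of an imported listing with the images
 * named in its CSV row.
 *
 * New files get an attachment row, rows for files no longer listed are
 * deleted, every listed file receives a menu_order matching its CSV position
 * and the first one becomes the listing's featured image.
 *
 * Image names arrive slashed (the row went through addslashes_gpc()) and are
 * unslashed once here so that $wpdb->prepare() is the only escaping layer.
 * NOTE: '%' and '_' inside a file name still act as LIKE wildcards, as before.
 *
 * @global object $wpdb
 * @param int    $post_id        Saved listing id.
 * @param array  $post_images    Image paths/names from the CSV 'IMAGE' columns.
 * @param string $uploads_subdir Upload sub directory the files are expected in.
 * @param string $table          Detail table of the listing's post type (trusted; built from a validated post type).
 * @return bool True when at least one attachment row was inserted.
 */
function _geodir_ajax_import_export_sync_images($post_id, $post_images, $uploads_subdir, $table) {
    global $wpdb;

    $post_id = (int) $post_id;
    $post_images = array_unique($post_images);

    // Base names of the attachments already on record.
    $old_names = array();
    $old_post_images = geodir_get_images($post_id);
    if (!empty($old_post_images)) {
        foreach ($old_post_images as $old_post_image) {
            if (!empty($old_post_image) && isset($old_post_image->file) && $old_post_image->file != '') {
                $old_names[] = basename($old_post_image->file);
            }
        }
    }

    $kept_names = array();
    $order = 1;
    foreach ($post_images as $post_image) {
        $image_name = stripslashes(basename($post_image));
        $kept_names[] = $image_name;
        if (in_array($image_name, $old_names, true)) {
            continue; // Skip if image already exists.
        }

        $arr_file_type = wp_check_filetype($image_name);
        if (empty($arr_file_type)) {
            continue;
        }

        $name_parts = explode('.', $image_name);
        array_pop($name_parts);

        $attachment = array(
            'post_id' => $post_id,
            'title' => implode('.', $name_parts),
            'content' => '',
            'file' => $uploads_subdir . '/' . $image_name,
            'mime_type' => $arr_file_type['type'],
            'menu_order' => $order,
            'is_featured' => 0,
        );

        // Empty values are left to their column defaults, as before. Column
        // names come from the fixed key list above, never from the CSV.
        $insert_columns = array();
        $placeholders = array();
        $values = array();
        foreach ($attachment as $key => $val) {
            if ($val != '') {
                $insert_columns[] = $key;
                $placeholders[] = '%s';
                $values[] = $val;
            }
        }
        if (!empty($insert_columns)) {
            $wpdb->query($wpdb->prepare(
                "INSERT INTO " . GEODIR_ATTACHMENT_TABLE . " (" . implode(', ', $insert_columns) . ") VALUES (" . implode(', ', $placeholders) . ")",
                $values
            ));
        }
        $order++;
    }

    // Remove previous attachments that are not part of this import.
    $delete_sql = "DELETE FROM " . GEODIR_ATTACHMENT_TABLE . " WHERE post_id = %d";
    $delete_args = array($post_id);
    if (!empty($kept_names)) {
        $conditions = array();
        foreach ($kept_names as $img_name) {
            $conditions[] = 'file NOT LIKE %s';
            $delete_args[] = '%/' . $img_name;
        }
        $delete_sql .= ' AND ( ' . implode(' AND ', $conditions) . ' )';
    }
    $wpdb->query($wpdb->prepare($delete_sql, $delete_args));

    $menu_order = 1;
    foreach ($kept_names as $img_name) {
        $wpdb->query($wpdb->prepare("UPDATE " . GEODIR_ATTACHMENT_TABLE . " SET menu_order = %d WHERE post_id =%d AND file LIKE %s", array($menu_order, $post_id, '%/' . $img_name)));
        if ($menu_order == 1) {
            // The first listed image is the featured one.
            $featured_image = $wpdb->get_var($wpdb->prepare("SELECT file FROM " . GEODIR_ATTACHMENT_TABLE . " WHERE post_id =%d AND file LIKE %s", array($post_id, '%/' . $img_name)));
            if ($featured_image) {
                $wpdb->query($wpdb->prepare("UPDATE " . $table . " SET featured_image = %s WHERE post_id =%d", array($featured_image, $post_id)));
            }
        }
        $menu_order++;
    }

    return $order > 1;
}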
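/**
 * Adds the 'login_post' context to the 'clean_url' filter: URLs escaped in
 * that context get the login URL scheme and are entity-encoded for output on
 * the site. Every other context is passed through untouched.
 *
 * NOTE(review): the page rendering had decoded the replacement strings to a
 * bare '&' and "'" (the latter is not valid PHP). They are restored to the
 * numeric entities '&#038;' and '&#039;' here — confirm against the theme
 * source.
 *
 * @param string $url          URL after esc_url() cleaning.
 * @param string $original_url URL before cleaning (not used here).
 * @param string $context      Context passed to esc_url(); only 'login_post' is handled.
 *
 * @return string
 */
function appthemes_add_login_post_context($url, $original_url, $context) {
    if ($context != 'login_post') {
        return $url;
    }

    $url = set_url_scheme($url, $context);
    $url = wp_kses_normalize_entities($url);
    $url = str_replace('&', '&#038;', $url);

    return str_replace("'", '&#039;', $url);
}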
/**
 * Returns $value with its HTML entities normalised for output.
 *
 * A falsy $value (0, '', null, ...) yields null, exactly as the original's
 * implicit return did.
 *
 * @param mixed $value Text to normalise; defaults to 0.
 * @return string|null Normalised text, or null for a falsy input.
 */
public function html_out($value = 0) {
    if (!$value) {
        return null;
    }
    return wp_kses_normalize_entities($value);
}
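/**
 * Checks and cleans a URL.
 *
 * A number of characters are removed from the URL. If the URL is for displaying
 * (the default behaviour) ampersands and single quotes are also entity-encoded.
 * The 'clean_url' filter is applied to the returned cleaned URL.
 *
 * Fix: the display-context replacements used a literal '&' and a bare quote as
 * replacement text (a no-op and a parse error respectively); they are now the
 * numeric entity references &#038; and &#039;.
 *
 * @since 2.8.0
 * @uses wp_kses_bad_protocol() To only permit protocols in the URL set
 *      via $protocols or the common ones set in the function.
 *
 * @param string $url       The URL to be cleaned.
 * @param array  $protocols Optional. An array of acceptable protocols.
 *                          Anything that is not an array means wp_allowed_protocols().
 * @param string $_context  Private. Use esc_url_raw() for database usage.
 * @return string The cleaned $url after the 'clean_url' filter is applied,
 *                or '' when the URL carries a protocol that is not allowed.
 */
function esc_url( $url, $protocols = null, $_context = 'display' ) {
	$original_url = $url;

	if ( '' == $url )
		return $url;

	// Drop every byte outside the URL-safe set (this removes whitespace and angle brackets too).
	$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
	// Strip encoded CR/LF repeatedly so a nested encoding cannot smuggle a line break through.
	$strip = array('%0d', '%0a', '%0D', '%0A');
	$url = _deep_replace($strip, $url);
	$url = str_replace(';//', '://', $url);

	/* If the URL doesn't appear to contain a scheme, we
	 * presume it needs http:// appended (unless a relative
	 * link starting with /, # or ? or a php file).
	 */
	if ( strpos($url, ':') === false && ! in_array( $url[0], array( '/', '#', '?' ) ) &&
		! preg_match('/^[a-z0-9-]+?\.php/i', $url) )
		$url = 'http://' . $url;

	// Replace ampersands and single quotes only when displaying.
	if ( 'display' == $_context ) {
		$url = wp_kses_normalize_entities( $url );
		$url = str_replace( '&', '&#038;', $url );
		$url = str_replace( "'", '&#039;', $url );
	}

	// A root-relative URL has no scheme, so there is no protocol to vet.
	if ( '/' === $url[0] ) {
		$good_protocol_url = $url;
	} else {
		if ( ! is_array( $protocols ) )
			$protocols = wp_allowed_protocols();
		$good_protocol_url = wp_kses_bad_protocol( $url, $protocols );
		// Any change made by wp_kses_bad_protocol() means a disallowed scheme: fail closed.
		if ( strtolower( $good_protocol_url ) != strtolower( $url ) )
			return '';
	}

	/**
	 * Filter a string cleaned and escaped for output as a URL.
	 *
	 * @since 2.3.0
	 *
	 * @param string $good_protocol_url The cleaned URL to be returned.
	 * @param string $original_url      The URL prior to cleaning.
	 * @param string $_context          If 'display', replace ampersands and single quotes only.
	 */
	return apply_filters( 'clean_url', $good_protocol_url, $original_url, $_context );
}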
/**
 * When search_terms are passed to BP_User_Query, search against xprofile fields.
 *
 * Widens the core user_login/user_nicename search clause with an OR'd
 * sub-select against the xprofile data table, using the same wildcard rules.
 *
 * @since BuddyPress (2.0.0)
 *
 * @param array         $sql   Clauses in the user_id SQL query.
 * @param BP_User_Query $query User query object.
 * @return array The $sql array with $sql['where']['search'] widened, or unchanged
 *               when there is no search term or no core search clause.
 */
function bp_xprofile_bp_user_query_search($sql, BP_User_Query $query) {
    global $wpdb;

    $vars = $query->query_vars;

    if (empty($vars['search_terms']) || empty($sql['where']['search'])) {
        return $sql;
    }

    $bp = buddypress();

    // Normalise entities, then escape LIKE metacharacters so '%' and '_' inside
    // the term match literally; the wildcards are appended afterwards.
    $term = bp_esc_like(wp_kses_normalize_entities($vars['search_terms']));

    $wildcard = $vars['search_wildcard'];
    if ($wildcard === 'left') {
        $pattern_nospace = '%' . $term;
        $pattern_space   = '%' . $term . ' %';
    } elseif ($wildcard === 'right') {
        $pattern_nospace = $term . '%';
        $pattern_space   = '% ' . $term . '%';
    } else {
        $pattern_nospace = '%' . $term . '%';
        $pattern_space   = $pattern_nospace;
    }

    // Combine the core search (against wp_users) into a single OR clause with
    // the xprofile_data search. Both LIKE patterns go through prepare().
    $xprofile_clause = $wpdb->prepare(
        "u.{$query->uid_name} IN ( SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE %s OR value LIKE %s )",
        $pattern_nospace,
        $pattern_space
    );

    $sql['where']['search'] = "( {$xprofile_clause} OR {$sql['where']['search']} )";

    return $sql;
}
/**
 * Exercises wp_kses_bad_protocol() with a list of inputs that must be blocked
 * and a list that must pass through untouched.
 *
 * NOTE(review): many entries in $bad are byte-for-byte duplicates
 * ('javascript:alert(1);' nine times in a row, 'javascript:javascript:alert(1);'
 * five times) and one entry, 'javascript:alert('XSS')', does not even parse.
 * That pattern is consistent with the original obfuscated, entity-encoded
 * payloads having been decoded to plain characters somewhere upstream of this
 * listing; the index-keyed expectations in the switch ($k) below cannot line up
 * with such inputs. Verify against the pristine test file before relying on it.
 */
function test_wp_kses_bad_protocol() {
	// Inputs that must be blocked: an empty result or the bare payload is a pass,
	// and a few indices are expected to be only partially stripped (see the switch).
	$bad = array(
		'dummy:alert(1)',
		'javascript:alert(1)',
		'JaVaScRiPt:alert(1)',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert(1);',
		'javascript:alert('XSS')',
		'jav ascript:alert(1);',
		'jav	ascript:alert(1);',
		'jav
ascript:alert(1);',
		'jav
ascript:alert(1);',
		'  javascript:alert(1);',
		'javascript:javascript:alert(1);',
		'javascript:javascript:alert(1);',
		'javascript:javascript:alert(1);',
		'javascript:javascript:alert(1);',
		'javascript:javascript:alert(1);',
		'javascript:alert(1)//?:',
		'feed:javascript:alert(1)',
		'feed:javascript:feed:javascript:feed:javascript:alert(1)',
	);
	foreach ( $bad as $k => $x ) {
		// Entities are normalised first, as wp_kses() does before calling wp_kses_bad_protocol().
		$result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), wp_allowed_protocols() );
		if ( ! empty( $result ) && $result != 'alert(1);' && $result != 'alert(1)' ) {
			switch ( $k ) {
				case 6:
					$this->assertEquals( 'javascript&#0000058alert(1);', $result );
					break;
				case 12:
					$this->assertEquals( str_replace( '&', '&', $x ), $result );
					break;
				case 22:
					$this->assertEquals( 'javascript&#0000058alert(1);', $result );
					break;
				case 23:
					$this->assertEquals( 'javascript&#0000058alert(1)//?:', $result );
					break;
				case 24:
					// Only the outer, allowed 'feed:' scheme survives; the inner javascript: is dropped.
					$this->assertEquals( 'feed:alert(1)', $result );
					break;
				default:
					$this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" );
			}
		}
	}

	// Inputs that must not be altered when 'http', 'https' and 'dummy' are allowed
	// (case-only differences in the scheme are tolerated via the second comparison).
	$safe = array(
		'dummy:alert(1)',
		'HTTP://example.org/',
		'http://example.org/',
		'http://example.org/',
		'http://example.org/',
		'https://example.org',
		'http://example.org/wp-admin/post.php?post=2&action=edit',
		'http://example.org/index.php?test='blah'',
	);
	foreach ( $safe as $x ) {
		$result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), array( 'http', 'https', 'dummy' ) );
		if ( $result != $x && $result != 'http://example.org/' )
			$this->fail( "wp_kses_bad_protocol incorrectly blocked $x" );
	}
}
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * Only the allowed element names, attribute names and attribute values, plus
 * sane HTML entities, survive in the returned string. Remove any slashes from
 * PHP's magic quotes before calling this function.
 *
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp' and 'svn'. This
 * covers all common link protocols, except for 'javascript' which should not
 * be allowed for untrusted users.
 *
 * @since 1.0.0
 *
 * @param string $string            Content to filter through kses.
 * @param array  $allowed_html      List of allowed HTML elements.
 * @param array  $allowed_protocols Optional. Allowed protocols in links; empty
 *                                  means wp_allowed_protocols().
 * @return string Filtered content with only allowed HTML elements.
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array()) {
    // An empty (or omitted) list means "use the site-wide protocol allow-list".
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // The stages run in this fixed order: NUL handling (keeping "\0" sequences),
    // JavaScript-entity removal, entity normalisation, then the kses hook.
    $filtered = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $filtered = wp_kses_js_entities($filtered);
    $filtered = wp_kses_normalize_entities($filtered);
    $filtered = wp_kses_hook($filtered, $allowed_html, $protocols);

    return wp_kses_split($filtered, $allowed_html, $protocols);
}
/**
 * Prepare the query for user_ids.
 *
 * Builds the SELECT/WHERE/ORDER BY/LIMIT fragments that select user IDs into
 * $this->uid_clauses. Every user-supplied value that reaches SQL goes through
 * $wpdb->prepare() or wp_parse_id_list(); the interpolated table and column
 * names ($this->uid_table, $this->uid_name) are assigned from fixed strings
 * and known table-name properties inside this method only.
 *
 * NOTE(review): extract($this->query_vars) will overwrite $wpdb, $bp and any
 * of the defaults above if query_vars carries a key of that name, and
 * $search_wildcard / $member_type / $member_type__in / $member_type__not_in
 * have no default here. query_vars is presumably normalised (wp_parse_args)
 * before this runs and never taken straight from the request — confirm.
 *
 * @since 1.7.0
 */
public function prepare_user_ids_query() {
    global $wpdb;
    $bp = buddypress();

    // Default query variables used here.
    $type = '';
    $per_page = 0;
    $page = 1;
    $user_id = 0;
    $include = false;
    $search_terms = false;
    $exclude = false;
    $meta_key = false;
    $meta_value = false;
    extract($this->query_vars);

    // Setup the main SQL query container.
    $sql = array('select' => '', 'where' => array(), 'orderby' => '', 'order' => '', 'limit' => '');

    /* TYPE **************************************************************/

    // Determines the sort order, which means it also determines where the
    // user IDs are drawn from (the SELECT and WHERE statements).
    switch ($type) {
        // 'online' query happens against the last_activity usermeta key
        // Filter 'bp_user_query_online_interval' to modify the
        // number of minutes used as an interval.
        case 'online':
            $this->uid_name = 'user_id';
            $this->uid_table = $bp->members->table_name_last_activity;
            $sql['select'] = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
            $sql['where'][] = $wpdb->prepare("u.component = %s AND u.type = 'last_activity'", buddypress()->members->id);
            /**
             * Filters the threshold for activity timestamp minutes since to indicate online status.
             *
             * @since 1.8.0
             *
             * @param int $value Amount of minutes for threshold. Default 15.
             */
            $sql['where'][] = $wpdb->prepare("u.date_recorded >= DATE_SUB( UTC_TIMESTAMP(), INTERVAL %d MINUTE )", apply_filters('bp_user_query_online_interval', 15));
            $sql['orderby'] = "ORDER BY u.date_recorded";
            $sql['order'] = "DESC";
            break;

        // 'active', 'newest', and 'random' queries
        // all happen against the last_activity usermeta key.
        case 'active':
        case 'newest':
        case 'random':
            $this->uid_name = 'user_id';
            $this->uid_table = $bp->members->table_name_last_activity;
            $sql['select'] = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
            $sql['where'][] = $wpdb->prepare("u.component = %s AND u.type = 'last_activity'", buddypress()->members->id);
            if ('newest' == $type) {
                $sql['orderby'] = "ORDER BY u.user_id";
                $sql['order'] = "DESC";
            } elseif ('random' == $type) {
                $sql['orderby'] = "ORDER BY rand()";
            } else {
                $sql['orderby'] = "ORDER BY u.date_recorded";
                $sql['order'] = "DESC";
            }
            break;

        // 'popular' sorts by the 'total_friend_count' usermeta.
        case 'popular':
            $this->uid_name = 'user_id';
            $this->uid_table = $wpdb->usermeta;
            $sql['select'] = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
            $sql['where'][] = $wpdb->prepare("u.meta_key = %s", bp_get_user_meta_key('total_friend_count'));
            // meta_value is a string column; cast so the sort is numeric.
            $sql['orderby'] = "ORDER BY CONVERT(u.meta_value, SIGNED)";
            $sql['order'] = "DESC";
            break;

        // 'alphabetical' sorts depend on the xprofile setup.
        case 'alphabetical':
            // We prefer to do alphabetical sorts against the display_name field
            // of wp_users, because the table is smaller and better indexed. We
            // can do so if xprofile sync is enabled, or if xprofile is inactive.
            //
            // @todo remove need for bp_is_active() check.
            if (!bp_disable_profile_sync() || !bp_is_active('xprofile')) {
                $this->uid_name = 'ID';
                $this->uid_table = $wpdb->users;
                $sql['select'] = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
                $sql['orderby'] = "ORDER BY u.display_name";
                $sql['order'] = "ASC";

            // When profile sync is disabled, alphabetical sorts must happen against
            // the xprofile table.
            } else {
                $this->uid_name = 'user_id';
                $this->uid_table = $bp->profile->table_name_data;
                $sql['select'] = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
                $sql['where'][] = $wpdb->prepare("u.field_id = %d", bp_xprofile_fullname_field_id());
                $sql['orderby'] = "ORDER BY u.value";
                $sql['order'] = "ASC";
            }

            // Alphabetical queries ignore last_activity, while BP uses last_activity
            // to infer spam/deleted/non-activated users. To ensure that these users
            // are filtered out, we add an appropriate sub-query.
            $sql['where'][] = "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE " . bp_core_get_status_sql('') . " )";
            break;

        // Any other 'type' falls through.
        default:
            $this->uid_name = 'ID';
            $this->uid_table = $wpdb->users;
            $sql['select'] = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
            // In this case, we assume that a plugin is
            // handling order, so we leave those clauses
            // blank.
            break;
    }

    /* WHERE *************************************************************/

    // 'include' - User ids to include in the results.
    // wp_parse_id_list() reduces the input to unique integers, so the
    // comma-joined list can be interpolated safely.
    $include = false !== $include ? wp_parse_id_list($include) : array();
    $include_ids = $this->get_include_ids($include);
    if (!empty($include_ids)) {
        $include_ids = implode(',', wp_parse_id_list($include_ids));
        $sql['where'][] = "u.{$this->uid_name} IN ({$include_ids})";
    }

    // 'exclude' - User ids to exclude from the results.
    if (false !== $exclude) {
        $exclude_ids = implode(',', wp_parse_id_list($exclude));
        $sql['where'][] = "u.{$this->uid_name} NOT IN ({$exclude_ids})";
    }

    // 'user_id' - When a user id is passed, limit to the friends of the user
    // @todo remove need for bp_is_active() check.
    if (!empty($user_id) && bp_is_active('friends')) {
        $friend_ids = friends_get_friend_user_ids($user_id);
        $friend_ids = implode(',', wp_parse_id_list($friend_ids));
        if (!empty($friend_ids)) {
            $sql['where'][] = "u.{$this->uid_name} IN ({$friend_ids})";

        // If the user has no friends, the query should always
        // return no users.
        } else {
            $sql['where'][] = $this->no_results['where'];
        }
    }

    /* Search Terms ******************************************************/

    // 'search_terms' searches user_login and user_nicename
    // xprofile field matches happen in bp_xprofile_bp_user_query_search().
    if (false !== $search_terms) {
        // Normalise entities, then escape LIKE metacharacters before adding wildcards.
        $search_terms = bp_esc_like(wp_kses_normalize_entities($search_terms));
        if ($search_wildcard === 'left') {
            $search_terms_nospace = '%' . $search_terms;
            $search_terms_space = '%' . $search_terms . ' %';
        } elseif ($search_wildcard === 'right') {
            $search_terms_nospace = $search_terms . '%';
            $search_terms_space = '% ' . $search_terms . '%';
        } else {
            $search_terms_nospace = '%' . $search_terms . '%';
            $search_terms_space = '%' . $search_terms . '%';
        }
        $sql['where']['search'] = $wpdb->prepare("u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE %s OR user_login LIKE %s OR user_nicename LIKE %s OR user_nicename LIKE %s ) )", $search_terms_nospace, $search_terms_space, $search_terms_nospace, $search_terms_space);
    }

    // Only use $member_type__in if $member_type is not set.
    if (empty($member_type) && !empty($member_type__in)) {
        $member_type = $member_type__in;
    }

    // Member types to exclude. Note that this takes precedence over inclusions.
    if (!empty($member_type__not_in)) {
        $member_type_clause = $this->get_sql_clause_for_member_types($member_type__not_in, 'NOT IN');

    // Member types to include.
    } elseif (!empty($member_type)) {
        $member_type_clause = $this->get_sql_clause_for_member_types($member_type, 'IN');
    }

    if (!empty($member_type_clause)) {
        $sql['where']['member_type'] = $member_type_clause;
    }

    // 'meta_key', 'meta_value' allow usermeta search
    // To avoid global joins, do a separate query.
    if (false !== $meta_key) {
        $meta_sql = $wpdb->prepare("SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key = %s", $meta_key);
        if (false !== $meta_value) {
            $meta_sql .= $wpdb->prepare(" AND meta_value = %s", $meta_value);
        }
        $found_user_ids = $wpdb->get_col($meta_sql);
        if (!empty($found_user_ids)) {
            $sql['where'][] = "u.{$this->uid_name} IN (" . implode(',', wp_parse_id_list($found_user_ids)) . ")";
        } else {
            // No match at all: force an empty result set rather than dropping the filter.
            $sql['where'][] = '1 = 0';
        }
    }

    // 'per_page', 'page' - handles LIMIT.
    if (!empty($per_page) && !empty($page)) {
        $sql['limit'] = $wpdb->prepare("LIMIT %d, %d", intval(($page - 1) * $per_page), intval($per_page));
    } else {
        $sql['limit'] = '';
    }

    /**
     * Filters the clauses for the user query.
     *
     * NOTE(review): a filter callback can inject arbitrary SQL here; only
     * trusted code should hook 'bp_user_query_uid_clauses'.
     *
     * @since 2.0.0
     *
     * @param array         $sql  Array of SQL clauses to be used in the query.
     * @param BP_User_Query $this Current BP_User_Query instance.
     */
    $sql = apply_filters_ref_array('bp_user_query_uid_clauses', array($sql, &$this));

    // Assemble the query chunks.
    $this->uid_clauses['select'] = $sql['select'];
    $this->uid_clauses['where'] = !empty($sql['where']) ? 'WHERE ' . implode(' AND ', $sql['where']) : '';
    $this->uid_clauses['orderby'] = $sql['orderby'];
    $this->uid_clauses['order'] = $sql['order'];
    $this->uid_clauses['limit'] = $sql['limit'];

    /**
     * Fires before the BP_User_Query query is made.
     *
     * @since 1.7.0
     *
     * @param BP_User_Query $this Current BP_User_Query instance. Passed by reference.
     */
    do_action_ref_array('bp_pre_user_query', array(&$this));
}
/**
 * VaultPress copy of wp_kses(): normalises the input the way core does
 * (strip NULs, strip JavaScript entities, normalise entities) and then hands
 * off to the local split implementation. Unlike the core wp_kses() versions
 * on this page there is no wp_kses_hook() pass.
 *
 * @param string $string            Content to filter.
 * @param array  $allowed_html      Allowed elements and attributes.
 * @param array  $allowed_protocols Allowed URL protocols; empty by default.
 * @return string Filtered content.
 */
static function wp_kses($string, $allowed_html, $allowed_protocols = array()) {
    // Same fixed pre-processing order as core.
    $stages = array('wp_kses_no_null', 'wp_kses_js_entities', 'wp_kses_normalize_entities');
    $clean = $string;
    foreach ($stages as $stage) {
        $clean = $stage($clean);
    }
    return VaultPress_kses::wp_kses_split($clean, $allowed_html, $allowed_protocols);
}
/**
 * Filters one attribute only and ensures its value is allowed.
 *
 * This function has the advantage of being more secure than esc_attr() and can
 * escape data in some situations where wp_kses() must strip the whole attribute.
 *
 * The processing order mirrors wp_kses(): NUL bytes are removed (keeping "\0"
 * sequences), JavaScript entities are stripped, entities are normalised, and
 * only then is the name/value pair parsed. URI-bearing attributes additionally
 * pass through wp_kses_bad_protocol() against the site-wide protocol allow-list
 * before wp_kses_attr_check() applies the per-element rules of the 'post'
 * context.
 *
 * @since 4.2.3
 *
 * @param string $string  The 'whole' attribute, including name and value.
 * @param string $element The element name to which the attribute belongs.
 * @return string Filtered attribute; '' when the value is quoted on one side
 *                only. wp_kses_attr_check() presumably edits $string in place
 *                (it is called for effect and $string is returned afterwards).
 */
function wp_kses_one_attr($string, $element) {
    // Attribute names whose values are URIs and therefore need protocol vetting.
    $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
    $allowed_html = wp_kses_allowed_html('post');
    $allowed_protocols = wp_allowed_protocols();
    $string = wp_kses_no_null($string, array('slash_zero' => 'keep'));
    $string = wp_kses_js_entities($string);
    $string = wp_kses_normalize_entities($string);

    // Preserve leading and trailing whitespace.
    $matches = array();
    preg_match('/^\\s*/', $string, $matches);
    $lead = $matches[0];
    preg_match('/\\s*$/', $string, $matches);
    $trail = $matches[0];
    if (empty($trail)) {
        $string = substr($string, strlen($lead));
    } else {
        $string = substr($string, strlen($lead), -strlen($trail));
    }

    // Parse attribute name and value from input (split on the first '=' only).
    $split = preg_split('/\\s*=\\s*/', $string, 2);
    $name = $split[0];
    if (count($split) == 2) {
        $value = $split[1];

        // Remove quotes surrounding $value.
        // Also guarantee correct quoting in $string for this one attribute.
        if ('' == $value) {
            $quote = '';
        } else {
            $quote = $value[0];
        }
        if ('"' == $quote || "'" == $quote) {
            // A value opened with a quote must close with the same quote;
            // otherwise refuse the whole attribute rather than guess.
            if (substr($value, -1) != $quote) {
                return '';
            }
            $value = substr($value, 1, -1);
        } else {
            // Unquoted (or empty) value: re-emit it double-quoted.
            $quote = '"';
        }

        // Sanitize quotes and angle braces. double_encode=false keeps the
        // entities normalised above from being encoded a second time.
        $value = htmlspecialchars($value, ENT_QUOTES, null, false);

        // Sanitize URI values.
        if (in_array(strtolower($name), $uris)) {
            $value = wp_kses_bad_protocol($value, $allowed_protocols);
        }

        $string = "{$name}={$quote}{$value}{$quote}";
        $vless = 'n';
    } else {
        // No '=' at all: a value-less attribute.
        $value = '';
        $vless = 'y';
    }

    // Sanitize attribute by name.
    wp_kses_attr_check($name, $value, $string, $vless, $element, $allowed_html);

    // Restore whitespace.
    return $lead . $string . $trail;
}
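/**
 * Imports data from CSV file using ajax.
 *
 * Two-phase AJAX handler. With task=prepare it only validates the previously
 * uploaded CSV (it must live under the current user's temp_<ID> upload folder
 * and pass wp_check_filetype_and_ext() as csv) and reports the row count. Any
 * other task imports a window of rows (tmpcount+1 .. tmpcount+importlimit) and
 * reports per-category counters as JSON. Always exits.
 *
 * Trust boundary: every cell of the CSV is attacker-controlled once the upload
 * step is reachable, so nothing taken from $buffer may reach SQL unescaped.
 * Fixes in this revision:
 *  - the "SHOW TABLES LIKE" probe concatenated the CSV post-type column into
 *    the query string; it now goes through $wpdb->prepare().
 *  - the attachment INSERT concatenated the CSV image name (title and file
 *    path) into a raw "SET k = 'v'" list; it now uses $wpdb->insert().
 * Unused locals ($count and friends, $image_folder_name, $error, $rowcount,
 * $post_location, $requested_limit) and a duplicate wp_upload_dir() call were
 * dropped; nothing else changes.
 *
 * NOTE(review): no nonce or capability check is visible here and the CSV's
 * second column is written straight into post_author; presumably the action
 * is registered for privileged users only — confirm before exposing it.
 *
 * @since 1.0.0
 * @package GeoDirectory
 * @global object $wpdb WordPress Database object.
 * @global string $plugin_prefix Geodirectory plugin table prefix.
 * @global object $current_user Current user object.
 * @return void Emits JSON and exits.
 */
function geodir_ajax_import_csv() {
    error_reporting(0); // hide error to get clean json response
    global $wpdb, $plugin_prefix, $current_user;
    ini_set('auto_detect_line_endings', true);
    $wp_post_statuses = get_post_statuses(); // All of the WordPress supported post statuses.

    $task = isset($_POST['task']) ? $_POST['task'] : '';
    $uploadedFile = isset($_POST['gddata']['uploadedFile']) ? $_POST['gddata']['uploadedFile'] : NULL;
    $filename = $uploadedFile;
    $uploads = wp_upload_dir();
    $uploads_dir = $uploads['path'];
    // Keep only the last '/'-separated segment so the request cannot point outside temp_<ID>/.
    $image_name_arr = explode('/', $filename);
    $filename = end($image_name_arr);
    $target_path = $uploads_dir . '/temp_' . $current_user->data->ID . '/' . $filename;

    $return = array();
    $return['file'] = $uploadedFile;
    $return['error'] = __('The uploaded file is not a valid csv file. Please try again.', 'geodirectory');

    if (is_file($target_path) && file_exists($target_path) && $uploadedFile) {
        $wp_filetype = wp_check_filetype_and_ext($target_path, $filename);
        if (!empty($wp_filetype) && isset($wp_filetype['ext']) && geodir_strtolower($wp_filetype['ext']) == 'csv') {
            $return['error'] = NULL;
            $return['rows'] = 0;
            if (($handle = fopen($target_path, "r")) !== FALSE) {
                // NOTE: fgetcsv() with a 1000-byte limit truncates longer lines; kept as-is.
                while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
                    if (is_array($data) && !empty($data)) {
                        // Rows are re-serialised as quoted CSV and re-parsed per row by geodir_str_getcsv() below.
                        $file[] = '"' . implode('","', $data) . '"';
                    }
                }
                fclose($handle);
            }
            // First row is the header, so data rows = total - 1.
            $return['rows'] = !empty($file) && count($file) > 1 ? count($file) - 1 : 0;
            if (!$return['rows'] > 0) {
                $return['error'] = __('No data found in csv file.', 'geodirectory');
            }
        }
    }

    if ($task == 'prepare' || !empty($return['error'])) {
        echo json_encode($return);
        exit;
    }

    $importlimit = isset($_POST['gddata']['importlimit']) ? $_POST['gddata']['importlimit'] : 1;
    $tmpCnt = isset($_POST['gddata']['tmpcount']) ? $_POST['gddata']['tmpcount'] : 0;

    $total_records = 0;
    $address_invalid = 0;
    $blank_address = 0;
    $upload_files = 0;
    $invalid_post_type = 0;
    $invalid_title = 0;
    $customKeyarray = array();
    $gd_post_info = array();
    $countpost = 0;

    if (!empty($file)) {
        // Header row: column names become the keys of $gd_post_info from index 5 on.
        $columns = isset($file[0]) ? geodir_str_getcsv($file[0]) : NULL;
        $customKeyarray = $columns;
        if (empty($columns) || !empty($columns) && $columns[0] == '') {
            $return['error'] = CSV_INVAILD_FILE;
            echo json_encode($return);
            exit;
        }

        for ($i = 1; $i <= $importlimit; $i++) {
            $current_index = $tmpCnt + $i;
            if (!isset($file[$current_index])) {
                continue;
            }
            $total_records++;
            $buffer = geodir_str_getcsv($file[$current_index]);
            // Fixed column layout: 0 title, 1 author, 2 description, 3 categories, 4 tags, 5 post type.
            $post_title = addslashes($buffer[0]);
            $current_post_author = $buffer[1];
            $post_desc = addslashes($buffer[2]);
            $catids_arr = array();
            $post_cat = trim($buffer[3]); // comma seperated category name
            if ($post_cat) {
                $post_cat_arr = explode(',', $post_cat);
                for ($c = 0; $c < count($post_cat_arr); $c++) {
                    $catid = wp_kses_normalize_entities(trim($post_cat_arr[$c]));
                    if (!empty($buffer[5])) {
                        if (in_array($buffer[5], geodir_get_posttypes())) {
                            $p_taxonomy = geodir_get_taxonomies(addslashes($buffer[5]));
                            // Resolve by name, then by slug; otherwise create the term and resolve again.
                            if (get_term_by('name', $catid, $p_taxonomy[0])) {
                                $cat = get_term_by('name', $catid, $p_taxonomy[0]);
                                $catids_arr[] = $cat->slug;
                            } elseif (get_term_by('slug', $catid, $p_taxonomy[0])) {
                                $cat = get_term_by('slug', $catid, $p_taxonomy[0]);
                                $catids_arr[] = $cat->slug;
                            } else {
                                $ret = wp_insert_term($catid, $p_taxonomy[0]);
                                if ($ret && !is_wp_error($ret)) {
                                    if (get_term_by('name', $catid, $p_taxonomy[0])) {
                                        $cat = get_term_by('name', $catid, $p_taxonomy[0]);
                                        $catids_arr[] = $cat->slug;
                                    } elseif (get_term_by('slug', $catid, $p_taxonomy[0])) {
                                        $cat = get_term_by('slug', $catid, $p_taxonomy[0]);
                                        $catids_arr[] = $cat->slug;
                                    }
                                }
                            }
                        }
                    }
                }
            }
            if (!$catids_arr) {
                $catids_arr[] = 1;
            }

            $post_tags = trim($buffer[4]); // comma seperated tags
            $tag_arr = '';
            if ($post_tags) {
                $tag_arr = explode(',', $post_tags);
            }

            // check table in database. $buffer[5] is CSV input: never concatenate it into SQL.
            $table = $plugin_prefix . $buffer[5] . '_detail';
            if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $table)) != $table) {
                $invalid_post_type++;
                continue;
            }

            if ($post_title == '') {
                $invalid_title++;
                continue;
            }

            $image_names = array();
            for ($c = 5; $c < count($customKeyarray); $c++) {
                $gd_post_info[$customKeyarray[$c]] = addslashes($buffer[$c]);
                if ($customKeyarray[$c] == 'IMAGE') {
                    $buffer[$c] = trim($buffer[$c]);
                    if (!empty($buffer[$c])) {
                        $image_names[] = $buffer[$c];
                    }
                }
                if ($customKeyarray[$c] == 'alive_days') {
                    if ($buffer[$c] != '0' && $buffer[$c] != '') {
                        $submitdata = date('Y-m-d');
                        $gd_post_info['expire_date'] = date('Y-m-d', strtotime($submitdata . "+" . addslashes($buffer[$c]) . " days"));
                    } else {
                        $gd_post_info['expire_date'] = 'Never';
                    }
                }
                if ($customKeyarray[$c] == 'post_city') {
                    $post_city = addslashes($buffer[$c]);
                }
                if ($customKeyarray[$c] == 'post_region') {
                    $post_region = addslashes($buffer[$c]);
                }
                if ($customKeyarray[$c] == 'post_country') {
                    $post_country = addslashes($buffer[$c]);
                }
                if ($customKeyarray[$c] == 'post_latitude') {
                    $post_latitude = addslashes($buffer[$c]);
                }
                if ($customKeyarray[$c] == 'post_longitude') {
                    $post_longitude = addslashes($buffer[$c]);
                }
                // Post status
                if ($customKeyarray[$c] == 'post_status') {
                    $post_status = sanitize_key($buffer[$c]);
                }
            }

            /* ================ before array create ============== */
            $location_result = geodir_get_default_location();
            // A row needs a complete address; otherwise it is counted and skipped.
            if (!isset($gd_post_info['post_city']) || $gd_post_info['post_city'] == '' || (!isset($gd_post_info['post_region']) || $gd_post_info['post_region'] == '') || (!isset($gd_post_info['post_country']) || $gd_post_info['post_country'] == '') || (!isset($gd_post_info['post_address']) || $gd_post_info['post_address'] == '') || (!isset($gd_post_info['post_latitude']) || $gd_post_info['post_latitude'] == '') || (!isset($gd_post_info['post_longitude']) || $gd_post_info['post_longitude'] == '')) {
                $blank_address++;
                continue;
            }
            // Single-location setups (location_id == 0) only accept rows matching the default location.
            if ($location_result->location_id == 0) {
                if (geodir_strtolower($gd_post_info['post_city']) != geodir_strtolower($location_result->city) || geodir_strtolower($gd_post_info['post_region']) != geodir_strtolower($location_result->region) || geodir_strtolower($gd_post_info['post_country']) != geodir_strtolower($location_result->country)) {
                    $address_invalid++;
                    continue;
                }
            }

            // Default post status; anything not registered in WordPress falls back to it.
            $default_status = 'publish';
            $post_status = !empty($post_status) ? sanitize_key($post_status) : $default_status;
            $post_status = !empty($wp_post_statuses) && !isset($wp_post_statuses[$post_status]) ? $default_status : $post_status;

            $my_post['post_title'] = $post_title;
            $my_post['post_content'] = $post_desc;
            $my_post['post_type'] = addslashes($buffer[5]);
            $my_post['post_author'] = $current_post_author;
            $my_post['post_status'] = $post_status;
            $my_post['post_category'] = $catids_arr;
            $my_post['post_tags'] = $tag_arr;
            $gd_post_info['post_tags'] = $tag_arr;
            $gd_post_info['post_title'] = $post_title;
            $gd_post_info['post_status'] = $post_status;
            $gd_post_info['submit_time'] = time();
            $gd_post_info['submit_ip'] = $_SERVER['REMOTE_ADDR'];
            $last_postid = wp_insert_post($my_post);
            $countpost++;

            // Check if we need to save post location as new location
            if ($location_result->location_id > 0) {
                if (isset($post_city) && isset($post_region)) {
                    $request_info['post_location'] = array('city' => $post_city, 'region' => $post_region, 'country' => $post_country, 'geo_lat' => $post_latitude, 'geo_lng' => $post_longitude);
                    $post_location_info = $request_info['post_location'];
                    if ($location_id = geodir_add_new_location($post_location_info)) {
                        $post_location_id = $location_id;
                    }
                } else {
                    $post_location_id = 0;
                }
            } else {
                $post_location_id = 0;
            }

            /* ------- get default package info ----- */
            $payment_info = array();
            $package_info = array();
            $package_info = (array) geodir_post_package_info($package_info, '', $buffer[5]);
            $package_id = '';
            if (isset($gd_post_info['package_id']) && $gd_post_info['package_id'] != '') {
                $package_id = $gd_post_info['package_id'];
            }
            if (!empty($package_info)) {
                $payment_info['package_id'] = $package_info['pid'];
                if (isset($package_info['alive_days']) && $package_info['alive_days'] != 0) {
                    $payment_info['expire_date'] = date('Y-m-d', strtotime("+" . $package_info['alive_days'] . " days"));
                } else {
                    $payment_info['expire_date'] = 'Never';
                }
                $gd_post_info = array_merge($gd_post_info, $payment_info);
            }
            $gd_post_info['post_location_id'] = $post_location_id;

            // From here on the detail table is derived from the stored post type, not from the CSV.
            $post_type = get_post_type($last_postid);
            $table = $plugin_prefix . $post_type . '_detail';
            geodir_save_post_info($last_postid, $gd_post_info);

            if (!empty($image_names)) {
                $upload_files++;
                $menu_order = 1;
                foreach ($image_names as $image_name) {
                    $img_name_arr = explode('.', $image_name);
                    $uploads = wp_upload_dir();
                    $sub_dir = $uploads['subdir'];
                    $arr_file_type = wp_check_filetype($image_name);
                    $uploaded_file_type = $arr_file_type['type'];
                    $attachment = array();
                    $attachment['post_id'] = $last_postid;
                    $attachment['title'] = $img_name_arr[0];
                    $attachment['content'] = '';
                    $attachment['file'] = $sub_dir . '/' . $image_name;
                    $attachment['mime_type'] = $uploaded_file_type;
                    $attachment['menu_order'] = $menu_order;
                    $attachment['is_featured'] = 0;
                    // Same "skip empty values" rule as before, but the row goes through
                    // $wpdb->insert() so the CSV-supplied title/file are escaped.
                    $attachment_row = array();
                    foreach ($attachment as $key => $val) {
                        if ($val != '') {
                            $attachment_row[$key] = $val;
                        }
                    }
                    $wpdb->insert(GEODIR_ATTACHMENT_TABLE, $attachment_row);
                    if ($menu_order == 1) {
                        $wpdb->query($wpdb->prepare("UPDATE " . $table . " SET featured_image = %s where post_id =%d", array($sub_dir . '/' . $image_name, $last_postid)));
                    }
                    $menu_order++;
                }
            }

            $gd_post_info['package_id'] = $package_id;
            /** This action is documented in geodirectory-functions/post-functions.php */
            do_action('geodir_after_save_listing', $last_postid, $gd_post_info);

            if (!empty($buffer[5])) {
                if (in_array($buffer[5], geodir_get_posttypes())) {
                    $taxonomies = geodir_get_posttype_info(addslashes($buffer[5]));
                    wp_set_object_terms($last_postid, $my_post['post_tags'], $taxonomy = $taxonomies['taxonomies'][1]);
                    wp_set_object_terms($last_postid, $my_post['post_category'], $taxonomy = $taxonomies['taxonomies'][0]);
                    $post_default_category = isset($my_post['post_default_category']) ? $my_post['post_default_category'] : '';
                    $post_category_str = isset($my_post['post_category_str']) ? $my_post['post_category_str'] : '';
                    geodir_set_postcat_structure($last_postid, $taxonomy, $post_default_category, $post_category_str);
                }
            }
        }
    }

    $return['rowcount'] = $countpost;
    $return['invalidcount'] = $address_invalid;
    $return['blank_address'] = $blank_address;
    $return['upload_files'] = $upload_files;
    $return['invalid_post_type'] = $invalid_post_type;
    $return['invalid_title'] = $invalid_title;
    $return['total_records'] = $total_records;
    echo json_encode($return);
    exit;
}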
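/**
 * Checks and cleans a URL. This function is from WordPress.
 *
 * A number of characters are removed from the URL. If the URL is for displaying
 * (the default behaviour) ampersands and single quotes are also entity-encoded.
 * The 'clean_url' filter is applied to the returned cleaned URL.
 *
 * Differences from core esc_url() as copied here: no early return for an
 * empty string (an empty $url[0] is guarded instead) and no "http://" is
 * prepended to scheme-less input.
 *
 * Fix: the display-context replacements used a literal '&' and a bare quote as
 * replacement text (a no-op and a parse error respectively); they are now the
 * numeric entity references &#038; and &#039;.
 *
 * @since 2.8.0
 * @uses wp_kses_bad_protocol() To only permit protocols in the URL set
 *      via $protocols or the common ones set in the function.
 *
 * @param string $url       The URL to be cleaned.
 * @param array  $protocols Optional. An array of acceptable protocols.
 *                          Anything that is not an array means wp_allowed_protocols().
 * @param string $_context  Private. Use esc_url_raw() for database usage.
 * @return string The cleaned $url after the 'clean_url' filter is applied,
 *                or '' when the URL carries a protocol that is not allowed.
 */
public function esc_url($url, $protocols = null, $_context = 'display') {
    $original_url = $url;

    // Drop every byte outside the URL-safe set (this removes whitespace and angle brackets too).
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);
    // Strip encoded CR/LF repeatedly so a nested encoding cannot smuggle a line break through.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = _deep_replace($strip, $url);
    $url = str_replace(';//', '://', $url);

    // Replace ampersands and single quotes only when displaying.
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        $url = str_replace('&', '&#038;', $url);
        $url = str_replace('\'', '&#039;', $url);
    }

    // A root-relative URL has no scheme, so there is no protocol to vet.
    if (!empty($url[0]) && '/' === $url[0]) {
        $good_protocol_url = $url;
    } else {
        if (!is_array($protocols)) {
            $protocols = wp_allowed_protocols();
        }
        $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
        // Any change made by wp_kses_bad_protocol() means a disallowed scheme: fail closed.
        if (strtolower($good_protocol_url) != strtolower($url)) {
            return '';
        }
    }

    /**
     * Filter a string cleaned and escaped for output as a URL.
     *
     * @since 2.3.0
     *
     * @param string $good_protocol_url The cleaned URL to be returned.
     * @param string $original_url      The URL prior to cleaning.
     * @param string $_context          If 'display', replace ampersands and single quotes only.
     */
    return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}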
/**
 * Decodes HTML entities in a shortcode attribute or post-meta value.
 *
 * Pipeline: wp_kses_normalize_entities() rewrites malformed entities into
 * well-formed ones, ent2ncr() turns named entities into numeric character
 * references, wp_kses_decode_entities() resolves those to characters, and the
 * result is trimmed of surrounding whitespace.
 *
 * @param string $string Arbitrary string.
 * @return string Decoded, trimmed string.
 */
protected function normalize_entities($string) {
    $well_formed = wp_kses_normalize_entities($string);
    $numeric     = ent2ncr($well_formed);
    $decoded     = wp_kses_decode_entities($numeric);
    return trim($decoded);
}
/**
 * @ticket 26290
 *
 * NOTE(review): every expected value below is identical to its input, so
 * these assertions no longer exercise normalisation. The fixtures look as if
 * the entity references were decoded to characters somewhere upstream of this
 * listing; check against the pristine test file.
 */
public function test_wp_kses_normalize_entities() {
    $inputs = array('♠', '¹', '²', '³', '¼', '½', '¾', '∴');
    foreach ($inputs as $input) {
        $this->assertEquals($input, wp_kses_normalize_entities($input));
    }
}
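/**
 * Runs a string through a wp_kses()-style filter with per-call tag overrides.
 *
 * The allow list is $allowedposttags merged with $arrAllowedTags (caller
 * entries win), minus every tag named in $arrDisallowedTags. Both override
 * arrays are treated as trusted configuration, not user input.
 *
 * @param string $strString           Content to filter.
 * @param array  $arrAllowedTags      Tags (with their attribute maps) added to the allow list,
 *                                    e.g. array( 'noscript' => array(), 'style' => array() ).
 * @param array  $arrDisallowedTags   Tag names removed from the allow list,
 *                                    e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' ).
 * @param array  $arrAllowedProtocols Link protocols to accept; wp_allowed_protocols() when empty.
 * @return string Filtered content.
 */
function EscapeAndFilterPostKSES($strString, $arrAllowedTags = array(), $arrDisallowedTags = array(), $arrAllowedProtocols = array()) {
    global $allowedposttags;

    // The first parameter takes over the second, so caller overrides win.
    $arrAllowedHTML = $this->oUtil->UniteArraysRecursive($arrAllowedTags, $allowedposttags);

    // Deny list is applied after the merge, so it also removes core defaults.
    foreach ($arrDisallowedTags as $strTag) {
        if (isset($arrAllowedHTML[$strTag])) {
            unset($arrAllowedHTML[$strTag]);
        }
    }

    if (empty($arrAllowedProtocols)) {
        $arrAllowedProtocols = wp_allowed_protocols();
    }

    // The original bracketed this pipeline with addslashes()/stripslashes()
    // pairs; each pair is an exact inverse, so they were dropped. The cast
    // keeps the string coercion addslashes() performed on non-string input.
    $strString = (string) $strString;

    // Same chain as wp_kses(): strip NULs, defuse JS entities, normalise
    // entities, then run the hook and the tag/attribute split.
    $strString = wp_kses_no_null($strString);
    $strString = wp_kses_js_entities($strString);
    $strString = wp_kses_normalize_entities($strString);
    // WP changed the order of these funcs and added args to wp_kses_hook.
    $strString = wp_kses_hook($strString, $arrAllowedHTML, $arrAllowedProtocols);
    return wp_kses_split($strString, $arrAllowedHTML, $arrAllowedProtocols);
}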
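/**
 * Escapes the given string for the KSES filter with the criteria of allowing/disallowing tags and the protocol.
 *
 * @remark Attributes are not supported at this moment: every tag added via
 *         $aAllowedTags is registered with an empty attribute map, so the tag
 *         survives but none of its attributes do.
 * @param string $sString           Content to filter.
 * @param array  $aAllowedTags      Tag names added on top of $GLOBALS['allowedposttags'], e.g. array( 'noscript', 'style', )
 * @param array  $aDisallowedTags   Tag names removed from the allow list, e.g. array( 'table', 'tbody', 'thoot', 'thead', 'th', 'tr' )
 * @param array  $aAllowedProtocols Link protocols to accept; wp_allowed_protocols() when empty.
 * @return string Filtered content.
 * @since 2.0.0
 */
public static function escapeKSESFilter($sString, $aAllowedTags = array(), $aDisallowedTags = array(), $aAllowedProtocols = array()) {
    // Initialised up front: with an empty $aAllowedTags the original passed
    // an undefined variable to uniteArrays().
    $aFormatAllowedTags = array();
    foreach ($aAllowedTags as $sTag) {
        $aFormatAllowedTags[$sTag] = array(); // tag allowed, no attributes
    }

    // The first parameter takes over the second, so caller additions win.
    $aAllowedHTMLTags = AmazonAutoLinks_Utility::uniteArrays($aFormatAllowedTags, $GLOBALS['allowedposttags']);

    // Deny list is applied after the merge, so it also removes core defaults.
    foreach ($aDisallowedTags as $sTag) {
        if (isset($aAllowedHTMLTags[$sTag])) {
            unset($aAllowedHTMLTags[$sTag]);
        }
    }

    if (empty($aAllowedProtocols)) {
        $aAllowedProtocols = wp_allowed_protocols();
    }

    // The original bracketed this pipeline with addslashes()/stripslashes()
    // pairs; each pair is an exact inverse, so they were dropped. The cast
    // keeps the string coercion addslashes() performed on non-string input.
    $sString = (string) $sString;

    // Same chain as wp_kses(): strip NULs, defuse JS entities, normalise
    // entities, then run the hook and the tag/attribute split.
    $sString = wp_kses_no_null($sString);
    $sString = wp_kses_js_entities($sString);
    $sString = wp_kses_normalize_entities($sString);
    // WP changed the order of these funcs and added args to wp_kses_hook.
    $sString = wp_kses_hook($sString, $aAllowedHTMLTags, $aAllowedProtocols);
    return wp_kses_split($sString, $aAllowedHTMLTags, $aAllowedProtocols);
}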
/**
 * Filters content and keeps only allowable HTML elements.
 *
 * This is the same function as built into WP, but with optional allowing of
 * keeping "&": when $skip_normalize_entities is true the entity-normalisation
 * pass is omitted. Unlike the core version, $allowed_html is passed through
 * as-is (no wp_kses_array_lc() pass is visible here).
 *
 * NOTE(review): with normalisation skipped, malformed or bare entities reach
 * wp_kses_hook()/wp_kses_split() unchanged; the element and attribute checks
 * still run, but callers should only set the flag for trusted input.
 *
 * @param string $string                  Content to filter through kses
 * @param array  $allowed_html            List of allowed HTML elements
 * @param array  $allowed_protocols       Optional. Allowed protocols in links; wp_allowed_protocols() when empty.
 * @param bool   $skip_normalize_entities Optional. Skip wp_kses_normalize_entities(). Default false.
 * @return string Filtered content with only allowed HTML elements
 */
function wp_kses($string, $allowed_html, $allowed_protocols = array(), $skip_normalize_entities = false) {
    $protocols = empty($allowed_protocols) ? wp_allowed_protocols() : $allowed_protocols;

    // Strip NULs, then defuse JS entities, exactly as core does.
    $filtered = wp_kses_js_entities(wp_kses_no_null($string));
    if (!$skip_normalize_entities) {
        $filtered = wp_kses_normalize_entities($filtered);
    }

    // WP changed the order of these funcs and added args to wp_kses_hook.
    $filtered = wp_kses_hook($filtered, $allowed_html, $protocols);

    return wp_kses_split($filtered, $allowed_html, $protocols);
}
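/**
 * Converts a number of special characters into their HTML entities.
 *
 * Specifically deals with: &, <, >, ", and '.
 *
 * $quote_style can be set to ENT_COMPAT to encode " to &quot;, or ENT_QUOTES
 * to do both. Default is ENT_NOQUOTES where no quotes are encoded.
 *
 * @since 1.2.2
 *
 * @param string  $string        The text which is to be encoded.
 * @param mixed   $quote_style   Optional. Converts double quotes if set to ENT_COMPAT, both single and double
 *                               if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old
 *                               values; converting single quotes if set to 'single', double if set to 'double'
 *                               or both if otherwise set. Default is ENT_NOQUOTES.
 * @param string  $charset       Optional. The character encoding of the string. Default is false, which
 *                               reads the 'blog_charset' option.
 * @param boolean $double_encode Optional. Whether to encode existing html entities. Default is false.
 * @return string The encoded text with HTML entities.
 */
function _wp_specialchars($string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false) {
    $string = (string) $string;

    if (0 === strlen($string)) {
        return '';
    }

    // Don't bother if there are no specialchars - saves some processing
    if (!preg_match('/[&<>"\']/', $string)) {
        return $string;
    }

    // Account for the previous behaviour of the function when the $quote_style is not an accepted value
    if (empty($quote_style)) {
        $quote_style = ENT_NOQUOTES;
    } elseif (!in_array($quote_style, array(0, 2, 3, 'single', 'double'), true)) {
        $quote_style = ENT_QUOTES;
    }

    // Store the site charset as a static to avoid multiple calls to wp_load_alloptions()
    if (!$charset) {
        static $_charset;
        if (!isset($_charset)) {
            $alloptions = wp_load_alloptions();
            $_charset = isset($alloptions['blog_charset']) ? $alloptions['blog_charset'] : '';
        }
        $charset = $_charset;
    }

    if (in_array($charset, array('utf8', 'utf-8', 'UTF8'))) {
        $charset = 'UTF-8';
    }

    // $_quote_style keeps the caller's legacy value ('single') so the
    // backwards-compatibility step at the end can still see it.
    $_quote_style = $quote_style;

    if ($quote_style === 'double') {
        $quote_style = ENT_COMPAT;
        $_quote_style = ENT_COMPAT;
    } elseif ($quote_style === 'single') {
        $quote_style = ENT_NOQUOTES;
    }

    // Handle double encoding ourselves
    if (!$double_encode) {
        $string = wp_specialchars_decode($string, $_quote_style);

        /* Critical */
        // The previous line decodes &amp;phrase; into &phrase;  We must guarantee that &phrase; is valid before proceeding.
        // (Comment restored: the listing had the first entity decoded.)
        $string = wp_kses_normalize_entities($string);

        // Now proceed with custom double-encoding silliness: wrap each valid
        // entity in placeholder markers so htmlspecialchars() leaves it alone.
        $string = preg_replace('/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string);
    }

    // '@' kept from the original: it silences the warning an unsupported
    // $charset would otherwise raise.
    $string = @htmlspecialchars($string, $quote_style, $charset);

    // Handle double encoding ourselves
    if (!$double_encode) {
        $string = str_replace(array('|wp_entity|', '|/wp_entity|'), array('&', ';'), $string);
    }

    // Backwards compatibility: legacy 'single' encodes only the single quote.
    // The entity literal was decoded to a bare quote in this listing (which
    // also broke the quoting); restored to the encoded form.
    if ('single' === $_quote_style) {
        $string = str_replace("'", '&#039;', $string);
    }

    return $string;
}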
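/**
 * Sanitize and validate input. Accepts an array, returns a sanitized array.
 *
 * Every known option key is always present in the result: a key missing from
 * $input is sanitized as an empty string instead of raising an undefined-index
 * notice, and the checkbox defaults to 0.
 *
 * NOTE(review): wp_filter_post_kses() removes disallowed markup but does not
 * validate CSS; the output context of the CSS-ish values (presumably a
 * <style> block) should be checked separately.
 *
 * @param array $input Raw option values as submitted.
 * @return array Sanitized option values.
 */
function theme_designspecials_validate($input) {
    // Checkbox: anything other than 1 is treated as off.
    if (!isset($input['aktiv-mediaqueries-allparts'])) {
        $input['aktiv-mediaqueries-allparts'] = 0;
    }
    $input['aktiv-mediaqueries-allparts'] = $input['aktiv-mediaqueries-allparts'] == 1 ? 1 : 0;

    // Size values: only entity normalisation.
    $entity_keys = array(
        'css-default-branding-padding-top',
        'css-default-header-height',
    );
    foreach ($entity_keys as $key) {
        $value = isset($input[$key]) ? $input[$key] : '';
        $input[$key] = wp_kses_normalize_entities($value);
    }

    // Free-form CSS and file references: run through the post KSES filter.
    $kses_keys = array(
        'css-eigene-anweisungen',
        'css-default-header-background-color',
        'css-default-header-background-image',
        'css-default-header-background-position',
        'css-default-header-background-repeat',
        'css-colorfile',
        'css-fontfile',
    );
    foreach ($kses_keys as $key) {
        $value = isset($input[$key]) ? $input[$key] : '';
        $input[$key] = wp_filter_post_kses($value);
    }

    return $input;
}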
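/**
 * Checks and cleans a URL.
 *
 * A number of characters are removed from the URL. If the URL is for displaying
 * (the default behaviour) ampersands and single quotes are also entity-encoded.
 * The 'clean_url' filter is applied to the returned cleaned URL.
 *
 * @since 2.8.0
 *
 * @param string $url       The URL to be cleaned.
 * @param array  $protocols Optional. An array of acceptable protocols.
 *                          Defaults to return value of wp_allowed_protocols()
 * @param string $_context  Private. Use esc_url_raw() for database usage.
 * @return string The cleaned $url after the 'clean_url' filter is applied, or
 *                '' when nothing survives cleaning or the protocol is rejected.
 */
function esc_url($url, $protocols = null, $_context = 'display') {
    $original_url = $url;

    if ('' == $url) {
        return $url;
    }

    $url = str_replace(' ', '%20', $url);
    // Whitelist of URL-safe bytes (bytes >= 0x80 kept for UTF-8 paths);
    // square brackets are allowed here and percent-encoded further down.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\[\\]\\x80-\\xff]|i', '', $url);

    if ('' === $url) {
        return $url;
    }

    // Percent-encoded CR/LF are stripped repeatedly (a line break must not
    // survive into a header or markup); mailto: bodies legitimately carry them.
    if (0 !== stripos($url, 'mailto:')) {
        $strip = array('%0d', '%0a', '%0D', '%0A');
        $url = _deep_replace($strip, $url);
    }

    $url = str_replace(';//', '://', $url);

    /* If the URL doesn't appear to contain a scheme, we
     * presume it needs http:// prepended (unless a relative
     * link starting with /, # or ? or a php file).
     */
    if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?'), true) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
        $url = 'http://' . $url;
    }

    // Replace ampersands and single quotes only when displaying.
    // The two entity literals were decoded to bare '&' and "'" in this listing
    // (which also broke the quoting); restored to the encoded forms.
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        $url = str_replace('&', '&amp;', $url);
        $url = str_replace("'", '&#039;', $url);
    }

    // Percent-encode '[' and ']' everywhere except the authority part, where
    // an IPv6 literal needs them.
    if (false !== strpos($url, '[') || false !== strpos($url, ']')) {
        $parsed = wp_parse_url($url);
        $front = '';

        if (isset($parsed['scheme'])) {
            $front .= $parsed['scheme'] . '://';
        } elseif ('/' === $url[0]) {
            $front .= '//';
        }

        if (isset($parsed['user'])) {
            $front .= $parsed['user'];
        }

        if (isset($parsed['pass'])) {
            $front .= ':' . $parsed['pass'];
        }

        if (isset($parsed['user']) || isset($parsed['pass'])) {
            $front .= '@';
        }

        if (isset($parsed['host'])) {
            $front .= $parsed['host'];
        }

        if (isset($parsed['port'])) {
            $front .= ':' . $parsed['port'];
        }

        $end_dirty = str_replace($front, '', $url);
        $end_clean = str_replace(array('[', ']'), array('%5B', '%5D'), $end_dirty);
        $url = str_replace($end_dirty, $end_clean, $url);
    }

    if ('/' === $url[0]) {
        // Root-relative URL: no scheme, nothing to vet.
        $good_protocol_url = $url;
    } else {
        if (!is_array($protocols)) {
            $protocols = wp_allowed_protocols();
        }
        // Reject the whole URL if the protocol filter changed anything.
        $good_protocol_url = wp_kses_bad_protocol($url, $protocols);
        if (strtolower($good_protocol_url) != strtolower($url)) {
            return '';
        }
    }

    /**
     * Filter a string cleaned and escaped for output as a URL.
     *
     * @since 2.3.0
     *
     * @param string $good_protocol_url The cleaned URL to be returned.
     * @param string $original_url      The URL prior to cleaning.
     * @param string $_context          If 'display', replace ampersands and single quotes only.
     */
    return apply_filters('clean_url', $good_protocol_url, $original_url, $_context);
}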
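/**
 * Returns parsed url and title.
 *
 * This function converts string to url and title if there is "|" separator used in url.
 * Ex: "http://wpgeodirectory.com|GeoDirectory" will return array( url => http://wpgeodirectory.com, label => GeoDirectory ).
 *
 * NOTE(review): the $formatted branch mirrors esc_url()'s character cleanup
 * but performs no protocol check (no wp_kses_bad_protocol() call), so the
 * returned 'url' must still be passed through esc_url() at output time.
 *
 * @package Geodirectory
 * @since 1.5.7
 * @param string $url       The website url.
 * @param bool   $formatted True if returns formatted url. False if not. Default true.
 * @return array|null Parsed url and title ('label' only when a non-blank title
 *                    follows the separator); null for an empty or non-string $url.
 */
function geodir_parse_custom_field_url($url, $formatted = true) {
    if ($url == '' || !is_string($url)) {
        return null;
    }

    $original_url = $url;
    $url = stripcslashes($url);

    // Only the first '|' separates url from label; later ones belong to the label.
    $parts = explode('|', $url, 2);
    $url = trim($parts[0]);

    if ($formatted && $url != '') {
        $url = str_replace(' ', '%20', $url);
        $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\[\\]\\x80-\\xff]|i', '', $url);

        // Strip percent-encoded CR/LF except in mailto: links.
        if (0 !== stripos($url, 'mailto:')) {
            $strip = array('%0d', '%0a', '%0D', '%0A');
            $url = _deep_replace($strip, $url);
        }

        $url = str_replace(';//', '://', $url);

        // No scheme and not a relative link or a .php file: assume http://.
        if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?'), true) && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
            $url = 'http://' . $url;
        }

        // Entity-encode for display. The two entity literals were decoded to
        // bare '&' and "'" in this listing (which also broke the quoting);
        // restored to the encoded forms.
        $url = wp_kses_normalize_entities($url);
        $url = str_replace('&', '&amp;', $url);
        $url = str_replace("'", '&#039;', $url);
    }

    $return = array();
    $return['url'] = $url;

    if (!empty($parts[1]) && trim($parts[1]) != '') {
        $return['label'] = trim($parts[1]);
    }

    return $return;
}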
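/**
 * Checks and cleans a URL.
 *
 * A number of characters are removed from the URL. If the URL is for displaying
 * (the default behaviour) ampersands and single quotes are also entity-encoded.
 * The 'clean_url' filter is applied to the returned cleaned URL.
 *
 * @since 2.8.0
 * @uses wp_kses_bad_protocol() To only permit protocols in the URL set
 *       via $protocols or the common ones set in the function.
 *
 * @param string $url       The URL to be cleaned.
 * @param array  $protocols Optional. An array of acceptable protocols.
 *                          Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher',
 *                          'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not an array.
 * @param string $_context  Private. Use esc_url_raw() for database usage.
 * @return string The cleaned $url after the 'clean_url' filter is applied, or
 *                '' when the protocol is rejected.
 */
function esc_url($url, $protocols = null, $_context = 'display') {
    $original_url = $url;

    if ('' == $url) {
        return $url;
    }

    // Whitelist of URL-safe bytes (bytes >= 0x80 kept for UTF-8 paths).
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]|i', '', $url);

    // Strip percent-encoded CR/LF repeatedly so no line break survives.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = _deep_replace($strip, $url);
    $url = str_replace(';//', '://', $url);

    /* If the URL doesn't appear to contain a scheme, we
     * presume it needs http:// prepended (unless a relative
     * link starting with / or # or a php file).
     */
    if (strpos($url, ':') === false && substr($url, 0, 1) != '/' && substr($url, 0, 1) != '#' && !preg_match('/^[a-z0-9-]+?\\.php/i', $url)) {
        $url = 'http://' . $url;
    }

    // Replace ampersands and single quotes only when displaying.
    // The two entity literals were decoded to bare '&' and "'" in this listing
    // (which also broke the quoting); restored to the encoded forms.
    if ('display' == $_context) {
        $url = wp_kses_normalize_entities($url);
        $url = str_replace('&', '&amp;', $url);
        $url = str_replace("'", '&#039;', $url);
    }

    if (!is_array($protocols)) {
        $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
    }

    // Reject the whole URL if the protocol filter changed anything.
    if (wp_kses_bad_protocol($url, $protocols) != $url) {
        return '';
    }

    return apply_filters('clean_url', $url, $original_url, $_context);
}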
/**
 * Prepare the query for user_ids.
 *
 * Builds the SELECT/WHERE/ORDER BY/LIMIT chunks that select user IDs and
 * stores them in $this->uid_clauses; it also sets $this->uid_name and
 * $this->uid_table. Nothing is executed here except the usermeta lookup in
 * the 'meta_key' branch.
 *
 * NOTE(review): extract( $this->query_vars ) runs with the default overwrite
 * mode after `global $wpdb, $bp;`, so a query var named 'wpdb', 'bp' or 'sql'
 * would shadow those locals. Harmless if query_vars is always built from a
 * fixed default list; worth confirming where query_vars is populated.
 *
 * NOTE(review): $search_wildcard and $member_type are read below but are not
 * in the default list, so they are undefined unless query_vars supplies them.
 *
 * @since BuddyPress (1.7.0)
 */
public function prepare_user_ids_query() {
    global $wpdb, $bp;

    // Default query variables used here
    $type         = '';
    $per_page     = 0;
    $page         = 1;
    $user_id      = 0;
    $include      = false;
    $search_terms = false;
    $exclude      = false;
    $meta_key     = false;
    $meta_value   = false;

    extract( $this->query_vars );

    // Setup the main SQL query container
    $sql = array(
        'select'  => '',
        'where'   => array(),
        'orderby' => '',
        'order'   => '',
        'limit'   => ''
    );

    /** TYPE **************************************************************/

    // Determines the sort order, which means it also determines where the
    // user IDs are drawn from (the SELECT and WHERE statements)
    switch ( $type ) {

        // 'online' query happens against the last_activity usermeta key
        // Filter 'bp_user_query_online_interval' to modify the
        // number of minutes used as an interval
        case 'online' :
            $this->uid_name = 'user_id';
            $this->uid_table = $bp->members->table_name_last_activity;
            $sql['select']  = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
            $sql['where'][] = $wpdb->prepare( "u.component = %s AND u.type = 'last_activity'", buddypress()->members->id );
            $sql['where'][] = $wpdb->prepare( "u.date_recorded >= DATE_SUB( UTC_TIMESTAMP(), INTERVAL %d MINUTE )", apply_filters( 'bp_user_query_online_interval', 15 ) );
            $sql['orderby'] = "ORDER BY u.date_recorded";
            $sql['order']   = "DESC";
            break;

        // 'active', 'newest', and 'random' queries
        // all happen against the last_activity usermeta key
        case 'active' :
        case 'newest' :
        case 'random' :
            $this->uid_name = 'user_id';
            $this->uid_table = $bp->members->table_name_last_activity;
            $sql['select']  = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
            $sql['where'][] = $wpdb->prepare( "u.component = %s AND u.type = 'last_activity'", buddypress()->members->id );

            if ( 'newest' == $type ) {
                $sql['orderby'] = "ORDER BY u.user_id";
                $sql['order'] = "DESC";
            } elseif ( 'random' == $type ) {
                // No 'order' clause for random; it stays '' from the container.
                $sql['orderby'] = "ORDER BY rand()";
            } else {
                $sql['orderby'] = "ORDER BY u.date_recorded";
                $sql['order'] = "DESC";
            }
            break;

        // 'popular' sorts by the 'total_friend_count' usermeta
        case 'popular' :
            $this->uid_name = 'user_id';
            $this->uid_table = $wpdb->usermeta;
            $sql['select']  = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
            $sql['where'][] = $wpdb->prepare( "u.meta_key = %s", bp_get_user_meta_key( 'total_friend_count' ) );
            // meta_value is stored as text; cast so the sort is numeric.
            $sql['orderby'] = "ORDER BY CONVERT(u.meta_value, SIGNED)";
            $sql['order']   = "DESC";
            break;

        // 'alphabetical' sorts depend on the xprofile setup
        case 'alphabetical' :
            // We prefer to do alphabetical sorts against the display_name field
            // of wp_users, because the table is smaller and better indexed. We
            // can do so if xprofile sync is enabled, or if xprofile is inactive.
            //
            // @todo remove need for bp_is_active() check
            if ( ! bp_disable_profile_sync() || ! bp_is_active( 'xprofile' ) ) {
                $this->uid_name = 'ID';
                $this->uid_table = $wpdb->users;
                $sql['select']  = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
                $sql['orderby'] = "ORDER BY u.display_name";
                $sql['order']   = "ASC";

            // When profile sync is disabled, alphabetical sorts must happen against
            // the xprofile table
            } else {
                $this->uid_name = 'user_id';
                $this->uid_table = $bp->profile->table_name_data;
                $sql['select']  = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";
                $sql['where'][] = $wpdb->prepare( "u.field_id = %d", bp_xprofile_fullname_field_id() );
                $sql['orderby'] = "ORDER BY u.value";
                $sql['order']   = "ASC";
            }

            // Alphabetical queries ignore last_activity, while BP uses last_activity
            // to infer spam/deleted/non-activated users. To ensure that these users
            // are filtered out, we add an appropriate sub-query.
            // bp_core_get_status_sql() is trusted to return a ready SQL fragment.
            $sql['where'][] = "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE " . bp_core_get_status_sql( '' ) . " )";

            break;

        // Any other 'type' falls through
        default :
            $this->uid_name = 'ID';
            $this->uid_table = $wpdb->users;
            $sql['select']  = "SELECT u.{$this->uid_name} as id FROM {$this->uid_table} u";

            // In this case, we assume that a plugin is
            // handling order, so we leave those clauses
            // blank
            break;
    }

    /** WHERE *************************************************************/

    // 'include' - User ids to include in the results
    // Every ID list interpolated below goes through wp_parse_id_list(), which
    // is what keeps the unprepared IN (...) fragments safe.
    $include     = false !== $include ? wp_parse_id_list( $include ) : array();
    $include_ids = $this->get_include_ids( $include );
    if ( ! empty( $include_ids ) ) {
        $include_ids    = implode( ',', wp_parse_id_list( $include_ids ) );
        $sql['where'][] = "u.{$this->uid_name} IN ({$include_ids})";
    }

    // 'exclude' - User ids to exclude from the results
    if ( false !== $exclude ) {
        $exclude_ids    = implode( ',', wp_parse_id_list( $exclude ) );
        $sql['where'][] = "u.{$this->uid_name} NOT IN ({$exclude_ids})";
    }

    // 'user_id' - When a user id is passed, limit to the friends of the user
    // @todo remove need for bp_is_active() check
    if ( ! empty( $user_id ) && bp_is_active( 'friends' ) ) {
        $friend_ids = friends_get_friend_user_ids( $user_id );
        $friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );

        if ( ! empty( $friend_ids ) ) {
            $sql['where'][] = "u.{$this->uid_name} IN ({$friend_ids})";

        // If the user has no friends, the query should always
        // return no users
        } else {
            $sql['where'][] = $this->no_results['where'];
        }
    }

    /** Search Terms ******************************************************/

    // 'search_terms' searches user_login and user_nicename
    // xprofile field matches happen in bp_xprofile_bp_user_query_search()
    if ( false !== $search_terms ) {
        // bp_esc_like() escapes LIKE wildcards in the term; the surrounding
        // '%' are then added by this code, and $wpdb->prepare() quotes the result.
        $search_terms = bp_esc_like( wp_kses_normalize_entities( $search_terms ) );

        if ( $search_wildcard === 'left' ) {
            $search_terms_nospace = '%' . $search_terms;
            $search_terms_space   = '%' . $search_terms . ' %';
        } elseif ( $search_wildcard === 'right' ) {
            $search_terms_nospace = $search_terms . '%';
            $search_terms_space   = '% ' . $search_terms . '%';
        } else {
            $search_terms_nospace = '%' . $search_terms . '%';
            $search_terms_space   = '%' . $search_terms . '%';
        }

        $sql['where']['search'] = $wpdb->prepare(
            "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE %s OR user_login LIKE %s OR user_nicename LIKE %s OR user_nicename LIKE %s ) )",
            $search_terms_nospace, $search_terms_space, $search_terms_nospace, $search_terms_space
        );
    }

    // Member type.
    if ( ! empty( $member_type ) ) {
        $member_types = array();

        if ( ! is_array( $member_type ) ) {
            $member_type = preg_split( '/[,\s+]/', $member_type );
        }

        // Only registered member types are kept; unknown names are dropped.
        foreach ( $member_type as $mt ) {
            if ( ! bp_get_member_type_object( $mt ) ) {
                continue;
            }

            $member_types[] = $mt;
        }

        if ( ! empty( $member_types ) ) {
            $member_type_tq = new WP_Tax_Query( array(
                array(
                    'taxonomy' => 'bp_member_type',
                    'field'    => 'name',
                    'operator' => 'IN',
                    'terms'    => $member_types,
                ),
            ) );

            // Switch to the root blog, where member type taxonomies live.
            switch_to_blog( bp_get_root_blog_id() );
            $member_type_sql_clauses = $member_type_tq->get_sql( 'u', $this->uid_name );
            restore_current_blog();

            // Grab the first term_relationships clause and convert to a subquery.
            // The regex only accepts digits, commas and spaces inside IN (...),
            // so $matches[0] is a numeric list produced by WP_Tax_Query itself.
            if ( preg_match( '/' . $wpdb->term_relationships . '\.term_taxonomy_id IN \([0-9, ]+\)/', $member_type_sql_clauses['where'], $matches ) ) {
                $sql['where']['member_type'] = "u.{$this->uid_name} IN ( SELECT object_id FROM $wpdb->term_relationships WHERE {$matches[0]} )";
            }
        }
    }

    // 'meta_key', 'meta_value' allow usermeta search
    // To avoid global joins, do a separate query
    if ( false !== $meta_key ) {
        $meta_sql = $wpdb->prepare( "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key = %s", $meta_key );

        if ( false !== $meta_value ) {
            $meta_sql .= $wpdb->prepare( " AND meta_value = %s", $meta_value );
        }

        $found_user_ids = $wpdb->get_col( $meta_sql );

        if ( ! empty( $found_user_ids ) ) {
            $sql['where'][] = "u.{$this->uid_name} IN (" . implode( ',', wp_parse_id_list( $found_user_ids ) ) . ")";
        } else {
            // No match: force an empty result rather than dropping the filter.
            $sql['where'][] = '1 = 0';
        }
    }

    // 'per_page', 'page' - handles LIMIT
    if ( !empty( $per_page ) && !empty( $page ) ) {
        $sql['limit'] = $wpdb->prepare( "LIMIT %d, %d", intval( ( $page - 1 ) * $per_page ), intval( $per_page ) );
    } else {
        $sql['limit'] = '';
    }

    // Allow custom filters
    $sql = apply_filters_ref_array( 'bp_user_query_uid_clauses', array( $sql, &$this ) );

    // Assemble the query chunks
    $this->uid_clauses['select']  = $sql['select'];
    $this->uid_clauses['where']   = ! empty( $sql['where'] ) ? 'WHERE ' . implode( ' AND ', $sql['where'] ) : '';
    $this->uid_clauses['orderby'] = $sql['orderby'];
    $this->uid_clauses['order']   = $sql['order'];
    $this->uid_clauses['limit']   = $sql['limit'];

    do_action_ref_array( 'bp_pre_user_query', array( &$this ) );
}