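/**
 * Normalize Elementor post meta on import.
 *
 * `add_post_meta()` unslashes its value, so the `_elementor_data` JSON blob
 * (whose backslash escapes must survive) is slashed here first to compensate.
 *
 * Fixes: the previous loop iterated by reference and never unset the
 * reference, leaving a dangling reference on the last visited element of the
 * returned array; it also assumed every entry carries a `key`. Entries that are
 * not arrays or have no `key` are now skipped.
 *
 * @param array $post_meta List of ['key' => ..., 'value' => ...] entries from the importer.
 *
 * @return array The same list, with the `_elementor_data` value slashed.
 */
public static function on_wp_import_post_meta($post_meta) {
    if (!is_array($post_meta)) {
        return $post_meta;
    }
    foreach ($post_meta as $index => $meta) {
        // Malformed import entries are left untouched instead of raising notices.
        if (!is_array($meta) || !isset($meta['key'])) {
            continue;
        }
        if ('_elementor_data' === $meta['key']) {
            // Write through the index rather than a foreach reference.
            $post_meta[$index]['value'] = wp_slash($meta['value']);
            break;
        }
    }
    return $post_meta;
}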
/**
 * Sideload the remote images referenced in Press This markup and rewrite their
 * `src` attributes to the local attachment URL.
 *
 * Only runs when the current user may upload files. Image URLs without a
 * jpg/jpeg/jpe/gif/png extension are skipped because the uploader rejects them.
 *
 * @since 4.2.0
 * @access public
 *
 * @param int    $post_id Post the sideloaded images are attached to.
 * @param string $content Optional. Slashed Press This markup. Default empty.
 * @return string Slashed markup with successfully sideloaded image URLs swapped.
 */
public function side_load_images($post_id, $content = '') {
    $markup = wp_unslash($content);
    $found = preg_match_all('/<img [^>]+>/', $markup, $img_tags);
    if ($found && current_user_can('upload_files')) {
        foreach ((array) $img_tags[0] as $tag) {
            // The editor JS emits double-quoted attributes, so one pattern suffices.
            if (!preg_match('/src="([^"]+)"/', $tag, $src_match)) {
                continue;
            }
            $remote_src = $src_match[1];
            // A URL without a recognised image extension makes the uploader fail; skip it.
            if (!preg_match('/[^\\?]+\\.(?:jpe?g|jpe|gif|png)(?:\\?|$)/i', $remote_src)) {
                continue;
            }
            // NOTE(review): $remote_src is caller-controlled; whether media_sideload_image()
            // restricts the fetch to safe hosts is decided inside that helper — verify there.
            $local_src = media_sideload_image($remote_src, $post_id, null, 'src');
            if (is_wp_error($local_src)) {
                continue;
            }
            // Rewrite inside the tag first so plain links to the original file stay intact.
            $rewritten_tag = str_replace($remote_src, $local_src, $tag);
            $markup = str_replace($tag, $rewritten_tag, $markup);
        }
    }
    // Callers expect slashed output.
    return wp_slash($markup);
}
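/**
 * Update the client's post and, optionally, its post meta.
 *
 * Fix: `update_post_meta()` returns false both on a database error and when the
 * stored value already equals the new one. The strict `===` pre-check misses
 * type-only differences (e.g. stored "1" vs posted 1), which made such updates
 * report a failure. A false return is now only treated as an error when the
 * re-read value still differs from what was requested.
 *
 * NOTE(review): every key in `$params['meta']` is writable here; whether the
 * caller restricts keys (e.g. protected `_`-prefixed meta) is not visible in
 * this block — confirm at the call site.
 *
 * @param array $params Parameters to update: optional `name`, `description`,
 *                      and a `meta` map of key => value.
 * @return bool|WP_Error True on success, error object otherwise.
 */
public function update($params) {
    $post_fields = array();
    if (isset($params['name'])) {
        $post_fields['post_title'] = $params['name'];
    }
    if (isset($params['description'])) {
        $post_fields['post_content'] = $params['description'];
    }

    if (!empty($post_fields)) {
        $post_fields['ID'] = $this->post->ID;
        // wp_update_post() expects slashed data.
        $result = wp_update_post(wp_slash($post_fields), true);
        if (is_wp_error($result)) {
            return $result;
        }
        // Reload so later reads see the new values.
        $this->post = get_post($this->post->ID);
    }

    if (!empty($params['meta']) && is_array($params['meta'])) {
        foreach ($params['meta'] as $key => $value) {
            $existing = get_post_meta($this->post->ID, $key, true);
            if ($existing === $value) {
                continue;
            }
            $did_update = update_post_meta($this->post->ID, $key, wp_slash($value));
            if (!$did_update && get_post_meta($this->post->ID, $key, true) != $value) {
                return new WP_Error('rest_client_update_meta_failed', __('Could not update client metadata.', 'rest_oauth'));
            }
        }
    }
    return true;
}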
/**
 * Persist the editor data for a library post.
 *
 * Temporarily swaps `$GLOBALS['post']` for the target post so widgets relying
 * on `get_the_ID()` see the right post while the data is built, then restores
 * (or unsets) it.
 *
 * @since 1.0.0
 * @param int    $post_id
 * @param array  $posted
 * @param string $revision Either self::REVISION_PUBLISH or a draft revision.
 *
 * @return void
 */
public function save_editor($post_id, $posted, $revision = self::REVISION_PUBLISH) {
    $had_global_post = isset($GLOBALS['post']);
    if ($had_global_post) {
        $previous_post = $GLOBALS['post'];
    }
    $GLOBALS['post'] = get_post($post_id);

    $editor_data = $this->_get_editor_data($posted);
    // update_post_meta() unslashes its input; slash the JSON so escapes survive.
    $encoded = wp_slash(wp_json_encode($editor_data));

    $is_publish = (self::REVISION_PUBLISH === $revision);
    if ($is_publish) {
        $this->remove_draft($post_id);
        update_post_meta($post_id, '_elementor_data', $encoded);
        $this->_save_plain_text($post_id);
    } else {
        update_post_meta($post_id, '_elementor_draft_data', $encoded);
    }
    update_post_meta($post_id, '_elementor_version', self::DB_VERSION);

    if ($had_global_post) {
        $GLOBALS['post'] = $previous_post;
    } else {
        unset($GLOBALS['post']);
    }
}
/**
 * Encode page-builder section meta as JSON before storage.
 *
 * `update_post_meta()` would otherwise PHP-serialize the array, and on some
 * hosts serialized UTF-8 payloads fail to unserialize; JSON avoids that. The
 * result is slashed because the meta API unslashes on write.
 *
 * @since 1.2.5
 *
 * @param mixed $meta Array to sanitize and encode, or a scalar passed through.
 * @return string Slashed JSON for arrays, otherwise the slashed scalar.
 */
public static function encode_pb_section_metadata($meta) {
    if (is_array($meta)) {
        $clean = self::sanitize_meta_data($meta);
        return wp_slash(json_encode($clean));
    }
    return wp_slash($meta);
}
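/**
 * Strip `[embed]` wrappers from `[simple-links]` shortcodes on save.
 *
 * The editor can wrap the shortcode in `[embed]...[/embed]`; those wrappers
 * would otherwise persist in the stored content, so they are removed before
 * the post is written.
 *
 * Robustness: post data without `post_content` is returned unchanged instead
 * of raising an undefined-index notice, and a PCRE failure (preg_replace()
 * returning null) keeps the original content rather than blanking the post.
 *
 * @param array $post_data Slashed post data as passed by `wp_insert_post_data`.
 *
 * @return array The post data with `post_content` rewritten (still slashed).
 */
public function strip_embed_wraps_upon_save($post_data) {
    if (!is_array($post_data) || !isset($post_data['post_content'])) {
        return $post_data;
    }
    $content = wp_unslash($post_data['post_content']);
    $stripped = preg_replace("/\\[embed\\](\\[simple-links([^\\]]*)\\])\\[\\/embed\\]/", "\$1", $content);
    if (null === $stripped) {
        $stripped = $content;
    }
    $post_data['post_content'] = wp_slash($stripped);
    return $post_data;
}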
/**
 * If a JSON blob of navigation menu data is in POST data, expand it and inject
 * it into `$_POST` to avoid PHP `max_input_vars` limitations. See #14134.
 *
 * Each decoded entry is expected to be an object with `name` (an input name
 * such as `menu-item-db-id[3][4][5]`) and `value`; the bracketed path is split
 * into array keys and merged recursively into `$_POST`, with the leaf value
 * slashed as a real POST field would be.
 *
 * NOTE(review): an entry that is not an object, or whose `name` yields an
 * empty first key, is not guarded against here (`->name` on a scalar, or an
 * empty `$matches[1]` key) — confirm this input is only produced by the admin
 * menu screen's JS. Existing `$_POST` keys can be overwritten by the JSON, but
 * the sender already controls `$_POST`, so that is not a privilege change.
 *
 * @ignore
 * @since 4.5.3
 * @access private
 */
function _wp_expand_nav_menu_post_data() {
    if (!isset($_POST['nav-menu-data'])) {
        return;
    }
    // The raw field is slashed; unslash before decoding the JSON.
    $data = json_decode(stripslashes($_POST['nav-menu-data']));
    if (!is_null($data) && $data) {
        foreach ($data as $post_input_data) {
            // For input names that are arrays (e.g. `menu-item-db-id[3][4][5]`),
            // derive the array path keys via regex and set the value in $_POST.
            preg_match('#([^\\[]*)(\\[(.+)\\])?#', $post_input_data->name, $matches);
            $array_bits = array($matches[1]);
            if (isset($matches[3])) {
                $array_bits = array_merge($array_bits, explode('][', $matches[3]));
            }
            $new_post_data = array();
            // Build the new array value from leaf to trunk.
            for ($i = count($array_bits) - 1; $i >= 0; $i--) {
                if ($i == count($array_bits) - 1) {
                    // Leaf: slash the value, matching how the superglobal is populated.
                    $new_post_data[$array_bits[$i]] = wp_slash($post_input_data->value);
                } else {
                    $new_post_data = array($array_bits[$i] => $new_post_data);
                }
            }
            $_POST = array_replace_recursive($_POST, $new_post_data);
        }
    }
}
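/**
 * Save the keychain details meta box (`save_post` handler).
 *
 * Skips autosaves, verifies the meta-box nonce and requires `edit_post` on an
 * `orbis_keychain` post before writing any meta. Fires
 * `orbis_keychain_password_update` when a published keychain's password changes.
 *
 * Fixes: `filter_input_array()` returns null when there is no POST data, which
 * previously fell through to a foreach over a non-array; the handler now
 * returns early. The old/new password comparison compared the unslashed stored
 * value with the slashed request value, reporting a change for any password
 * containing a quote or backslash; both sides are now unslashed (the action
 * therefore receives the unslashed new password).
 *
 * NOTE(review): the password is stored as plain post meta (FILTER_UNSAFE_RAW,
 * no encryption visible here) — the database holds these secrets in clear.
 * FILTER_SANITIZE_STRING is deprecated since PHP 8.1; kept to preserve behaviour.
 *
 * @param int     $post_id
 * @param WP_Post $post
 */
function orbis_save_keychain_details($post_id, $post) {
    if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
        return;
    }

    $nonce = filter_input(INPUT_POST, 'orbis_keychain_details_meta_box_nonce', FILTER_SANITIZE_STRING);
    if (!wp_verify_nonce($nonce, 'orbis_save_keychain_details')) {
        return;
    }

    if ('orbis_keychain' != $post->post_type || !current_user_can('edit_post', $post_id)) {
        return;
    }

    $definition = array(
        '_orbis_keychain_url'      => FILTER_VALIDATE_URL,
        '_orbis_keychain_email'    => FILTER_VALIDATE_EMAIL,
        '_orbis_keychain_username' => FILTER_SANITIZE_STRING,
        '_orbis_keychain_password' => FILTER_UNSAFE_RAW,
    );
    $raw = filter_input_array(INPUT_POST, $definition);
    if (!is_array($raw)) {
        return;
    }
    // The meta API unslashes on write, so slash the values first.
    $data = wp_slash($raw);

    $password_old = get_post_meta($post_id, '_orbis_keychain_password', true);
    $password_new = $raw['_orbis_keychain_password'];

    foreach ($data as $key => $value) {
        if (empty($value)) {
            delete_post_meta($post_id, $key);
        } else {
            update_post_meta($post_id, $key, $value);
        }
    }

    if ('publish' == $post->post_status && !empty($password_old) && $password_old != $password_new) {
        // @see https://github.com/woothemes/woocommerce/blob/v2.1.4/includes/class-wc-order.php#L1274
        do_action('orbis_keychain_password_update', $post_id, $password_old, $password_new);
    }
}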
/**
 * Append a history entry to the current post's `HISTORY_KEY` meta.
 *
 * The entry is stored as slashed JSON (the meta API unslashes on write). The
 * `checksum` field is a uniqid()-based identifier prefixed with 8 hex chars of
 * the entry's md5 — an identity token, not an integrity check.
 *
 * @param string $message
 * @param array  $data
 */
public function add_entry($message, array $data = array()) {
    $when = current_time('mysql');
    $digest = hash('md5', $when . $message . serialize($data));
    $entry_id = uniqid(substr($digest, 0, 8) . '_');
    $entry = array(
        'datetime' => $when,
        'message'  => $message,
        'data'     => $data,
        'checksum' => $entry_id,
    );
    add_post_meta($this->post_id, self::HISTORY_KEY, wp_slash(json_encode($entry)));
}
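/**
 * A slashed meta key must resolve to the same unslashed key on add and update.
 *
 * Removed the unused `global $wpdb;` declaration.
 *
 * @ticket 35795
 */
public function test_slashed_key_for_existing_metadata() {
    // add_metadata()/update_metadata() expect slashed keys; get_metadata() takes the raw key.
    add_metadata('post', 123, wp_slash('foo\\foo'), 'bar');
    update_metadata('post', 123, wp_slash('foo\\foo'), 'baz');
    $found = get_metadata('post', 123, 'foo\\foo', true);
    $this->assertSame('baz', $found);
}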
/**
 * Store a single attribute as post meta on this object's post.
 *
 * String values are slashed first because `update_post_meta()` unslashes its
 * input, which would otherwise drop backslashes.
 * NOTE(review): only top-level strings are slashed; strings nested inside an
 * array value are written as-is and may lose backslashes — confirm whether
 * callers pass arrays.
 *
 * @param string $key
 * @param mixed  $value
 * @return $this
 */
public function setAttribute($key, $value) {
    $stored = is_string($value) ? wp_slash($value) : $value;
    update_post_meta($this->getId(), $key, $stored);
    return $this;
}
/**
 * Re-slash builder meta while WP_Import restores post meta.
 *
 * `update_post_meta()` strips slashes from its value, which corrupts the JSON
 * builder payload; slashing first keeps it intact. Other meta keys are ignored.
 *
 * @param int    $post_id
 * @param string $key
 * @param mixed  $value
 */
function import_post_meta($post_id, $key, $value) {
    if ($key != $this->meta_key) {
        return;
    }
    update_post_meta($post_id, $this->meta_key, wp_slash($value));
}
/**
 * Update a WP user option for the current user.
 *
 * @since 1.0.0
 *
 * @param string $option_name Name of the WP User Option.
 * @param string $new_value   New (unslashed) value; slashed here because the
 *                            user-option API expects slashed input.
 * @return bool True on success, false on failure (including when nobody is logged in).
 */
protected function _update_option($option_name, $new_value) {
    if (!is_user_logged_in()) {
        // Anonymous visitors have no stored option to update.
        return false;
    }
    $user_id = get_current_user_id();
    return update_user_option($user_id, $option_name, wp_slash($new_value), false);
}
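/**
 * Render the duplicate / delete / preview action buttons for a slider row.
 *
 * Fixes: the `page` request value and the slider ID were interpolated into
 * `href` attributes unescaped (reflected XSS via the `page` parameter), and the
 * delete confirmation text was only `wp_slash()`ed, which does not make a JS
 * string safe inside an HTML attribute. URLs now go through
 * add_query_arg()/esc_url(), the JS string through esc_js(), and the slider ID
 * is cast to int.
 *
 * @param array $item Row data; `ID` is the slider ID.
 * @return string HTML for the action buttons.
 */
function column_action($item) {
    $paged = $this->get_pagenum();
    $page = isset($_REQUEST['page']) ? $_REQUEST['page'] : '';
    $slider_id = (int) $item['ID'];
    $buttons = '';

    $base_args = array('page' => $page, 'slider_id' => $slider_id);
    // `paged` is only added beyond the first page, as before.
    if ((int) $paged > 1) {
        $base_args['paged'] = (int) $paged;
    }

    if (current_user_can('duplicate_masterslider') || apply_filters('masterslider_admin_display_duplicate_btn', 0)) {
        $buttons .= sprintf(
            '<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="%s"><span></span>%s</a>',
            esc_url(add_query_arg(array_merge($base_args, array('action' => 'duplicate')))),
            __('duplicate')
        );
    }
    if (current_user_can('delete_masterslider') || apply_filters('masterslider_admin_display_delete_btn', 0)) {
        $buttons .= sprintf(
            '<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="%s" onClick="return confirm(\'%s\');" ><span></span>%s</a>',
            esc_url(add_query_arg(array_merge($base_args, array('action' => 'delete')))),
            esc_js(apply_filters('masterslider_admin_delete_btn_alert_message', __('Are you sure you want to delete this slider?', 'master-slider'))),
            __('delete')
        );
    }
    $buttons .= sprintf(
        '<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="%s" onClick="lunchMastersliderPreviewBySliderID(%d);return false;" ><span></span>%s</a>',
        esc_url(add_query_arg(array('page' => $page, 'action' => 'preview', 'slider_id' => $slider_id))),
        $slider_id,
        __('preview')
    );
    return $buttons;
}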
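/**
 * Render the duplicate / delete / preview action buttons for a slider row.
 *
 * Fixes: the delete confirmation text was only `wp_slash()`ed before being
 * placed in an `onClick` attribute; addslashes() leaves `"` and `<` intact, so
 * a filtered message could break out of the attribute. It now goes through
 * esc_js(), which is meant for inline JS in attributes. The slider ID passed
 * to the preview JS call is cast to int.
 *
 * @param array $item Row data; `ID` is the slider ID.
 * @return string HTML for the action buttons.
 */
function column_action($item) {
    $paged = $this->get_pagenum();
    $page = isset($_GET['page']) ? $_GET['page'] : '';
    $slider_id = (int) $item['ID'];
    $buttons = '';

    if (current_user_can('duplicate_masterslider') || apply_filters('masterslider_admin_display_duplicate_btn', 0)) {
        $buttons .= sprintf(
            '<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="%s"><span></span>%s</a>',
            esc_url(add_query_arg(array('page' => $page, 'action' => 'duplicate', 'slider_id' => $slider_id, 'paged' => $paged))),
            __('duplicate', MSWP_TEXT_DOMAIN)
        );
    }
    if (current_user_can('delete_masterslider') || apply_filters('masterslider_admin_display_delete_btn', 0)) {
        $buttons .= sprintf(
            '<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="%s" onClick="return confirm(\'%s\');" ><span></span>%s</a>',
            esc_url(add_query_arg(array('page' => $page, 'action' => 'delete', 'slider_id' => $slider_id, 'paged' => $paged))),
            esc_js(apply_filters('masterslider_admin_delete_btn_alert_message', __('Are you sure you want to delete this slider?', MSWP_TEXT_DOMAIN))),
            __('delete', MSWP_TEXT_DOMAIN)
        );
    }
    $buttons .= sprintf(
        '<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="%s" onClick="lunchMastersliderPreviewBySliderID(%d);return false;" ><span></span>%s</a>',
        esc_url(add_query_arg(array('page' => $page, 'action' => 'preview', 'slider_id' => $slider_id))),
        $slider_id,
        __('preview', MSWP_TEXT_DOMAIN)
    );
    return $buttons;
}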
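/**
 * Add slashes to a string or, recursively, to every string in an array.
 *
 * Use this when handing data to core APIs that expect slashed input (the
 * post/meta/user APIs unslash on write). It is NOT an SQL escaping function;
 * use $wpdb->prepare() for queries.
 *
 * Fix: non-string scalars (int, float, bool, null) and objects are now
 * returned unchanged instead of being coerced to strings (or, for objects,
 * erroring) by addslashes().
 *
 * @since 3.6.0
 *
 * @param string|array $value String or array of strings to slash.
 * @return string|array Slashed $value, same shape as the input.
 */
function wp_slash($value) {
    if (is_array($value)) {
        return array_map('wp_slash', $value);
    }
    if (is_string($value)) {
        return addslashes($value);
    }
    return $value;
}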
/**
 * Record a rating for a post as a special-typed comment.
 *
 * Returns an empty array if the current user already rated the post. The
 * rating is stored as the comment content (absolute float); notifications are
 * suppressed via the `extra_rating_notify_intercept` filter.
 *
 * NOTE(review): no upper bound is enforced on $rating here — confirm the
 * caller validates the range.
 *
 * @param int       $post_id
 * @param int|float $rating
 * @return array Empty if already rated; otherwise ['rating' => ..., 'average' => ...].
 */
function extra_add_post_rating($post_id, $rating) {
    if (extra_get_user_post_rating($post_id)) {
        return array();
    }
    $comment = array(
        'comment_type'         => EXTRA_RATING_COMMENT_TYPE,
        'comment_author'       => '',
        'comment_author_url'   => '',
        'comment_author_email' => '',
        'comment_post_ID'      => absint($post_id),
        'comment_content'      => abs(floatval($rating)),
    );
    $current_user = wp_get_current_user();
    if ($current_user->exists()) {
        // wp_new_comment() expects slashed strings.
        $comment['comment_author'] = wp_slash($current_user->display_name);
        $comment['user_ID'] = $current_user->ID;
    }
    // prevent notifications
    add_filter('extra_rating_notify_intercept', '__return_zero');
    wp_new_comment($comment);
    $average = extra_set_post_rating_average($post_id);
    return array('rating' => $rating, 'average' => $average);
}
/**
 * WP_Customize_Manager::post_value() reads from the slashed `customized` JSON
 * in $_POST and falls back to the supplied default when a setting was not posted.
 *
 * @ticket 30988
 */
function test_post_value() {
    $posted = array('foo' => 'OOF');
    // $_POST is slashed by WordPress at bootstrap; mimic that here.
    $_POST['customized'] = wp_slash(wp_json_encode($posted));
    $manager = $this->instantiate();

    $manager->add_setting('foo', array('default' => 'foo_default'));
    $foo = $manager->get_setting('foo');
    $this->assertEquals('foo_default', $manager->get_setting('foo')->value(), 'Expected non-previewed setting to return default when value() method called.');
    $this->assertEquals($posted['foo'], $manager->post_value($foo, 'post_value_foo_default'), 'Expected post_value($foo_setting) to return value supplied in $_POST[customized][foo]');

    $manager->add_setting('bar', array('default' => 'bar_default'));
    $bar = $manager->get_setting('bar');
    $this->assertEquals('post_value_bar_default', $manager->post_value($bar, 'post_value_bar_default'), 'Expected post_value($bar_setting, $default) to return $default since no value supplied in $_POST[customized][bar]');
}
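/**
 * AJAX handler: save a form from the builder.
 *
 * Verifies the `wpforms-builder` nonce and the (filterable) manage capability,
 * then expands the JSON-encoded list of `{name, value}` inputs posted as
 * `data` into a nested array (the same trick core uses to dodge
 * `max_input_vars`) and hands it to the form handler.
 *
 * Hardening: entries that are not objects with a `name` are skipped instead of
 * raising notices, and the `id` / settings keys are read with isset() guards
 * so a malformed payload fails cleanly rather than with undefined-index notices.
 *
 * @since 1.0.0
 */
function wpforms_save_form() {
    check_ajax_referer('wpforms-builder', 'nonce');

    if (!current_user_can(apply_filters('wpforms_manage_cap', 'manage_options'))) {
        die(__('You do no have permission.', 'wpforms'));
    }

    if (empty($_POST['data'])) {
        die(__('No data provided', 'wpforms'));
    }

    // $_POST is slashed; unslash before decoding the JSON.
    $form_post = json_decode(stripslashes($_POST['data']));
    $data = array();

    if (!is_null($form_post) && $form_post) {
        foreach ((array) $form_post as $post_input_data) {
            // Each entry must look like a serialized form field; skip anything else.
            if (!is_object($post_input_data) || !isset($post_input_data->name)) {
                continue;
            }
            // For input names that are arrays (e.g. `menu-item-db-id[3][4][5]`),
            // derive the array path keys via regex and set the value in $_POST.
            preg_match('#([^\\[]*)(\\[(.+)\\])?#', $post_input_data->name, $matches);
            $array_bits = array($matches[1]);
            if (isset($matches[3])) {
                $array_bits = array_merge($array_bits, explode('][', $matches[3]));
            }
            $value = isset($post_input_data->value) ? $post_input_data->value : '';
            $new_post_data = array();
            // Build the new array value from leaf to trunk.
            for ($i = count($array_bits) - 1; $i >= 0; $i--) {
                if ($i == count($array_bits) - 1) {
                    $new_post_data[$array_bits[$i]] = wp_slash($value);
                } else {
                    $new_post_data = array($array_bits[$i] => $new_post_data);
                }
            }
            $data = array_replace_recursive($data, $new_post_data);
        }
    }

    $form_id = wpforms()->form->update(isset($data['id']) ? $data['id'] : null, $data);

    do_action('wpforms_builder_save_form', $form_id, $data);

    if (!$form_id) {
        die(__('An error occured and the form could not be saved', 'wpforms'));
    }

    $settings = (isset($data['settings']) && is_array($data['settings'])) ? $data['settings'] : array();
    wp_send_json_success(array(
        'form_name' => esc_html(isset($settings['form_title']) ? $settings['form_title'] : ''),
        'form_desc' => isset($settings['form_desc']) ? $settings['form_desc'] : '',
        'redirect'  => admin_url('admin.php?page=wpforms-overview'),
    ));
}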
/**
 * Write a set of post meta values, deleting keys whose value is null or ''.
 *
 * The meta API strips slashes from values on write (see the
 * update_post_meta() reference), so the whole array is slashed first to keep
 * backslash-escaped content such as JSON intact.
 *
 * @param int   $post_id
 * @param array $data Meta key => value map.
 */
function pronamic_pay_update_post_meta_data($post_id, array $data) {
    $slashed = wp_slash($data);
    foreach ($slashed as $meta_key => $meta_value) {
        $is_blank = !isset($meta_value) || '' === $meta_value;
        if ($is_blank) {
            delete_post_meta($post_id, $meta_key);
            continue;
        }
        update_post_meta($post_id, $meta_key, $meta_value);
    }
}
/**
 * Update a post with new post data.
 *
 * Loads the existing post, slashes it (the DB copy is unslashed while the
 * insert path expects slashed data), merges the caller's fields over it and
 * delegates to wp_insert_post() — or wp_insert_attachment() for attachments.
 * An object $postarr is treated as unslashed and slashed here; an array is
 * expected to be slashed already.
 *
 * @param array|object $postarr  Post data; must carry 'ID'. Arrays are expected slashed.
 * @param bool         $wp_error Whether to return a WP_Error on failure (otherwise 0).
 * @return int|WP_Error Post ID on success; 0 or WP_Error on failure.
 */
function wp_update_post($postarr = array(), $wp_error = false) {
    if (is_object($postarr)) {
        // Non-escaped post was passed.
        $postarr = get_object_vars($postarr);
        $postarr = wp_slash($postarr);
    }
    // First, get all of the original fields.
    $post = get_post($postarr['ID'], ARRAY_A);
    if (is_null($post)) {
        if ($wp_error) {
            return new WP_Error('invalid_post', __('Invalid post ID.'));
        }
        return 0;
    }
    // Escape data pulled from DB.
    $post = wp_slash($post);
    // Passed post category list overwrites existing category list if not empty.
    if (isset($postarr['post_category']) && is_array($postarr['post_category']) && 0 != count($postarr['post_category'])) {
        $post_cats = $postarr['post_category'];
    } else {
        $post_cats = $post['post_category'];
    }
    // Drafts shouldn't be assigned a date unless explicitly done so by the user.
    // Only an unpublished post with a zero GMT date and no explicit edit_date is reset.
    if (isset($post['post_status']) && in_array($post['post_status'], array('draft', 'pending', 'auto-draft')) && empty($postarr['edit_date']) && '0000-00-00 00:00:00' == $post['post_date_gmt']) {
        $clear_date = true;
    } else {
        $clear_date = false;
    }
    // Merge old and new fields with new fields overwriting old ones.
    $postarr = array_merge($post, $postarr);
    $postarr['post_category'] = $post_cats;
    if ($clear_date) {
        $postarr['post_date'] = current_time('mysql');
        $postarr['post_date_gmt'] = '';
    }
    if ($postarr['post_type'] == 'attachment') {
        // NOTE(review): $wp_error is not forwarded here, so attachment failures come back as 0 — confirm intended.
        return wp_insert_attachment($postarr);
    }
    return wp_insert_post($postarr, $wp_error);
}
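/**
 * Normalise slashes on a string, array or object and return the result.
 *
 * The value is unslashed (stripslashes_deep) and then re-slashed, recursing
 * into arrays and objects (keys are processed too). Despite the name this does
 * no HTML or SQL sanitisation: the only escaping applied is `$wpdb->prepare()`
 * when `$params['type']` (or a string `$params`) is a printf-style format such
 * as '%s' or '%d'.
 *
 * Fix: the `$wpdb->prepare()` branch passed `$output` — still the empty array
 * initialised above — instead of the unslashed `$input`, so a typed call never
 * prepared the actual value. It now prepares `$input`.
 *
 * @param mixed        $input  The string, array, or object to sanitize
 * @param array|string $params Options: 'type' (prepare format or null) and
 *                             'nested' (internal, set on recursive calls). A
 *                             string is shorthand for array('type' => $params).
 *
 * @return array|mixed|object|string|void
 *
 * @since 1.1.10
 */
public static function sanitize($input, $params = array()) {
    $input = stripslashes_deep($input);

    // Scalars with nothing to slash, and empty values, pass straight through.
    if ('' === $input || is_int($input) || is_float($input) || empty($input)) {
        return $input;
    }

    $output = array();
    $defaults = array('nested' => false, 'type' => null);
    if (!is_array($params)) {
        $defaults['type'] = $params;
        $params = $defaults;
    } else {
        $params = array_merge($defaults, (array) $params);
    }

    if (is_object($input)) {
        $input = get_object_vars($input);
        $n_params = $params;
        $n_params['nested'] = true;
        foreach ($input as $key => $val) {
            $output[self::sanitize($key)] = self::sanitize($val, $n_params);
        }
        $output = (object) $output;
    } elseif (is_array($input)) {
        $n_params = $params;
        $n_params['nested'] = true;
        foreach ($input as $key => $val) {
            $output[self::sanitize($key)] = self::sanitize($val, $n_params);
        }
    } elseif (!empty($params['type']) && false !== strpos($params['type'], '%')) {
        /**
         * @var $wpdb wpdb
         */
        global $wpdb;
        // Prepare the actual value; $output is only the empty placeholder here.
        $output = $wpdb->prepare($params['type'], $input);
    } else {
        $output = wp_slash($input);
    }

    return $output;
}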
/**
 * Autosave endpoint: store the posted title/content/excerpt for a post.
 *
 * For the author's own unlocked draft/auto-draft the post is edited in place;
 * otherwise a per-user autosave revision is created and a nonce-protected
 * preview URL is returned.
 *
 * @param string $path
 * @param int    $blog_id
 * @param int    $post_id
 * @return array|WP_Error ID, post_ID, modified and preview_URL on success.
 */
function callback($path = '', $blog_id = 0, $post_id = 0) {
    $blog_id = $this->api->switch_to_blog_and_validate_user($this->api->get_blog_id($blog_id));
    if (is_wp_error($blog_id)) {
        return $blog_id;
    }

    $args = $this->query_args();
    $input = $this->input(false);
    if (!is_array($input) || !$input) {
        return new WP_Error('invalid_input', 'Invalid request input', 400);
    }

    $post = get_post($post_id);
    if (!$post || is_wp_error($post)) {
        return new WP_Error('unknown_post', 'Unknown post', 404);
    }
    if (!current_user_can('edit_post', $post->ID)) {
        return new WP_Error('unauthorized', 'User cannot edit post', 403);
    }

    $fields = array(
        'post_ID'      => $post_id,
        'post_title'   => $input['title'],
        'post_content' => $input['content'],
        'post_excerpt' => $input['excerpt'],
    );
    $preview_url = add_query_arg('preview', 'true', get_permalink($post->ID));

    $is_own_unlocked_draft = !wp_check_post_lock($post->ID)
        && get_current_user_id() == $post->post_author
        && ('auto-draft' == $post->post_status || 'draft' == $post->post_status);

    if ($is_own_unlocked_draft) {
        // The author's own unlocked draft is overwritten directly (edit_post() expects slashed data).
        $auto_ID = edit_post(wp_slash($fields));
    } else {
        // Anything else gets a per-user autosave revision and a nonce-protected preview link.
        $auto_ID = wp_create_post_autosave(wp_slash($fields));
        $preview_url = add_query_arg(array(
            'preview_id'    => $auto_ID,
            'preview_nonce' => wp_create_nonce('post_preview_' . $post->ID),
        ), $preview_url);
    }

    $saved = get_post($auto_ID);
    if (!$saved || !$saved->ID || !$saved->post_modified) {
        return new WP_Error('autosave_error', __('Autosave encountered an unexpected error', 'jetpack'), 500);
    }
    return array(
        'ID'          => $auto_ID,
        'post_ID'     => $post->ID,
        'modified'    => $this->format_date($saved->post_modified),
        'preview_URL' => $preview_url,
    );
}
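/**
 * Build (and cache on the instance) the list of theme templates a Content
 * Template may be previewed with, derived from its usages.
 *
 * For each usage key matching a known prefix, the post type / taxonomy name is
 * the remainder of the key, and the first file of that domain's template
 * hierarchy present in the theme is recorded. If the template path stored for
 * the `ct_id` in the request is not among the allowed paths, the first allowed
 * template is stored instead.
 *
 * Fixes: `$_GET['ct_id']` was read for get_post_meta() before the isset()
 * check and used unvalidated as a post ID; it is now read once, cast to int,
 * and the meta read/write is skipped when absent or non-positive. A usage whose
 * post type / taxonomy is not registered (get_post_type_object()/get_taxonomy()
 * returning null) is skipped instead of dereferencing null. The unused re-read
 * of the meta after the write was dropped.
 *
 * NOTE(review): no capability check guards the update_post_meta() write on the
 * request-supplied ct_id — presumably the admin screen calling this enforces
 * it; confirm.
 *
 * @return array List of ['slug', 'domain', 'form-option-label', 'path'] entries.
 */
public function getFrontendTemplates() {
    if ($this->allowed_templates !== null) {
        return $this->allowed_templates;
    }

    $content_template_usages = $this->getUsages();
    $theme_template_files = (array) wp_get_theme()->get_files('php', 1, true);

    $single_hierarchy   = array('single-%NAME%.php', 'single.php', 'singular.php', 'index.php');
    $archive_hierarchy  = array('archive-%NAME%.php', 'archive.php', 'index.php');
    $taxonomy_hierarchy = array('taxonomy-%NAME%.php', 'taxonomy.php', 'archive.php', 'index.php');
    $wpv_options_patterns = array(
        'views_template_for_' => array('label' => __('Single page', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => $single_hierarchy),
        'views_template_archive_for_' => array('label' => __('Post archive', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => $archive_hierarchy),
        'views_template_loop_' => array('label' => __('Taxonomy archive', 'wpv-views'), 'domain' => 'taxonomy', 'template_hierarchy' => $taxonomy_hierarchy),
        'view_loop_preview_post_type_' => array('label' => __('View loop', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => $single_hierarchy),
        'view_wpa_loop_preview_post_type_' => array('label' => __('WordPress Archive loop', 'wpv-views'), 'domain' => 'post', 'template_hierarchy' => $archive_hierarchy),
        'view_wpa_loop_preview_taxonomy_' => array('label' => __('WordPress Archive loop', 'wpv-views'), 'domain' => 'taxonomy', 'template_hierarchy' => $taxonomy_hierarchy),
    );

    $this->allowed_templates = array();
    foreach ($content_template_usages as $usage => $ct_usage_id) {
        foreach ($wpv_options_patterns as $pattern => $settings) {
            if (strpos($usage, $pattern) === false) {
                continue;
            }
            $type_name = str_replace($pattern, '', $usage);
            $type_object = ('post' == $settings['domain']) ? get_post_type_object($type_name) : get_taxonomy($type_name);
            if (!$type_object) {
                // Unregistered type: nothing to match a template against.
                continue;
            }
            foreach ($settings['template_hierarchy'] as $template_file) {
                $candidate = str_replace('%NAME%', $type_object->name, $template_file);
                if (array_key_exists($candidate, $theme_template_files)) {
                    $this->allowed_templates[] = array(
                        'slug' => $type_object->name,
                        'domain' => $settings['domain'],
                        'form-option-label' => $settings['label'] . ' ' . $type_object->labels->name,
                        'path' => $theme_template_files[$candidate],
                    );
                    break;
                }
            }
        }
    }

    // Make sure that the stored template path is in the allowed ones, or force it otherwise.
    $allowed_paths = wp_list_pluck($this->allowed_templates, 'path');
    $ct_id = isset($_GET['ct_id']) ? (int) $_GET['ct_id'] : 0;
    if ($ct_id > 0 && !empty($allowed_paths)) {
        $option_name = $this->manager->getActiveEditor()->getOptionName();
        $current_template = get_post_meta($ct_id, $option_name, true);
        $stored_path = (is_array($current_template) && isset($current_template['template_path'])) ? $current_template['template_path'] : null;
        if (null === $stored_path || !in_array($stored_path, $allowed_paths)) {
            $first_allowed_template = reset($this->allowed_templates);
            $settings_to_store = array(
                'template_path' => wp_slash($first_allowed_template['path']),
                'preview_domain' => $first_allowed_template['domain'],
                'preview_slug' => $first_allowed_template['slug'],
            );
            update_post_meta($ct_id, $option_name, $settings_to_store);
        }
    }
    return $this->allowed_templates;
}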
/**
 * Headers read through the REST server must come back unslashed even though
 * WordPress slashes the superglobals at bootstrap.
 */
public function test_serve_request_headers_are_unslashed() {
    $route = array(
        array(
            'methods'  => WP_REST_Server::READABLE,
            'callback' => '__return_false',
            'args'     => array('data' => array()),
        ),
    );
    $this->server->register_route('test', '/test', $route);
    // Simulate the slashing WordPress applies to $_SERVER on bootstrap.
    $_SERVER['HTTP_X_MY_HEADER'] = wp_slash('data\\with\\slashes');
    $result = $this->server->serve_request('/test/data\\with\\slashes');
    $header = $this->server->last_request->get_header('x_my_header');
    $this->assertEquals('data\\with\\slashes', $header);
}
/**
 * A simpler way of inserting a user into the database.
 *
 * Creates a new user with just the username, password, and email. For more
 * complex user creation use {@see wp_insert_user()} to specify more information.
 * The login and email are slashed because wp_insert_user() expects slashed
 * data; the password is passed through untouched.
 *
 * @since 2.0.0
 * @see wp_insert_user() More complete way to create a new user
 *
 * @param string $username The user's username.
 * @param string $password The user's password.
 * @param string $email    Optional. The user's email. Default empty.
 * @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not
 *                      be created.
 */
function wp_create_user($username, $password, $email = '') {
    $userdata = array(
        'user_login' => wp_slash($username),
        'user_email' => wp_slash($email),
        'user_pass'  => $password,
    );
    return wp_insert_user($userdata);
}
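/**
 * Slash a string, or every string inside an array (recursively), for core APIs
 * that expect slashed input. This is not SQL escaping.
 *
 * Fix: for array input the method modified `$data` in place but returned
 * nothing, while for scalars it returned the slashed value without touching
 * the reference. Arrays are now also returned, so `$x = $db->escape($y)` works
 * for both shapes; the scalar path is unchanged (it still does not write back
 * through the reference) to stay backward compatible. The dangling
 * foreach-by-reference variable is now unset. Objects nested in arrays are
 * left untouched, as before.
 *
 * @since 1.5.2
 *
 * @param string|array $data Escape single string or array of strings.
 * @return string|array Type matches $data and sanitized for the database.
 */
public function escape(&$data) {
    if (!is_array($data)) {
        return wp_slash($data);
    }
    foreach ($data as &$item) {
        if (is_array($item)) {
            $this->escape($item);
        } elseif (!is_object($item)) {
            $item = wp_slash($item);
        }
    }
    unset($item); // drop the reference left behind by foreach-by-reference
    return $data;
}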
/**
 * Ajax handler for updating attachment attributes.
 *
 * Expects `id` and a `changes` array in the request; requires the
 * `update-post_{id}` nonce and `edit_post` on the attachment. Applies title,
 * caption, description, parent and (when MEDIA_TRASH is on) status to the
 * post row, the alt text to `_wp_attachment_image_alt`, and ID3 fields to the
 * attachment metadata for audio files. A `trash` status deletes the post
 * instead of updating it.
 *
 * NOTE(review): the title/caption/description/parent values are copied from
 * the slashed request straight into the array handed to wp_update_post();
 * any sanitising of those fields happens inside the post API, not here.
 *
 * @since 3.5.0
 */
function wp_ajax_save_attachment() {
    if (!isset($_REQUEST['id']) || !isset($_REQUEST['changes'])) {
        wp_send_json_error();
    }
    if (!($id = absint($_REQUEST['id']))) {
        wp_send_json_error();
    }
    check_ajax_referer('update-post_' . $id, 'nonce');
    if (!current_user_can('edit_post', $id)) {
        wp_send_json_error();
    }
    $changes = $_REQUEST['changes'];
    $post = get_post($id, ARRAY_A);
    if ('attachment' != $post['post_type']) {
        wp_send_json_error();
    }
    if (isset($changes['parent'])) {
        $post['post_parent'] = $changes['parent'];
    }
    if (isset($changes['title'])) {
        $post['post_title'] = $changes['title'];
    }
    if (isset($changes['caption'])) {
        $post['post_excerpt'] = $changes['caption'];
    }
    if (isset($changes['description'])) {
        $post['post_content'] = $changes['description'];
    }
    if (MEDIA_TRASH && isset($changes['status'])) {
        $post['post_status'] = $changes['status'];
    }
    if (isset($changes['alt'])) {
        // Compare and strip the alt text unslashed, then re-slash it for the meta API.
        $alt = wp_unslash($changes['alt']);
        if ($alt != get_post_meta($id, '_wp_attachment_image_alt', true)) {
            $alt = wp_strip_all_tags($alt, true);
            update_post_meta($id, '_wp_attachment_image_alt', wp_slash($alt));
        }
    }
    if (wp_attachment_is('audio', $post['ID'])) {
        $changed = false;
        $id3data = wp_get_attachment_metadata($post['ID']);
        if (!is_array($id3data)) {
            // No metadata yet: start from an empty array so the edited keys get written.
            $changed = true;
            $id3data = array();
        }
        foreach (wp_get_attachment_id3_keys((object) $post, 'edit') as $key => $label) {
            if (isset($changes[$key])) {
                $changed = true;
                $id3data[$key] = sanitize_text_field(wp_unslash($changes[$key]));
            }
        }
        if ($changed) {
            wp_update_attachment_metadata($id, $id3data);
        }
    }
    if (MEDIA_TRASH && isset($changes['status']) && 'trash' === $changes['status']) {
        wp_delete_post($id);
    } else {
        wp_update_post($post);
    }
    wp_send_json_success();
}
*/ do_action('pre_comment_on_post', $comment_post_ID); } $comment_author = isset($_POST['author']) ? trim(strip_tags($_POST['author'])) : null; $comment_author_email = isset($_POST['email']) ? trim($_POST['email']) : null; $comment_author_url = isset($_POST['url']) ? trim($_POST['url']) : null; $comment_content = isset($_POST['comment']) ? trim($_POST['comment']) : null; // If the user is logged in $user = wp_get_current_user(); if ($user->exists()) { if (empty($user->display_name)) { $user->display_name = $user->user_login; } $comment_author = wp_slash($user->display_name); $comment_author_email = wp_slash($user->user_email); $comment_author_url = wp_slash($user->user_url); if (current_user_can('unfiltered_html')) { if (!isset($_POST['_wp_unfiltered_html_comment']) || !wp_verify_nonce($_POST['_wp_unfiltered_html_comment'], 'unfiltered-html-comment_' . $comment_post_ID)) { kses_remove_filters(); // start with a clean slate kses_init_filters(); // set up the filters } } } else { if (get_option('comment_registration') || 'private' == $status) { wp_die(__('Sorry, you must be logged in to post a comment.'), 403); } } $comment_type = ''; if (get_option('require_name_email') && !$user->exists()) {
/**
 * Persist the menu export record as user meta for the current user.
 *
 * @param array $export Export record (unslashed); update_metadata() expects
 *                      slashed data, so it is slashed here.
 * @return bool
 */
function set_exported_menu($export) {
    $current_user = wp_get_current_user();
    $slashed = wp_slash($export);
    return update_metadata('user', $current_user->ID, 'custom_menu_export', $slashed);
}