From 5300ef20cf4d3555a1fac93a2555ac0d21022558 Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 3 Oct 2007 16:16:55 +0000
Subject: [PATCH] Add sanitize_url. Don't convert ampersands in URLs when saving to DB. fixes #4411 for trunk

git-svn-id: http://svn.automattic.com/wordpress/trunk@6182 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/default-filters.php | 13 +++++++++++--
 wp-includes/formatting.php | 13 ++++++++++---
 wp-includes/widgets.php | 2 +-
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index 9202aa27a..7fba5ea36 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -25,9 +25,18 @@ foreach ( $filters as $filter ) {
 	add_filter($filter, 'wp_filter_kses');
 }
 
-// URL
+// Save URL
 $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
-	'pre_link_rss', 'comment_url');
+	'pre_link_rss');
+foreach ( $filters as $filter ) {
+	add_filter($filter, 'strip_tags');
+	add_filter($filter, 'trim');
+	add_filter($filter, 'sanitize_url');
+	add_filter($filter, 'wp_filter_kses');
+}
+
+// Display URL
+$filters = array('user_url', 'link_url', 'link_image', 'link_rss', 'comment_url');
 foreach ( $filters as $filter ) {
 	add_filter($filter, 'strip_tags');
 	add_filter($filter, 'trim');
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index a58aa886b..2c95dbe8e 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1087,7 +1087,7 @@ function wp_richedit_pre($text) {
 	return apply_filters('richedit_pre', $output);
 }
 
-function clean_url( $url, $protocols = null ) {
+function clean_url( $url, $protocols = null, $context = 'display' ) {
 	$original_url = $url;
 
 	if ('' == $url) return $url;
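Review bot: In the new "Save URL" loop, `wp_filter_kses` is still registered after `sanitize_url`, and if wp_filter_kses normalizes entities the way kses passes usually do (bare `&` becomes `&amp;`), the ampersand is re-encoded on its way to the database and the commit's stated goal is not reached for pre_comment_author_url, pre_user_url and the pre_link_* fields. That cannot be confirmed from this hunk alone, so it should be checked with a round trip such as `apply_filters('pre_user_url', 'http://example.com/?a=1&b=2')` asserting the result still contains a raw `&`; since sanitize_url already rejects bad protocols through clean_url, the kses pass may be redundant for this list. Storing raw ampersands also moves all HTML escaping to the display filters, so any template that echoes `comment_author_url` or `user_url` without going through the `comment_url`/`user_url` filters now emits an unescaped `&`. The body of the display-filter foreach continues past the end of this hunk.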
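Review bot: The new `$context` parameter on clean_url is an undocumented free-form string, and the check that consumes it in the next hunk (`'display' == $context`) means any value other than exactly `'display'` silently selects the path that leaves ampersands unencoded, which is the unsafe default for a function whose result is usually echoed into HTML. A docblock above the signature should pin the contract, e.g. `@param string $context 'display' (default) entity-encodes bare ampersands for HTML output; 'db' leaves them untouched for storage and is not safe to echo.` The body of clean_url continues past the end of this hunk.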
@@ -1103,13 +1103,20 @@ function clean_url( $url, $protocols = null ) {
 		substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
 		$url = 'http://' . $url;
 
-	$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+	// Replace ampersands ony when displaying.
+	if ( 'display' == $context )
+		$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+
 	if ( !is_array($protocols) )
 		$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet');
 	if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
 		return '';
 
-	return apply_filters('clean_url', $url, $original_url);
+	return apply_filters('clean_url', $url, $original_url, $context);
+}
+
+function sanitize_url( $url, $protocols = null ) {
+	return clean_url( $url, $protocols, 'db');
 }
 
 // Borrowed from the PHP Manual user notes. Convert entities, while
diff --git a/wp-includes/widgets.php b/wp-includes/widgets.php
index 4c5921718..10d1e3d96 100644
--- a/wp-includes/widgets.php
+++ b/wp-includes/widgets.php
@@ -1001,7 +1001,7 @@ function wp_widget_rss_control($number) {
 	$options = $newoptions = get_option('widget_rss');
 	if ( $_POST["rss-submit-$number"] ) {
 		$newoptions[$number]['items'] = (int) $_POST["rss-items-$number"];
-		$url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
+		$url = sanitize_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
 		$newoptions[$number]['title'] = trim(strip_tags(stripslashes($_POST["rss-title-$number"])));
 		if ( $url !== $options[$number]['url'] ) {
 			require_once(ABSPATH . WPINC . '/rss.php');
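Review bot: The guard `if ( 'display' == $context )` makes ampersand encoding opt-in, so any unexpected `$context` (a typo, or a caller passing `null`) falls through to the unencoded branch, which is the one that is unsafe to print into an HTML attribute; inverting it so that only the explicit storage context skips the replacement, `if ( 'db' != $context )`, fails safe. The added comment has a typo (`ony` for `only`), and `sanitize_url` needs a one-line docblock stating that it is clean_url in the `'db'` context and that its result must still pass through clean_url or attribute escaping before being echoed. Existing `clean_url` filter callbacks registered with the default accepted_args of 1 will not receive the new `$context` argument, which is fine as long as none of them need to distinguish the two contexts. As rendered here the replacement string reads `'&$1'`, which would be a no-op; that looks like an entity lost in page extraction rather than the committed code, but is worth confirming against the file.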
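Review bot: The widget URL is fetched server-side right after this line (the `require_once(ABSPATH . WPINC . '/rss.php')` branch), yet the call keeps clean_url's default protocol list, which includes `ftp`, `gopher`, `telnet`, `mailto` and others that make no sense for a feed; since `sanitize_url` accepts a `$protocols` array as its second argument, tightening it is a one-line change, `$url = sanitize_url(strip_tags(stripslashes($_POST["rss-url-$number"])), array('http', 'https'));`, assuming the fetcher in rss.php handles nothing else. Because the stored value now keeps a raw `&`, wherever the control form later prints `$options[$number]['url']` into the input's value attribute it must be attribute-escaped or passed through clean_url, otherwise the ampersand goes out unencoded; that output code is outside this hunk. `$_POST["rss-submit-$number"]` is also read without `isset`, a pre-existing notice-level issue. The enclosing function wp_widget_rss_control continues past the end of this hunk.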