diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php
index 5bc83efb8..973aff999 100644
--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@@ -2030,6 +2030,7 @@ function wp_import_upload_form( $action ) {
?>
';
}
@@ -570,7 +572,8 @@ class Dotclear_Import {
$this->users2wp($users);
echo '';
}
@@ -581,7 +584,8 @@ class Dotclear_Import {
$this->posts2wp($posts);
echo '';
}
@@ -592,7 +596,8 @@ class Dotclear_Import {
$this->comments2wp($comments);
echo '';
}
@@ -604,7 +609,8 @@ class Dotclear_Import {
add_option('dc_links', $links);
echo '';
}
@@ -667,42 +673,44 @@ class Dotclear_Import {
if ( $step > 0 )
{
+ check_admin_referer('import-dotclear');
+
if($_POST['dbuser'])
{
if(get_option('dcuser'))
delete_option('dcuser');
- add_option('dcuser',$_POST['dbuser']);
+ add_option('dcuser', sanitize_user($_POST['dbuser'], true));
}
if($_POST['dbpass'])
{
if(get_option('dcpass'))
delete_option('dcpass');
- add_option('dcpass',$_POST['dbpass']);
+ add_option('dcpass', sanitize_user($_POST['dbpass'], true));
}
if($_POST['dbname'])
{
if(get_option('dcname'))
delete_option('dcname');
- add_option('dcname',$_POST['dbname']);
+ add_option('dcname', sanitize_user($_POST['dbname'], true));
}
if($_POST['dbhost'])
{
if(get_option('dchost'))
delete_option('dchost');
- add_option('dchost',$_POST['dbhost']);
+ add_option('dchost', sanitize_user($_POST['dbhost'], true));
}
if($_POST['dccharset'])
{
if(get_option('dccharset'))
delete_option('dccharset');
- add_option('dccharset',$_POST['dccharset']);
+ add_option('dccharset', sanitize_user($_POST['dccharset'], true));
}
if($_POST['dbprefix'])
{
if(get_option('dcdbprefix'))
delete_option('dcdbprefix');
- add_option('dcdbprefix',$_POST['dbprefix']);
+ add_option('dcdbprefix', sanitize_user($_POST['dbprefix'], true));
}
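Review bot: `sanitize_user($_POST['dbpass'], true)` and the matching `dbhost` line rewrite the value rather than validate it — strict mode removes every character outside a narrow alphanumeric whitelist, so a database password with punctuation, or a host given as `host:port` or a socket path, is stored silently altered and the later connection simply fails with no hint to the admin. These options are connection parameters, not rendered text, so a destructive sanitizer is the wrong tool for `dcpass` and `dchost`; store the entered value (`add_option('dcpass', $_POST['dbpass']);`) and reject, rather than rewrite, anything that fails a format check. The whitelist is defensible for `dbname`, `dbprefix` and `dccharset`, which are presumably interpolated into SQL identifiers later in this class (not visible here). Storing the DB credentials in `wp_options` at all predates this change; the added `check_admin_referer('import-dotclear')` is a welcome CSRF guard, but note it only covers the `$step > 0` branch. The enclosing method starts and ends outside the hunk.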
diff --git a/wp-admin/import/greymatter.php b/wp-admin/import/greymatter.php
index 9203ff72c..4305cd18c 100644
--- a/wp-admin/import/greymatter.php
+++ b/wp-admin/import/greymatter.php
@@ -34,6 +34,7 @@ class GM_Import {