--- wp-admin/admin-ajax.php +++ wp-admin/admin-ajax.php @@ -231,7 +231,7 @@ if($_POST['post_ID'] < 0) { $_POST['temp_ID'] = $_POST['post_ID']; $id = wp_write_post(); - if(is_wp_error($id)) + if( is_wp_error($id) ) die($id->get_error_message()); else die("$id"); --- wp-admin/admin-db.php +++ wp-admin/admin-db.php @@ -123,7 +123,7 @@ if (!$update) { $wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename, category_description, category_parent, links_private, posts_private) VALUES ('0', '$cat_name', '$category_nicename', '$category_description', '$category_parent', '$links_private', '$posts_private')"); - $cat_ID = $wpdb->insert_id; + $cat_ID = (int) $wpdb->insert_id; } else { $wpdb->query ("UPDATE $wpdb->categories SET cat_name = '$cat_name', category_nicename = '$category_nicename', category_description = '$category_description', category_parent = '$category_parent', links_private = '$links_private', posts_private = '$posts_private' WHERE cat_ID = '$cat_ID'"); } @@ -245,7 +245,7 @@ if (!$category_nicename = sanitize_title($cat_name)) return 0; - return $wpdb->get_var("SELECT cat_ID FROM $wpdb->categories WHERE category_nicename = '$category_nicename'"); + return (int) $wpdb->get_var("SELECT cat_ID FROM $wpdb->categories WHERE category_nicename = '$category_nicename'"); } function wp_delete_user($id, $reassign = 'novalue') { @@ -299,6 +299,8 @@ if ( !empty($link_id) ) $update = true; + $link_id = (int) $link_id; + if( trim( $link_name ) == '' ) return 0; $link_name = apply_filters('pre_link_name', $link_name); @@ -360,7 +362,7 @@ WHERE link_id='$link_id'"); } else { $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_image, link_target, link_description, link_visible, link_owner, link_rating, link_rel, link_notes, link_rss) VALUES('$link_url','$link_name', '$link_image', '$link_target', '$link_description', '$link_visible', '$link_owner', '$link_rating', '$link_rel', '$link_notes', '$link_rss')"); - $link_id = $wpdb->insert_id; + $link_id = (int) $wpdb->insert_id; } wp_set_link_cats($link_id, $link_category); @@ -443,7 +445,7 @@ $old_categories = $wpdb->get_col(" SELECT category_id FROM $wpdb->link2cat - WHERE link_id = $link_ID"); + WHERE link_id = '$link_ID'"); if (!$old_categories) { $old_categories = array(); @@ -456,10 +458,11 @@ if ($delete_cats) { foreach ($delete_cats as $del) { + $del = (int) $del; $wpdb->query(" DELETE FROM $wpdb->link2cat - WHERE category_id = $del - AND link_id = $link_ID + WHERE category_id = '$del' + AND link_id = '$link_ID' "); } } @@ -469,9 +472,11 @@ if ($add_cats) { foreach ($add_cats as $new_cat) { - $wpdb->query(" - INSERT INTO $wpdb->link2cat (link_id, category_id) - VALUES ($link_ID, $new_cat)"); + $new_cat = (int) $new_cat; + if ( !empty($new_cat) ) + $wpdb->query(" + INSERT INTO $wpdb->link2cat (link_id, category_id) + VALUES ('$link_ID', '$new_cat')"); } } --- wp-admin/admin-functions.php +++ wp-admin/admin-functions.php @@ -151,7 +151,7 @@ if ( 0 == preg_match( $search, $anchor, $id_matches ) ) continue; - $id = $id_matches[3]; + $id = (int) $id_matches[3]; // While we have the attachment ID, let's adopt any orphans. $attachment = & get_post( $id, ARRAY_A ); @@ -358,7 +358,7 @@ else if ( !empty( $post_title ) ) { $text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) ); $text = funky_javascript_fix( $text); - $popupurl = attribute_escape($_REQUEST['popupurl']); + $popupurl = clean_url($_REQUEST['popupurl']); $post_content = ''.$post_title.''."\n$text"; } @@ -417,7 +417,7 @@ $user = new WP_User( $user_id ); $user->user_login = attribute_escape($user->user_login); $user->user_email = attribute_escape($user->user_email); - $user->user_url = attribute_escape($user->user_url); + $user->user_url = clean_url($user->user_url); $user->first_name = attribute_escape($user->first_name); $user->last_name = attribute_escape($user->last_name); $user->display_name = attribute_escape($user->display_name); @@ -435,7 +435,7 @@ function add_user() { if ( func_num_args() ) { // The hackiest hack that ever did hack global $current_user, $wp_roles; - $user_id = func_get_arg( 0 ); + $user_id = (int) func_get_arg( 0 ); if ( isset( $_POST['role'] ) ) { if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) { @@ -453,7 +453,7 @@ global $current_user, $wp_roles, $wpdb; if ( $user_id != 0 ) { $update = true; - $user->ID = $user_id; + $user->ID = (int) $user_id; $userdata = get_userdata( $user_id ); $user->user_login = $wpdb->escape( $userdata->user_login ); } else { @@ -478,7 +478,7 @@ if ( isset( $_POST['email'] )) $user->user_email = wp_specialchars( trim( $_POST['email'] )); if ( isset( $_POST['url'] ) ) { - $user->user_url = wp_specialchars( trim( $_POST['url'] )); + $user->user_url = clean_url( trim( $_POST['url'] )); $user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url; } if ( isset( $_POST['first_name'] )) @@ -562,11 +562,11 @@ function get_link_to_edit( $link_id ) { $link = get_link( $link_id ); - $link->link_url = attribute_escape($link->link_url); + $link->link_url = clean_url($link->link_url); $link->link_name = attribute_escape($link->link_name); $link->link_image = attribute_escape($link->link_image); $link->link_description = attribute_escape($link->link_description); - $link->link_rss = attribute_escape($link->link_rss); + $link->link_rss = clean_url($link->link_rss); $link->link_rel = attribute_escape($link->link_rel); $link->link_notes = wp_specialchars($link->link_notes); $link->post_category = $link->link_category; @@ -576,7 +576,7 @@ function get_default_link_to_edit() { if ( isset( $_GET['linkurl'] ) ) - $link->link_url = attribute_escape( $_GET['linkurl']); + $link->link_url = clean_url( $_GET['linkurl']); else $link->link_url = ''; @@ -599,10 +599,10 @@ wp_die( __( 'Cheatin’ uh?' )); $_POST['link_url'] = wp_specialchars( $_POST['link_url'] ); - $_POST['link_url'] = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $_POST['link_url']) ? $_POST['link_url'] : 'http://' . $_POST['link_url']; + $_POST['link_url'] = clean_url($_POST['link_url']); $_POST['link_name'] = wp_specialchars( $_POST['link_name'] ); $_POST['link_image'] = wp_specialchars( $_POST['link_image'] ); - $_POST['link_rss'] = wp_specialchars( $_POST['link_rss'] ); + $_POST['link_rss'] = clean_url($_POST['link_rss']); $_POST['link_category'] = $_POST['post_category']; if ( !empty( $link_id ) ) { @@ -781,8 +781,8 @@ $pad = str_repeat( '— ', $level ); if ( current_user_can( 'manage_categories' ) ) { $edit = "".__( 'Edit' ).""; - $default_cat_id = get_option( 'default_category' ); - $default_link_cat_id = get_option( 'default_link_category' ); + $default_cat_id = (int) get_option( 'default_category' ); + $default_link_cat_id = (int) get_option( 'default_link_category' ); if ( ($category->cat_ID != $default_cat_id ) && ($category->cat_ID != $default_link_cat_id ) ) $edit .= "cat_ID ) . "' onclick=\"return deleteSomething( 'cat', $category->cat_ID, '" . js_escape(sprintf( __("You are about to delete the category '%s'.\nAll of its posts will go into the default category of '%s'\nAll of its bookmarks will go into the default category of '%s'.\n'OK' to delete, 'Cancel' to stop." ), $category->cat_name, get_catname( $default_cat_id ), get_catname( $default_link_cat_id ) )) . "' );\" class='delete'>".__( 'Delete' ).""; @@ -821,7 +821,7 @@ $post->post_title = wp_specialchars( $post->post_title ); $pad = str_repeat( '— ', $level ); - $id = $post->ID; + $id = (int) $post->ID; $class = ('alternate' == $class ) ? '' : 'alternate'; ?> @@ -867,7 +867,7 @@ } $r .= "\n\t\t"; if ( current_user_can( 'edit_user', $user_object->ID ) ) { - $edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" )); + $edit_link = add_query_arg( 'wp_http_referer', urlencode( clean_url( stripslashes( $_SERVER['REQUEST_URI'] ) ) ), "user-edit.php?user_id=$user_object->ID" ); $r .= "".__( 'Edit' ).""; } $r .= "\n\t"; @@ -1533,6 +1533,14 @@ return add_submenu_page( 'themes.php', $page_title, $menu_title, $access_level, $file, $function ); } +function add_users_page( $page_title, $menu_title, $access_level, $file, $function = '' ) { + if ( current_user_can('edit_users') ) + $parent = 'users.php'; + else + $parent = 'profile.php'; + return add_submenu_page( $parent, $page_title, $menu_title, $access_level, $file, $function ); +} + function validate_file( $file, $allowed_files = '' ) { if ( false !== strpos( $file, './' )) return 1; @@ -1914,7 +1922,7 @@ if ( strstr( $size, 'g' ) ) $bytes = $size * 1024 * 1024 * 1024; ?> -
+

( ) --- wp-admin/admin-header.php +++ wp-admin/admin-header.php @@ -2,7 +2,7 @@ @header('Content-type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset')); if (!isset($_GET["page"])) require_once('admin.php'); if ( $editing ) { - wp_enqueue_script( array("dbx-admin-key?pagenow=$pagenow",'admin-custom-fields') ); + wp_enqueue_script( array('dbx-admin-key?pagenow=' . attribute_escape($pagenow),'admin-custom-fields') ); if ( current_user_can('manage_categories') ) wp_enqueue_script( 'ajaxcat' ); if ( user_can_richedit() ) --- wp-admin/bookmarklet.php +++ wp-admin/bookmarklet.php @@ -37,7 +37,7 @@ $content = wp_specialchars($_REQUEST['content']); -$popupurl = attribute_escape($_REQUEST['popupurl']); +$popupurl = clean_url($_REQUEST['popupurl']); if ( !empty($content) ) { $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) ); } else { --- wp-admin/custom-header.php +++ wp-admin/custom-header.php @@ -174,7 +174,7 @@

%1$d x %2$d pixels will be used as-is.'), HEADER_IMAGE_WIDTH, HEADER_IMAGE_HEIGHT); ?>

- +

@@ -188,7 +188,7 @@

- +
@@ -240,7 +240,7 @@
-
+

--- wp-admin/edit-comments.php +++ wp-admin/edit-comments.php @@ -56,7 +56,7 @@ $i = 0; foreach ($_POST['delete_comments'] as $comment) : // Check the permissions on each $comment = (int) $comment; - $post_id = $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment"); + $post_id = (int) $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment"); // $authordata = get_userdata( $wpdb->get_var("SELECT post_author FROM $wpdb->posts WHERE ID = $post_id") ); if ( current_user_can('edit_post', $post_id) ) { if ( !empty( $_POST['spam_button'] ) ) @@ -101,7 +101,7 @@ $r = ''; if ( 1 < $page ) { $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) : @@ -111,7 +111,7 @@ $p = false; if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) : $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num; - $r .= '' . ( $page_num ) . "\n"; + $r .= '' . ( $page_num ) . "\n"; $in = true; elseif ( $in == true ) : $r .= "...\n"; @@ -122,7 +122,7 @@ } if ( ( $page ) * 20 < $total || -1 == $total ) { $args['apage'] = $page + 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } echo "

$r

"; ?> @@ -248,7 +248,7 @@ $r = ''; if ( 1 < $page ) { $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) : @@ -258,7 +258,7 @@ $p = false; if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) : $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num; - $r .= '' . ( $page_num ) . "\n"; + $r .= '' . ( $page_num ) . "\n"; $in = true; elseif ( $in == true ) : $r .= "...\n"; @@ -269,7 +269,7 @@ } if ( ( $page ) * 20 < $total || -1 == $total ) { $args['apage'] = $page + 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } echo "

$r

"; ?> --- wp-admin/edit-form-advanced.php +++ wp-admin/edit-form-advanced.php @@ -168,11 +168,11 @@ ?>

--- wp-admin/edit-page-form.php +++ wp-admin/edit-page-form.php @@ -13,7 +13,7 @@ $form_extra = ""; } -$sendto = attribute_escape(stripslashes(wp_get_referer())); +$sendto = clean_url(stripslashes(wp_get_referer())); if ( 0 != $post_ID && $sendto == get_permalink($post_ID) ) $sendto = 'redo'; --- wp-admin/import/blogware.php +++ wp-admin/import/blogware.php @@ -104,7 +104,7 @@ $comments = $comments[1]; if ( $comments ) { - $comment_post_ID = $post_id; + $comment_post_ID = (int) $post_id; $num_comments = 0; foreach ($comments as $comment) { preg_match('|(.*?)|is', $comment, $comment_content); --- wp-admin/import/dotclear.php +++ wp-admin/import/dotclear.php @@ -437,8 +437,8 @@ extract($comment); // WordPressify Data - $comment_ID = ltrim($comment_id, '0'); - $comment_post_ID = $postarr[$post_id]; + $comment_ID = (int) ltrim($comment_id, '0'); + $comment_post_ID = (int) $postarr[$post_id]; $comment_approved = "$comment_pub"; $name = $wpdb->escape(csc ($comment_auteur)); $email = $wpdb->escape($comment_email); --- wp-admin/import/livejournal.php +++ wp-admin/import/livejournal.php @@ -82,7 +82,7 @@ $comments = $comments[1]; if ( $comments ) { - $comment_post_ID = $post_id; + $comment_post_ID = (int) $post_id; $num_comments = 0; foreach ($comments as $comment) { preg_match('|(.*?)|is', $comment, $comment_content); --- wp-admin/import/mt.php +++ wp-admin/import/mt.php @@ -171,7 +171,7 @@ return; } $this->file = $file['file']; - $this->id = $file['id']; + $this->id = (int) $file['id']; $this->get_entries(); $this->mt_authors_form(); @@ -295,7 +295,7 @@ } } - $comment_post_ID = $post_id; + $comment_post_ID = (int) $post_id; $comment_approved = 1; // Now for comments --- wp-admin/import/wordpress.php +++ wp-admin/import/wordpress.php @@ -174,7 +174,7 @@ return; } $this->file = $file['file']; - $this->id = $file['id']; + $this->id = (int) $file['id']; $this->get_entries(); $this->wp_authors_form(); @@ -201,7 +201,7 @@ if ( empty($parent) ) $category_parent = '0'; else - $category_parent = (int) category_exists($parent); + $category_parent = category_exists($parent); $catarr = compact('category_nicename', 'category_parent', 'posts_private', 'links_private', 'posts_private', 'cat_name'); --- wp-admin/link-manager.php +++ wp-admin/link-manager.php @@ -133,7 +133,7 @@ foreach ($links as $link) { $link->link_name = attribute_escape($link->link_name); $link->link_description = wp_specialchars($link->link_description); - $link->link_url = attribute_escape($link->link_url); + $link->link_url = clean_url($link->link_url); $link->link_category = wp_get_link_cats($link->link_id); $short_url = str_replace('http://', '', $link->link_url); $short_url = str_replace('www.', '', $short_url); --- wp-admin/page.php +++ wp-admin/page.php @@ -63,7 +63,7 @@ ?>

- +

- +

@@ -40,7 +40,7 @@ if ( empty( $_GET['backto'] ) ) $backto = __get_option('home'); else - $backto = attribute_escape(stripslashes($_GET['backto'])); + $backto = clean_url(stripslashes($_GET['backto'])); ?>

Have fun!"), $backto); ?>

--- wp-admin/upload-functions.php +++ wp-admin/upload-functions.php @@ -35,7 +35,7 @@ $r = ''; if ( $href ) - $r .= "\n"; + $r .= "\n"; if ( $href || $image_src ) $r .= "\t\t\t$innerHTML"; if ( $href ) @@ -83,9 +83,9 @@ echo '[ '; echo '' . __('view') . ''; echo ' | '; - echo '' . __('edit') . ''; + echo '' . __('edit') . ''; echo ' | '; - echo '' . __('cancel') . ''; + echo '' . __('cancel') . ''; echo ' ]'; ?>
@@ -123,9 +123,9 @@ echo '[ '; echo '' . __('view') . ''; echo ' | '; - echo '' . __('links') . ''; + echo '' . __('links') . ''; echo ' | '; - echo '' . __('cancel') . ''; + echo '' . __('cancel') . ''; echo ' ]'; ?>
--- wp-admin/upload.php +++ wp-admin/upload.php @@ -90,7 +90,7 @@ $href = add_query_arg( array('tab' => $t, 'ID' => '', 'action' => '', 'paged' => '') ); if ( isset($tab_array[4]) && is_array($tab_array[4]) ) add_query_arg( $tab_array[4], $href ); - $_href = attribute_escape( $href); + $_href = clean_url( $href); $page_links = ''; $class = 'upload-tab alignleft'; if ( $tab == $t ) { --- wp-admin/user-edit.php +++ wp-admin/user-edit.php @@ -55,7 +55,7 @@

-

+

--- wp-comments-post.php +++ wp-comments-post.php @@ -25,14 +25,20 @@ // If the user is logged in $user = wp_get_current_user(); -if ( $user->ID ) : +if ( $user->ID ) { $comment_author = $wpdb->escape($user->display_name); $comment_author_email = $wpdb->escape($user->user_email); $comment_author_url = $wpdb->escape($user->user_url); -else : + if ( current_user_can('unfiltered_html') ) { + if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { + kses_remove_filters(); // start with a clean slate + kses_init_filters(); // set up the filters + } + } +} else { if ( get_option('comment_registration') ) wp_die( __('Sorry, you must be logged in to post a comment.') ); -endif; +} $comment_type = ''; --- wp-includes/author-template.php +++ wp-includes/author-template.php @@ -144,7 +144,7 @@ function get_author_posts_url($author_id, $author_nicename = '') { global $wpdb, $wp_rewrite, $post, $cache_userdata; - $auth_ID = $author_id; + $auth_ID = (int) $author_id; $link = $wp_rewrite->get_author_permastruct(); if ( empty($link) ) { --- wp-includes/bookmark-template.php +++ wp-includes/bookmark-template.php @@ -96,7 +96,7 @@ $output .= get_option('links_recently_updated_prepend'); $the_link = '#'; if ( !empty($row->link_url) ) - $the_link = wp_specialchars($row->link_url); + $the_link = clean_url($row->link_url); $rel = $row->link_rel; if ( '' != $rel ) $rel = ' rel="' . $rel . '"'; @@ -165,7 +165,7 @@ if ( empty($cats) || ! is_array($cats) ) return ''; - $cat_id = $cats[0]; // Take the first cat. + $cat_id = (int) $cats[0]; // Take the first cat. $cat = get_category($cat_id); return $cat->cat_name; @@ -260,7 +260,7 @@ $the_link = '#'; if ( !empty($bookmark->link_url) ) - $the_link = wp_specialchars($bookmark->link_url); + $the_link = clean_url($bookmark->link_url); $rel = $bookmark->link_rel; if ( '' != $rel ) --- wp-includes/bookmark.php +++ wp-includes/bookmark.php @@ -3,6 +3,7 @@ function get_bookmark($bookmark_id, $output = OBJECT) { global $wpdb; + $bookmark_id = (int) $bookmark_id; $link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id'"); $link->link_category = wp_get_link_cats($bookmark_id); --- wp-includes/category-template.php +++ wp-includes/category-template.php @@ -62,8 +62,9 @@ function get_the_category($id = false) { global $post, $category_cache, $blog_id; + $id = (int) $id; if ( !$id ) - $id = $post->ID; + $id = (int) $post->ID; if ( !isset($category_cache[$blog_id][$id]) ) update_post_category_cache($id); --- wp-includes/category.php +++ wp-includes/category.php @@ -146,6 +146,7 @@ wp_cache_add($category->cat_ID, $category, 'category'); $_category = $category; } else { + $category = (int) $category; if ( ! $_category = wp_cache_get($category, 'category') ) { $_category = $wpdb->get_row("SELECT * FROM $wpdb->categories WHERE cat_ID = '$category' LIMIT 1"); wp_cache_set($category, $_category, 'category'); --- wp-includes/classes.php +++ wp-includes/classes.php @@ -148,6 +148,9 @@ $this->query_vars[$wpvar] = $_GET[$wpvar]; elseif (!empty($perma_query_vars[$wpvar])) $this->query_vars[$wpvar] = $perma_query_vars[$wpvar]; + + if ( !empty( $this->query_vars[$wpvar] ) ) + $this->query_vars[$wpvar] = (string) $this->query_vars[$wpvar]; } foreach ($this->private_query_vars as $var) { --- wp-includes/comment-template.php +++ wp-includes/comment-template.php @@ -150,7 +150,7 @@ $post_id = (int) $post_id; if ( !$post_id ) - $post_id = $id; + $post_id = (int) $id; $post = get_post($post_id); if ( ! isset($post->comment_count) ) @@ -271,6 +271,12 @@ return false; } +function wp_comment_form_unfiltered_html_nonce() { + global $post; + if ( current_user_can('unfiltered_html') ) + wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false); +} + function comments_template( $file = '/comments.php' ) { global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity; --- wp-includes/comment.php +++ wp-includes/comment.php @@ -81,6 +81,7 @@ $comment_cache[$comment->comment_ID] = &$comment; $_comment = & $comment_cache[$comment->comment_ID]; } else { + $comment = (int) $comment; if ( !isset($comment_cache[$comment]) ) { $_comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment' LIMIT 1"); $comment_cache[$comment->comment_ID] = & $_comment; @@ -169,7 +170,7 @@ if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) { $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]); $comment_author_url = stripslashes($comment_author_url); - $comment_author_url = attribute_escape($comment_author_url); + $comment_author_url = clean_url($comment_author_url); $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url; } } @@ -345,7 +346,7 @@ ('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id') "); - $id = $wpdb->insert_id; + $id = (int) $wpdb->insert_id; if ( $comment_approved == 1) wp_update_comment_count($comment_post_ID); --- wp-includes/default-filters.php +++ wp-includes/default-filters.php @@ -31,6 +31,8 @@ add_filter('pre_comment_author_email', 'wp_filter_kses'); add_filter('pre_comment_author_url', 'wp_filter_kses'); +add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce'); + // Default filters for these functions add_filter('comment_author', 'wptexturize'); add_filter('comment_author', 'convert_chars'); --- wp-includes/feed.php +++ wp-includes/feed.php @@ -108,7 +108,7 @@ function get_author_rss_link($echo = false, $author_id, $author_nicename) { - $auth_ID = $author_id; + $auth_ID = (int) $author_id; $permalink_structure = get_option('permalink_structure'); if ( '' == $permalink_structure ) { --- wp-includes/formatting.php +++ wp-includes/formatting.php @@ -1072,7 +1072,11 @@ $strip = array('%0d', '%0a'); $url = str_replace($strip, '', $url); $url = str_replace(';//', '://', $url); - $url = (!strstr($url, '://')) ? 'http://'.$url : $url; + // Append http unless a relative link starting with / or a php file. + if ( strpos($url, '://') === false && + substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9]+?\.php/i', $url) ) + $url = 'http://' . $url; + $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); if ( !is_array($protocols) ) $protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); --- wp-includes/functions.php +++ wp-includes/functions.php @@ -566,7 +566,7 @@ $post_id_array = (array) explode(',', $post_ids); $count = count( $post_id_array); for ( $i = 0; $i < $count; $i++ ) { - $post_id = $post_id_array[ $i ]; + $post_id = (int) $post_id_array[ $i ]; if ( isset( $category_cache[$blog_id][$post_id] ) ) { unset( $post_id_array[ $i ] ); continue; @@ -620,7 +620,7 @@ $post_id_array = (array) explode(',', $post_id_list); $count = count( $post_id_array); for ( $i = 0; $i < $count; $i++ ) { - $post_id = $post_id_array[ $i ]; + $post_id = (int) $post_id_array[ $i ]; if ( isset( $post_meta_cache[$blog_id][$post_id] ) ) { // If the meta is already cached unset( $post_id_array[ $i ] ); continue; @@ -920,9 +920,11 @@ return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl)); } -function wp_nonce_field($action = -1) { - echo ''; - wp_referer_field(); +function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) { + $name = attribute_escape($name); + echo ''; + if ( $referer ) + wp_referer_field(); } function wp_referer_field() { @@ -1190,7 +1192,7 @@ $adminurl = get_option('siteurl') . '/wp-admin'; if ( wp_get_referer() ) - $adminurl = attribute_escape(wp_get_referer()); + $adminurl = clean_url(wp_get_referer()); $title = __('WordPress Confirmation'); // Remove extra layer of slashes. @@ -1198,7 +1200,7 @@ if ( $_POST ) { $q = http_build_query($_POST); $q = explode( ini_get('arg_separator.output'), $q); - $html .= "\t\n"; + $html .= "\t\n"; foreach ( (array) $q as $a ) { $v = substr(strstr($a, '='), 1); $k = substr($a, 0, -(strlen($v)+1)); @@ -1207,7 +1209,7 @@ $html .= "\t\t\n"; $html .= "\t\t
\n\t\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t\t

" . __('No') . "

\n\t\t
\n\t\n"; } else { - $html .= "\t
\n\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t

" . __('No') . " " . __('Yes') . "

\n\t
\n"; + $html .= "\t
\n\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t

" . __('No') . " " . __('Yes') . "

\n\t
\n"; } $html .= "\n"; wp_die($html, $title); --- wp-includes/general-template.php +++ wp-includes/general-template.php @@ -147,8 +147,7 @@ function wp_title($sep = '»', $display = true) { - global $wpdb; - global $m, $year, $monthnum, $day, $category_name, $wp_locale, $posts; + global $wpdb, $wp_locale, $wp_query; $cat = get_query_var('cat'); $p = get_query_var('p'); @@ -156,6 +155,10 @@ $category_name = get_query_var('category_name'); $author = get_query_var('author'); $author_name = get_query_var('author_name'); + $m = (int) get_query_var('m'); + $year = (int) get_query_var('year'); + $monthnum = (int)get_query_var('monthnum'); + $day = (int) get_query_var('day'); $title = ''; // If there's a category @@ -196,14 +199,15 @@ if ( !empty($year) ) { $title = $year; if ( !empty($monthnum) ) - $title .= " $sep ".$wp_locale->get_month($monthnum); + $title .= " $sep " . $wp_locale->get_month($monthnum); if ( !empty($day) ) - $title .= " $sep ".zeroise($day, 2); + $title .= " $sep " . zeroise($day, 2); } // If there is a post if ( is_single() || is_page() ) { - $title = strip_tags($posts[0]->post_title); + $queried = $wp_query->get_queried_object(); + $title = strip_tags($queried->post_title); $title = apply_filters('single_post_title', $title); } @@ -256,7 +260,12 @@ function single_month_title($prefix = '', $display = true ) { - global $m, $monthnum, $wp_locale, $year; + global $wp_locale; + + $m = (int) get_query_var('m'); + $year = (int) get_query_var('year'); + $monthnum = (int) get_query_var('monthnum'); + if ( !empty($monthnum) && !empty($year) ) { $my_year = $year; $my_month = $wp_locale->get_month($monthnum); @@ -280,6 +289,7 @@ function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') { $text = wptexturize($text); $title_text = attribute_escape($text); + $url = clean_url($url); if ('link' == $format) return "\t\n"; @@ -962,7 +972,7 @@ $link = str_replace('%#%', $current - 1, $link); if ( $add_args ) $link = add_query_arg( $add_args, $link ); - $page_links[] = ""; + $page_links[] = ""; endif; for ( $n = 1; $n <= $total; $n++ ) : if ( $n == $current ) : @@ -974,7 +984,7 @@ $link = str_replace('%#%', $n, $link); if ( $add_args ) $link = add_query_arg( $add_args, $link ); - $page_links[] = "$n"; + $page_links[] = "$n"; $dots = true; elseif ( $dots && !$show_all ) : $page_links[] = "..."; @@ -987,7 +997,7 @@ $link = str_replace('%#%', $current + 1, $link); if ( $add_args ) $link = add_query_arg( $add_args, $link ); - $page_links[] = ""; + $page_links[] = ""; endif; switch ( $type ) : case 'array' : --- wp-includes/link-template.php +++ wp-includes/link-template.php @@ -93,8 +93,9 @@ function get_page_link($id = false) { global $post; + $id = (int) $id; if ( !$id ) - $id = $post->ID; + $id = (int) $post->ID; if ( 'page' == get_option('show_on_front') && $id == get_option('page_on_front') ) $link = get_option('home'); @@ -109,7 +110,7 @@ global $post, $wp_rewrite; if ( !$id ) - $id = $post->ID; + $id = (int) $post->ID; $pagestruct = $wp_rewrite->get_page_permastruct(); @@ -130,7 +131,7 @@ $link = false; if (! $id) { - $id = $post->ID; + $id = (int) $post->ID; } $object = get_post($id); @@ -379,7 +380,7 @@ function get_pagenum_link($pagenum = 1) { global $wp_rewrite; - $qstr = wp_specialchars($_SERVER['REQUEST_URI']); + $qstr = $_SERVER['REQUEST_URI']; $page_querystring = "paged"; $page_modstring = "page/"; @@ -446,7 +447,7 @@ return $qstr; } -function next_posts($max_page = 0) { // original by cfactor at cooltux.org +function get_next_posts_page_link($max_page = 0) { global $paged, $pagenow; if ( !is_single() ) { @@ -454,10 +455,14 @@ $paged = 1; $nextpage = intval($paged) + 1; if ( !$max_page || $max_page >= $nextpage ) - echo get_pagenum_link($nextpage); + return get_pagenum_link($nextpage); } } +function next_posts($max_page = 0) { + echo clean_url(get_next_posts_page_link($max_page)); +} + function next_posts_link($label='Next Page »', $max_page=0) { global $paged, $wpdb, $wp_query; if ( !$max_page ) { @@ -473,18 +478,20 @@ } } - -function previous_posts() { // original by cfactor at cooltux.org +function get_previous_posts_page_link() { global $paged, $pagenow; if ( !is_single() ) { $nextpage = intval($paged) - 1; if ( $nextpage < 1 ) $nextpage = 1; - echo get_pagenum_link($nextpage); + return get_pagenum_link($nextpage); } } +function previous_posts() { + echo clean_url(get_previous_posts_page_link()); +} function previous_posts_link($label='« Previous Page') { global $paged; --- wp-includes/pluggable.php +++ wp-includes/pluggable.php @@ -473,7 +473,7 @@ if ( !function_exists('wp_verify_nonce') ) : function wp_verify_nonce($nonce, $action = -1) { $user = wp_get_current_user(); - $uid = $user->id; + $uid = (int) $user->id; $i = ceil(time() / 43200); @@ -487,7 +487,7 @@ if ( !function_exists('wp_create_nonce') ) : function wp_create_nonce($action = -1) { $user = wp_get_current_user(); - $uid = $user->id; + $uid = (int) $user->id; $i = ceil(time() / 43200); --- wp-includes/post.php +++ wp-includes/post.php @@ -105,6 +105,7 @@ $post_cache[$blog_id][$post->ID] = &$post; $_post = & $post_cache[$blog_id][$post->ID]; } else { + $post = (int) $post; if ( $_post = wp_cache_get($post, 'pages') ) return get_page($_post, $output); elseif ( isset($post_cache[$blog_id][$post]) ) @@ -374,7 +375,7 @@ global $id, $post_meta_cache, $wpdb, $blog_id; if ( !$post_id ) - $post_id = $id; + $post_id = (int) $id; $post_id = (int) $post_id; @@ -446,6 +447,8 @@ } function wp_get_post_categories($post_id = 0) { + $post_id = (int) $post_id; + $cats = &get_the_category($post_id); $cat_ids = array(); foreach ( $cats as $cat ) @@ -457,6 +460,7 @@ global $wpdb; // Set the limit clause, if we got a limit + $num = (int) $num; if ($num) { $limit = "LIMIT $num"; } @@ -470,6 +474,8 @@ function wp_get_single_post($postid = 0, $mode = OBJECT) { global $wpdb; + $postid = (int) $postid; + $post = get_post($postid, $mode); // Set categories @@ -533,7 +539,7 @@ // Get the post ID. if ( $update ) - $post_ID = $ID; + $post_ID = (int) $ID; // Create a valid post name. Drafts are allowed to have an empty // post name. @@ -637,7 +643,7 @@ (post_author, post_date, post_date_gmt, post_content, post_content_filtered, post_title, post_excerpt, post_status, post_type, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_parent, menu_order, post_mime_type) VALUES ('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', '$post_parent', '$menu_order', '$post_mime_type')"); - $post_ID = $wpdb->insert_id; + $post_ID = (int) $wpdb->insert_id; } if ( empty($post_name) && 'draft' != $post_status ) { @@ -763,6 +769,8 @@ function wp_set_post_categories($post_ID = 0, $post_categories = array()) { global $wpdb; + + $post_ID = (int) $post_ID; // If $post_categories isn't already an array, make it one: if (!is_array($post_categories) || 0 == count($post_categories) || empty($post_categories)) $post_categories = array(get_option('default_category')); @@ -773,7 +781,7 @@ $old_categories = $wpdb->get_col(" SELECT category_id FROM $wpdb->post2cat - WHERE post_id = $post_ID"); + WHERE post_id = '$post_ID'"); if (!$old_categories) { $old_categories = array(); @@ -788,8 +796,8 @@ foreach ($delete_cats as $del) { $wpdb->query(" DELETE FROM $wpdb->post2cat - WHERE category_id = $del - AND post_id = $post_ID + WHERE category_id = '$del' + AND post_id = '$post_ID' "); } } @@ -799,10 +807,11 @@ if ($add_cats) { foreach ($add_cats as $new_cat) { + $new_cat = (int) $new_cat; if ( !empty($new_cat) ) $wpdb->query(" INSERT INTO $wpdb->post2cat (post_id, category_id) - VALUES ($post_ID, $new_cat)"); + VALUES ('$post_ID', '$new_cat')"); } } @@ -928,6 +937,7 @@ wp_cache_add($page->ID, $page, 'pages'); $_page = $page; } else { + $page = (int) $page; // first, check the cache if ( ! ( $_page = wp_cache_get($page, 'pages') ) ) { // not in the page cache? @@ -1244,7 +1254,7 @@ $update = false; if ( !empty($ID) ) { $update = true; - $post_ID = $ID; + $post_ID = (int) $ID; } // Create a valid post name. @@ -1339,7 +1349,7 @@ (post_author, post_date, post_date_gmt, post_content, post_content_filtered, post_title, post_excerpt, post_status, post_type, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_parent, menu_order, post_mime_type, guid) VALUES ('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', '$post_parent', '$menu_order', '$post_mime_type', '$guid')"); - $post_ID = $wpdb->insert_id; + $post_ID = (int) $wpdb->insert_id; } if ( empty($post_name) ) { @@ -1494,7 +1504,7 @@ $mime = (int) $mime; if ( !$post =& get_post( $mime ) ) return false; - $post_id = $post->ID; + $post_id = (int) $post->ID; $mime = $post->post_mime_type; } --- wp-includes/query.php +++ wp-includes/query.php @@ -931,9 +931,9 @@ if ( is_user_logged_in() ) { if ( 'post' == $post_type ) - $cap = 'edit_private_posts'; + $cap = 'read_private_posts'; else - $cap = 'edit_private_pages'; + $cap = 'read_private_pages'; if ( current_user_can($cap) ) $where .= " OR post_status = 'private'"; --- wp-includes/registration.php +++ wp-includes/registration.php @@ -89,7 +89,7 @@ $query = "UPDATE $wpdb->users SET user_pass='$user_pass', user_email='$user_email', user_url='$user_url', user_nicename = '$user_nicename', display_name = '$display_name' WHERE ID = '$ID'"; $query = apply_filters('update_user_query', $query); $wpdb->query( $query ); - $user_id = $ID; + $user_id = (int) $ID; } else { $query = "INSERT INTO $wpdb->users (user_login, user_pass, user_email, user_url, user_registered, user_nicename, display_name) @@ -97,7 +97,7 @@ ('$user_login', '$user_pass', '$user_email', '$user_url', '$user_registered', '$user_nicename', '$display_name')"; $query = apply_filters('create_user_query', $query); $wpdb->query( $query ); - $user_id = $wpdb->insert_id; + $user_id = (int) $wpdb->insert_id; } update_usermeta( $user_id, 'first_name', $first_name); --- wp-includes/rss.php +++ wp-includes/rss.php @@ -782,13 +782,13 @@ if ( preg_match( $pat, $date_str, $match ) ) { list( $year, $month, $day, $hours, $minutes, $seconds) = - array( $match[1], $match[2], $match[3], $match[4], $match[5], $match[6]); + array( $match[1], $match[2], $match[3], $match[4], $match[5], $match[7]); # calc epoch for current date assuming GMT $epoch = gmmktime( $hours, $minutes, $seconds, $month, $day, $year); $offset = 0; - if ( $match[10] == 'Z' ) { + if ( $match[11] == 'Z' ) { # zulu time, aka GMT } else { --- wp-includes/script-loader.php +++ wp-includes/script-loader.php @@ -78,7 +78,7 @@ if ( isset($this->args[$handle]) ) $ver .= '&' . $this->args[$handle]; $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src; - $src = add_query_arg('ver', $ver, $src); + $src = clean_url(add_query_arg('ver', $ver, $src)); echo "\n"; } $this->printed[] = $handle; --- wp-includes/theme.php +++ wp-includes/theme.php @@ -345,7 +345,7 @@ function get_page_template() { global $wp_query; - $id = $wp_query->post->ID; + $id = (int) $wp_query->post->ID; $template = get_post_meta($id, '_wp_page_template', true); if ( 'default' == $template ) --- wp-includes/user.php +++ wp-includes/user.php @@ -9,6 +9,7 @@ function get_usernumposts($userid) { global $wpdb; + $userid = (int) $userid; return $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->posts WHERE post_author = '$userid' AND post_type = 'post' AND post_status = 'publish'"); } @@ -160,8 +161,8 @@ $userdata = $user->data; $user_login = $user->user_login; - $user_level = $user->user_level; - $user_ID = $user->ID; + $user_level = (int) $user->user_level; + $user_ID = (int) $user->ID; $user_email = $user->user_email; $user_url = $user->user_url; $user_pass_md5 = md5($user->user_pass); --- wp-includes/version.php +++ wp-includes/version.php @@ -2,7 +2,7 @@ // This holds the version number in a separate file so we can bump it without cluttering the SVN -$wp_version = '2.1.2'; +$wp_version = '2.1.3'; $wp_db_version = 4773; ?> --- wp-login.php +++ wp-login.php @@ -286,7 +286,7 @@ $user_pass = ''; $using_cookie = FALSE; - if ( !isset( $_REQUEST['redirect_to'] ) ) + if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() ) $redirect_to = 'wp-admin/'; else $redirect_to = $_REQUEST['redirect_to']; --- wp-trackback.php +++ wp-trackback.php @@ -84,7 +84,7 @@ $title = (strlen($title) > 250) ? substr($title, 0, 250) . '...' : $title; } - $comment_post_ID = $tb_id; + $comment_post_ID = (int) $tb_id; $comment_author = $blog_name; $comment_author_email = ''; $comment_author_url = $tb_url; --- xmlrpc.php +++ xmlrpc.php @@ -209,7 +209,7 @@ $this->escape($args); - $post_ID = $args[1]; + $post_ID = (int) $args[1]; $user_login = $args[2]; $user_pass = $args[3]; @@ -244,7 +244,7 @@ $this->escape($args); - $blog_ID = $args[1]; /* though we don't use it yet */ + $blog_ID = (int) $args[1]; /* though we don't use it yet */ $user_login = $args[2]; $user_pass = $args[3]; $num_posts = $args[4]; @@ -292,7 +292,7 @@ $this->escape($args); - $blog_ID = $args[1]; + $blog_ID = (int) $args[1]; $user_login = $args[2]; $user_pass = $args[3]; $template = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */ @@ -326,7 +326,7 @@ $this->escape($args); - $blog_ID = $args[1]; + $blog_ID = (int) $args[1]; $user_login = $args[2]; $user_pass = $args[3]; $content = $args[4]; @@ -363,7 +363,7 @@ $this->escape($args); - $blog_ID = $args[1]; /* though we don't use it yet */ + $blog_ID = (int) $args[1]; /* though we don't use it yet */ $user_login = $args[2]; $user_pass = $args[3]; $content = $args[4]; @@ -411,7 +411,7 @@ $this->escape($args); - $post_ID = $args[1]; + $post_ID = (int) $args[1]; $user_login = $args[2]; $user_pass = $args[3]; $content = $args[4]; @@ -435,6 +435,9 @@ extract($actual_post); + if ( ('publish' == $post_status) && !current_user_can('publish_posts') ) + return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.'); + $post_title = xmlrpc_getposttitle($content); $post_category = xmlrpc_getpostcategory($content); $post_content = xmlrpc_removepostdata($content); @@ -459,7 +462,7 @@ $this->escape($args); - $post_ID = $args[1]; + $post_ID = (int) $args[1]; $user_login = $args[2]; $user_pass = $args[3]; $publish = $args[4]; @@ -500,7 +503,7 @@ $this->escape($args); - $blog_ID = $args[0]; // we will support this in the near future + $blog_ID = (int) $args[0]; // we will support this in the near future $user_login = $args[1]; $user_pass = $args[2]; $content_struct = $args[3]; @@ -597,7 +600,7 @@ $this->escape($args); - $post_ID = $args[0]; + $post_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; $content_struct = $args[3]; @@ -631,6 +634,10 @@ $post_more = $content_struct['mt_text_more']; $post_status = $publish ? 'publish' : 'draft'; + + if ( ('publish' == $post_status) && !current_user_can('publish_posts') ) + return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.'); + if ($post_more) { $post_content = $post_content . "\n\n" . $post_more; } @@ -680,7 +687,7 @@ $this->escape($args); - $post_ID = $args[0]; + $post_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; @@ -735,10 +742,10 @@ $this->escape($args); - $blog_ID = $args[0]; + $blog_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; - $num_posts = $args[3]; + $num_posts = (int) $args[3]; if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; @@ -801,7 +808,7 @@ $this->escape($args); - $blog_ID = $args[0]; + $blog_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; @@ -835,7 +842,7 @@ global $wpdb; - $blog_ID = $wpdb->escape($args[0]); + $blog_ID = (int) $args[0]; $user_login = $wpdb->escape($args[1]); $user_pass = $wpdb->escape($args[2]); $data = $args[3]; @@ -861,8 +868,9 @@ $upload = wp_upload_bits($name, $type, $bits); if ( ! empty($upload['error']) ) { - logIO('O', '(MW) Could not write file '.$name); - return new IXR_Error(500, 'Could not write file '.$name); + $errorString = 'Could not write file ' . $name . ' (' . $upload['error'] . ')'; + logIO('O', '(MW) ' . $errorString); + return new IXR_Error(500, $errorString); } // Construct the attachment array // attach to post_id -1 @@ -892,10 +900,10 @@ $this->escape($args); - $blog_ID = $args[0]; + $blog_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; - $num_posts = $args[3]; + $num_posts = (int) $args[3]; if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; @@ -937,7 +945,7 @@ $this->escape($args); - $blog_ID = $args[0]; + $blog_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; @@ -966,7 +974,7 @@ $this->escape($args); - $post_ID = $args[0]; + $post_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; @@ -996,7 +1004,7 @@ $this->escape($args); - $post_ID = $args[0]; + $post_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; $categories = $args[3]; @@ -1079,7 +1087,7 @@ $this->escape($args); - $post_ID = $args[0]; + $post_ID = (int) $args[0]; $user_login = $args[1]; $user_pass = $args[2]; @@ -1141,18 +1149,18 @@ } elseif (preg_match('#p/[0-9]{1,}#', $urltest['path'], $match)) { // the path defines the post_ID (archives/p/XXXX) $blah = explode('/', $match[0]); - $post_ID = $blah[1]; + $post_ID = (int) $blah[1]; $way = 'from the path'; } elseif (preg_match('#p=[0-9]{1,}#', $urltest['query'], $match)) { // the querystring defines the post_ID (?p=XXXX) $blah = explode('=', $match[0]); - $post_ID = $blah[1]; + $post_ID = (int) $blah[1]; $way = 'from the querystring'; } elseif (isset($urltest['fragment'])) { // an #anchor is there, it's either... if (intval($urltest['fragment'])) { // ...an integer #XXXX (simpliest case) - $post_ID = $urltest['fragment']; + $post_ID = (int) $urltest['fragment']; $way = 'from the fragment (numeric)'; } elseif (preg_match('/post-[0-9]+/',$urltest['fragment'])) { // ...a post id in the form 'post-###'