vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-05-21 11:44:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improve sanitization of 'name' param in get_terms().

Browse Source 
Values of 'name' that contain db-encoded character on insert - like an
ampersand, which is HTML-encoded in the database - will only match if they go
through the same `sanitize_term_field()` routine.

Fixes #32248.

git-svn-id: https://develop.svn.wordpress.org/trunk@32353 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Boone Gorges
2015-05-05 11:13:51 +00:00
parent 3ca1ff6b72
commit 1efe303ebf
2 changed files with 33 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/wp-includes/taxonomy.php
View File

@@ -1857,13 +1857,12 @@ function get_terms( $taxonomies, $args = '' ) {
}
if ( ! empty( $args['name'] ) ) {
if ( is_array( $args['name'] ) ) {
$name = array_map( 'sanitize_text_field', $args['name'] );
$where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $name ) ) . "')";
} else {
$name = sanitize_text_field( $args['name'] );
$where .= $wpdb->prepare( " AND t.name = %s", $name );
$names = (array) $args['name'];
foreach ( $names as &$_name ) {
$_name = sanitize_term_field( 'name', $_name, 0, reset( $taxonomies ), 'db' );
}
$where .= " AND t.name IN ('" . implode( "', '", array_map( 'esc_sql', $names ) ) . "')";
}
if ( ! empty( $args['slug'] ) ) {