Wordpress 2.0.11
[autoinstalls/wordpress.git] / wp-admin / options.php
index 3c5b8dbf4dafcfd30b29d681e52f5d4e97f3210e..bd8b2b0d54e976c5f9629ac8094dbb2739a1153d 100644 (file)
@@ -24,6 +24,67 @@ for ($i=0; $i<count($wpvarstoreset); $i += 1) {
 if ( !current_user_can('manage_options') )
        die ( __('Cheatin&#8217; uh?') );
 
+function sanitize_option($option, $value) {
+
+       switch ($option) {
+               case 'admin_email':
+                       $value = sanitize_email($value);
+                       break;
+
+               case 'default_post_edit_rows':
+               case 'mailserver_port':
+               case 'comment_max_links':
+                       $value = abs((int) $value);
+                       break;
+
+               case 'posts_per_page':
+               case 'posts_per_rss':
+                       $value = (int) $value;
+                       if ( empty($value) ) $value = 1;
+                       if ( $value < -1 ) $value = abs($value);
+                       break;
+
+               case 'default_ping_status':
+               case 'default_comment_status':
+                       // Options that if not there have 0 value but need to be something like "closed"
+                       if ( $value == '0' || $value == '')
+                               $value = 'closed';
+                       break;
+
+               case 'blogdescription':
+               case 'blogname':
+                       if (current_user_can('unfiltered_html') == false)
+                               $value = wp_filter_post_kses( $value );
+                       break;
+
+               case 'blog_charset':
+                       $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
+                       break;
+
+               case 'date_format':
+               case 'time_format':
+               case 'mailserver_url':
+               case 'mailserver_login':
+               case 'mailserver_pass':
+               case 'ping_sites':
+               case 'upload_path':
+                       $value = strip_tags($value);
+                       $value = wp_filter_kses($value);
+                       break;
+
+               case 'gmt_offset':
+                       $value = preg_replace('/[^0-9:.-]/', '', $value);
+                       break;
+
+               case 'siteurl':
+               case 'home':
+                       $value = clean_url($value);
+                       break;
+       }
+
+       return $value;  
+}
+
 switch($action) {
 
 case 'update':
@@ -31,9 +92,10 @@ case 'update':
        
        check_admin_referer('update-options');
 
-       if (!$_POST['page_options']) {
-               foreach ($_POST as $key => $value) {
-                       $options[] = $key;
+       if ( !$_POST['page_options'] ) {
+               foreach ( (array) $_POST as $key => $value) {
+                       if ( !in_array($key, array('_wpnonce', '_wp_http_referer')) )
+                               $options[] = $key;
                }
        } else {
                $options = explode(',', stripslashes($_POST['page_options']));
@@ -43,19 +105,11 @@ case 'update':
        $old_siteurl = get_settings('siteurl');
        $old_home = get_settings('home');
 
-       // HACK
-       // Options that if not there have 0 value but need to be something like "closed"
-       $nonbools = array('default_ping_status', 'default_comment_status');
        if ($options) {
                foreach ($options as $option) {
                        $option = trim($option);
                        $value = trim(stripslashes($_POST[$option]));
-                               if( in_array($option, $nonbools) && ( $value == '0' || $value == '') )
-                               $value = 'closed';
-                       
-                       if( $option == 'blogdescription' || $option == 'blogname' )
-                               if (current_user_can('unfiltered_html') == false)
-                                       $value = wp_filter_post_kses( $value );
+                       $value = sanitize_option($option, $value);
                        
                        if (update_option($option, $value) ) {
                                $any_changed++;
@@ -87,26 +141,49 @@ default:
        include('admin-header.php'); ?>
 
 <div class="wrap">
-  <h2><?php _e('All options'); ?></h2>
-  <form name="form" action="options.php" method="post">
+  <h2><?php _e('All Options'); ?></h2>
+  <form name="form" action="options.php" method="post" id="all-options">
   <?php wp_nonce_field('update-options') ?>
   <input type="hidden" name="action" value="update" />
   <table width="98%">
 <?php
 $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
 
-foreach ($options as $option) :
-       $value = wp_specialchars($option->option_value);
+foreach ( (array) $options as $option) :
+       $disabled = '';
+       $option->option_name = attribute_escape($option->option_name);
+       if ( is_serialized($option->option_value) ) {
+               if ( is_serialized_string($option->option_value) ) {
+                       // this is a serialized string, so we should display it
+                       $value = maybe_unserialize($option->option_value);
+                       $options_to_update[] = $option->option_name;
+                       $class = 'all-options';
+               } else {
+                       $value = 'SERIALIZED DATA';
+                       $disabled = ' disabled="disabled"';
+                       $class = 'all-options disabled';
+               }
+       } else {
+               $value = $option->option_value;
+               $options_to_update[] = $option->option_name;
+               $class = 'all-options';
+       }
        echo "
 <tr>
        <th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
-       <td><input type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "' /></td>
+<td>";
+
+       if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+       else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
+
+       echo "</td>
        <td>$option->option_description</td>
 </tr>";
 endforeach;
 ?>
   </table>
-<p class="submit"><input type="submit" name="Update" value="<?php _e('Update Settings &raquo;') ?>" /></p>
+<?php $options_to_update = implode(',', $options_to_update); ?>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>