if ( !current_user_can('manage_options') )
die ( __('Cheatin’ uh?') );
+function sanitize_option($option, $value) {
+
+ switch ($option) {
+ case 'admin_email':
+ $value = sanitize_email($value);
+ break;
+
+ case 'default_post_edit_rows':
+ case 'mailserver_port':
+ case 'comment_max_links':
+ $value = abs((int) $value);
+ break;
+
+ case 'posts_per_page':
+ case 'posts_per_rss':
+ $value = (int) $value;
+ if ( empty($value) ) $value = 1;
+ if ( $value < -1 ) $value = abs($value);
+ break;
+
+ case 'default_ping_status':
+ case 'default_comment_status':
+ // Options that if not there have 0 value but need to be something like "closed"
+ if ( $value == '0' || $value == '')
+ $value = 'closed';
+ break;
+
+ case 'blogdescription':
+ case 'blogname':
+ if (current_user_can('unfiltered_html') == false)
+ $value = wp_filter_post_kses( $value );
+ break;
+
+ case 'blog_charset':
+ $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
+ break;
+
+ case 'date_format':
+ case 'time_format':
+ case 'mailserver_url':
+ case 'mailserver_login':
+ case 'mailserver_pass':
+ case 'ping_sites':
+ case 'upload_path':
+ $value = strip_tags($value);
+ $value = wp_filter_kses($value);
+ break;
+
+ case 'gmt_offset':
+ $value = preg_replace('/[^0-9:.-]/', '', $value);
+ break;
+
+ case 'siteurl':
+ case 'home':
+ $value = clean_url($value);
+ break;
+ }
+
+ return $value;
+}
+
switch($action) {
case 'update':
check_admin_referer('update-options');
- if (!$_POST['page_options']) {
- foreach ($_POST as $key => $value) {
- $options[] = $key;
+ if ( !$_POST['page_options'] ) {
+ foreach ( (array) $_POST as $key => $value) {
+ if ( !in_array($key, array('_wpnonce', '_wp_http_referer')) )
+ $options[] = $key;
}
} else {
$options = explode(',', stripslashes($_POST['page_options']));
$old_siteurl = get_settings('siteurl');
$old_home = get_settings('home');
- // HACK
- // Options that if not there have 0 value but need to be something like "closed"
- $nonbools = array('default_ping_status', 'default_comment_status');
if ($options) {
foreach ($options as $option) {
$option = trim($option);
$value = trim(stripslashes($_POST[$option]));
- if( in_array($option, $nonbools) && ( $value == '0' || $value == '') )
- $value = 'closed';
-
- if( $option == 'blogdescription' || $option == 'blogname' )
- if (current_user_can('unfiltered_html') == false)
- $value = wp_filter_post_kses( $value );
+ $value = sanitize_option($option, $value);
if (update_option($option, $value) ) {
$any_changed++;
include('admin-header.php'); ?>
<div class="wrap">
- <h2><?php _e('All options'); ?></h2>
- <form name="form" action="options.php" method="post">
+ <h2><?php _e('All Options'); ?></h2>
+ <form name="form" action="options.php" method="post" id="all-options">
<?php wp_nonce_field('update-options') ?>
<input type="hidden" name="action" value="update" />
<table width="98%">
<?php
$options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
-foreach ($options as $option) :
- $value = wp_specialchars($option->option_value);
+foreach ( (array) $options as $option) :
+ $disabled = '';
+ $option->option_name = attribute_escape($option->option_name);
+ if ( is_serialized($option->option_value) ) {
+ if ( is_serialized_string($option->option_value) ) {
+ // this is a serialized string, so we should display it
+ $value = maybe_unserialize($option->option_value);
+ $options_to_update[] = $option->option_name;
+ $class = 'all-options';
+ } else {
+ $value = 'SERIALIZED DATA';
+ $disabled = ' disabled="disabled"';
+ $class = 'all-options disabled';
+ }
+ } else {
+ $value = $option->option_value;
+ $options_to_update[] = $option->option_name;
+ $class = 'all-options';
+ }
echo "
<tr>
<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
- <td><input type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "' /></td>
+<td>";
+
+ if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+ else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
+
+ echo "</td>
<td>$option->option_description</td>
</tr>";
endforeach;
?>
</table>
-<p class="submit"><input type="submit" name="Update" value="<?php _e('Update Settings »') ?>" /></p>
+<?php $options_to_update = implode(',', $options_to_update); ?>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p>
</form>
</div>