$tb_id = intval( $tb_id[ count($tb_id) - 1 ] );
}
-$tb_url = $_POST['url'];
-$title = $_POST['title'];
-$excerpt = $_POST['excerpt'];
-$blog_name = $_POST['blog_name'];
-$charset = $_POST['charset'];
+$tb_url = $_POST['url'];
+$charset = $_POST['charset'];
+
+// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
+$title = stripslashes($_POST['title']);
+$excerpt = stripslashes($_POST['excerpt']);
+$blog_name = stripslashes($_POST['blog_name']);
if ($charset)
$charset = strtoupper( trim($charset) );
$charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
- $title = mb_convert_encoding($title, get_settings('blog_charset'), $charset);
- $excerpt = mb_convert_encoding($excerpt, get_settings('blog_charset'), $charset);
- $blog_name = mb_convert_encoding($blog_name, get_settings('blog_charset'), $charset);
+ $title = mb_convert_encoding($title, get_option('blog_charset'), $charset);
+ $excerpt = mb_convert_encoding($excerpt, get_option('blog_charset'), $charset);
+ $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
}
+// Now that mb_convert_encoding() has been given a swing, we need to escape these three
+$title = $wpdb->escape($title);
+$excerpt = $wpdb->escape($excerpt);
+$blog_name = $wpdb->escape($blog_name);
+
if ( is_single() || is_page() )
$tb_id = $posts[0]->ID;
if (empty($title) && empty($tb_url) && empty($blog_name)) {
// If it doesn't look like a trackback at all...
- header('Location: ' . get_permalink($tb_id));
+ wp_redirect(get_permalink($tb_id));
exit;
}
$title = (strlen($title) > 250) ? substr($title, 0, 250) . '...' : $title;
}
- $comment_post_ID = $tb_id;
+ $comment_post_ID = (int) $tb_id;
$comment_author = $blog_name;
$comment_author_email = '';
$comment_author_url = $tb_url;
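Review bot: The 250-character cap on L39 is applied with byte-wise strlen()/substr() to a string that L22 has just converted to the blog charset and L27 has already passed through $wpdb->escape(), so the cut can land inside a multibyte sequence or between a backslash and the quote it escapes, and part of the 250-byte budget is spent on escape characters rather than text; a multibyte-aware cap, e.g. `$cs = get_option('blog_charset');` and `$title = (mb_strlen($title, $cs) > 250) ? mb_substr($title, 0, 250, $cs) . '...' : $title;`, guarded by the same function_exists() check used on L18, avoids both. The from-encoding handed to mb_convert_encoding() on L22–L24 is taken verbatim from $_POST['charset'] (L9, L16); an unrecognised name makes the call emit a warning on older PHP and throw a ValueError on PHP 8, which aborts the handler with an error page instead of a controlled trackback response, so validating the value against mb_list_encodings() before use (falling back to the default list on L17) would be prudent. $tb_url (L8) is the only one of the four POST fields not escaped in this hunk and it is assigned to $comment_author_url on L45; presumably it is escaped where the comment row is written, but that code is not in view. The block that L41 onward belongs to starts and ends outside the hunk.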