X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/449d082fcc4873c1f7d363a0d9f7409be7f6e77d..4f9d63e13cd8c6e275797c75b401b074b82937bc:/wp-admin/press-this.php diff --git a/wp-admin/press-this.php b/wp-admin/press-this.php index 1823d217..a1a6f780 100644 --- a/wp-admin/press-this.php +++ b/wp-admin/press-this.php @@ -7,40 +7,11 @@ */ /** WordPress Administration Bootstrap */ -require_once('admin.php'); +require_once('./admin.php'); +header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset')); -if ( ! current_user_can('publish_posts') ) wp_die( __( 'Cheatin’ uh?' ) ); - -/** - * Replace forward slash with backslash and slash. - * - * @package WordPress - * @subpackage Press_This - * @since 2.6.0 - * - * @param string $string - * @return string - */ -function preg_quote2($string) { - return str_replace('/', '\/', preg_quote($string)); -} - -/** - * Convert characters. - * - * @package WordPress - * @subpackage Press_This - * @since 2.6.0 - * - * @param string $text - * @return string - */ -function aposfix($text) { - $translation_table[chr(34)] = '"'; - $translation_table[chr(38)] = '&'; - $translation_table[chr(39)] = '''; - return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&" , strtr($text, $translation_table)); -} +if ( ! current_user_can('edit_posts') ) + wp_die( __( 'Cheatin’ uh?' ) ); /** * Press It form handler. 
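Review bot: Dropping the gate from `publish_posts` to `edit_posts` at `if ( ! current_user_can('edit_posts') )` lets contributors reach press_it(), but nothing in this diff re-checks `publish_posts` before the handler sets `post_status` to `'publish'` from `$_POST['publish']` (visible in the next hunk), so a contributor can publish directly unless wp_insert_post enforces that capability, which is not visible here. The upload path did get a matching `upload_files` check in the same commit, so publishing looks like the one privileged action left unguarded. I would change the status line to `$quick['post_status'] = ( isset($_POST['publish']) && current_user_can('publish_posts') ) ? 'publish' : 'draft';`, or wp_die() early when `publish` is posted by a user without that capability. The added Content-Type header and the `./admin.php` path change look fine.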
@@ -54,38 +25,39 @@ function aposfix($text) { function press_it() { // define some basic variables $quick['post_status'] = 'draft'; // set as draft first - $quick['post_category'] = $_REQUEST['post_category']; - $quick['tags_input'] = $_REQUEST['tags_input']; - $quick['post_title'] = $_REQUEST['title']; - $quick['post_content'] = ''; + $quick['post_category'] = isset($_POST['post_category']) ? $_POST['post_category'] : null; + $quick['tax_input'] = isset($_POST['tax_input']) ? $_POST['tax_input'] : null; + $quick['post_title'] = ( trim($_POST['title']) != '' ) ? $_POST['title'] : ' '; + $quick['post_content'] = isset($_POST['post_content']) ? $_POST['post_content'] : ''; // insert the post with nothing in it, to get an ID $post_ID = wp_insert_post($quick, true); - $content = $_REQUEST['content']; + if ( is_wp_error($post_ID) ) + wp_die($post_ID); + + $content = isset($_POST['content']) ? $_POST['content'] : ''; - if($_REQUEST['photo_src']) - foreach( (array) $_REQUEST['photo_src'] as $key => $image) + $upload = false; + if ( !empty($_POST['photo_src']) && current_user_can('upload_files') ) { + foreach( (array) $_POST['photo_src'] as $key => $image) { // see if files exist in content - we don't want to upload non-used selected files. - if( strpos($_REQUEST['content'], $image) !== false ) { - $upload = media_sideload_image($image, $post_ID, $_REQUEST['photo_description'][$key]); + if ( strpos($_POST['content'], htmlspecialchars($image)) !== false ) { + $desc = isset($_POST['photo_description'][$key]) ? $_POST['photo_description'][$key] : ''; + $upload = media_sideload_image($image, $post_ID, $desc); - // Replace the POSTED content with correct uploaded ones. - // escape quote for matching - $quoted = preg_quote2($image); - if( !is_wp_error($upload) ) $content = preg_replace('/]*)src=(\"|\')'.$quoted.'(\2)([^>\/]*)\/*>/is', $upload, $content); + // Replace the POSTED content with correct uploaded ones. 
Regex contains fix for Magic Quotes + if ( !is_wp_error($upload) ) + $content = preg_replace('/]*)src=\\\?(\"|\')'.preg_quote(htmlspecialchars($image), '/').'\\\?(\2)([^>\/]*)\/*>/is', $upload, $content); } - + } + } // set the post_content and status - $quick['post_status'] = isset($_REQUEST['publish']) ? 'publish' : 'draft'; + $quick['post_status'] = isset($_POST['publish']) ? 'publish' : 'draft'; $quick['post_content'] = $content; - // error handling for $post - if ( is_wp_error($post_ID)) { - wp_die($id); - wp_delete_post($post_ID); // error handling for media_sideload - } elseif ( is_wp_error($upload)) { - wp_die($upload); + if ( is_wp_error($upload) ) { wp_delete_post($post_ID); + wp_die($upload); } else { $quick['ID'] = $post_ID; wp_update_post($quick); @@ -94,96 +66,111 @@ function press_it() { } // For submitted posts. -if ( 'post' == $_REQUEST['action'] ) { +if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) { check_admin_referer('press-this'); $post_ID = press_it(); $posted = $post_ID; +} else { + $post_ID = 0; } // Set Variables -$title = wp_specialchars(aposfix(stripslashes($_GET['t']))); -$selection = trim( aposfix( stripslashes($_GET['s']) ) ); +$title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashes( $_GET['t'] ) , ENT_QUOTES) ) ) : ''; + +$selection = ''; +if ( !empty($_GET['s']) ) { + $selection = str_replace(''', "'", stripslashes($_GET['s'])); + $selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) ); +} + if ( ! empty($selection) ) { $selection = preg_replace('/(\r?\n|\r)/', '
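Review bot: In the rewritten photo loop `$upload` is overwritten on every iteration, so a WP_Error from an earlier `media_sideload_image()` call is masked when a later image succeeds; the final `if ( is_wp_error($upload) )` then passes, the post is updated with content still pointing at the remote image that failed to sideload, and the cleanup `wp_delete_post($post_ID)` never runs. Adding `if ( is_wp_error($upload) ) break;` right after the sideload call keeps the first failure visible to the check below. Separately, `trim($_POST['title'])` is the only field read without `isset()` and will raise a notice when `title` is absent, unlike the surrounding `post_category`/`tax_input`/`post_content` lines; `isset($_POST['title']) && trim($_POST['title']) != ''` would match them. The body of press_it() continues past the end of this hunk.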
', $selection); - $selection = '
'.str_replace('
', '', $selection).''; + $selection = '' . str_replace('
', '', $selection) . ''; } -$url = clean_url($_GET['u']); -$image = $_GET['i']; - -if($_REQUEST['ajax']) { -switch ($_REQUEST['ajax']) { - case 'video': ?> - - - - - -