X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/449d082fcc4873c1f7d363a0d9f7409be7f6e77d..8cc0f04ca22ffd9449495b3e0240603309c9932c:/wp-admin/press-this.php?ds=sidebyside
diff --git a/wp-admin/press-this.php b/wp-admin/press-this.php
index 1823d217..c6632b51 100644
--- a/wp-admin/press-this.php
+++ b/wp-admin/press-this.php
@@ -8,22 +8,10 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
-if ( ! current_user_can('publish_posts') ) wp_die( __( 'Cheatin’ uh?' ) );
-
-/**
- * Replace forward slash with backslash and slash.
- *
- * @package WordPress
- * @subpackage Press_This
- * @since 2.6.0
- *
- * @param string $string
- * @return string
- */
-function preg_quote2($string) {
- return str_replace('/', '\/', preg_quote($string));
-}
+if ( ! current_user_can('edit_posts') )
+ wp_die( __( 'Cheatin’ uh?' ) );
/**
* Convert characters.
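Review bot: The page gate on the new line `if ( ! current_user_can('edit_posts') )` is relaxed from `publish_posts` to `edit_posts`, so users who may only draft now reach press_it(); nothing in this hunk shows whether the code that sets the final post status still requires `publish_posts` before publishing, so that should be confirmed where the status is assigned (outside this hunk). A short comment above the check would record the intent for the next reader, e.g. `// edit_posts, not publish_posts: Press This creates drafts; publishing rights must be enforced where the post status is set.` Moving the Content-Type header() ahead of the check is harmless, since wp_die() output is sent after it either way.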
@@ -54,25 +42,25 @@ function aposfix($text) {
function press_it() {
// define some basic variables
$quick['post_status'] = 'draft'; // set as draft first
- $quick['post_category'] = $_REQUEST['post_category'];
- $quick['tags_input'] = $_REQUEST['tags_input'];
- $quick['post_title'] = $_REQUEST['title'];
+ $quick['post_category'] = isset($_REQUEST['post_category']) ? $_REQUEST['post_category'] : null;
+ $quick['tax_input'] = isset($_REQUEST['tax_input']) ? $_REQUEST['tax_input'] : '';
+ $quick['post_title'] = isset($_REQUEST['title']) ? $_REQUEST['title'] : '';
$quick['post_content'] = '';
// insert the post with nothing in it, to get an ID
$post_ID = wp_insert_post($quick, true);
- $content = $_REQUEST['content'];
+ $content = isset($_REQUEST['content']) ? $_REQUEST['content'] : '';
- if($_REQUEST['photo_src'])
+ $upload = false;
+ if( !empty($_REQUEST['photo_src']) && current_user_can('upload_files') )
foreach( (array) $_REQUEST['photo_src'] as $key => $image)
// see if files exist in content - we don't want to upload non-used selected files.
if( strpos($_REQUEST['content'], $image) !== false ) {
- $upload = media_sideload_image($image, $post_ID, $_REQUEST['photo_description'][$key]);
+ $desc = isset($_REQUEST['photo_description'][$key]) ? $_REQUEST['photo_description'][$key] : '';
+ $upload = media_sideload_image($image, $post_ID, $desc);
- // Replace the POSTED content with correct uploaded ones.
- // escape quote for matching
- $quoted = preg_quote2($image);
- if( !is_wp_error($upload) ) $content = preg_replace('/
]*)src=(\"|\')'.$quoted.'(\2)([^>\/]*)\/*>/is', $upload, $content);
+ // Replace the POSTED content
with correct uploaded ones. Regex contains fix for Magic Quotes
+ if( !is_wp_error($upload) ) $content = preg_replace('/
]*)src=\\\?(\"|\')'.preg_quote($image, '/').'\\\?(\2)([^>\/]*)\/*>/is', $upload, $content);
}
// set the post_content and status
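Review bot: The `strpos($_REQUEST['content'], $image)` test inside the photo loop still reads the raw request key, although the same value is already isset-guarded into `$content` a few lines earlier; when `content` is absent the guard is bypassed and the comparison runs on a missing key, so it should read `if( strpos($content, $image) !== false ) {`. The new `current_user_can('upload_files')` condition is the right control here because `$image` is a caller-supplied URL that media_sideload_image() retrieves on the server, and a comment stating that, e.g. `// upload_files gates the server-side fetch of the caller-supplied image URL`, would make the reason for the extra capability check explicit. Note also that `$post_ID` comes from `wp_insert_post($quick, true)` and so may be a WP_Error when it is passed to media_sideload_image(); the error handling for that case lies after this hunk and is not visible here.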
@@ -94,23 +82,25 @@ function press_it() {
}
// For submitted posts.
-if ( 'post' == $_REQUEST['action'] ) {
+if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) {
check_admin_referer('press-this');
$post_ID = press_it();
$posted = $post_ID;
+} else {
+ $post_ID = 0;
}
// Set Variables
-$title = wp_specialchars(aposfix(stripslashes($_GET['t'])));
-$selection = trim( aposfix( stripslashes($_GET['s']) ) );
+$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : '';
+$selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : '';
if ( ! empty($selection) ) {
$selection = preg_replace('/(\r?\n|\r)/', '
', $selection); $selection = '
'.str_replace('
', '', $selection).''; } -$url = clean_url($_GET['u']); -$image = $_GET['i']; +$url = isset($_GET['u']) ? esc_url($_GET['u']) : ''; +$image = isset($_GET['i']) ? $_GET['i'] : ''; -if($_REQUEST['ajax']) { +if ( !empty($_REQUEST['ajax']) ) { switch ($_REQUEST['ajax']) { case 'video': ?> +