X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/cc7b1505cd9fafd87c3672f669e13e98b0c544f7..022dfbbbe3215917d84708eb09acca93b21ae9e0:/wp-trackback.php
diff --git a/wp-trackback.php b/wp-trackback.php
index 1779c17a..ae6ed411 100644
--- a/wp-trackback.php
+++ b/wp-trackback.php
@@ -30,11 +30,13 @@ if ( !$_GET['tb_id'] ) {
 $tb_id = intval( $tb_id[ count($tb_id) - 1 ] );
 }
 
-$tb_url = $_POST['url'];
-$title = $_POST['title'];
-$excerpt = $_POST['excerpt'];
-$blog_name = $_POST['blog_name'];
-$charset = $_POST['charset'];
+$tb_url = $_POST['url'];
+$charset = $_POST['charset'];
+
+// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
+$title = stripslashes($_POST['title']);
+$excerpt = stripslashes($_POST['excerpt']);
+$blog_name = stripslashes($_POST['blog_name']);
 
 if ($charset)
 $charset = strtoupper( trim($charset) );
@@ -42,11 +44,16 @@ else
 $charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';
 
 if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
- $title = mb_convert_encoding($title, get_settings('blog_charset'), $charset);
- $excerpt = mb_convert_encoding($excerpt, get_settings('blog_charset'), $charset);
- $blog_name = mb_convert_encoding($blog_name, get_settings('blog_charset'), $charset);
+ $title = mb_convert_encoding($title, get_option('blog_charset'), $charset);
+ $excerpt = mb_convert_encoding($excerpt, get_option('blog_charset'), $charset);
+ $blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
 }
 
+// Now that mb_convert_encoding() has been given a swing, we need to escape these three
+$title = $wpdb->escape($title);
+$excerpt = $wpdb->escape($excerpt);
+$blog_name = $wpdb->escape($blog_name);
+
 if ( is_single() || is_page() )
 $tb_id = $posts[0]->ID;
 
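Review bot: The three `$wpdb->escape()` calls added after the mb_convert_encoding block run before the 250-byte `substr()` truncation of `$title` that the next hunk shows as context, so a cut landing inside an escape pair (`\'`, `\\`) leaves a lone trailing backslash in the supposedly escaped string; truncate first (on the converted, unescaped text, ideally with `mb_substr`) and move the escape calls below that, or escape only at the point of use. `$charset` is taken straight from `$_POST['charset']` and handed to `mb_convert_encoding()` as the from-encoding list, and an unrecognised name makes that call fail with a warning (a `ValueError` on PHP 8) that nothing here handles — hedged, since whatever runs after a failed conversion is outside this hunk. `$tb_url` in the same block gets neither the `stripslashes()` nor the escape treatment the other three fields now receive; if that asymmetry is deliberate because the URL is escaped downstream, a one-line comment such as `// $tb_url is escaped where it is stored` would keep the next reader from "fixing" it.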
@@ -77,7 +84,7 @@ if ( !empty($tb_url) && !empty($title) && !empty($tb_url) ) {
 $title = (strlen($title) > 250) ? substr($title, 0, 250) . '...' : $title;
 }
 
- $comment_post_ID = $tb_id;
+ $comment_post_ID = (int) $tb_id;
 $comment_author = $blog_name;
 $comment_author_email = '';
 $comment_author_url = $tb_url;
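Review bot: `$comment_author_url` is assigned `$tb_url` exactly as it arrived in `$_POST['url']`, with no check that it is a URL at all, while the `(int)` cast on `$comment_post_ID` is the only hardening this hunk adds; a minimal guard before the assignment would be `if ( ! preg_match( '#^https?://#i', $tb_url ) ) { /* reject the trackback */ }` — hedged, since a later validation step may exist outside this hunk. The enclosing condition shown in the hunk header, `!empty($tb_url) && !empty($title) && !empty($tb_url)`, tests `$tb_url` twice; the repeated term looks like it was meant to be `!empty($blog_name)` (or `$excerpt`), and as written an empty author name is accepted. That `if` block starts and ends outside the hunk.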