Index: wp-includes/functions-formatting.php
===================================================================
--- wp-includes/functions-formatting.php	(.../2.0.10)	(revision 6405)
+++ wp-includes/functions-formatting.php	(.../2.0.11)	(revision 6405)
@@ -1067,7 +1067,7 @@
 // Escape single quotes, specialchar double quotes, and fix line endings.
 function js_escape($text) {
 	$safe_text = wp_specialchars($text, 'double');
-	$safe_text = str_replace('&#039;', "'", $safe_text);
+	$safe_text = preg_replace('/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes($safe_text));
 	$safe_text = preg_replace("/\r?\n/", "\\n", addslashes($safe_text));
 	return apply_filters('js_escape', $safe_text, $text);
 }
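Review bot: The replacement on the added line calls `stripslashes()` before the regex and `addslashes()` after it, so a caller that passes an unslashed string containing a literal backslash loses that backslash; whether every caller of `js_escape` passes magic-quoted input cannot be confirmed from this hunk. The conditional subpattern `(?(1)27|39)` (hex `&#x27;` vs decimal `&#39;`, with optional leading zeros and an optional trailing `;`) is dense enough to deserve a comment, e.g. `// Normalise every numeric-entity spelling of the apostrophe (&#39; &#039; &#x27; &#X27;, with or without ';') back to a literal quote so addslashes() below escapes it`. The optional `;?` also makes an unterminated `&#39` match, which appears intentional and should be stated in that comment.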
Index: wp-includes/version.php
===================================================================
--- wp-includes/version.php	(.../2.0.10)	(revision 6405)
+++ wp-includes/version.php	(.../2.0.11)	(revision 6405)
@@ -2,7 +2,7 @@
 
 // This just holds the version number, in a separate file so we can bump it without cluttering the SVN
 
-$wp_version = '2.0.10';
+$wp_version = '2.0.11';
 $wp_db_version = 3441;
 
 ?>
Index: wp-includes/pluggable-functions.php
===================================================================
--- wp-includes/pluggable-functions.php	(.../2.0.10)	(revision 6405)
+++ wp-includes/pluggable-functions.php	(.../2.0.11)	(revision 6405)
@@ -120,6 +120,8 @@
 	if ( $userdata )
 		return $userdata;
 
+	$user_login = $wpdb->escape($user_login);
+
 	if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$user_login'") )
 		return false;
 
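Review bot: The added escape overwrites the `$user_login` parameter in place, so any later use of it in this function (the body continues outside the hunk) sees the SQL-escaped form rather than the original login, whereas the functions.php hunks in this same patch keep the raw value and escape into a separate `$safe_*` variable. For consistency and auditability prefer `$safe_user_login = $wpdb->escape($user_login);` and `... WHERE user_login = '$safe_user_login'` on the query line. The `$userdata` early return above runs on the unescaped value, which is fine provided that path never reaches SQL; that cannot be verified here.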
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php	(.../2.0.10)	(revision 6405)
+++ wp-includes/functions.php	(.../2.0.11)	(revision 6405)
@@ -299,6 +299,7 @@
 
 /* Options functions */
 
+// expects $setting to already be SQL-escaped
 function get_settings($setting) {
 	global $wpdb;
 
@@ -376,14 +377,17 @@
 	return apply_filters('all_options', $all_options);
 }
 
+// expects $option_name to NOT be SQL-escaped
 function update_option($option_name, $newvalue) {
 	global $wpdb;
 
+	$safe_option_name = $wpdb->escape($option_name);
+
 	if ( is_string($newvalue) )
 		$newvalue = trim($newvalue);
 
 	// If the new and old values are the same, no need to update.
-	$oldvalue = get_option($option_name);
+	$oldvalue = get_option($safe_option_name);
 	if ( $newvalue == $oldvalue ) {
 		return false;
 	}
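Review bot: `$safe_option_name` is used only for the `get_option` lookup inside this hunk; the rest of `update_option` (outside the hunk) is where the option name is presumably interpolated into the UPDATE/INSERT, and it cannot be verified here that those queries use `$safe_option_name` rather than the raw `$option_name`. The same applies to `$safe_name` in the `add_option` hunk below. A one-line comment at the escape, e.g. `// use $safe_option_name in every query below; $option_name is the raw caller-supplied value`, makes the intent auditable for whoever edits the remainder of the function.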
@@ -416,11 +420,14 @@
 }
 
 // thx Alex Stapleton, http://alex.vort-x.net/blog/
+// expects $name to NOT be SQL-escaped
 function add_option($name, $value = '', $description = '', $autoload = 'yes') {
 	global $wpdb;
 
+	$safe_name = $wpdb->escape($name);
+
 	// Make sure the option doesn't already exist
-	if ( false !== get_option($name) )
+	if ( false !== get_option($safe_name) )
 		return;
 
 	$value = maybe_serialize($value);
Index: xmlrpc.php
===================================================================
--- xmlrpc.php	(.../2.0.10)	(revision 6405)
+++ xmlrpc.php	(.../2.0.11)	(revision 6405)
@@ -431,7 +431,7 @@
 	  if ( !current_user_can('edit_post', $post_ID) )
 	    return new IXR_Error(401, 'Sorry, you do not have the right to edit this post.');
 
-	  extract($actual_post);
+	  extract($actual_post, EXTR_SKIP);
 
 	  if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
 	  	return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
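Review bot: `EXTR_SKIP` stops keys of `$actual_post` from clobbering locals that already exist (such as `$post_ID`), but it still imports every key into the scope, and which locals exist at this point depends on code above the hunk (the enclosing method starts outside it). The check on the last context line reads only `$post_status`, so the needed value is known; reading it explicitly, `$post_status = $actual_post['post_status'];`, removes the dependency on the surrounding variable set entirely. The same pattern appears in the second xmlrpc.php hunk.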
@@ -597,8 +597,8 @@
 	    return new IXR_Error(401, 'Sorry, you can not edit this post.');
 
 	  $postdata = wp_get_single_post($post_ID, ARRAY_A);
-	  extract($postdata);
 		$this->escape($postdata);
+		extract($postdata, EXTR_SKIP);
 
 	  $post_title = $content_struct['title'];
 	  $post_content = apply_filters( 'content_save_pre', $content_struct['description'] );
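Review bot: The moved `extract` and the `$this->escape($postdata)` line are indented with tabs while the surrounding lines use the file's two-spaces-plus-tab layout, so the hunk introduces a mixed-indentation pair that will show in every later diff of this method. The reordering also changes which values the later code sees (escaped rather than raw, presumably — `$this->escape` is not visible here), which is worth stating in place: `// escape first so the extracted locals carry the escaped values`. As in the earlier hunk, `EXTR_SKIP` relies on which locals already exist above the hunk; the enclosing method starts outside it.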
Index: wp-mail.php
===================================================================
--- wp-mail.php	(.../2.0.10)	(revision 6405)
+++ wp-mail.php	(.../2.0.11)	(revision 6405)
@@ -58,7 +58,7 @@
 
 			// Set the author using the email address (To or Reply-To, the last used)
 			// otherwise use the site admin
-			if (preg_match('/From: /', $line) | preg_match('Reply-To: /', $line))  {
+			if (preg_match('/From: /', $line) | preg_match('/Reply-To: /', $line))  {
 				$author=trim($line);
 			if ( ereg("([a-zA-Z0-9\_\-\.]+@[\a-zA-z0-9\_\-\.]+)", $author , $regs) ) {
 				$author = $regs[1];
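Review bot: The corrected pattern on the added line fixes the missing `/` delimiter, but the two `preg_match` calls are still combined with bitwise `|` rather than logical `||`, so both always run and the condition only works because `preg_match` returns 0 or 1. Prefer `if (preg_match('/From: /', $line) || preg_match('/Reply-To: /', $line)) {`. Both patterns are unanchored, so a body line that merely contains `From: ` would also be treated as an author header; the surrounding loop is outside the hunk, so whether headers and body are already separated at this point cannot be told here.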
Index: wp-content/themes/default/functions.php
===================================================================
--- wp-content/themes/default/functions.php	(.../2.0.10)	(revision 6405)
+++ wp-content/themes/default/functions.php	(.../2.0.11)	(revision 6405)
@@ -1,397 +1,409 @@
-<?php
-
-function kubrick_head() {
-	$head = "<style type='text/css'>\n<!--";
-	$output = '';
-	if ( kubrick_header_image() ) {
-		$url =  kubrick_header_image_url() ;
-		$output .= "#header { background: url('$url') no-repeat bottom center; }\n";
-	}
-	if ( false !== ( $color = kubrick_header_color() ) ) {
-		$output .= "#headerimg h1 a, #headerimg h1 a:visited, #headerimg .description { color: $color; }\n";
-	}
-	if ( false !== ( $display = kubrick_header_display() ) ) {
-		$output .= "#headerimg { display: $display }\n";
-	}
-	$foot = "--></style>\n";
-	if ( '' != $output )
-		echo $head . $output . $foot;
-}
-
-add_action('wp_head', 'kubrick_head');
-
-function kubrick_header_image() {
-	return apply_filters('kubrick_header_image', get_settings('kubrick_header_image'));
-}
-
-function kubrick_upper_color() {
-	if ( strstr( $url = kubrick_header_image_url(), 'header-img.php?' ) ) {
-		parse_str(substr($url, strpos($url, '?') + 1), $q);
-		return $q['upper'];
-	} else
-		return '69aee7';
-}
-
-function kubrick_lower_color() {
-	if ( strstr( $url = kubrick_header_image_url(), 'header-img.php?' ) ) {
-		parse_str(substr($url, strpos($url, '?') + 1), $q);
-		return $q['lower'];
-	} else
-		return '4180b6';
-}
-
-function kubrick_header_image_url() {
-	if ( $image = kubrick_header_image() )
-		$url = get_template_directory_uri() . '/images/' . $image;
-	else
-		$url = get_template_directory_uri() . '/images/kubrickheader.jpg';
-
-	return $url;
-}
-
-function kubrick_header_color() {
-	return apply_filters('kubrick_header_color', get_settings('kubrick_header_color'));
-}
-
-function kubrick_header_color_string() {
-	$color = kubrick_header_color();
-	if ( false === $color )
-		return 'white';
-
-	return $color;
-}
-
-function kubrick_header_display() {
-	return apply_filters('kubrick_header_display', get_settings('kubrick_header_display'));
-}
-
-function kubrick_header_display_string() {
-	$display = kubrick_header_display();
-	return $display ? $display : 'inline';
-}
-
-add_action('admin_menu', 'kubrick_add_theme_page');
-
-function kubrick_add_theme_page() {
-	if ( $_GET['page'] == basename(__FILE__) ) {
-		if ( 'save' == $_REQUEST['action'] ) {
-			if ( isset($_REQUEST['njform']) ) {
-				if ( isset($_REQUEST['defaults']) ) {
-					delete_option('kubrick_header_image');
-					delete_option('kubrick_header_color');
-					delete_option('kubrick_header_display');
-				} else {
-					if ( '' == $_REQUEST['njfontcolor'] )
-						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['njfontcolor']);
-
-					if ( preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njuppercolor'], $uc) && preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njlowercolor'], $lc) ) {
-						$uc = ( strlen($uc[0]) == 3 ) ? $uc[0]{0}.$uc[0]{0}.$uc[0]{1}.$uc[0]{1}.$uc[0]{2}.$uc[0]{2} : $uc[0];
-						$lc = ( strlen($lc[0]) == 3 ) ? $lc[0]{0}.$lc[0]{0}.$lc[0]{1}.$lc[0]{1}.$lc[0]{2}.$lc[0]{2} : $lc[0];
-						update_option('kubrick_header_image', "header-img.php?upper=$uc&amp;lower=$lc");
-					}
-
-					if ( isset($_REQUEST['toggledisplay']) ) {
-						if ( false === get_settings('kubrick_header_display') )
-							update_option('kubrick_header_display', 'none');
-						else
-							delete_option('kubrick_header_display');
-					}
-				}
-			} else {
-
-				if ( isset($_REQUEST['headerimage']) ) {
-					if ( '' == $_REQUEST['headerimage'] )
-						delete_option('kubrick_header_image');
-					else
-						update_option('kubrick_header_image', $_REQUEST['headerimage']);
-				}
-
-				if ( isset($_REQUEST['fontcolor']) ) {
-					if ( '' == $_REQUEST['fontcolor'] )
-						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['fontcolor']);
-				}
-
-				if ( isset($_REQUEST['fontdisplay']) ) {
-					if ( '' == $_REQUEST['fontdisplay'] || 'inline' == $_REQUEST['fontdisplay'] )
-						delete_option('kubrick_header_display');
-					else
-						update_option('kubrick_header_display', 'none');
-				}
-			}
-			//print_r($_REQUEST);
-			wp_redirect("themes.php?page=functions.php&saved=true");
-			die;
-		}
-		add_action('admin_head', 'kubrick_theme_page_head');
-	}
-	add_theme_page('Customize Header', 'Header Image and Color', 'edit_themes', basename(__FILE__), 'kubrick_theme_page');
-}
-
-function kubrick_theme_page_head() {
-?>
-<script type="text/javascript" src="../wp-includes/js/colorpicker.js"></script>
-<script type='text/javascript'>
-// <![CDATA[
-	function pickColor(color) {
-		ColorPicker_targetInput.value = color;
-		kUpdate(ColorPicker_targetInput.id);
-	}
-	function PopupWindow_populate(contents) {
-		contents += '<br /><p style="text-align:center;margin-top:0px;"><input type="button" value="Close Color Picker" onclick="cp.hidePopup(\'prettyplease\')"></input></p>';
-		this.contents = contents;
-		this.populated = false;
-	}
-	function PopupWindow_hidePopup(magicword) {
-		if ( magicword != 'prettyplease' )
-			return false;
-		if (this.divName != null) {
-			if (this.use_gebi) {
-				document.getElementById(this.divName).style.visibility = "hidden";
-			}
-			else if (this.use_css) {
-				document.all[this.divName].style.visibility = "hidden";
-			}
-			else if (this.use_layers) {
-				document.layers[this.divName].visibility = "hidden";
-			}
-		}
-		else {
-			if (this.popupWindow && !this.popupWindow.closed) {
-				this.popupWindow.close();
-				this.popupWindow = null;
-			}
-		}
-		return false;
-	}
-	function colorSelect(t,p) {
-		if ( cp.p == p && document.getElementById(cp.divName).style.visibility != "hidden" )
-			cp.hidePopup('prettyplease');
-		else {
-			cp.p = p;
-			cp.select(t,p);
-		}
-	}
-	function PopupWindow_setSize(width,height) {
-		this.width = 162;
-		this.height = 210;
-	}
-
-	var cp = new ColorPicker();
-	function advUpdate(val, obj) {
-		document.getElementById(obj).value = val;
-		kUpdate(obj);
-	}
-	function kUpdate(oid) {
-		if ( 'uppercolor' == oid || 'lowercolor' == oid ) {
-			uc = document.getElementById('uppercolor').value.replace('#', '');
-			lc = document.getElementById('lowercolor').value.replace('#', '');
-			hi = document.getElementById('headerimage');
-			hi.value = 'header-img.php?upper='+uc+'&lower='+lc;
-			document.getElementById('header').style.background = 'url("<?php echo get_template_directory_uri(); ?>/images/'+hi.value+'") center no-repeat';
-			document.getElementById('advuppercolor').value = '#'+uc;
-			document.getElementById('advlowercolor').value = '#'+lc;
-		}
-		if ( 'fontcolor' == oid ) {
-			document.getElementById('header').style.color = document.getElementById('fontcolor').value;
-			document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value;
-		}
-		if ( 'fontdisplay' == oid ) {
-			document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
-		}
-	}
-	function toggleDisplay() {
-		td = document.getElementById('fontdisplay');
-		td.value = ( td.value == 'none' ) ? 'inline' : 'none';
-		kUpdate('fontdisplay');
-	}
-	function toggleAdvanced() {
-		a = document.getElementById('jsAdvanced');
-		if ( a.style.display == 'none' )
-			a.style.display = 'block';
-		else
-			a.style.display = 'none';
-	}
-	function kDefaults() {
-		document.getElementById('headerimage').value = '';
-		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#69aee7';
-		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#4180b6';
-		document.getElementById('header').style.background = 'url("<?php echo get_template_directory_uri(); ?>/images/kubrickheader.jpg") center no-repeat';
-		document.getElementById('header').style.color = '#FFFFFF';
-		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '';
-		document.getElementById('fontdisplay').value = 'inline';
-		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
-	}
-	function kRevert() {
-		document.getElementById('headerimage').value = '<?php echo kubrick_header_image(); ?>';
-		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo kubrick_upper_color(); ?>';
-		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo kubrick_lower_color(); ?>';
-		document.getElementById('header').style.background = 'url("<?php echo kubrick_header_image_url(); ?>") center no-repeat';
-		document.getElementById('header').style.color = '';
-		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo kubrick_header_color_string(); ?>';
-		document.getElementById('fontdisplay').value = '<?php echo kubrick_header_display_string(); ?>';
-		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
-	}
-	function kInit() {
-		document.getElementById('jsForm').style.display = 'block';
-		document.getElementById('nonJsForm').style.display = 'none';
-	}
-	addLoadEvent(kInit);
-// ]]>
-</script>
-<style type='text/css'>
-	#headwrap {
-		text-align: center;
-	}
-	#kubrick-header {
-		font-size: 80%;
-	}
-	#kubrick-header .hibrowser {
-		width: 780px;
-		height: 260px;
-		overflow: scroll;
-	}
-	#kubrick-header #hitarget {
-		display: none;
-	}
-	#kubrick-header #header h1 {
-		font-family: 'Trebuchet MS', 'Lucida Grande', Verdana, Arial, Sans-Serif;
-		font-weight: bold;
-		font-size: 4em;
-		text-align: center;
-		padding-top: 70px;
-		margin: 0;
-	}
-
-	#kubrick-header #header .description {
-		font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif;
-		font-size: 1.2em;
-		text-align: center;
-	}
-	#kubrick-header #header {
-		text-decoration: none;
-		color: <?php echo kubrick_header_color_string(); ?>;
-		padding: 0;
-		margin: 0;
-		height: 200px;
-		text-align: center;
-		background: url('<?php echo kubrick_header_image_url(); ?>') center no-repeat;
-	}
-	#kubrick-header #headerimg {
-		margin: 0;
-		height: 200px;
-		width: 100%;
-		display: <?php echo kubrick_header_display_string(); ?>;
-	}
-	#jsForm {
-		display: none;
-		text-align: center;
-	}
-	#jsForm input.submit, #jsForm input.button, #jsAdvanced input.button {
-		padding: 0px;
-		margin: 0px;
-	}
-	#advanced {
-		text-align: center;
-		width: 620px;
-	}
-	html>body #advanced {
-		text-align: center;
-		position: relative;
-		left: 50%;
-		margin-left: -380px;
-	}
-	#jsAdvanced {
-		text-align: right;
-	}
-	#nonJsForm {
-		position: relative;
-		text-align: left;
-		margin-left: -370px;
-		left: 50%;
-	}
-	#nonJsForm label {
-		padding-top: 6px;
-		padding-right: 5px;
-		float: left;
-		width: 100px;
-		text-align: right;
-	}
-	.defbutton {
-		font-weight: bold;
-	}
-	.zerosize {
-		width: 0px;
-		height: 0px;
-		overflow: hidden;
-	}
-	#colorPickerDiv a, #colorPickerDiv a:hover {
-		padding: 1px;
-		text-decoration: none;
-		border-bottom: 0px;
-	}
-</style>
-<?php
-}
-
-function kubrick_theme_page() {
-	if ( $_REQUEST['saved'] ) echo '<div id="message" class="updated fade"><p><strong>Options saved.</strong></p></div>';
-?>
-<div class='wrap'>
-	<div id="kubrick-header">
-		<h2>Header Image and Color</h2>
-		<div id="headwrap">
-			<div id="header">
-				<div id="headerimg">
-					<h1><?php bloginfo('name'); ?></h1>
-					<div class="description"><?php bloginfo('description'); ?></div>
-				</div>
-			</div>
-		</div>
-		<br />
-		<div id="nonJsForm">
-			<form method="post" action="">
-				<div class="zerosize"><input type="submit" name="defaultsubmit" value="Save" /></div>
-				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo kubrick_header_color(); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
-				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo kubrick_upper_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo kubrick_lower_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<input type="hidden" name="hi" id="hi" value="<?php echo kubrick_header_image(); ?>" />
-				<input type="submit" name="toggledisplay" id="toggledisplay" value="Toggle Text" />
-				<input type="submit" name="defaults" value="Use Defaults" />
-				<input type="submit" class="defbutton" name="submitform" value="&nbsp;&nbsp;Save&nbsp;&nbsp;" />
-				<input type="hidden" name="action" value="save" />
-				<input type="hidden" name="njform" value="true" />
-			</form>
-		</div>
-		<div id="jsForm">
-			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
-				<input type="button" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="Font Color"></input>
-				<input type="button" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="Upper Color"></input>
-				<input type="button" onclick="tgt=document.getElementById('lowercolor');colorSelect(tgt,'pick3');return false;" name="pick3" id="pick3" value="Lower Color"></input>
-				<input type="button" name="revert" value="Revert" onclick="kRevert()" />
-				<input type="button" value="Advanced" onclick="toggleAdvanced()" />
-				<input type="submit" name="submitform" class="defbutton" value="Save" onclick="cp.hidePopup('prettyplease')" />
-				<input type="hidden" name="action" value="save" />
-				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo kubrick_header_display(); ?>" />
-				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo kubrick_header_color(); ?>" />
-				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo kubrick_upper_color(); ?>" />
-				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo kubrick_lower_color(); ?>" />
-				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo kubrick_header_image(); ?>" />
-			</form>
-			<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
-			<div id="advanced">
-				<form id="jsAdvanced" style="display:none;" action="">
-					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo kubrick_header_color(); ?>" /><br />
-					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo kubrick_upper_color(); ?>" /><br />
-					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo kubrick_lower_color(); ?>" /><br />
-					<input type="button" name="default" value="Select Default Colors" onclick="kDefaults()" /><br />
-					<input type="button" onclick="toggleDisplay();return false;" name="pick" id="pick" value="Toggle Text Display"></input><br />
-				</form>
-			</div>
-		</div>
-	</div>
-</div>
-<?php } ?>
+<?php
+
+function kubrick_head() {
+	$head = "<style type='text/css'>\n<!--";
+	$output = '';
+	if ( kubrick_header_image() ) {
+		$url =  kubrick_header_image_url() ;
+		$output .= "#header { background: url('$url') no-repeat bottom center; }\n";
+	}
+	if ( false !== ( $color = kubrick_header_color() ) ) {
+		$output .= "#headerimg h1 a, #headerimg h1 a:visited, #headerimg .description { color: $color; }\n";
+	}
+	if ( false !== ( $display = kubrick_header_display() ) ) {
+		$output .= "#headerimg { display: $display }\n";
+	}
+	$foot = "--></style>\n";
+	if ( '' != $output )
+		echo $head . $output . $foot;
+}
+
+add_action('wp_head', 'kubrick_head');
+
+function kubrick_header_image() {
+	return apply_filters('kubrick_header_image', get_option('kubrick_header_image'));
+}
+
+function kubrick_upper_color() {
+	if (strpos($url = kubrick_header_image_url(), 'header-img.php?') !== false) {
+		parse_str(substr($url, strpos($url, '?') + 1), $q);
+		return $q['upper'];
+	} else
+		return '69aee7';
+}
+
+function kubrick_lower_color() {
+	if (strpos($url = kubrick_header_image_url(), 'header-img.php?') !== false) {
+		parse_str(substr($url, strpos($url, '?') + 1), $q);
+		return $q['lower'];
+	} else
+		return '4180b6';
+}
+
+function kubrick_header_image_url() {
+	if ( $image = kubrick_header_image() )
+		$url = get_template_directory_uri() . '/images/' . $image;
+	else
+		$url = get_template_directory_uri() . '/images/kubrickheader.jpg';
+
+	return $url;
+}
+
+function kubrick_header_color() {
+	return apply_filters('kubrick_header_color', get_option('kubrick_header_color'));
+}
+
+function kubrick_header_color_string() {
+	$color = kubrick_header_color();
+	if ( false === $color )
+		return 'white';
+
+	return $color;
+}
+
+function kubrick_header_display() {
+	return apply_filters('kubrick_header_display', get_option('kubrick_header_display'));
+}
+
+function kubrick_header_display_string() {
+	$display = kubrick_header_display();
+	return $display ? $display : 'inline';
+}
+
+add_action('admin_menu', 'kubrick_add_theme_page');
+
+function kubrick_add_theme_page() {
+	if ( $_GET['page'] == basename(__FILE__) ) {
+		if ( 'save' == $_REQUEST['action'] ) {
+			check_admin_referer('kubrick-header');
+			if ( isset($_REQUEST['njform']) ) {
+				if ( isset($_REQUEST['defaults']) ) {
+					delete_option('kubrick_header_image');
+					delete_option('kubrick_header_color');
+					delete_option('kubrick_header_display');
+				} else {
+					if ( '' == $_REQUEST['njfontcolor'] )
+						delete_option('kubrick_header_color');
+					else {
+						$fontcolor = preg_replace('/^.*(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['njfontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
+					if ( preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njuppercolor'], $uc) && preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njlowercolor'], $lc) ) {
+						$uc = ( strlen($uc[0]) == 3 ) ? $uc[0]{0}.$uc[0]{0}.$uc[0]{1}.$uc[0]{1}.$uc[0]{2}.$uc[0]{2} : $uc[0];
+						$lc = ( strlen($lc[0]) == 3 ) ? $lc[0]{0}.$lc[0]{0}.$lc[0]{1}.$lc[0]{1}.$lc[0]{2}.$lc[0]{2} : $lc[0];
+						update_option('kubrick_header_image', "header-img.php?upper=$uc&amp;lower=$lc");
+					}
+
+					if ( isset($_REQUEST['toggledisplay']) ) {
+						if ( false === get_option('kubrick_header_display') )
+							update_option('kubrick_header_display', 'none');
+						else
+							delete_option('kubrick_header_display');
+					}
+				}
+			} else {
+
+				if ( isset($_REQUEST['headerimage']) ) {
+					check_admin_referer('kubrick-header');
+					if ( '' == $_REQUEST['headerimage'] )
+						delete_option('kubrick_header_image');
+					else {
+						$headerimage = preg_replace('/^.*?(header-img.php\?upper=[0-9a-fA-F]{6}&lower=[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['headerimage']);
+						update_option('kubrick_header_image', $headerimage);
+					}
+				}
+
+				if ( isset($_REQUEST['fontcolor']) ) {
+					check_admin_referer('kubrick-header');
+					if ( '' == $_REQUEST['fontcolor'] )
+						delete_option('kubrick_header_color');
+					else {
+						$fontcolor = preg_replace('/^.*?(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['fontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
+				}
+
+				if ( isset($_REQUEST['fontdisplay']) ) {
+					check_admin_referer('kubrick-header');
+					if ( '' == $_REQUEST['fontdisplay'] || 'inline' == $_REQUEST['fontdisplay'] )
+						delete_option('kubrick_header_display');
+					else
+						update_option('kubrick_header_display', 'none');
+				}
+			}
+			//print_r($_REQUEST);
+			wp_redirect("themes.php?page=functions.php&saved=true");
+			die;
+		}
+		add_action('admin_head', 'kubrick_theme_page_head');
+	}
+	add_theme_page('Customize Header', 'Header Image and Color', 'edit_themes', basename(__FILE__), 'kubrick_theme_page');
+}
+
+function kubrick_theme_page_head() {
+?>
+<script type="text/javascript" src="../wp-includes/js/colorpicker.js"></script>
+<script type='text/javascript'>
+// <![CDATA[
+	function pickColor(color) {
+		ColorPicker_targetInput.value = color;
+		kUpdate(ColorPicker_targetInput.id);
+	}
+	function PopupWindow_populate(contents) {
+		contents += '<br /><p style="text-align:center;margin-top:0px;"><input type="button" value="Close Color Picker" onclick="cp.hidePopup(\'prettyplease\')"></input></p>';
+		this.contents = contents;
+		this.populated = false;
+	}
+	function PopupWindow_hidePopup(magicword) {
+		if ( magicword != 'prettyplease' )
+			return false;
+		if (this.divName != null) {
+			if (this.use_gebi) {
+				document.getElementById(this.divName).style.visibility = "hidden";
+			}
+			else if (this.use_css) {
+				document.all[this.divName].style.visibility = "hidden";
+			}
+			else if (this.use_layers) {
+				document.layers[this.divName].visibility = "hidden";
+			}
+		}
+		else {
+			if (this.popupWindow && !this.popupWindow.closed) {
+				this.popupWindow.close();
+				this.popupWindow = null;
+			}
+		}
+		return false;
+	}
+	function colorSelect(t,p) {
+		if ( cp.p == p && document.getElementById(cp.divName).style.visibility != "hidden" )
+			cp.hidePopup('prettyplease');
+		else {
+			cp.p = p;
+			cp.select(t,p);
+		}
+	}
+	function PopupWindow_setSize(width,height) {
+		this.width = 162;
+		this.height = 210;
+	}
+
+	var cp = new ColorPicker();
+	function advUpdate(val, obj) {
+		document.getElementById(obj).value = val;
+		kUpdate(obj);
+	}
+	function kUpdate(oid) {
+		if ( 'uppercolor' == oid || 'lowercolor' == oid ) {
+			uc = document.getElementById('uppercolor').value.replace('#', '');
+			lc = document.getElementById('lowercolor').value.replace('#', '');
+			hi = document.getElementById('headerimage');
+			hi.value = 'header-img.php?upper='+uc+'&lower='+lc;
+			document.getElementById('header').style.background = 'url("<?php echo get_template_directory_uri(); ?>/images/'+hi.value+'") center no-repeat';
+			document.getElementById('advuppercolor').value = '#'+uc;
+			document.getElementById('advlowercolor').value = '#'+lc;
+		}
+		if ( 'fontcolor' == oid ) {
+			document.getElementById('header').style.color = document.getElementById('fontcolor').value;
+			document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value;
+		}
+		if ( 'fontdisplay' == oid ) {
+			document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
+		}
+	}
+	function toggleDisplay() {
+		td = document.getElementById('fontdisplay');
+		td.value = ( td.value == 'none' ) ? 'inline' : 'none';
+		kUpdate('fontdisplay');
+	}
+	function toggleAdvanced() {
+		a = document.getElementById('jsAdvanced');
+		if ( a.style.display == 'none' )
+			a.style.display = 'block';
+		else
+			a.style.display = 'none';
+	}
+	function kDefaults() {
+		document.getElementById('headerimage').value = '';
+		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#69aee7';
+		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#4180b6';
+		document.getElementById('header').style.background = 'url("<?php echo get_template_directory_uri(); ?>/images/kubrickheader.jpg") center no-repeat';
+		document.getElementById('header').style.color = '#FFFFFF';
+		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '';
+		document.getElementById('fontdisplay').value = 'inline';
+		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
+	}
+	function kRevert() {
+		document.getElementById('headerimage').value = '<?php echo js_escape(kubrick_header_image()); ?>';
+		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo js_escape(kubrick_upper_color()); ?>';
+		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo js_escape(kubrick_lower_color()); ?>';
+		document.getElementById('header').style.background = 'url("<?php echo js_escape(kubrick_header_image_url()); ?>") center no-repeat';
+		document.getElementById('header').style.color = '';
+		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo js_escape(kubrick_header_color_string()); ?>';
+		document.getElementById('fontdisplay').value = '<?php echo js_escape(kubrick_header_display_string()); ?>';
+		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
+	}
+	function kInit() {
+		document.getElementById('jsForm').style.display = 'block';
+		document.getElementById('nonJsForm').style.display = 'none';
+	}
+	addLoadEvent(kInit);
+// ]]>
+</script>
+<style type='text/css'>
+	#headwrap {
+		text-align: center;
+	}
+	#kubrick-header {
+		font-size: 80%;
+	}
+	#kubrick-header .hibrowser {
+		width: 780px;
+		height: 260px;
+		overflow: scroll;
+	}
+	#kubrick-header #hitarget {
+		display: none;
+	}
+	#kubrick-header #header h1 {
+		font-family: 'Trebuchet MS', 'Lucida Grande', Verdana, Arial, Sans-Serif;
+		font-weight: bold;
+		font-size: 4em;
+		text-align: center;
+		padding-top: 70px;
+		margin: 0;
+	}
+
+	#kubrick-header #header .description {
+		font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif;
+		font-size: 1.2em;
+		text-align: center;
+	}
+	#kubrick-header #header {
+		text-decoration: none;
+		color: <?php echo kubrick_header_color_string(); ?>;
+		padding: 0;
+		margin: 0;
+		height: 200px;
+		text-align: center;
+		background: url('<?php echo kubrick_header_image_url(); ?>') center no-repeat;
+	}
+	#kubrick-header #headerimg {
+		margin: 0;
+		height: 200px;
+		width: 100%;
+		display: <?php echo kubrick_header_display_string(); ?>;
+	}
+	#jsForm {
+		display: none;
+		text-align: center;
+	}
+	#jsForm input.submit, #jsForm input.button, #jsAdvanced input.button {
+		padding: 0px;
+		margin: 0px;
+	}
+	#advanced {
+		text-align: center;
+		width: 620px;
+	}
+	html>body #advanced {
+		text-align: center;
+		position: relative;
+		left: 50%;
+		margin-left: -380px;
+	}
+	#jsAdvanced {
+		text-align: right;
+	}
+	#nonJsForm {
+		position: relative;
+		text-align: left;
+		margin-left: -370px;
+		left: 50%;
+	}
+	#nonJsForm label {
+		padding-top: 6px;
+		padding-right: 5px;
+		float: left;
+		width: 100px;
+		text-align: right;
+	}
+	.defbutton {
+		font-weight: bold;
+	}
+	.zerosize {
+		width: 0px;
+		height: 0px;
+		overflow: hidden;
+	}
+	#colorPickerDiv a, #colorPickerDiv a:hover {
+		padding: 1px;
+		text-decoration: none;
+		border-bottom: 0px;
+	}
+</style>
+<?php
+}
+
+function kubrick_theme_page() {
+	if ( $_REQUEST['saved'] ) echo '<div id="message" class="updated fade"><p><strong>Options saved.</strong></p></div>';
+?>
+<div class='wrap'>
+	<div id="kubrick-header">
+		<h2>Header Image and Color</h2>
+		<div id="headwrap">
+			<div id="header">
+				<div id="headerimg">
+					<h1><?php bloginfo('name'); ?></h1>
+					<div class="description"><?php bloginfo('description'); ?></div>
+				</div>
+			</div>
+		</div>
+		<br />
+		<div id="nonJsForm">
+			<form method="post" action="">
+				<?php wp_nonce_field('kubrick-header'); ?>
+				<div class="zerosize"><input type="submit" name="defaultsubmit" value="Save" /></div>
+				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
+				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<input type="hidden" name="hi" id="hi" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
+				<input type="submit" name="toggledisplay" id="toggledisplay" value="Toggle Text" />
+				<input type="submit" name="defaults" value="Use Defaults" />
+				<input type="submit" class="defbutton" name="submitform" value="&nbsp;&nbsp;Save&nbsp;&nbsp;" />
+				<input type="hidden" name="action" value="save" />
+				<input type="hidden" name="njform" value="true" />
+			</form>
+		</div>
+		<div id="jsForm">
+			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo attribute_escape($_SERVER['REQUEST_URI']); ?>">
+				<?php wp_nonce_field('kubrick-header'); ?>
+				<input type="button" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="Font Color"></input>
+				<input type="button" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="Upper Color"></input>
+				<input type="button" onclick="tgt=document.getElementById('lowercolor');colorSelect(tgt,'pick3');return false;" name="pick3" id="pick3" value="Lower Color"></input>
+				<input type="button" name="revert" value="Revert" onclick="kRevert()" />
+				<input type="button" value="Advanced" onclick="toggleAdvanced()" />
+				<input type="hidden" name="action" value="save" />
+				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo attribute_escape(kubrick_header_display()); ?>" />
+				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" />
+				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo attribute_escape(kubrick_upper_color()); ?>" />
+				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo attribute_escape(kubrick_lower_color()); ?>" />
+				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
+				<p class="submit"><input type="submit" name="submitform" class="defbutton" value="<?php _e('Update Header &raquo;'); ?>" onclick="cp.hidePopup('prettyplease')" /></p>
+			</form>
+			<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
+			<div id="advanced">
+				<form id="jsAdvanced" style="display:none;" action="">
+					<?php wp_nonce_field('kubrick-header'); ?>
+					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /><br />
+					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /><br />
+					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /><br />
+					<input type="button" name="default" value="Select Default Colors" onclick="kDefaults()" /><br />
+					<input type="button" onclick="toggleDisplay();return false;" name="pick" id="pick" value="Toggle Text Display"></input><br />
+				</form>
+			</div>
+		</div>
+	</div>
+</div>
+<?php } ?>

Property changes on: wp-content/themes/default/functions.php
___________________________________________________________________
Name: svn:eol-style
   + native


Property changes on: wp-content/themes/default/attachment.php
___________________________________________________________________
Name: svn:eol-style
   + native

Index: wp-links-opml.php
===================================================================
--- wp-links-opml.php	(.../2.0.10)	(revision 6405)
+++ wp-links-opml.php	(.../2.0.11)	(revision 6405)
@@ -28,7 +28,7 @@
     <body>
 <?php $sql = "SELECT $wpdb->links.link_url, link_rss, $wpdb->links.link_name, $wpdb->links.link_category, $wpdb->linkcategories.cat_name, link_updated 
 FROM $wpdb->links 
- JOIN $wpdb->linkcategories on $wpdb->links.link_category = $wpdb->linkcategories.cat_id
+ INNER JOIN $wpdb->linkcategories on $wpdb->links.link_category = $wpdb->linkcategories.cat_id
  AND $wpdb->links.link_visible = 'Y'
  $sql_cat
  ORDER BY $wpdb->linkcategories.cat_name, $wpdb->links.link_name \n";
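Review bot: `$sql_cat` on the line after the changed `INNER JOIN` is still interpolated into the query as-is, and its construction is outside this hunk; since the JOIN rewrite is the only change here, it is worth confirming where `$sql_cat` is built that the category id is cast to int before it is embedded. The `AND $wpdb->links.link_visible = 'Y'` clause also lives inside the JOIN condition rather than a `WHERE`, which is equivalent for an inner join but reads as part of the join key; `WHERE $wpdb->links.link_visible = 'Y'` (with `$sql_cat` continuing to chain `AND` terms, if that is how it is built) would make the intent plain.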
Index: wp-admin/edit-form-advanced.php
===================================================================
--- wp-admin/edit-form-advanced.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/edit-form-advanced.php	(.../2.0.11)	(revision 6405)
@@ -1,10 +1,12 @@
 <?php
+if ( isset($_GET['message']) )
+	$_GET['message'] = (int) $_GET['message'];
 $messages[1] = __('Post updated');
 $messages[2] = __('Custom field updated');
 $messages[3] = __('Custom field deleted.');
 ?>
 <?php if (isset($_GET['message'])) : ?>
-<div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
+<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div>
 <?php endif; ?>
 
 <form name="post" action="post.php" method="post" id="post">
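Review bot: After the int cast on the new line 2, a message number outside 1–3 still reaches `$messages[$_GET['message']]` on the echo line, producing an undefined-index notice and an empty "updated" box. Guarding the display with `<?php if (isset($_GET['message'], $messages[$_GET['message']])) : ?>` keeps the escaped output and drops the notice. Casting early is the right place for it, since the same value is compared numerically later in this file (`2 > $_GET['message']` in the third hunk).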
@@ -24,16 +26,17 @@
 	$form_extra = "<input type='hidden' name='temp_ID' value='$temp_ID' />";
 	wp_nonce_field('add-post');
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$form_extra = "<input type='hidden' name='post_ID' value='$post_ID' />";
 	wp_nonce_field('update-post_' .  $post_ID);
 }
 
-$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
+$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />'; 
 
-$form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
+$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />'; 
 
-$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
+$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
 
 if ('' != $post->pinged) {
 	$pings = '<p>'. __('Already pinged:') . '</p><ul>';
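Review bot: `$post_ID` now gets an int cast before it is interpolated into `$form_extra`, but `$temp_ID` in the `if` branch above is interpolated without one; the parallel change in wp-admin/edit-page-form.php adds `$temp_ID = (int) $temp_ID;`, so for consistency the same cast belongs here, `$temp_ID = (int) $temp_ID;` as the first statement before the `$form_extra` assignment. Where `$temp_ID` is computed is outside this hunk, so this is a consistency point rather than a demonstrated injection.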
@@ -44,15 +47,15 @@
 	$pings .= '</ul>';
 }
 
-$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
+$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape(__('Save and Continue Editing')) . '" />';
 
 if (empty($post->post_status)) $post->post_status = 'draft';
 
 ?>
 
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value="<?php echo $form_action ?>" />
-<input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
+<input type="hidden" name="post_author" value="<?php echo attribute_escape($post->post_author) ?>" />
 
 <?php echo $form_extra ?>
 <?php if (isset($_GET['message']) && 2 > $_GET['message']) : ?>
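Review bot: `attribute_escape($post->post_author)` on the post_author hidden field treats an author ID as free text, while `user_ID` two lines earlier is cast with `(int)`; `<?php echo (int) $post->post_author ?>` would be the consistent choice and rejects non-numeric values rather than merely escaping them. If post_author can legitimately be empty for a new post, the cast yields 0, which the author select below compares against numerically anyway.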
@@ -82,12 +85,12 @@
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3> 
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password) ?>" /></div>
 </fieldset>
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post slug') ?></h3> 
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name) ?>" /></div>
 </fieldset>
 
 <fieldset id="categorydiv" class="dbx-box">
@@ -123,7 +126,7 @@
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
-echo "<option value='$o->ID' $selected>$o->display_name</option>";
+echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars($o->display_name) . "</option>";
 endforeach;
 ?>
 </select>
@@ -138,7 +141,7 @@
 
 <fieldset id="titlediv">
   <legend><?php _e('Title') ?></legend> 
-  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
 </fieldset>
 
 <fieldset id="<?php echo user_can_richedit() ? 'postdivrich' : 'postdiv'; ?>">
@@ -221,7 +224,7 @@
 
 <?php
 if (current_user_can('upload_files')) {
-	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
+	$uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
 	$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading');
 	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
 	if ( false != $uploading_iframe_src )
Index: wp-admin/link-import.php
===================================================================
--- wp-admin/link-import.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/link-import.php	(.../2.0.11)	(revision 6405)
@@ -74,10 +74,9 @@
 
      <h2><?php _e('Importing...') ?></h2>
 <?php
-                $cat_id = $_POST['cat_id'];
-                if (($cat_id == '') || ($cat_id == 0)) {
-                    $cat_id  = 1;
-                }
+				$cat_id = abs( (int) $_POST['cat_id'] );
+				if ( $cat_id < 1 )
+					$cat_id  = 1;
 
                 $opml_url = $_POST['opml_url'];
                 if (isset($opml_url) && $opml_url != '' && $opml_url != 'http://') {
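Review bot: `abs((int) $_POST['cat_id'])` turns a negative id into a different, positive category instead of falling through to the default, and the `< 1` check on the next line already handles negatives, so the `abs()` is both redundant and surprising; `$cat_id = isset($_POST['cat_id']) ? (int) $_POST['cat_id'] : 0;` keeps the default path and also avoids the undefined-index notice when the field is absent. The `$opml_url` handling below is untouched by this commit and its use is outside the hunk.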
Index: wp-admin/post.php
===================================================================
--- wp-admin/post.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/post.php	(.../2.0.11)	(revision 6405)
@@ -194,7 +194,7 @@
 	$comment = (int) $_GET['comment'];
 	$p = (int) $_GET['p'];
 
-	if ( ! $comment = get_comment($comment) )
+	if ( ! $comment = get_comment_to_edit($comment) )
 		die(sprintf(__('Oops, no comment with this ID. <a href="%s">Go back</a>!'), 'edit.php'));
 
 	if ( !current_user_can('edit_post', $comment->comment_post_ID) )	
Index: wp-admin/options.php
===================================================================
--- wp-admin/options.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/options.php	(.../2.0.11)	(revision 6405)
@@ -151,10 +151,11 @@
 
 foreach ( (array) $options as $option) :
 	$disabled = '';
+	$option->option_name = attribute_escape($option->option_name);
 	if ( is_serialized($option->option_value) ) {
 		if ( is_serialized_string($option->option_value) ) {
 			// this is a serialized string, so we should display it
-			$value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
+			$value = maybe_unserialize($option->option_value);
 			$options_to_update[] = $option->option_name;
 			$class = 'all-options';
 		} else {
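Review bot: `$option->option_name` is overwritten with its HTML-escaped form on the new line, and that same escaped string is then pushed into `$options_to_update` (two lines later and again in the second hunk) and emitted raw as the page_options value in the last hunk of this file, so display escaping has leaked into the data that is round-tripped to the save handler. Keeping the raw name on the object and escaping at each output site — `attribute_escape($option->option_name)` in the label/input/textarea strings and on the page_options value — separates the two concerns. Whether the save handler (outside this view) is affected depends on whether any option name contains `&`, `<` or a quote, which is presumably rare but not enforced here.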
@@ -163,7 +164,7 @@
 			$class = 'all-options disabled';
 		}
 	} else {
-		$value = wp_specialchars($option->option_value, 'single');
+		$value = $option->option_value;
 		$options_to_update[] = $option->option_name;
 		$class = 'all-options';
 	}
@@ -172,9 +173,9 @@
 	<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
 <td>";
 
-	if (stristr($value, "\n")) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
-	else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
-	
+	if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+	else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
+
 	echo "</td>
 	<td>$option->option_description</td>
 </tr>";
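Review bot: `$option->option_description` in the context line at the end of this hunk is still echoed unescaped inside the cell, while the neighbouring value output now goes through `wp_specialchars`/`attribute_escape`; wrapping it the same way, `<td>" . wp_specialchars($option->option_description) . "</td>`, keeps the row consistent. The description presumably comes from the options table rather than request input, so this is hardening rather than a demonstrated issue.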
@@ -182,7 +183,7 @@
 ?>
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>
 
Index: wp-admin/admin-functions.php
===================================================================
--- wp-admin/admin-functions.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/admin-functions.php	(.../2.0.11)	(revision 6405)
@@ -319,11 +319,15 @@
 
 	$comment = get_comment($id);
 
-	$comment->comment_content = format_to_edit($comment->comment_content, $richedit);
+	$comment->comment_ID = (int) $comment->comment_ID;
+	$comment->comment_post_ID = (int) $comment->comment_post_ID;
+
+	$comment->comment_content = format_to_edit($comment->comment_content);
 	$comment->comment_content = apply_filters('comment_edit_pre', $comment->comment_content);
 
 	$comment->comment_author = format_to_edit($comment->comment_author);
 	$comment->comment_author_email = format_to_edit($comment->comment_author_email);
+	$comment->comment_author_url = clean_url($comment->comment_author_url);
 	$comment->comment_author_url = format_to_edit($comment->comment_author_url);
 
 	return $comment;
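Review bot: The two int casts are applied to `$comment` before it has been checked, so when `get_comment($id)` returns an empty value for an unknown id the property assignments create a default object with `comment_ID = 0` (PHP emits a notice and continues), and the caller in wp-admin/post.php that tests `if ( ! $comment = get_comment_to_edit($comment) )` no longer reaches its "no comment" branch. An `if ( ! $comment ) return $comment;` right after the `get_comment` call preserves the old contract. The function's signature is outside the hunk; if `$richedit` is still a parameter it is now unused, since the `format_to_edit` call dropped it.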
@@ -862,6 +866,7 @@
 
 		$entry['meta_key'] = attribute_escape( $entry['meta_key']);
 		$entry['meta_value'] = attribute_escape( $entry['meta_value']);
+		$entry['meta_id'] = (int) $entry['meta_id'];
 		echo "
 			<tr class='$style'>
 				<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>
@@ -933,6 +938,8 @@
 	global $wpdb;
 	$post_ID = (int) $post_ID;
 
+	$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
+
 	$metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect'])));
 	$metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput'])));
 	$metavalue = maybe_serialize(stripslashes((trim($_POST['metavalue']))));
@@ -948,6 +955,9 @@
 		if ($metakeyinput)
 			$metakey = $metakeyinput; // default
 
+		if ( in_array($metakey, $protected) )
+			return false;
+
 		$result = $wpdb->query("
 						INSERT INTO $wpdb->postmeta 
 						(post_id,meta_key,meta_value) 
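Review bot: The `$protected` list and its `in_array` check are duplicated verbatim between this hunk and the `update_meta` hunk below; a single private helper such as `function is_protected_meta($key) { return in_array($key, array('_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template'), true); }` keeps the two in step when a key is added. Here the check runs on `$metakey` after it has been through `$wpdb->escape()`, which is harmless for these particular names but means the comparison is against the escaped form; passing `true` as the third `in_array` argument also avoids loose comparison. The bare `return false` gives the caller no way to distinguish a protected key from a failed insert.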
@@ -965,6 +975,12 @@
 
 function update_meta($mid, $mkey, $mvalue) {
 	global $wpdb;
+
+	$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
+
+	if ( in_array($mkey, $protected) )
+		return false;
+
 	$mvalue = maybe_serialize(stripslashes($mvalue));
 	$mvalue = $wpdb->escape($mvalue);
 	$mid = (int) $mid;
@@ -1813,6 +1829,7 @@
 }
 </script>
 <form enctype="multipart/form-data" id="uploadForm" method="post" action="<?php echo attribute_escape($action) ?>">
+<?php wp_nonce_field('import-upload'); ?>
 <label for="upload"><?php _e('File:'); ?></label><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <div id="buttons">
Index: wp-admin/edit-page-form.php
===================================================================
--- wp-admin/edit-page-form.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/edit-page-form.php	(.../2.0.11)	(revision 6405)
@@ -9,11 +9,15 @@
 	$temp_ID = -1 * time();
 	$form_extra = "<input type='hidden' name='temp_ID' value='$temp_ID' />";
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$nonce_action = 'update-post_' . $post_ID;
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 }
 
+$temp_ID = (int) $temp_ID;
+$user_ID = (int) $user_ID;
+
 $sendto = attribute_escape(wp_get_referer());
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
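Review bot: `$temp_ID = (int) $temp_ID;` is placed after `$form_extra` has already interpolated `$temp_ID` in the `if` branch, so it does not affect the hidden field it was presumably added for; moving it ahead of the `$form_extra` assignment (directly after `$temp_ID = -1 * time();`) makes the cast effective. In the `else` branch `$temp_ID` is not assigned in the visible lines, so the cast there may operate on an undefined variable and emit a notice unless it is set earlier in the file.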
@@ -60,7 +64,7 @@
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3> 
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password); ?>" /></div>
 </fieldset>
 
 <fieldset id="pageparent" class="dbx-box">
@@ -85,7 +89,7 @@
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post slug') ?></h3> 
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name); ?>" /></div>
 </fieldset>
 
 <?php if ( $authors = get_editable_authors( $current_user->id ) ) : // TODO: ROLE SYSTEM ?>
@@ -98,6 +102,8 @@
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
+$o->ID = (int) $o->ID;
+$o->display_name = wp_specialchars( $o->display_name );
 echo "<option value='$o->ID' $selected>$o->display_name</option>";
 endforeach;
 ?>
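Review bot: The new lines mutate the `$o` object returned by `get_userdata()` with the int cast and `wp_specialchars`, whereas the parallel change in wp-admin/edit-form-advanced.php escapes inline in the echo; doing the same here, `echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars($o->display_name) . "</option>";`, avoids leaving an HTML-escaped display_name on an object that may be shared. If `get_userdata` caches its result, the escaped name would otherwise be visible to later callers in the same request.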
@@ -118,7 +124,7 @@
 
 <fieldset id="titlediv">
   <legend><?php _e('Page Title') ?></legend> 
-  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
 </fieldset>
 
 
Index: wp-admin/import/livejournal.php
===================================================================
--- wp-admin/import/livejournal.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/import/livejournal.php	(.../2.0.11)	(revision 6405)
@@ -153,6 +153,7 @@
 				$this->greet();
 				break;
 			case 1 :
+				check_admin_referer('import-upload');
 				$this->import();
 				break;
 		}
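Review bot: `check_admin_referer('import-upload')` pairs with the `wp_nonce_field('import-upload')` added to the upload form in wp-admin/admin-functions.php; any other importer that dispatches its step 1 through that same form needs the same call, and those are outside this view. A comment above the call, `// nonce is emitted by the shared upload form in admin-functions.php; keep the action name in sync`, would tie the two sides together for the next maintainer.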
Index: wp-admin/import/dotclear.php
===================================================================
--- wp-admin/import/dotclear.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/import/dotclear.php	(.../2.0.11)	(revision 6405)
@@ -1,16 +1,21 @@
 <?php
+/*
+ * DotClear import plugin
+ * by Thomas Quinot - http://thomas.quinot.org/
+ */
+
 /**
 	Add These Functions to make our lives easier
 **/
 if(!function_exists('get_catbynicename'))
 {
-	function get_catbynicename($category_nicename) 
+	function get_catbynicename($category_nicename)
 	{
 	global $wpdb;
-	
+
 	$cat_id -= 0; 	// force numeric
 	$name = $wpdb->get_var('SELECT cat_ID FROM '.$wpdb->categories.' WHERE category_nicename="'.$category_nicename.'"');
-	
+
 	return $name;
 	}
 }
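Review bot: In the context lines of `get_catbynicename`, `$category_nicename` is concatenated straight into the SQL at the `get_var` call, while `$cat_id -= 0;` above it touches a variable that is never used; the commit only strips trailing whitespace here. The file already escapes values elsewhere (`$wpdb->escape($cat_libelle_url)` in `cat2wp`), so `$wpdb->escape($category_nicename)` inside the query and dropping the dead `$cat_id` line would match that convention. The value comes from the DotClear database being imported, so it is foreign data rather than request input.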
@@ -55,58 +60,59 @@
 //
 //    This cries out for a C-implementation to be included in PHP core
 //
-   function valid_1byte($char) {
-       if(!is_int($char)) return false;
-       return ($char & 0x80) == 0x00;
-   }
-  
-   function valid_2byte($char) {
-       if(!is_int($char)) return false;
-       return ($char & 0xE0) == 0xC0;
-   }
 
-   function valid_3byte($char) {
-       if(!is_int($char)) return false;
-       return ($char & 0xF0) == 0xE0;
-   }
+function valid_1byte($char) {
+	if(!is_int($char)) return false;
+		return ($char & 0x80) == 0x00;
+}
 
-   function valid_4byte($char) {
-       if(!is_int($char)) return false;
-       return ($char & 0xF8) == 0xF0;
-   }
-  
-   function valid_nextbyte($char) {
-       if(!is_int($char)) return false;
-       return ($char & 0xC0) == 0x80;
-   }
-  
-   function valid_utf8($string) {
-       $len = strlen($string);
-       $i = 0;   
-       while( $i < $len ) {
-           $char = ord(substr($string, $i++, 1));
-           if(valid_1byte($char)) {    // continue
-               continue;
-           } else if(valid_2byte($char)) { // check 1 byte
-               if(!valid_nextbyte(ord(substr($string, $i++, 1))))
-                   return false;
-           } else if(valid_3byte($char)) { // check 2 bytes
-               if(!valid_nextbyte(ord(substr($string, $i++, 1))))
-                   return false;
-               if(!valid_nextbyte(ord(substr($string, $i++, 1))))
-                   return false;
-           } else if(valid_4byte($char)) { // check 3 bytes
-               if(!valid_nextbyte(ord(substr($string, $i++, 1))))
-                   return false;
-               if(!valid_nextbyte(ord(substr($string, $i++, 1))))
-                   return false;
-               if(!valid_nextbyte(ord(substr($string, $i++, 1))))
-                   return false;
-           } // goto next char
-       }
-       return true; // done
-   }
+function valid_2byte($char) {
+	if(!is_int($char)) return false;
+		return ($char & 0xE0) == 0xC0;
+}
 
+function valid_3byte($char) {
+	if(!is_int($char)) return false;
+		return ($char & 0xF0) == 0xE0;
+}
+
+function valid_4byte($char) {
+	if(!is_int($char)) return false;
+		return ($char & 0xF8) == 0xF0;
+}
+
+function valid_nextbyte($char) {
+	if(!is_int($char)) return false;
+		return ($char & 0xC0) == 0x80;
+}
+
+function valid_utf8($string) {
+	$len = strlen($string);
+	$i = 0;
+	while( $i < $len ) {
+		$char = ord(substr($string, $i++, 1));
+		if(valid_1byte($char)) {    // continue
+			continue;
+		} else if(valid_2byte($char)) { // check 1 byte
+			if(!valid_nextbyte(ord(substr($string, $i++, 1))))
+				return false;
+		} else if(valid_3byte($char)) { // check 2 bytes
+			if(!valid_nextbyte(ord(substr($string, $i++, 1))))
+				return false;
+			if(!valid_nextbyte(ord(substr($string, $i++, 1))))
+				return false;
+		} else if(valid_4byte($char)) { // check 3 bytes
+			if(!valid_nextbyte(ord(substr($string, $i++, 1))))
+				return false;
+			if(!valid_nextbyte(ord(substr($string, $i++, 1))))
+				return false;
+			if(!valid_nextbyte(ord(substr($string, $i++, 1))))
+				return false;
+		} // goto next char
+	}
+	return true; // done
+}
+
 function csc ($s) {
 	if (valid_utf8 ($s)) {
 		return $s;
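Review bot: The re-indented `valid_*byte` helpers now indent the `return ($char & …)` line one level deeper than the `if`, which reads as if it were the if's body although it is unconditional; `\tif(!is_int($char)) return false;` followed by `\treturn ($char & 0x80) == 0x00;` at the same level (and likewise in the other four helpers) shows the real structure. In `valid_utf8`, a multi-byte sequence truncated at the end of the string is rejected only because `substr` past the end yields an empty string (or `false` on older PHP), `ord` of which is 0 and `valid_nextbyte(0)` is false; that deserves a one-line comment on the `while` loop since it is not obvious.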
@@ -127,7 +133,7 @@
 	function header() 
 	{
 		echo '<div class="wrap">';
-		echo '<h2>'.__('Import Dotclear').'</h2>';
+		echo '<h2>'.__('Import DotClear').'</h2>';
 		echo '<p>'.__('Steps may take a few minutes depending on the size of your database. Please be patient.').'</p>';
 	}
 
@@ -135,78 +141,79 @@
 	{
 		echo '</div>';
 	}
-	
+
 	function greet() 
 	{
-		echo '<p>'.__('Howdy! This importer allows you to extract posts from a Dotclear database into your blog.  Mileage may vary.').'</p>';
-		echo '<p>'.__('Your Dotclear Configuration settings are as follows:').'</p>';
+		echo '<div class="narrow"><p>'.__('Howdy! This importer allows you to extract posts from a DotClear database into your blog.  Mileage may vary.').'</p>';
+		echo '<p>'.__('Your DotClear Configuration settings are as follows:').'</p>';
 		echo '<form action="admin.php?import=dotclear&amp;step=1" method="post">';
+		wp_nonce_field('import-dotclear');
 		$this->db_form();
-		echo '<input type="submit" name="submit" value="'.__('Import Categories').'" />';
-		echo '</form>';
+		echo '<p class="submit"><input type="submit" name="submit" value="'.attribute_escape(__('Import Categories &raquo;')).'" /></p>';
+		echo '</form></div>';
 	}
 
-	function get_dc_cats() 
+	function get_dc_cats()
 	{
 		global $wpdb;
 		// General Housekeeping
 		$dcdb = new wpdb(get_option('dcuser'), get_option('dcpass'), get_option('dcname'), get_option('dchost'));
 		set_magic_quotes_runtime(0);
-		$prefix = get_option('tpre');
-		
+		$dbprefix = get_option('dcdbprefix');
+
 		// Get Categories
-		return $dcdb->get_results('SELECT * FROM dc_categorie', ARRAY_A);
+		return $dcdb->get_results('SELECT * FROM '.$dbprefix.'categorie', ARRAY_A);
 	}
-	
+
 	function get_dc_users()
 	{
 		global $wpdb;
 		// General Housekeeping
 		$dcdb = new wpdb(get_option('dcuser'), get_option('dcpass'), get_option('dcname'), get_option('dchost'));
 		set_magic_quotes_runtime(0);
-		$prefix = get_option('tpre');
-		
+		$dbprefix = get_option('dcdbprefix');
+
 		// Get Users
-		
-		return $dcdb->get_results('SELECT * FROM dc_user', ARRAY_A);
+
+		return $dcdb->get_results('SELECT * FROM '.$dbprefix.'user', ARRAY_A);
 	}
-	
+
 	function get_dc_posts()
 	{
 		// General Housekeeping
 		$dcdb = new wpdb(get_option('dcuser'), get_option('dcpass'), get_option('dcname'), get_option('dchost'));
 		set_magic_quotes_runtime(0);
-		$prefix = get_option('tpre');
-		
+		$dbprefix = get_option('dcdbprefix');
+
 		// Get Posts
-		return $dcdb->get_results('SELECT dc_post.*, dc_categorie.cat_libelle_url AS post_cat_name
-						FROM dc_post INNER JOIN dc_categorie
-						  ON dc_post.cat_id = dc_categorie.cat_id', ARRAY_A);
+		return $dcdb->get_results('SELECT '.$dbprefix.'post.*, '.$dbprefix.'categorie.cat_libelle_url AS post_cat_name
+						FROM '.$dbprefix.'post INNER JOIN '.$dbprefix.'categorie
+						ON '.$dbprefix.'post.cat_id = '.$dbprefix.'categorie.cat_id', ARRAY_A);
 	}
-	
+
 	function get_dc_comments()
 	{
 		global $wpdb;
 		// General Housekeeping
 		$dcdb = new wpdb(get_option('dcuser'), get_option('dcpass'), get_option('dcname'), get_option('dchost'));
 		set_magic_quotes_runtime(0);
-		$prefix = get_option('tpre');
-		
+		$dbprefix = get_option('dcdbprefix');
+
 		// Get Comments
-		return $dcdb->get_results('SELECT * FROM dc_comment', ARRAY_A);
+		return $dcdb->get_results('SELECT * FROM '.$dbprefix.'comment', ARRAY_A);
 	}
-	
+
 	function get_dc_links()
 	{
 		//General Housekeeping
 		$dcdb = new wpdb(get_option('dcuser'), get_option('dcpass'), get_option('dcname'), get_option('dchost'));
 		set_magic_quotes_runtime(0);
-		$prefix = get_option('tpre');
+		$dbprefix = get_option('dcdbprefix');
 
-		return $dcdb->get_results('SELECT * FROM dc_link ORDER BY position', ARRAY_A);
+		return $dcdb->get_results('SELECT * FROM '.$dbprefix.'link ORDER BY position', ARRAY_A);
 	}
-	
-	function cat2wp($categories='') 
+
+	function cat2wp($categories='')
 	{
 		// General Housekeeping
 		global $wpdb;
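Review bot: `$dbprefix` from `get_option('dcdbprefix')` is concatenated directly into table names in all five `get_dc_*` methods, so a prefix containing anything but identifier characters breaks or changes the query; validating it once, e.g. `if ( ! preg_match('/^[A-Za-z0-9_]*$/', $dbprefix) ) return array();`, or restricting it at the point it is saved (outside this view), would close that. The same five methods each open a new `wpdb` connection and call `set_magic_quotes_runtime(0)`, which could be one private helper, and `global $wpdb` is declared but unused in several of them. The nonce added in `greet()` needs a matching `check_admin_referer('import-dotclear')` in the step dispatch, which is outside the hunk.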
@@ -216,11 +223,11 @@
 		if(is_array($categories))
 		{
 			echo '<p>'.__('Importing Categories...').'<br /><br /></p>';
-			foreach ($categories as $category) 
+			foreach ($categories as $category)
 			{
 				$count++;
 				extract($category);
-				
+
 				// Make Nice Variables
 				$name = $wpdb->escape($cat_libelle_url);
 				$title = $wpdb->escape(csc ($cat_libelle));
@@ -236,7 +243,7 @@
 				}
 				$dccat2wpcat[$id] = $ret_id;
 			}
-			
+
 			// Store category translation for future use
 			add_option('dccat2wpcat',$dccat2wpcat);
 			echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> categories imported.'), $count).'<br /><br /></p>';
@@ -245,14 +252,14 @@
 		echo __('No Categories to Import!');
 		return false;
 	}
-	
+
 	function users2wp($users='')
 	{
 		// General Housekeeping
 		global $wpdb;
 		$count = 0;
 		$dcid2wpid = array();
-		
+
 		// Midnight Mojo
 		if(is_array($users))
 		{
@@ -261,14 +268,14 @@
 			{
 				$count++;
 				extract($user);
-				
+
 				// Make Nice Variables
 				$name = $wpdb->escape(csc ($name));
 				$RealName = $wpdb->escape(csc ($user_pseudo));
-				
+
 				if($uinfo = get_userdatabylogin($name))
 				{
-					
+
 					$ret_id = wp_insert_user(array(
 								'ID'		=> $uinfo->ID,
 								'user_login'	=> $user_id,
@@ -278,7 +285,7 @@
 								'display_name'	=> $Realname)
 								);
 				}
-				else 
+				else
 				{
 					$ret_id = wp_insert_user(array(
 								'user_login'	=> $user_id,
@@ -289,9 +296,9 @@
 								);
 				}
 				$dcid2wpid[$user_id] = $ret_id;
-				
-				// Set Dotclear-to-WordPress permissions translation
-				
+
+				// Set DotClear-to-WordPress permissions translation
+
 				// Update Usermeta Data
 				$user = new WP_User($ret_id);
 				$wp_perms = $user_level + 1;
@@ -302,26 +309,26 @@
 				else if(3  <= $wp_perms) { $user->set_role('contributor'); }
 				else if(2  <= $wp_perms) { $user->set_role('contributor'); }
 				else                     { $user->set_role('subscriber'); }
-				
+
 				update_usermeta( $ret_id, 'wp_user_level', $wp_perms);
 				update_usermeta( $ret_id, 'rich_editing', 'false');
 				update_usermeta( $ret_id, 'first_name', csc ($user_prenom));
 				update_usermeta( $ret_id, 'last_name', csc ($user_nom));
 			}// End foreach($users as $user)
-			
+
 			// Store id translation array for future use
 			add_option('dcid2wpid',$dcid2wpid);
-			
-			
+
+
 			echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> users imported.'), $count).'<br /><br /></p>';
 			return true;
 		}// End if(is_array($users)
-		
+
 		echo __('No Users to Import!');
 		return false;
-		
+
 	}// End function user2wp()
-	
+
 	function posts2wp($posts='')
 	{
 		// General Housekeeping
@@ -338,17 +345,18 @@
 			{
 				$count++;
 				extract($post);
-				
-				// Set Dotclear-to-WordPress status translation
+
+				// Set DotClear-to-WordPress status translation
 				$stattrans = array(0 => 'draft', 1 => 'publish');
 				$comment_status_map = array (0 => 'closed', 1 => 'open');
-				
+
 				//Can we do this more efficiently?
 				$uinfo = ( get_userdatabylogin( $user_id ) ) ? get_userdatabylogin( $user_id ) : 1;
 				$authorid = ( is_object( $uinfo ) ) ? $uinfo->ID : $uinfo ;
 
 				$Title = $wpdb->escape(csc ($post_titre));
 				$post_content = textconv ($post_content);
+				$post_excerpt = "";
 				if ($post_chapo != "") {
 					$post_excerpt = textconv ($post_chapo);
 					$post_content = $post_excerpt ."\n<!--more-->\n".$post_content;
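Review bot: `$post_excerpt = "";` correctly initialises the variable before the `if`, but the author lookup a few lines above still calls `get_userdatabylogin($user_id)` twice for the same login; `$uinfo = get_userdatabylogin($user_id); $authorid = $uinfo ? $uinfo->ID : 1;` does one lookup and keeps the fallback to author 1. `$user_id` and `$post_chapo` come from `extract($post)` on the DotClear row, so their presence depends on that table's columns.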
@@ -356,9 +364,9 @@
 				$post_excerpt = $wpdb->escape ($post_excerpt);
 				$post_content = $wpdb->escape ($post_content);
 				$post_status = $stattrans[$post_pub];
-				
+
 				// Import Post data into WordPress
-				
+
 				if($pinfo = post_exists($Title,$post_content))
 				{
 					$ret_id = wp_insert_post(array(
@@ -378,7 +386,7 @@
 							'comment_count'		=> $post_nb_comment + $post_nb_trackback)
 							);
 				}
-				else 
+				else
 				{
 					$ret_id = wp_insert_post(array(
 							'post_author'		=> $authorid,
@@ -397,7 +405,7 @@
 							);
 				}
 				$dcposts2wpposts[$post_id] = $ret_id;
-				
+
 				// Make Post-to-Category associations
 				$cats = array();
 				if($cat1 = get_catbynicename($post_cat_name)) { $cats[1] = $cat1; }
@@ -407,11 +415,11 @@
 		}
 		// Store ID translation for later use
 		add_option('dcposts2wpposts',$dcposts2wpposts);
-		
+
 		echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> posts imported.'), $count).'<br /><br /></p>';
-		return true;	
+		return true;
 	}
-	
+
 	function comments2wp($comments='')
 	{
 		// General Housekeeping
@@ -419,7 +427,7 @@
 		$count = 0;
 		$dccm2wpcm = array();
 		$postarr = get_option('dcposts2wpposts');
-		
+
 		// Magic Mojo
 		if(is_array($comments))
 		{
@@ -428,7 +436,7 @@
 			{
 				$count++;
 				extract($comment);
-				
+
 				// WordPressify Data
 				$comment_ID = (int) ltrim($comment_id, '0');
 				$comment_post_ID = (int) $postarr[$post_id];
@@ -437,7 +445,7 @@
 				$email = $wpdb->escape($comment_email);
 				$web = "http://".$wpdb->escape($comment_site);
 				$message = $wpdb->escape(textconv ($comment_content));
-				
+
 				if($cinfo = comment_exists($name, $comment_dt))
 				{
 					// Update comments
@@ -454,7 +462,7 @@
 							'comment_approved'	=> $comment_approved)
 							);
 				}
-				else 
+				else
 				{
 					// Insert comments
 					$ret_id = wp_insert_comment(array(
@@ -472,25 +480,25 @@
 				$dccm2wpcm[$comment_ID] = $ret_id;
 			}
 			// Store Comment ID translation for future use
-			add_option('dccm2wpcm', $dccm2wpcm);			
-			
+			add_option('dccm2wpcm', $dccm2wpcm);
+
 			// Associate newly formed categories with posts
 			get_comment_count($ret_id);
-			
-			
+
+
 			echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> comments imported.'), $count).'<br /><br /></p>';
 			return true;
 		}
 		echo __('No Comments to Import!');
 		return false;
 	}
-	
+
 	function links2wp($links='')
 	{
 		// General Housekeeping
 		global $wpdb;
 		$count = 0;
-		
+
 		// Deal with the links
 		if(is_array($links))
 		{
@@ -499,7 +507,7 @@
 			{
 				$count++;
 				extract($link);
-				
+
 				if ($title != "") {
 					if ($cinfo = link_cat_exists (csc ($title))) {
 						$category = $cinfo;
@@ -511,7 +519,7 @@
 				} else {
 					$linkname = $wpdb->escape(csc ($label));
 					$description = $wpdb->escape(csc ($title));
-				
+
 					if($linfo = link_exists($linkname)) {
 						$ret_id = wp_insert_link(array(
 									'link_id'		=> $linfo,
@@ -540,70 +548,75 @@
 		echo __('No Links to Import!');
 		return false;
 	}
-		
-	function import_categories() 
-	{	
-		// Category Import	
+
+	function import_categories()
+	{
+		// Category Import
 		$cats = $this->get_dc_cats();
 		$this->cat2wp($cats);
 		add_option('dc_cats', $cats);
-		
-		
-			
+
+
+
 		echo '<form action="admin.php?import=dotclear&amp;step=2" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Users'));
+		wp_nonce_field('import-dotclear');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Users')));
 		echo '</form>';
 
 	}
-	
+
 	function import_users()
 	{
 		// User Import
-		$users = $this->get_dc_users(); 
+		$users = $this->get_dc_users();
 		$this->users2wp($users);
-		
+
 		echo '<form action="admin.php?import=dotclear&amp;step=3" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Posts'));
+		wp_nonce_field('import-dotclear');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Posts')));
 		echo '</form>';
 	}
-	
+
 	function import_posts()
 	{
 		// Post Import
 		$posts = $this->get_dc_posts();
 		$this->posts2wp($posts);
-		
+
 		echo '<form action="admin.php?import=dotclear&amp;step=4" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Comments'));
+		wp_nonce_field('import-dotclear');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Comments')));
 		echo '</form>';
 	}
-	
+
 	function import_comments()
 	{
 		// Comment Import
 		$comments = $this->get_dc_comments();
 		$this->comments2wp($comments);
-		
+
 		echo '<form action="admin.php?import=dotclear&amp;step=5" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Links'));
+		wp_nonce_field('import-dotclear');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Links')));
 		echo '</form>';
 	}
-	
+
 	function import_links()
 	{
 		//Link Import
 		$links = $this->get_dc_links();
 		$this->links2wp($links);
 		add_option('dc_links', $links);
-		
+
 		echo '<form action="admin.php?import=dotclear&amp;step=6" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Finish'));
+		wp_nonce_field('import-dotclear');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Finish')));
 		echo '</form>';
 	}
-	
+
 	function cleanup_dcimport()
 	{
-		delete_option('tpre');
+		delete_option('dcdbprefix');
 		delete_option('dc_cats');
 		delete_option('dcid2wpid');
 		delete_option('dccat2wpcat');
@@ -617,16 +630,16 @@
 		delete_option('dccharset');
 		$this->tips();
 	}
-	
+
 	function tips()
 	{
-		echo '<p>'.__('Welcome to WordPress.  We hope (and expect!) that you will find this platform incredibly rewarding!  As a new WordPress user coming from Dotclear, there are some things that we would like to point out.  Hopefully, they will help your transition go as smoothly as possible.').'</p>';
+		echo '<p>'.__('Welcome to WordPress.  We hope (and expect!) that you will find this platform incredibly rewarding!  As a new WordPress user coming from DotClear, there are some things that we would like to point out.  Hopefully, they will help your transition go as smoothly as possible.').'</p>';
 		echo '<h3>'.__('Users').'</h3>';
-		echo '<p>'.sprintf(__('You have already setup WordPress and have been assigned an administrative login and password.  Forget it.  You didn\'t have that login in Dotclear, why should you have it here?  Instead we have taken care to import all of your users into our system.  Unfortunately there is one downside.  Because both WordPress and Dotclear uses a strong encryption hash with passwords, it is impossible to decrypt it and we are forced to assign temporary passwords to all your users.  <strong>Every user has the same username, but their passwords are reset to password123.</strong>  So <a href="%1$s">Login</a> and change it.'), '/wp-login.php').'</p>';
+		echo '<p>'.sprintf(__('You have already setup WordPress and have been assigned an administrative login and password.  Forget it.  You didn\'t have that login in DotClear, why should you have it here?  Instead we have taken care to import all of your users into our system.  Unfortunately there is one downside.  Because both WordPress and DotClear uses a strong encryption hash with passwords, it is impossible to decrypt it and we are forced to assign temporary passwords to all your users.  <strong>Every user has the same username, but their passwords are reset to password123.</strong>  So <a href="%1$s">Login</a> and change it.'), '/wp-login.php').'</p>';
 		echo '<h3>'.__('Preserving Authors').'</h3>';
 		echo '<p>'.__('Secondly, we have attempted to preserve post authors.  If you are the only author or contributor to your blog, then you are safe.  In most cases, we are successful in this preservation endeavor.  However, if we cannot ascertain the name of the writer due to discrepancies between database tables, we assign it to you, the administrative user.').'</p>';
 		echo '<h3>'.__('Textile').'</h3>';
-		echo '<p>'.__('Also, since you\'re coming from Dotclear, you probably have been using Textile to format your comments and posts.  If this is the case, we recommend downloading and installing <a href="http://www.huddledmasses.org/category/development/wordpress/textile/">Textile for WordPress</a>.  Trust me... You\'ll want it.').'</p>';
+		echo '<p>'.__('Also, since you\'re coming from DotClear, you probably have been using Textile to format your comments and posts.  If this is the case, we recommend downloading and installing <a href="http://www.huddledmasses.org/category/development/wordpress/textile/">Textile for WordPress</a>.  Trust me... You\'ll want it.').'</p>';
 		echo '<h3>'.__('WordPress Resources').'</h3>';
 		echo '<p>'.__('Finally, there are numerous WordPress resources around the internet.  Some of them are:').'</p>';
 		echo '<ul>';
@@ -636,20 +649,20 @@
 		echo '</ul>';
 		echo '<p>'.sprintf(__('That\'s it! What are you waiting for? Go <a href="%1$s">login</a>!'), '../wp-login.php').'</p>';
 	}
-	
+
 	function db_form()
 	{
-		echo '<ul>';
-		printf('<li><label for="dbuser">%s</label> <input type="text" name="dbuser" id="dbuser" /></li>', __('Dotclear Database User:'));
-		printf('<li><label for="dbpass">%s</label> <input type="password" name="dbpass" id="dbpass" /></li>', __('Dotclear Database Password:'));
-		printf('<li><label for="dbname">%s</label> <input type="text" name="dbname" id="dbname" /></li>', __('Dotclear Database Name:'));
-		printf('<li><label for="dbhost">%s</label> <input type="text" name="dbhost" id="dbhost" value="localhost" /></li>', __('Dotclear Database Host:'));
-		/* printf('<li><label for="dbprefix">%s</label> <input type="text" name="dbprefix" /></li>', __('Dotclear Table prefix (if any):')); */
-		printf('<li><label for="dccharset">%s</label> <input type="text" id="dccharset" name="dccharset" value="ISO-8859-15"/></li>', __('Originating character set:'));
-		echo '</ul>';
+		echo '<table class="editform">';
+		printf('<tr><th><label for="dbuser">%s</label></th><td><input type="text" name="dbuser" id="dbuser" /></td></tr>', __('DotClear Database User:'));
+		printf('<tr><th><label for="dbpass">%s</label></th><td><input type="password" name="dbpass" id="dbpass" /></td></tr>', __('DotClear Database Password:'));
+		printf('<tr><th><label for="dbname">%s</label></th><td><input type="text" name="dbname" id="dbname" /></td></tr>', __('DotClear Database Name:'));
+		printf('<tr><th><label for="dbhost">%s</label></th><td><input type="text" name="dbhost" nameid="dbhost" value="localhost" /></td></tr>', __('DotClear Database Host:'));
+		printf('<tr><th><label for="dbprefix">%s</label></th><td><input type="text" name="dbprefix" id="dbprefix" value="dc_"/></td></tr>', __('DotClear Table prefix:'));
+		printf('<tr><th><label for="dccharset">%s</label></th><td><input type="text" name="dccharset" id="dccharset" value="ISO-8859-15"/></td></tr>', __('Originating character set:'));
+		echo '</table>';
 	}
-	
-	function dispatch() 
+
+	function dispatch()
 	{
 
 		if (empty ($_GET['step']))
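Review bot: The rewritten dbhost row in db_form() carries `nameid="dbhost"` where every other row, and the Textpattern db_form later in this diff, has `name="dbhost" id="dbhost"`; as written the input has no id, so the `<label for="dbhost">` on the same line is not bound to it and clicking the label or using a screen reader no longer reaches the field. The line should read `... <input type="text" name="dbhost" id="dbhost" value="localhost" /> ...`. The re-enabled dbprefix row is a behaviour change from the commented-out original, so its default `dc_` should be checked against whatever the get_dc_* queries expect, which are outside this hunk.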
@@ -657,51 +670,53 @@
 		else
 			$step = (int) $_GET['step'];
 		$this->header();
-		
-		if ( $step > 0 ) 
+
+		if ( $step > 0 )
 		{
+			check_admin_referer('import-dotclear');
+
 			if($_POST['dbuser'])
 			{
 				if(get_option('dcuser'))
-					delete_option('dcuser');	
-				add_option('dcuser',$_POST['dbuser']);
+					delete_option('dcuser');
+				add_option('dcuser', sanitize_user($_POST['dbuser'], true));
 			}
 			if($_POST['dbpass'])
 			{
 				if(get_option('dcpass'))
-					delete_option('dcpass');	
-				add_option('dcpass',$_POST['dbpass']);
+					delete_option('dcpass');
+				add_option('dcpass', sanitize_user($_POST['dbpass'], true));
 			}
-			
+
 			if($_POST['dbname'])
 			{
 				if(get_option('dcname'))
-					delete_option('dcname');	
-				add_option('dcname',$_POST['dbname']);
+					delete_option('dcname');
+				add_option('dcname', sanitize_user($_POST['dbname'], true));
 			}
 			if($_POST['dbhost'])
 			{
 				if(get_option('dchost'))
 					delete_option('dchost');
-				add_option('dchost',$_POST['dbhost']); 
+				add_option('dchost', sanitize_user($_POST['dbhost'], true));
 			}
 			if($_POST['dccharset'])
 			{
 				if(get_option('dccharset'))
 					delete_option('dccharset');
-				add_option('dccharset',$_POST['dccharset']); 
-			}			
+				add_option('dccharset', sanitize_user($_POST['dccharset'], true));
+			}
 			if($_POST['dbprefix'])
 			{
-				if(get_option('tpre'))
-					delete_option('tpre');
-				add_option('tpre',$_POST['dbprefix']); 
-			}			
+				if(get_option('dcdbprefix'))
+					delete_option('dcdbprefix');
+				add_option('dcdbprefix', sanitize_user($_POST['dbprefix'], true));
+			}
 
 
 		}
 
-		switch ($step) 
+		switch ($step)
 		{
 			default:
 			case 0 :
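Review bot: `add_option('dcpass', sanitize_user($_POST['dbpass'], true))` (and the dchost line below it) strips every character outside `a-z0-9 _.-@`, so a database password containing `!`, `#`, `$` or similar, or a host written as `localhost:3306` or a socket path, is silently altered before it is stored and the later connection to the DotClear database fails with no hint why. Strict stripping is the right call for `dbprefix`, because that value ends up concatenated into SQL text (presumably as the get_dc_* queries do, which are outside this view), but user, password, host and name are only handed to the connection API and need to arrive intact. I would keep `sanitize_user($_POST['dbprefix'], true)` for the prefix and store the other four after `stripslashes()` without character stripping, assuming add_option escapes values for the options table on this branch — worth confirming. dispatch() continues past the end of the hunk.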
@@ -726,16 +741,16 @@
 				$this->cleanup_dcimport();
 				break;
 		}
-		
+
 		$this->footer();
 	}
 
-	function Dotclear_Import() 
+	function Dotclear_Import()
 	{
-		// Nothing.	
+		// Nothing.
 	}
 }
 
 $dc_import = new Dotclear_Import();
-register_importer('dotclear', __('Dotclear'), __('Import posts from a Dotclear Blog'), array ($dc_import, 'dispatch'));
+register_importer('dotclear', __('DotClear'), __('Import categories, users, posts, comments, and links from a DotClear blog'), array ($dc_import, 'dispatch'));
 ?>

Property changes on: wp-admin/import/dotclear.php
___________________________________________________________________
Name: svn:eol-style
   + native

Index: wp-admin/import/mt.php
===================================================================
--- wp-admin/import/mt.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/import/mt.php	(.../2.0.11)	(revision 6405)
@@ -145,6 +145,7 @@
 		$authors = $this->get_mt_authors();
 		echo '<ol id="authors">';
 		echo '<form action="?import=mt&amp;step=2&amp;id=' . $this->id . '" method="post">';
+		wp_nonce_field('import-mt');
 		$j = -1;
 		foreach ($authors as $author) {
 			++ $j;
@@ -415,9 +416,11 @@
 				$this->greet();
 				break;
 			case 1 :
+				check_admin_referer('import-upload');
 				$this->select_authors();
 				break;
 			case 2:
+				check_admin_referer('import-mt');
 				$this->import();
 				break;
 		}
Index: wp-admin/import/textpattern.php
===================================================================
--- wp-admin/import/textpattern.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/import/textpattern.php	(.../2.0.11)	(revision 6405)
@@ -4,13 +4,13 @@
 **/
 if(!function_exists('get_catbynicename'))
 {
-	function get_catbynicename($category_nicename) 
+	function get_catbynicename($category_nicename)
 	{
 	global $wpdb;
-	
+
 	$cat_id -= 0; 	// force numeric
 	$name = $wpdb->get_var('SELECT cat_ID FROM '.$wpdb->categories.' WHERE category_nicename="'.$category_nicename.'"');
-	
+
 	return $name;
 	}
 }
@@ -49,15 +49,18 @@
 	{
 		echo '</div>';
 	}
-	
-	function greet() 
-	{
-		echo '<p>'.__('Howdy! This importer allows you to extract posts from any Textpattern 4.0.2+ into your blog. This has not been tested on previous versions of Textpattern.  Mileage may vary.').'</p>';
+
+	function greet() {
+		echo '<div class="narrow">';
+		echo '<p>'.__('Howdy! This imports categories, users, posts, comments, and links from any Textpattern 4.0.2+ into this blog.').'</p>';
+		echo '<p>'.__('This has not been tested on previous versions of Textpattern.  Mileage may vary.').'</p>';
 		echo '<p>'.__('Your Textpattern Configuration settings are as follows:').'</p>';
 		echo '<form action="admin.php?import=textpattern&amp;step=1" method="post">';
+		wp_nonce_field('import-textpattern');
 		$this->db_form();
-		echo '<input type="submit" name="submit" value="'.__('Import Categories').'" />';
+		echo '<p class="submit"><input type="submit" name="submit" value="'.attribute_escape(__('Import Categories &raquo;')).'" /></p>';
 		echo '</form>';
+		echo '</div>';
 	}
 
 	function get_txp_cats()
@@ -67,17 +70,17 @@
 		$txpdb = new wpdb(get_option('txpuser'), get_option('txppass'), get_option('txpname'), get_option('txphost'));
 		set_magic_quotes_runtime(0);
 		$prefix = get_option('tpre');
-		
+
 		// Get Categories
-		return $txpdb->get_results('SELECT 
-										id,
-										name,
-										title
-							   		 FROM '.$prefix.'txp_category 
-							   		 WHERE type = "article"', 
-									 ARRAY_A);
+		return $txpdb->get_results('SELECT
+			id,
+			name,
+			title
+			FROM '.$prefix.'txp_category
+			WHERE type = "article"',
+			ARRAY_A);
 	}
-	
+
 	function get_txp_users()
 	{
 		global $wpdb;
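Review bot: The reformatted query still splices `$prefix`, read from the `tpre` option, straight into the SQL text (`FROM '.$prefix.'txp_category`), and the get_txp_users, get_txp_posts, get_txp_comments and get_txp_links hunks below do the same. Whether that is safe depends entirely on what dispatch() stores into `tpre` from `$_POST['dbprefix']`, which lies outside this view; the DotClear importer in this same commit runs its prefix through `sanitize_user(..., true)` before storing it, and I could not confirm the Textpattern side does. A guard at the point of use would make these functions safe regardless of the writer, e.g. `if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) return array();` right after `$prefix = get_option('tpre');`, ideally in one private helper that every get_txp_* method calls. The value is admin-supplied behind a nonce, so exposure is limited, but the query builders should not have to trust it.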
@@ -85,44 +88,44 @@
 		$txpdb = new wpdb(get_option('txpuser'), get_option('txppass'), get_option('txpname'), get_option('txphost'));
 		set_magic_quotes_runtime(0);
 		$prefix = get_option('tpre');
-		
+
 		// Get Users
-		
+
 		return $txpdb->get_results('SELECT
-										user_id,
-										name,
-										RealName,
-										email,
-										privs
-							   		FROM '.$prefix.'txp_users', ARRAY_A);
+			user_id,
+			name,
+			RealName,
+			email,
+			privs
+			FROM '.$prefix.'txp_users', ARRAY_A);
 	}
-	
+
 	function get_txp_posts()
 	{
 		// General Housekeeping
 		$txpdb = new wpdb(get_option('txpuser'), get_option('txppass'), get_option('txpname'), get_option('txphost'));
 		set_magic_quotes_runtime(0);
 		$prefix = get_option('tpre');
-		
+
 		// Get Posts
-		return $txpdb->get_results('SELECT 
-										ID,
-										Posted,
-										AuthorID,
-										LastMod,
-										Title,
-										Body,
-										Excerpt,
-										Category1,
-										Category2,
-										Status,
-										Keywords,
-										url_title,
-										comments_count
-							   		FROM '.$prefix.'textpattern
-							   		', ARRAY_A);
+		return $txpdb->get_results('SELECT
+			ID,
+			Posted,
+			AuthorID,
+			LastMod,
+			Title,
+			Body,
+			Excerpt,
+			Category1,
+			Category2,
+			Status,
+			Keywords,
+			url_title,
+			comments_count
+			FROM '.$prefix.'textpattern
+			', ARRAY_A);
 	}
-	
+
 	function get_txp_comments()
 	{
 		global $wpdb;
@@ -130,30 +133,30 @@
 		$txpdb = new wpdb(get_option('txpuser'), get_option('txppass'), get_option('txpname'), get_option('txphost'));
 		set_magic_quotes_runtime(0);
 		$prefix = get_option('tpre');
-		
+
 		// Get Comments
 		return $txpdb->get_results('SELECT * FROM '.$prefix.'txp_discuss', ARRAY_A);
 	}
-	
+
 		function get_txp_links()
 	{
 		//General Housekeeping
 		$txpdb = new wpdb(get_option('txpuser'), get_option('txppass'), get_option('txpname'), get_option('txphost'));
 		set_magic_quotes_runtime(0);
 		$prefix = get_option('tpre');
-		
-		return $txpdb->get_results('SELECT 
-										id,
-										date,
-										category,
-										url,
-										linkname,
-										description
-									  FROM '.$prefix.'txp_link', 
-									  ARRAY_A);						  
+
+		return $txpdb->get_results('SELECT
+			id,
+			date,
+			category,
+			url,
+			linkname,
+			description
+			FROM '.$prefix.'txp_link',
+			ARRAY_A);
 	}
-	
-	function cat2wp($categories='') 
+
+	function cat2wp($categories='')
 	{
 		// General Housekeeping
 		global $wpdb;
@@ -163,16 +166,16 @@
 		if(is_array($categories))
 		{
 			echo '<p>'.__('Importing Categories...').'<br /><br /></p>';
-			foreach ($categories as $category) 
+			foreach ($categories as $category)
 			{
 				$count++;
 				extract($category);
-				
-				
+
+
 				// Make Nice Variables
 				$name = $wpdb->escape($name);
 				$title = $wpdb->escape($title);
-				
+
 				if($cinfo = category_exists($name))
 				{
 					$ret_id = wp_insert_category(array('cat_ID' => $cinfo, 'category_nicename' => $name, 'cat_name' => $title));
@@ -183,7 +186,7 @@
 				}
 				$txpcat2wpcat[$id] = $ret_id;
 			}
-			
+
 			// Store category translation for future use
 			add_option('txpcat2wpcat',$txpcat2wpcat);
 			echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> categories imported.'), $count).'<br /><br /></p>';
@@ -192,14 +195,14 @@
 		echo __('No Categories to Import!');
 		return false;
 	}
-	
+
 	function users2wp($users='')
 	{
 		// General Housekeeping
 		global $wpdb;
 		$count = 0;
 		$txpid2wpid = array();
-		
+
 		// Midnight Mojo
 		if(is_array($users))
 		{
@@ -208,14 +211,14 @@
 			{
 				$count++;
 				extract($user);
-				
+
 				// Make Nice Variables
 				$name = $wpdb->escape($name);
 				$RealName = $wpdb->escape($RealName);
-				
+
 				if($uinfo = get_userdatabylogin($name))
 				{
-					
+
 					$ret_id = wp_insert_user(array(
 								'ID'			=> $uinfo->ID,
 								'user_login'	=> $name,
@@ -225,7 +228,7 @@
 								'display_name'	=> $name)
 								);
 				}
-				else 
+				else
 				{
 					$ret_id = wp_insert_user(array(
 								'user_login'	=> $name,
@@ -236,10 +239,10 @@
 								);
 				}
 				$txpid2wpid[$user_id] = $ret_id;
-				
+
 				// Set Textpattern-to-WordPress permissions translation
 				$transperms = array(1 => '10', 2 => '9', 3 => '5', 4 => '4', 5 => '3', 6 => '2', 7 => '0');
-				
+
 				// Update Usermeta Data
 				$user = new WP_User($ret_id);
 				if('10' == $transperms[$privs]) { $user->set_role('administrator'); }
@@ -249,24 +252,24 @@
 				if('3'  == $transperms[$privs]) { $user->set_role('contributor'); }
 				if('2'  == $transperms[$privs]) { $user->set_role('contributor'); }
 				if('0'  == $transperms[$privs]) { $user->set_role('subscriber'); }
-				
+
 				update_usermeta( $ret_id, 'wp_user_level', $transperms[$privs] );
 				update_usermeta( $ret_id, 'rich_editing', 'false');
 			}// End foreach($users as $user)
-			
+
 			// Store id translation array for future use
 			add_option('txpid2wpid',$txpid2wpid);
-			
-			
+
+
 			echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> users imported.'), $count).'<br /><br /></p>';
 			return true;
 		}// End if(is_array($users)
-		
+
 		echo __('No Users to Import!');
 		return false;
-		
+
 	}// End function user2wp()
-	
+
 	function posts2wp($posts='')
 	{
 		// General Housekeeping
@@ -283,10 +286,10 @@
 			{
 				$count++;
 				extract($post);
-				
+
 				// Set Textpattern-to-WordPress status translation
 				$stattrans = array(1 => 'draft', 2 => 'private', 3 => 'draft', 4 => 'publish', 5 => 'publish');
-				
+
 				//Can we do this more efficiently?
 				$uinfo = ( get_userdatabylogin( $AuthorID ) ) ? get_userdatabylogin( $AuthorID ) : 1;
 				$authorid = ( is_object( $uinfo ) ) ? $uinfo->ID : $uinfo ;
@@ -295,59 +298,59 @@
 				$Body = $wpdb->escape($Body);
 				$Excerpt = $wpdb->escape($Excerpt);
 				$post_status = $stattrans[$Status];
-				
+
 				// Import Post data into WordPress
-				
+
 				if($pinfo = post_exists($Title,$Body))
 				{
 					$ret_id = wp_insert_post(array(
-							'ID'				=> $pinfo,
-							'post_date'			=> $Posted,
-							'post_date_gmt'		=> $post_date_gmt,
-							'post_author'		=> $authorid,
-							'post_modified'		=> $LastMod,
-							'post_modified_gmt' => $post_modified_gmt,
-							'post_title'		=> $Title,
-							'post_content'		=> $Body,
-							'post_excerpt'		=> $Excerpt,
-							'post_status'		=> $post_status,
-							'post_name'			=> $url_title,
-							'comment_count'		=> $comments_count)
-							);
+						'ID'				=> $pinfo,
+						'post_date'			=> $Posted,
+						'post_date_gmt'		=> $post_date_gmt,
+						'post_author'		=> $authorid,
+						'post_modified'		=> $LastMod,
+						'post_modified_gmt' => $post_modified_gmt,
+						'post_title'		=> $Title,
+						'post_content'		=> $Body,
+						'post_excerpt'		=> $Excerpt,
+						'post_status'		=> $post_status,
+						'post_name'			=> $url_title,
+						'comment_count'		=> $comments_count)
+						);
 				}
-				else 
+				else
 				{
 					$ret_id = wp_insert_post(array(
-							'post_date'			=> $Posted,
-							'post_date_gmt'		=> $post_date_gmt,
-							'post_author'		=> $authorid,
-							'post_modified'		=> $LastMod,
-							'post_modified_gmt' => $post_modified_gmt,
-							'post_title'		=> $Title,
-							'post_content'		=> $Body,
-							'post_excerpt'		=> $Excerpt,
-							'post_status'		=> $post_status,
-							'post_name'			=> $url_title,
-							'comment_count'		=> $comments_count)
-							);
+						'post_date'			=> $Posted,
+						'post_date_gmt'		=> $post_date_gmt,
+						'post_author'		=> $authorid,
+						'post_modified'		=> $LastMod,
+						'post_modified_gmt' => $post_modified_gmt,
+						'post_title'		=> $Title,
+						'post_content'		=> $Body,
+						'post_excerpt'		=> $Excerpt,
+						'post_status'		=> $post_status,
+						'post_name'			=> $url_title,
+						'comment_count'		=> $comments_count)
+						);
 				}
 				$txpposts2wpposts[$ID] = $ret_id;
-				
+
 				// Make Post-to-Category associations
 				$cats = array();
 				if($cat1 = get_catbynicename($Category1)) { $cats[1] = $cat1; }
 				if($cat2 = get_catbynicename($Category2)) { $cats[2] = $cat2; }
 
-				if(!empty($cats)) { wp_set_post_cats('', $ret_id, $cats); }
+				if(!empty($cats)) { wp_set_post_categories($ret_id, $cats); }
 			}
 		}
 		// Store ID translation for later use
 		add_option('txpposts2wpposts',$txpposts2wpposts);
-		
+
 		echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> posts imported.'), $count).'<br /><br /></p>';
-		return true;	
+		return true;
 	}
-	
+
 	function comments2wp($comments='')
 	{
 		// General Housekeeping
@@ -355,7 +358,7 @@
 		$count = 0;
 		$txpcm2wpcm = array();
 		$postarr = get_option('txpposts2wpposts');
-		
+
 		// Magic Mojo
 		if(is_array($comments))
 		{
@@ -364,7 +367,7 @@
 			{
 				$count++;
 				extract($comment);
-				
+
 				// WordPressify Data
 				$comment_ID = ltrim($discussid, '0');
 				$comment_post_ID = $postarr[$parentid];
@@ -373,57 +376,57 @@
 				$email = $wpdb->escape($email);
 				$web = $wpdb->escape($web);
 				$message = $wpdb->escape($message);
-				
+
 				if($cinfo = comment_exists($name, $posted))
 				{
 					// Update comments
 					$ret_id = wp_update_comment(array(
-							'comment_ID'			=> $cinfo,
-							'comment_post_ID'		=> $comment_post_ID,
-							'comment_author'		=> $name,
-							'comment_author_email'	=> $email,
-							'comment_author_url'	=> $web,
-							'comment_date'			=> $posted,
-							'comment_content'		=> $message,
-							'comment_approved'		=> $comment_approved)
-							);
+						'comment_ID'			=> $cinfo,
+						'comment_post_ID'		=> $comment_post_ID,
+						'comment_author'		=> $name,
+						'comment_author_email'	=> $email,
+						'comment_author_url'	=> $web,
+						'comment_date'			=> $posted,
+						'comment_content'		=> $message,
+						'comment_approved'		=> $comment_approved)
+						);
 				}
-				else 
+				else
 				{
 					// Insert comments
 					$ret_id = wp_insert_comment(array(
-							'comment_post_ID'		=> $comment_post_ID,
-							'comment_author'		=> $name,
-							'comment_author_email'	=> $email,
-							'comment_author_url'	=> $web,
-							'comment_author_IP'		=> $ip,
-							'comment_date'			=> $posted,
-							'comment_content'		=> $message,
-							'comment_approved'		=> $comment_approved)
-							);
+						'comment_post_ID'		=> $comment_post_ID,
+						'comment_author'		=> $name,
+						'comment_author_email'	=> $email,
+						'comment_author_url'	=> $web,
+						'comment_author_IP'		=> $ip,
+						'comment_date'			=> $posted,
+						'comment_content'		=> $message,
+						'comment_approved'		=> $comment_approved)
+						);
 				}
 				$txpcm2wpcm[$comment_ID] = $ret_id;
 			}
 			// Store Comment ID translation for future use
-			add_option('txpcm2wpcm', $txpcm2wpcm);			
-			
+			add_option('txpcm2wpcm', $txpcm2wpcm);
+
 			// Associate newly formed categories with posts
 			get_comment_count($ret_id);
-			
-			
+
+
 			echo '<p>'.sprintf(__('Done! <strong>%1$s</strong> comments imported.'), $count).'<br /><br /></p>';
 			return true;
 		}
 		echo __('No Comments to Import!');
 		return false;
 	}
-	
+
 	function links2wp($links='')
 	{
 		// General Housekeeping
 		global $wpdb;
 		$count = 0;
-		
+
 		// Deal with the links
 		if(is_array($links))
 		{
@@ -432,12 +435,12 @@
 			{
 				$count++;
 				extract($link);
-				
+
 				// Make nice vars
 				$category = $wpdb->escape($category);
 				$linkname = $wpdb->escape($linkname);
 				$description = $wpdb->escape($description);
-				
+
 				if($linfo = link_exists($linkname))
 				{
 					$ret_id = wp_insert_link(array(
@@ -449,7 +452,7 @@
 								'link_updated'		=> $date)
 								);
 				}
-				else 
+				else
 				{
 					$ret_id = wp_insert_link(array(
 								'link_url'			=> $url,
@@ -470,67 +473,72 @@
 		echo __('No Links to Import!');
 		return false;
 	}
-		
-	function import_categories() 
-	{	
-		// Category Import	
+
+	function import_categories()
+	{
+		// Category Import
 		$cats = $this->get_txp_cats();
 		$this->cat2wp($cats);
 		add_option('txp_cats', $cats);
-		
-		
-			
+
+
+
 		echo '<form action="admin.php?import=textpattern&amp;step=2" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Users'));
+		wp_nonce_field('import-textpattern');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Users')));
 		echo '</form>';
 
 	}
-	
+
 	function import_users()
 	{
 		// User Import
-		$users = $this->get_txp_users(); 
+		$users = $this->get_txp_users();
 		$this->users2wp($users);
-		
+
 		echo '<form action="admin.php?import=textpattern&amp;step=3" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Posts'));
+		wp_nonce_field('import-textpattern');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Posts')));
 		echo '</form>';
 	}
-	
+
 	function import_posts()
 	{
 		// Post Import
 		$posts = $this->get_txp_posts();
 		$this->posts2wp($posts);
-		
+
 		echo '<form action="admin.php?import=textpattern&amp;step=4" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Comments'));
+		wp_nonce_field('import-textpattern');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Comments')));
 		echo '</form>';
 	}
-	
+
 	function import_comments()
 	{
 		// Comment Import
 		$comments = $this->get_txp_comments();
 		$this->comments2wp($comments);
-		
+
 		echo '<form action="admin.php?import=textpattern&amp;step=5" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Import Links'));
+		wp_nonce_field('import-textpattern');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Import Links')));
 		echo '</form>';
 	}
-	
+
 	function import_links()
 	{
 		//Link Import
 		$links = $this->get_txp_links();
 		$this->links2wp($links);
 		add_option('txp_links', $links);
-		
+
 		echo '<form action="admin.php?import=textpattern&amp;step=6" method="post">';
-		printf('<input type="submit" name="submit" value="%s" />', __('Finish'));
+		wp_nonce_field('import-textpattern');
+		printf('<input type="submit" name="submit" value="%s" />', attribute_escape(__('Finish')));
 		echo '</form>';
 	}
-	
+
 	function cleanup_txpimport()
 	{
 		delete_option('tpre');
@@ -546,7 +554,7 @@
 		delete_option('txphost');
 		$this->tips();
 	}
-	
+
 	function tips()
 	{
 		echo '<p>'.__('Welcome to WordPress.  We hope (and expect!) that you will find this platform incredibly rewarding!  As a new WordPress user coming from Textpattern, there are some things that we would like to point out.  Hopefully, they will help your transition go as smoothly as possible.').'</p>';
@@ -565,19 +573,19 @@
 		echo '</ul>';
 		echo '<p>'.sprintf(__('That\'s it! What are you waiting for? Go <a href="%1$s">login</a>!'), '/wp-login.php').'</p>';
 	}
-	
+
 	function db_form()
 	{
-		echo '<ul>';
-		printf('<li><label for="dbuser">%s</label> <input type="text" name="dbuser" id="dbuser" /></li>', __('Textpattern Database User:'));
-		printf('<li><label for="dbpass">%s</label> <input type="password" name="dbpass" id="dbpass" /></li>', __('Textpattern Database Password:'));
-		printf('<li><label for="dbname">%s</label> <input type="text" id="dbname" name="dbname" /></li>', __('Textpattern Database Name:'));
-		printf('<li><label for="dbhost">%s</label> <input type="text" id="dbhost" name="dbhost" value="localhost" /></li>', __('Textpattern Database Host:'));
-		printf('<li><label for="dbprefix">%s</label> <input type="text" name="dbprefix" id="dbprefix"  /></li>', __('Textpattern Table prefix (if any):'));
-		echo '</ul>';
+		echo '<table class="editform">';
+		printf('<tr><th scope="row"><label for="dbuser">%s</label></th><td><input type="text" name="dbuser" id="dbuser" /></td></tr>', __('Textpattern Database User:'));
+		printf('<tr><th scope="row"><label for="dbpass">%s</label></th><td><input type="password" name="dbpass" id="dbpass" /></td></tr>', __('Textpattern Database Password:'));
+		printf('<tr><th scope="row"><label for="dbname">%s</label></th><td><input type="text" id="dbname" name="dbname" /></td></tr>', __('Textpattern Database Name:'));
+		printf('<tr><th scope="row"><label for="dbhost">%s</label></th><td><input type="text" id="dbhost" name="dbhost" value="localhost" /></td></tr>', __('Textpattern Database Host:'));
+		printf('<tr><th scope="row"><label for="dbprefix">%s</label></th><td><input type="text" name="dbprefix" id="dbprefix"  /></td></tr>', __('Textpattern Table prefix (if any):'));
+		echo '</table>';
 	}
-	
-	function dispatch() 
+
+	function dispatch()
 	{
 
 		if (empty ($_GET['step']))
@@ -585,45 +593,47 @@
 		else
 			$step = (int) $_GET['step'];
 		$this->header();
-		
-		if ( $step > 0 ) 
+
+		if ( $step > 0 )
 		{
+			check_admin_referer('import-textpattern');
+
 			if($_POST['dbuser'])
 			{
 				if(get_option('txpuser'))
-					delete_option('txpuser');	
-				add_option('txpuser',$_POST['dbuser']);
+					delete_option('txpuser');
+				add_option('txpuser', sanitize_user($_POST['dbuser'], true));
 			}
 			if($_POST['dbpass'])
 			{
 				if(get_option('txppass'))
-					delete_option('txppass');	
-				add_option('txppass',$_POST['dbpass']);
+					delete_option('txppass');
+				add_option('txppass',  sanitize_user($_POST['dbpass'], true));
 			}
-			
+
 			if($_POST['dbname'])
 			{
 				if(get_option('txpname'))
-					delete_option('txpname');	
-				add_option('txpname',$_POST['dbname']);
+					delete_option('txpname');
+				add_option('txpname',  sanitize_user($_POST['dbname'], true));
 			}
 			if($_POST['dbhost'])
 			{
 				if(get_option('txphost'))
 					delete_option('txphost');
-				add_option('txphost',$_POST['dbhost']); 
+				add_option('txphost',  sanitize_user($_POST['dbhost'], true));
 			}
 			if($_POST['dbprefix'])
 			{
 				if(get_option('tpre'))
 					delete_option('tpre');
-				add_option('tpre',$_POST['dbprefix']); 
-			}			
+				add_option('tpre',  sanitize_user($_POST['dbprefix']));
+			}
 
 
 		}
 
-		switch ($step) 
+		switch ($step)
 		{
 			default:
 			case 0 :
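Review bot: The `dbprefix` value stored on the `add_option('tpre', ...)` line is the only one passed through `sanitize_user()` without `strict`, so backticks, spaces and `;` survive into a value that is presumably spliced into table names elsewhere in this importer; a character whitelist fits that use better, `add_option('tpre', preg_replace('|[^a-z0-9_]|i', '', $_POST['dbprefix']));`. Conversely, strict `sanitize_user()` on `dbpass` and `dbhost` (which, if I recall the 2.0 implementation correctly, keeps only alphanumerics, space, `_`, `.`, `-` and `@`) silently drops any other punctuation a real password or a `host:port` value contains, so the later connection fails with a confusing error instead of the input being rejected here. Those two are connection credentials rather than SQL fragments and would be better kept verbatim, or the host limited to `[a-z0-9.:_-]`. The enclosing `dispatch()` starts and ends outside this hunk.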
@@ -648,16 +658,16 @@
 				$this->cleanup_txpimport();
 				break;
 		}
-		
+
 		$this->footer();
 	}
 
-	function Textpattern_Import() 
+	function Textpattern_Import()
 	{
-		// Nothing.	
+		// Nothing.
 	}
 }
 
 $txp_import = new Textpattern_Import();
-register_importer('textpattern', __('Textpattern'), __('Import posts from a Textpattern Blog'), array ($txp_import, 'dispatch'));
+register_importer('textpattern', __('Textpattern'), __('Import categories, users, posts, comments, and links from a Textpattern blog'), array ($txp_import, 'dispatch'));
 ?>
Index: wp-admin/import/greymatter.php
===================================================================
--- wp-admin/import/greymatter.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/import/greymatter.php	(.../2.0.11)	(revision 6405)
@@ -6,7 +6,7 @@
 
 	function header() {
 		echo '<div class="wrap">';
-		echo '<h2>'.__('Import Greymatter').'</h2>';
+		echo '<h2>'.__('Import GreyMatter').'</h2>';
 	}
 
 	function footer() {
@@ -34,6 +34,7 @@
 <form name="stepOne" method="get">
 <input type="hidden" name="import" value="greymatter" />
 <input type="hidden" name="step" value="1" />
+<?php wp_nonce_field('import-greymatter'); ?>
 <h3><?php _e('Second step: GreyMatter details:') ?></h3>
 <p><table cellpadding="0">
 <tr>
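Review bot: The nonce emitted by the added `wp_nonce_field('import-greymatter')` line sits inside a form declared `method="get"` on the first line of the hunk, so the ticket travels in the query string and will appear in access logs, browser history and the Referer header of any link on the resulting page. Since `check_admin_referer('import-greymatter')` is what gates the import, switching the form to `method="post"` keeps it out of the URL, assuming `import()` reads its inputs from both `$_GET` and `$_POST`, which the variable-reset loop further down suggests but this hunk does not show. The form element ends outside this hunk.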
@@ -66,10 +67,10 @@
 		$string = str_replace("|*|","<br />\n",$string);
 		return($string);
 	}
-	
+
 	function import() {
 		global $wpdb;
-	
+
 		$wpvarstoreset = array('gmpath', 'archivespath', 'lastentry');
 		for ($i=0; $i<count($wpvarstoreset); $i += 1) {
 			$wpvar = $wpvarstoreset[$i];
@@ -87,11 +88,13 @@
 		}
 
 		if (!chdir($archivespath))
-			die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $archivespath));
+			wp_die(__("Wrong path, the path to the GM entries does not exist on the server"));
 
 		if (!chdir($gmpath))
-			die(sprintf(__("Wrong path, %s\ndoesn't exist\non the server"), $gmpath));
-			
+			wp_die(__("Wrong path, the path to the GM files does not exist on the server"));
+
+		$lastentry = (int) $lastentry;
+
 		$this->header();
 ?>
 <p><?php _e('The importer is running...') ?></p>
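Review bot: The two `chdir()` calls still take `$archivespath` and `$gmpath` verbatim; the new `wp_die()` messages rightly stop echoing the path back, but nothing confines which directories the importer will then read entry files from, so a typo or a crafted value points it at any directory the web server can read. If the GM files are expected to live under the blog install, a containment check before the first `chdir()` would make that explicit, e.g. `if ( 0 !== strpos(realpath($archivespath), ABSPATH) ) wp_die(__('Path must be inside the WordPress install'));` and the same for `$gmpath`, though I cannot tell from this hunk whether that assumption holds for real deployments. The new `(int) $lastentry` cast also has no upper bound, so an oversized value makes the entry loop below probe that many file names. `import()` starts before this hunk.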
@@ -128,7 +131,7 @@
 		$user_info = array("user_login"=>"$user_login", "user_pass"=>"$pass1", "user_nickname"=>"$user_nickname", "user_email"=>"$user_email", "user_url"=>"$user_url", "user_ip"=>"$user_ip", "user_domain"=>"$user_domain", "user_browser"=>"$user_browser", "dateYMDhour"=>"$user_joindate", "user_level"=>"1", "user_idmode"=>"nickname");
 		$user_id = wp_insert_user($user_info);
 		$this->gmnames[$userdata[0]] = $user_id;
-		
+
 		printf('<li>'.__('user %s...').' <strong>'.__('Done').'</strong></li>', "<em>$user_login</em>");
 	}
 
@@ -136,11 +139,11 @@
 <li><?php _e('importing posts, comments, and karma...') ?><br /><ul><?php
 
 	chdir($archivespath);
-	
+
 	for($i = 0; $i <= $lastentry; $i = $i + 1) {
-		
+
 		$entryfile = "";
-		
+
 		if ($i<10000000) {
 			$entryfile .= "0";
 			if ($i<1000000) {
@@ -194,7 +197,7 @@
 			$post_status = 'publish'; //in greymatter, there are no drafts
 			$comment_status = 'open';
 			$ping_status = 'closed';
-			
+
 			if ($post_ID = post_exists($post_title, '', $post_date)) {
 				echo ' ';
 				_e('(already exists)');
@@ -213,21 +216,21 @@
 					$user_email=$wpdb->escape("user@deleted.com");
 					$user_url=$wpdb->escape("");
 					$user_joindate=$wpdb->escape($user_joindate);
-					
+
 					$user_info = array("user_login"=>$user_login, "user_pass"=>$pass1, "user_nickname"=>$user_nickname, "user_email"=>$user_email, "user_url"=>$user_url, "user_ip"=>$user_ip, "user_domain"=>$user_domain, "user_browser"=>$user_browser, "dateYMDhour"=>$user_joindate, "user_level"=>0, "user_idmode"=>"nickname");
 					$user_id = wp_insert_user($user_info);
 					$this->gmnames[$postinfo[1]] = $user_id;
-					
+
 					echo ': ';
 					printf(__('registered deleted user %s at level 0 '), "<em>$user_login</em>");
 				}
-			
+
 				if (array_key_exists($postinfo[1], $this->gmnames)) {
 					$post_author = $this->gmnames[$postinfo[1]];
 				} else {
 					$post_author = $user_id;
 				}
-			
+
 				$postdata = compact('post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_title', 'post_excerpt', 'post_status', 'comment_status', 'ping_status', 'post_modified', 'post_modified_gmt');
 				$post_ID = wp_insert_post($postdata);
 			}
@@ -281,7 +284,7 @@
 	?>
 </ul><strong><?php _e('Done') ?></strong></li></ul>
 <p>&nbsp;</p>
-<p><?php _e('Completed Greymatter import!') ?></p>
+<p><?php _e('Completed GreyMatter import!') ?></p>
 <?php
 	$this->footer();
 	}
@@ -297,17 +300,18 @@
 				$this->greet();
 				break;
 			case 1:
+				check_admin_referer('import-greymatter');
 				$this->import();
 				break;
 		}
 	}
 
 	function GM_Import() {
-		// Nothing.	
+		// Nothing.
 	}
 }
 
 $gm_import = new GM_Import();
 
-register_importer('greymatter', __('Greymatter'), __('Import posts and comments from your Greymatter blog'), array ($gm_import, 'dispatch'));
+register_importer('greymatter', __('GreyMatter'), __('Import users, posts, and comments from a Greymatter blog'), array ($gm_import, 'dispatch'));
 ?>
Index: wp-admin/import/rss.php
===================================================================
--- wp-admin/import/rss.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/import/rss.php	(.../2.0.11)	(revision 6405)
@@ -154,6 +154,7 @@
 				$this->greet();
 				break;
 			case 1 :
+				check_admin_referer('import-upload');
 				$this->import();
 				break;
 		}
Index: wp-admin/edit-form-comment.php
===================================================================
--- wp-admin/edit-form-comment.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/edit-form-comment.php	(.../2.0.11)	(revision 6405)
@@ -8,7 +8,7 @@
 <form name="post" action="post.php" method="post" id="post">
 <?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?>
 <div class="wrap">
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
 
 <script type="text/javascript">
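Review bot: The `action` hidden input on the line after the fixed `user_ID` field still echoes `$form_action . $form_extra` unescaped inside a single-quoted attribute, while the hunk only casts the integer field next to it. Where those two variables originate is not visible here; if either can carry request data, `value='<?php echo attribute_escape($form_action . $form_extra) ?>'` closes the same class of issue the rest of the commit addresses, and if they are only ever server-side constants a short comment saying so would spare the next reviewer the same question.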
@@ -20,19 +20,19 @@
 <fieldset id="namediv">
     <legend><?php _e('Name:') ?></legend>
 	<div>
-	  <input type="text" name="newcomment_author" size="22" value="<?php echo $comment->comment_author ?>" tabindex="1" id="name" />
+	  <input type="text" name="newcomment_author" size="22" value="<?php echo attribute_escape($comment->comment_author); ?>" tabindex="1" id="name" />
     </div>
 </fieldset>
 <fieldset id="emaildiv">
         <legend><?php _e('E-mail:') ?></legend>
 		<div>
-		  <input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email ?>" tabindex="2" id="email" />
+		  <input type="text" name="newcomment_author_email" size="30" value="<?php echo attribute_escape($comment->comment_author_email); ?>" tabindex="2" id="email" />
     </div>
 </fieldset>
 <fieldset id="uridiv">
         <legend><?php _e('URI:') ?></legend>
 		<div>
-		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo $comment->comment_author_url ?>" tabindex="3" id="URL" />
+		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo attribute_escape($comment->comment_author_url); ?>" tabindex="3" id="URL" />
     </div>
 </fieldset>
 
Index: wp-admin/edit-form.php
===================================================================
--- wp-admin/edit-form.php	(.../2.0.10)	(revision 6405)
+++ wp-admin/edit-form.php	(.../2.0.11)	(revision 6405)
@@ -6,7 +6,7 @@
 <?php if (isset($mode) && 'bookmarklet' == $mode) : ?>
 <input type="hidden" name="mode" value="bookmarklet" />
 <?php endif; ?>
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='post' />
 
 <script type="text/javascript">
@@ -21,7 +21,7 @@
 <div id="poststuff">
     <fieldset id="titlediv">
       <legend><a href="http://wordpress.org/docs/reference/post/#title" title="<?php _e('Help on titles') ?>"><?php _e('Title') ?></a></legend> 
-	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
     </fieldset>
 
     <fieldset id="categorydiv">
@@ -49,7 +49,7 @@
 //-->
 </script>
 
-<input type="hidden" name="post_pingback" value="<?php echo get_option('default_pingback_flag') ?>" id="post_pingback" />
+<input type="hidden" name="post_pingback" value="<?php echo (int) get_option('default_pingback_flag') ?>" id="post_pingback" />
 
 <p><label for="trackback"> <?php printf(__('<a href="%s" title="Help on trackbacks"><strong>TrackBack</strong> a <abbr title="Universal Resource Identifier">URI</abbr></a>:</label> (Separate multiple <abbr title="Universal Resource Identifier">URI</abbr>s with spaces.)<br />'), 'http://wordpress.org/docs/reference/post/#trackback') ?>
 	<input type="text" name="trackback_url" style="width: 360px" id="trackback" tabindex="7" /></p>
@@ -64,7 +64,7 @@
 <?php if ('bookmarklet' != $mode) {
       echo '<input name="advanced" type="submit" id="advancededit" tabindex="7" value="' .  __('Advanced Editing &raquo;') . '" />';
   } ?>
-  <input name="referredby" type="hidden" id="referredby" value="<?php if ( wp_get_referer() ) echo urlencode(wp_get_referer()); ?>" />
+  <input name="referredby" type="hidden" id="referredby" value="<?php if ( $refby = wp_get_referer() ) echo urlencode($refby); ?>" />
 </p>
 
 <?php do_action('simple_edit_form', ''); ?>

